Page MenuHomePhabricator
Create Task
Maniphest T129506

MediaWiki:Gadget-popups.js isn't renderable
Closed, ResolvedPublic
Actions

Assigned To
dpatrick
Authored By
eranroz
Mar 10 2016, 5:19 PM
Tags
Referenced Files
F3947905: T129506_01_Math_REL1_23.patch
Apr 29 2016, 11:54 PM
F3947901: T129506_00_MediaWiki_REL1_23.patch
Apr 29 2016, 11:54 PM
F3947907: T129506_01_Math_REL1_25.patch
Apr 29 2016, 11:54 PM
F3947904: T129506_00_MediaWiki_REL1_26.patch
Apr 29 2016, 11:54 PM
F3947908: T129506_01_Math_master.patch
Apr 29 2016, 11:54 PM
F3947902: T129506_00_MediaWiki_master.patch
Apr 29 2016, 11:54 PM
F3947906: T129506_01_Math_REL1_26.patch
Apr 29 2016, 11:54 PM
F3947903: T129506_00_MediaWiki_REL1_25.patch
Apr 29 2016, 11:54 PM
View All 13 Files
Subscribers
Aklapper
Bawolff
csteipp
dpatrick
eranroz
gerritbot
IKhitron
View All 16 Subscribers

Description

It isn't possible to access:
https://en.wikipedia.org/w/index.php?title=MediaWiki:Gadget-popups.js
it takes forever.

However:
https://en.wikipedia.org/w/index.php?title=MediaWiki:Gadget-popups.js&action=raw&ctype=text/javascript
(or edit) works properly.

Seems like syntaxhighlight is broken

Details

SubjectRepoBranchLines +/-
Skip shell invocation on large inputmediawiki/extensions/MathREL1_28+10 -0
Skip shell invocation on large inputmediawiki/extensions/MathREL1_27+10 -0
Skip shell invocation on large inputmediawiki/extensions/Mathmaster+10 -0
Skip shell invocation on large inputmediawiki/extensions/MathREL1_23+8 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

eranroz created this task.Mar 10 2016, 5:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2016, 5:19 PM
matmarex subscribed.Mar 10 2016, 5:19 PM
IKhitron subscribed.Mar 10 2016, 5:24 PM
matmarex edited projects, added WMF-General-or-Unknown, Math; removed SyntaxHighlight.Mar 10 2016, 6:49 PM

@ori is investigating, but so far we know it's not related to SyntaxHighlight. The page had an unclosed <math> tag followed by a lot of code and apparently something couldn't handle it.

matmarex assigned this task to ori.Mar 10 2016, 6:49 PM
ori set Security to Software security bug.Mar 10 2016, 7:58 PM
ori added a project: acl*security.
ori changed the visibility from "Public (No Login Required)" to "Custom Policy".

HHVM 3.12.1 fails when a command-line argument to a process spawned using a LightProcess exceeds MAX_ARG_STRLEN, as defined in binfmts.h. MAX_ARG_STRLEN is the maximum length of strings passed to execve(). MAX_ARG_STRLEN is 131072 (or 128 kB).

We hit the limit because: (1) we parse JavaScript pages; (2) Gadget-popups.js contained a <math> tag in a comment, followed by 216 kB of JavaScript code; (3) the math extension tried to invoke texvc with that text as a command-line argument.

On HHVM 3.12.1, when using LightProcesses, this causes a crash.

Action items:

  • add a check to wfShellExec that arguments are under MAX_ARG_STRLEN
  • file a bug for HHVM indicating that it should check that arguments are < MAX_ARG_STRLEN before calling execve()
  • add a sanity check to the math extension that skips shelling out to texvc if the input is insanely large
csteipp subscribed.Mar 10 2016, 10:09 PM

T129506.patch1 KBDownload
Deployed as a security patch. We probably want to backport and release this, since the DoS vector would apply to any mediawiki instance using bash.

22:03 csteipp: deployed patch for T129506 to wmf15 & 16

csteipp added a parent task: T124940: MediaWiki 1.26.3 security release.Mar 10 2016, 10:12 PM
dpatrick triaged this task as High priority.Mar 15 2016, 9:21 PM
dpatrick added a project: Vuln-DoS.
dpatrick subscribed.Mar 15 2016, 9:24 PM

@ori, are you planning on adding the sanity check to the Extension:Math to skip shelling out to texvc? If not, I'll take care of that.

Legoktm merged a task: Restricted Task.Mar 27 2016, 9:43 PM
Legoktm added subscribers: Legoktm, Quiddity, whym, Reedy.
ori added a comment.Apr 7 2016, 6:43 PM
In T129506#2124476, @dpatrick wrote:

@ori, are you planning on adding the sanity check to the Extension:Math to skip shelling out to texvc? If not, I'll take care of that.

I'd appreciate that.

Krenair merged a task: T132301: Error on ml.wikibooks.Apr 10 2016, 8:08 PM
Krenair added a subscriber: Ruslik0.
Bawolff reassigned this task from ori to dpatrick.Apr 19 2016, 2:34 PM
Bawolff subscribed.

Assigning to @dpatrick per previous comment about check in E:Math

dpatrick added a comment.Apr 19 2016, 6:00 PM

Here are some revised patches, based on conversation with @csteipp.

The first patch revises Ori's patch above to use a constant:

T129506_00_MediaWiki.patch1 KBDownload

This second patch uses the constant to skip shelling out to texvc:

T129506_01_Math.patch1 KBDownload

dpatrick added a comment.Apr 19 2016, 7:20 PM

Revised again. Moved constant definition to Defines.php and corrected some error message content:

T129506_00_MediaWiki.patch1 KBDownload

T129506_01_Math.patch1 KBDownload

Bawolff added a subscriber: Physikerwelt.Apr 20 2016, 11:03 AM
In T129506#2219612, @dpatrick wrote:

Revised again. Moved constant definition to Defines.php and corrected some error message content:

T129506_00_MediaWiki.patch1 KBDownload

T129506_01_Math.patch1 KBDownload

This would make math ext depend on a specific version of mediawiki - thats probably fine, but we should check with ext maintainer to make sure (different exts seem to have different policies in regards to that sort of thing)

Its probably better to have a specific new error (input too long) then to reuse unknown error.

demon mentioned this in T124940: MediaWiki 1.26.3 security release.Apr 20 2016, 3:09 PM
Physikerwelt added a comment.EditedApr 20 2016, 9:46 PM

The math extension is automatically tagged with release and wmf tags. As long as the corresponding versions of math and core work with each other that's fine.
Since the master branch depends on core, it would be nice if the core patch could be applied before the math patch. Otherwise, Jenkins might get confused.

Advertisement:
Support the new math rendering mode that does not use the shell
I would very much like to get rid of the usage of shell command at all. cf. T74240 and T78046
The new rendering mode is now on beta.
The only thing that blocks it from becoming default are performance consideration for page editing. There is a pending config change by @mobrovac
https://gerrit.wikimedia.org/r/#/c/283269/
End of advertisement

dpatrick added a comment.EditedApr 25 2016, 5:49 PM
In T129506#2222659, @Bawolff wrote:
In T129506#2219612, @dpatrick wrote:

Its probably better to have a specific new error (input too long) then to reuse unknown error.

Can we do that in a public change through gerrit? I'd like to move forward with getting the patches generated for the three other releases (and for both Mediawiki and Math).

Bawolff added a comment.Apr 26 2016, 2:29 AM

Yeah, that sounds good

dpatrick added a comment.Apr 29 2016, 11:54 PM

Patches for all releases:

T129506_00_MediaWiki_master.patch1 KBDownload

T129506_01_Math_master.patch1 KBDownload

T129506_00_MediaWiki_REL1_23.patch1 KBDownload

T129506_01_Math_REL1_23.patch1 KBDownload

T129506_00_MediaWiki_REL1_25.patch1 KBDownload

T129506_01_Math_REL1_25.patch1 KBDownload

T129506_00_MediaWiki_REL1_26.patch1 KBDownload

T129506_01_Math_REL1_26.patch1 KBDownload

csteipp added a comment.May 5 2016, 6:25 PM

Redeployed core patch (with define), and dependent Math patch.

18:17 csteipp: deployed revert/new patches for core & extension for T129506

csteipp closed this task as Resolved.May 5 2016, 6:26 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:26 PM
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMay 20 2016, 5:26 PM
gerritbot subscribed.Jan 20 2017, 11:03 PM

Change 333309 had a related patch set uploaded (by Chad):
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333309

gerritbot added a project: Patch-For-Review.Jan 20 2017, 11:03 PM
gerritbot added a comment.Jan 20 2017, 11:21 PM

Change 333310 had a related patch set uploaded (by Chad):
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333310

gerritbot added a comment.Jan 20 2017, 11:21 PM

Change 333311 had a related patch set uploaded (by Chad):
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333311

gerritbot added a comment.Jan 20 2017, 11:24 PM

Change 333312 had a related patch set uploaded (by Chad):
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333312

gerritbot added a comment.Jan 20 2017, 11:29 PM

Change 333312 merged by Chad:
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333312

gerritbot added a comment.Jan 20 2017, 11:48 PM

Change 333309 merged by jenkins-bot:
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333309

gerritbot added a comment.Jan 20 2017, 11:48 PM

Change 333311 merged by jenkins-bot:
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333311

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2017-01-24_(1.29.0-wmf.9)).Jan 21 2017, 12:00 AM
gerritbot added a comment.Jan 21 2017, 12:04 AM

Change 333310 merged by jenkins-bot:
Skip shell invocation on large input

https://gerrit.wikimedia.org/r/333310

chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL