Page MenuHomePhabricator
Create Task
Maniphest T133497

Providing both HTTPS as protocol and 443 as port makes citoid fail
Closed, ResolvedPublic0 Estimated Story Points
Actions

Description

Given that I had opened VisualEditor
And started "Cite"
When I filled in a link to an external site (book at Oria.no)
Then I expect a properly formatted reference

Instead I got a failure

Screendum citoid 2016-04-24.png (279×436 px, 25 KB)

If I remove the port number the reference is properly formatted

Screendum citoid 2016-04-24-correct.png (242×439 px, 17 KB)

Event Timeline

jeblad created this task.Apr 24 2016, 1:54 PM
Restricted Application added a project: VisualEditor. · View Herald TranscriptApr 24 2016, 1:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
jeblad added a comment.Apr 24 2016, 2:02 PM

There is a note at w:no:Wikipedia:Torget#HTTPS_og_port_443 about this bug as the site Oria.no is the major provider of bibliographic information in Norway.

Mvolz added a project: Security-General.EditedApr 24 2016, 2:08 PM
Mvolz subscribed.

I believe that ports are disallowed as a security feature to prevent citoid from being used for port scanning but I could be wrong; @dpatrick is this true? Is there a way to allow these kinds of links?

Mvolz added a subscriber: dpatrick.Apr 24 2016, 2:10 PM
jeblad added a comment.Apr 25 2016, 11:30 AM

I have notified Bibsys about the problem with the explicit port address, hopefully they can fix this.

Jdforrester-WMF moved this task from To Triage to TR0: Interrupt on the VisualEditor board.Apr 26 2016, 7:11 PM
Jdforrester-WMF triaged this task as Medium priority.Apr 26 2016, 8:28 PM
dpatrick added a comment.EditedApr 26 2016, 10:15 PM

@jeblad, just to clarify, the original citation URL which caused the error is https://bibsys-almaprimo.hosted.exlibrisgroup.com:443/BIBSYS:default_scope:BIBSYS_ILS71491487680002201, correct?

@Mvolz, can you tell me the version of node.js and the url module that are currently deployed? My hypothesis is that the url.parse is incorrectly parsing the URL.

Oh, and to answer your question, @Mvolz, explicit port specification is allowed. It is access to localhost and private IP address ranges that is disallowed.

jeblad added a comment.Apr 27 2016, 1:31 AM

Yes, I got the correct page.
Attached the source of the page.

bibsys.html85 KBDownload

mobrovac subscribed.Apr 27 2016, 12:17 PM

There are two problems here for the URL https://bibsys-almaprimo.hosted.exlibrisgroup.com:443/BIBSYS:default_scope:BIBSYS_ILS71491487680002201:

  1. Citoid seems to disregard the protocol in the URL and puts http instead, which results in it querying http://bibsys-almaprimo.hosted.exlibrisgroup.com:443/BIBSYS:default_scope:BIBSYS_ILS71491487680002201
  2. The underlying library Citoid is using for issuing external requests does not strip the port off of the hostname, which results in it setting the header host: 'bibsys-almaprimo.hosted.exlibrisgroup.com:443. As such, it is rejected by the server (likely because of the SSL certificate name mismatch).

As you've found yourself, @jeblad, the workaround is to strip it manually from the URL being fed to Citoid, but the problem surely needs a proper fix.

Mvolz removed a project: Security-General.Apr 27 2016, 12:22 PM
Mvolz removed a subscriber: dpatrick.
Jdforrester-WMF set the point value for this task to 0.Apr 28 2016, 1:21 AM
Danmichaelo subscribed.EditedMay 14 2016, 9:06 PM

It can be reproduced with curl as well:

curl -I -L https://bibsys-almaprimo.hosted.exlibrisgroup.com:443/BIBSYS:default_scope:BIBSYS_ILS71521654120002201 \
   -H 'Host: bibsys-almaprimo.hosted.exlibrisgroup.com:443'

It's very odd indeed to have a https url redirect to http and then back to https. I will also complain to Bibsys about this.

Mvolz moved this task from Backlog to IO Tasks on the Citoid board.Jul 29 2016, 3:03 PM
Jdforrester-WMF moved this task from TR0: Interrupt to External and Administrivia on the VisualEditor board.Aug 9 2016, 7:34 PM
Mvolz moved this task from IO Tasks to Service on the Citoid board.Oct 28 2016, 3:13 PM
jeblad added a comment.Feb 20 2017, 10:49 AM

The example https://bibsys-almaprimo.hosted.exlibrisgroup.com:443/BIBSYS:default_scope:BIBSYS_ILS71491487680002201 seems to work now? Can anyone else confirm that this is in fact solved?

jeblad added a comment.EditedJun 29 2017, 10:52 PM

Seems like this works now?

First reference on the newly created wikipage is a random example from Oria.no while the second reference is the initially posted failing reference.

As the failing reference used as an example in the initial post now works I will close this task.

jeblad closed this task as Resolved.Jun 29 2017, 10:58 PM
Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptJun 29 2017, 10:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL