Page MenuHomePhabricator
Create Task
Maniphest T143610

UploadBase::detectScript() is executed for partially uploaded files (verifyPartialFile()), not only complete ones (verifyFile()) which it expects, causing false positives
Open, LowPublic
Actions

Description

UploadBase::detectScript() is executed for partially uploaded files (verifyPartialFile()), not only complete ones (verifyFile()). However, it expects to only work with complete files (e.g. it checks the first two bytes to determine UTF-16 endianness, and some other checks).

This means that the checks meant to run only on first 1 KB of the file, or first 256 KB, etc., in fact run for the first x KB of every uploaded chunk, accidentally checking things in the middle of large files.

Here's an example file that falsely fails with 'uploadscripted' when every 5 MB chunk is checked, but passes when uploaded in one large chunk:

31.tif24 MBDownload
(~25 MB TIFF file, source). The easiest way to reproduce is to try uploading the file with UploadWizard, which uses 5 MB chunked uploads. The cause is the presence of the string '<PrE' at offset 10332876 within the file.

Even if an individual chunk of a file was nefarious, only the uploader is able to access stashed uploads (including chunked ones), so allowing them is not a security vulnerability.

Note that this is not a security issue – it can only cause false positives (file upload prevented for good files), never false negatives (file upload allowed for bad files). I am tagging Security since it's security-relevant code, and because I would like the explanation above and the patch carefully reviewed from the security perspective.

(Originally reported at https://commons.wikimedia.org/wiki/Commons:Upload_help#.22Internal_error:_Server_failed_to_store_temporary_file..22_.28uploadscripted.29.)

Details

SubjectRepoBranchLines +/-
upload: Allow disabling of per-chunk file verification during chunked uploadmediawiki/coremaster+32 -0
UploadBase: Move detectScript() call from verifyPartialFile() to verifyFile()mediawiki/coremaster+3 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

matmarex created this task.Aug 22 2016, 8:58 PM
Restricted Application added a project: Multimedia. · View Herald TranscriptAug 22 2016, 8:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot subscribed.Aug 22 2016, 8:58 PM

Change 306057 had a related patch set uploaded (by Bartosz Dziewoński):
UploadBase: Move detectScript() call from verifyPartialFile() to verifyFile()

https://gerrit.wikimedia.org/r/306057

Restricted Application added a subscriber: Matanya. · View Herald TranscriptAug 22 2016, 8:58 PM
gerritbot added a project: Patch-For-Review.Aug 22 2016, 8:58 PM
matmarex updated the task description. (Show Details)Aug 22 2016, 9:13 PM
Restricted Application added a project: Internet-Archive. · View Herald TranscriptAug 22 2016, 9:13 PM
matmarex claimed this task.Aug 22 2016, 9:29 PM
matmarex removed a project: Internet-Archive.
matmarex triaged this task as Medium priority.Aug 22 2016, 9:53 PM
Bawolff subscribed.Aug 22 2016, 10:24 PM

I'm not sure how confident I am that other users really can't view stash. In current WMF config, its possible to be able to view thumbnails of stashed files by other users, and I imagine third parties would be less locked down.

matmarex added a comment.Sep 4 2016, 8:02 AM
In T143610#2573853, @Bawolff wrote:

I'm not sure how confident I am that other users really can't view stash. In current WMF config, its possible to be able to view thumbnails of stashed files by other users, and I imagine third parties would be less locked down.

Right, but that's a bug, see T130436. Vanilla MediaWiki with all default settings (other than file upload enabled) correctly prevents viewing them (although it's possible to accidentally break this, see T144176).

matmarex added subtasks: Restricted Task, Restricted Task.Sep 4 2016, 8:03 AM
gerritbot added a comment.Oct 1 2016, 8:51 AM

Change 306057 abandoned by Bartosz Dziewoński:
UploadBase: Move detectScript() call from verifyPartialFile() to verifyFile()

https://gerrit.wikimedia.org/r/306057

matmarex removed matmarex as the assignee of this task.Oct 1 2016, 8:51 AM
matmarex lowered the priority of this task from Medium to Low.
matmarex removed a project: Patch-For-Review.

Since the blocker tasks would require some work from WMF Operations before this change could go live on Wikimedia sites, and I have no power over them to make them prioritize it, this goes on the back burner. Frankly it's a low-severity issue and I can't justify to myself bugging people about it.

MarkTraceur moved this task from Untriaged to Tracking on the Multimedia board.Nov 30 2016, 7:21 PM
matmarex mentioned this in T147720: Non transcluded variable in stashfailed error message.Dec 13 2016, 12:05 PM
matmarex added a comment.Dec 13 2016, 12:41 PM

Example file that fails with 'filetype-bad-ie-mime' in the same manner: https://commons.wikimedia.org/wiki/File:Fotografi,_katedral_i_Salamanca_-_Hallwylska_museet_-_107303.tif

Lokal_Profil awarded a token.EditedDec 13 2016, 4:04 PM
Lokal_Profil subscribed.

I have ~125 tif files on a disk which all fail due to this. The ones <100 MB I can re-upload un-chunked (which is a pain but works sooner or later) but anything bigger is completely blocked by this bug (different chunk sizes haven't solved it for me either although I could of course go on experimenting).

zhuyifei1999 mentioned this in T182264: IE content analyzer is executed on non-first chunks during chunk uploading, preventing legitimate uploads.Dec 7 2017, 5:49 AM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
TheDJ subscribed.Mar 21 2023, 1:56 PM

@matmarex can you add me to the subtasks so that I can read them ?

matmarex added a comment.Mar 21 2023, 4:58 PM

Sure, done.

gerritbot added a comment.Feb 8 2024, 5:16 AM

Change 998655 had a related patch set uploaded (by Maddog; author: Maddog):

[mediawiki/core@master] upload: Allow disabling of per-chunk file verification during chunked upload

https://gerrit.wikimedia.org/r/998655

gerritbot added a project: Patch-For-Review.Feb 8 2024, 5:16 AM
mdoggydog subscribed.Feb 8 2024, 6:26 AM

I've just submitted a patch that (in my opinion) solves this issue in a pretty practical way: it provides a configuration parameter to allow a site to skip trying to apply any file verification to the individual chunks of a chunked upload. This way, a site admin can decide for themselves if the checks improve security on their site, and how that improvement weighs against the problems caused by the checks. (E.g., in my case, with a site that serves in part as a document archive, the false positives are simply unacceptable.)

Bawolff added a comment.Feb 8 2024, 8:50 PM

Is this just about the checks for internet explorer 6? That seems so far past relavence that we should just remove them.

mdoggydog added a comment.Feb 8 2024, 9:12 PM
In T143610#9527018, @Bawolff wrote:

Is this just about the checks for internet explorer 6? ...

No --- there are still false positive rejections of uploads (due to detectScript(), etc) even with VerifyMimeTypeIE turned off. (Turning off the IE6 bits does reduce the incidence of false positives, in my experience, but does not eliminate them.)

The current verify-each-chunk behavior also results in attempting to extract metadata from each and every chunk. As elaborated in my commit message:

Attempting to verify chunks taken from the middle of files also causes
non-sensical behavior. When uploading a PDF file, the verification checks
call MediaHandler::getSizeAndMetadataWithFallback(), and for a PDF this
invokes executing an external program, pdfinfo, via a firejail sandbox.
In a chunked upload, pdfinfo is spawned for *every single chunk* and every
one of those calls fails anyway, because pdfinfo is being fed an incomplete
PDF file or random gibberish taken from the middle of a PDF file. Uploading
a 10MB PDF file will result in 10 pointless executions of pdfinfo (which
also requires copying the chunks into temporary sandbox directories).

Being able to simply turn off the verify-each-chunk behavior mostly eliminates that, too.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL