
Usernames in HHVM info output
Closed, Invalid · Public

Description

Unclear if this is a security issue, or if the data that's being dumped by HHVM is just non-public; filing as a security issue initially to be on the safe side.

I have been seeing in the logs recently (I can definitely confirm I've seen it for both 1.29.0-wmf.16 and 1.29.0-wmf.17) HHVM info-level messages that seem to just be a dump of usernames. Here is an example of one error: https://logstash.wikimedia.org/app/kibana#/doc/logstash-*/logstash-2017.03.23/hhvm/?id=AVr8w9atWOR5i8Oux1cj (around that time period there are many; the message is always unique -- it's a list of usernames -- so it's a bit difficult to point to a specific message in logstash).

Unsure who to tag about this. Tentatively adding @Tgr @Anomie @Legoktm since they're the login system pros.

Event Timeline

I get an HTTP 502 for that link.

https://logstash.wikimedia.org/app/kibana#/doc/logstash-*/logstash-2017.03.23/hhvm/?id=AVr8w9atWOR5i8Oux1cj is an example. I doubt much can be done about this as long as our hhvm logging is as poor as it is now. See T157396: HHVM fills logstash with junk (due to not handling multiline errors?) most of all but there are a bunch of smaller issues about errors that could be handled elsewhere ending up in HHVM (with no trace information) instead.

In general there is nothing secret about usernames, anyone can list them (except oversighted / globally locked ones). Also a list of usernames is almost certainly unrelated to authentication code. More likely Special:AllPages on the user namespace or something like that, resulting in a huge SQL query which causes an error which gets split up due to line length limits.

I concur with @Tgr. While odd/alarming, this doesn't seem like a security issue. But thanks for exercising caution @thcipriani.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)". Sep 21 2017, 1:27 AM

I made the task public based on T161242#3138352.

Let's also close it, there is nothing to do here and the problems with logging are already captured in other tickets.