Page MenuHomePhabricator
Create Task
Maniphest T182209

[Clonable] Cast block start to int in maintenance SQL
Closed, ResolvedPublic
Actions

Description

There is an experimental security checker script that is currently
being worked on. It is getting confused by some of the SQL paging queries
in various maitenance scripts.

In order to help the script out, cast the $from, $to, $start and $end type
variables to ints before putting them into the SQL snippet.

For example, if you have

$res = $db->select(
	'ipblocks',
	[ 'ipb_user' ],
	[   
		"ipb_user >= $from",
		"ipb_user <= $to",
	],  
	__METHOD__,
	...
);

where $from and $to are integers that denote what part we are currently on, replace
them with

$res = $db->select(
	'ipblocks',
	[ 'ipb_user' ],
	[   
		"ipb_user >= " . (int)$from,
		"ipb_user <= " . (int)$to,
	],  
	__METHOD__,
	...
);

Similarly for BETWEEN conditions.

$cond = "page_id BETWEEN $blockStart AND $blockEnd";

Needs to be changed to

$cond = "page_id BETWEEN " . (int)$blockStart . " AND " . (int)$blockEnd;

You should of course only do this for the numeric range conditions. Other things in the query should not have this done to them.

Things that need replacing:

  • maintenance/cleanupBlocks.php:54
  • maintenance/cleanupBlocks.php:126
  • maintenance/migrateUserGroup.php:63
  • maintenance/migrateUserGroup.php:75
  • maintenance/migrateUserGroup.php:87
  • maintenance/orphans.php:202 (Specificly, $row->page_id needs to be cast)
  • maintenance/populateBacklinkNamespace.php:70
  • maintenance/populateIpChanges.php:87
  • maintenance/populateLogSearch.php:79
  • maintenance/populateLogUsertext.php:67
  • maintenance/populateRecentChangesSource.php:63
  • maintenance/populateRevisionSha1.php:96
  • maintenance/rebuildFileCache.php:107
  • maintenance/recountCategories.php:159 (For this one, cast $row->count, but only in the WHERE condition, not in the SET clause)
  • maintenance/updateRestrictions.php:62

Details

SubjectRepoBranchLines +/-
Cast block start to int in maintenace SQLmediawiki/coremaster+21 -19
Customize query in gerrit

Event Timeline

Bawolff created this task.Dec 6 2017, 4:47 PM
Restricted Application added subscribers: TerraCodes, Aklapper. · View Herald TranscriptDec 6 2017, 4:47 PM
Bawolff moved this task from Proposed tasks to Imported in GCI Site on the Google-Code-in-2017 board.Dec 6 2017, 6:55 PM
nikitavbv claimed this task.Dec 8 2017, 7:10 PM
nikitavbv subscribed.

This should be easy to change. I will work on it.

gerritbot subscribed.Dec 8 2017, 7:36 PM

Change 396450 had a related patch set uploaded (by Phantom42; owner: Phantom42):
[mediawiki/core@master] Cast block start to int in maintenace SQL

https://gerrit.wikimedia.org/r/396450

gerritbot added a project: Patch-For-Review.Dec 8 2017, 7:36 PM
Bawolff closed this task as Resolved.Dec 8 2017, 8:36 PM
gerritbot added a comment.Dec 8 2017, 8:42 PM

Change 396450 merged by jenkins-bot:
[mediawiki/core@master] Cast block start to int in maintenace SQL

https://gerrit.wikimedia.org/r/396450

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)).Dec 8 2017, 9:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL