Maniphest T201628

Cannot edit subpages on third-party wiki, probably due to percent-encoding of URIs
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• Whatamidoing-WMF
	Aug 9 2018, 4:45 PM

Description

User:Prh47bridge reports at https://www.mediawiki.org/wiki/Topic:Ufpmahlnfqo7jgbw that it is not possible to edit subpages at their wiki. URLs containing Page%2FSubpage and Page/Subpage seem to be treated differently (and neither of them seem to be entirely correct).

There is much more information, including potentially useful information from logs, in the origianl post at mw.org.

Event Timeline

• Whatamidoing-WMF created this task.Aug 9 2018, 4:45 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 9 2018, 4:45 PM

The symptoms described by the user seems to suggest there is a problem in the Apache config of the site. Asked them to paste their configs here.

Apache config is below. I've taken out a few directory names but left the name of my site. Looking at it, I'm wondering if the problem is the order of the directives. Note that adding nocanon to ProxyPass was an attempt to fix the problem. It doesn't seem to have made any difference.

DocumentRoot /.../festipedia
ServerName www.festipedia.org.uk
ServerAlias *.festipedia.org.uk festipedia.org.uk festipedia.uk *.festipedia.uk

Alias /awstatsclasses/ /usr/share/java/awstats/
Alias /awstats-icon/ /usr/share/awstats/icon/
ScriptAlias /awstats/ /usr/lib/cgi-bin/

Alias /cacti "/usr/share/cacti/site"

Alias /wiki "/.../festipedia/w/index.php"

This is to permit URL access to stuff needed for awstats.

<Directory /usr/share/awstats/icon>
Options None
AllowOverride None
Require all granted
</Directory>

<Directory /usr/share/java/awstats>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>

And the same again for Cacti

<Directory "/usr/share/cacti/site">
Options None
AllowOverride None
Require all granted
</Directory>

<Directory "/.../festipedia">
Require all granted

RewriteEngine On
RewriteBase /

SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

Redirect / to Main Page

RewriteRule ^/*$ %{DOCUMENT_ROOT}/w/index.php [L]

require non-empty HOST header

RewriteCond %{HTTP_HOST} !^$

require case-insensitive HOST to be www.festipedia.org.uk

RewriteCond %{HTTP_HOST} !^www.festipedia.org.uk$ [NC]

301 redirect everything to correct www.festipedia.org.uk

RewriteRule ^(.*)$ https://www.festipedia.org.uk/$1 [R=301,L]

Redirect /statistics to /awstats/awstats.pl

RewriteRule ^statistics/?$ https://www.festipedia.org.uk/awstats/awstats.pl [R=301,L]
</Directory>

Plug an XSS vulnerability for old IE clients

RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase]
RewriteRule . - [forbidden]
</Directory>

Expose the REST API at /api/rest_v1

ProxyPass /api/rest_v1/ http://localhost:7231/www.festipedia.org.uk/v1/ nocanon

CustomLog /var/log/apache2/festipedia.access.log "combined"
LogLevel emerg

SSLEngine on
SSLProtocol all
SSLCertificateFile /.../certs/festipedia.crt
SSLCertificateKeyFile /.../certs/newprivate.key
SSLCACertificateFile /.../intermediate.crt

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

• mobrovac added a project: Platform Team Legacy (Later).Dec 20 2018, 12:16 PM

• Deskana renamed this task from Cannot edit subpages, probably due to percent-encoding of URIs to Cannot edit subpages on third-party wiki, probably due to percent-encoding of URIs.Mar 19 2019, 10:57 AM

JTannerWMF moved this task from To Triage to Freezer on the VisualEditor board.Mar 27 2019, 6:14 PM

WDoranWMF edited projects, added Platform Team Workboards (Clinic Duty Team), Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)); removed Platform Team Legacy (Later), Services (next).Jul 10 2019, 6:36 PM

Please reopen if this is still occurring.

No-one has suggested any fixes and the issue is still occurring on my site.

WDoranWMF removed a project: Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)).Aug 13 2019, 7:02 PM

daniel moved this task from Inbox to Backlog on the Platform Team Workboards (Clinic Duty Team) board.Oct 8 2019, 9:57 AM

• AMooney changed the task status from Open to Stalled.Mar 12 2020, 1:22 PM

• AMooney edited projects, added Platform Engineering; removed Platform Team Workboards (Clinic Duty Team).

WDoranWMF moved this task from Inbox to Icebox on the Platform Engineering board.Mar 12 2020, 1:32 PM

WDoranWMF edited projects, added Platform Engineering (Icebox); removed Platform Engineering.Mar 23 2020, 2:04 PM

I've now found the problem by turning on debug logging in Apache. There is no problem in the code. The issue is the documentation.

To make this work correctly, you need the directive:

AllowEncodedSlashes NoDecode

in your Apache config or it will simply give a 404 error for any urls with encoded slashes.

You also need to add nocanon to the ProxyPass directive otherwise Apache will encode the % character, which results in the request being rejected.

See my comment on Apr 27 2020 re Apache configuration. I have updated the documentation.

Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptAug 24 2020, 2:50 PM

Cannot edit subpages on third-party wiki, probably due to percent-encoding of URIsClosed, ResolvedPublicActions