Page MenuHomePhabricator
Create Task
Maniphest T208950

User Input can cause fatal error in ValidateFeeController
Closed, ResolvedPublic
Actions

Description

It appears like certain user input can cause PHP to throw a fatal error on FundraisingFrontend:

[07-Nov-2018 15:30:53 Europe/Berlin] PHP Fatal error:  Uncaught TypeError: Argument 1 passed to WMDE\Euro\Euro::__construct() must be of the type integer, float given, called in /usr/share/nginx/www/spenden.wikimedia.de/release-20181101181039/vendor/wmde/euro/src/Euro.php on line 62 and defined in /usr/share/nginx/www/spenden.wikimedia.de/release-20181101181039/vendor/wmde/euro/src/Euro.php:24
Stack trace:
#0 /usr/share/nginx/www/spenden.wikimedia.de/release-20181101181039/vendor/wmde/euro/src/Euro.php(62): WMDE\Euro\Euro->__construct(9.2233720368548E+20)
#1 /usr/share/nginx/www/spenden.wikimedia.de/release-20181101181039/app/Controllers/ValidateFeeController.php(50): WMDE\Euro\Euro::newFromString('111111111111111...')
#2 /usr/share/nginx/www/spenden.wikimedia.de/release-20181101181039/app/Controllers/ValidateFeeController.php(25): WMDE\Fundraising\Frontend\App\Controllers\ValidateFeeController->euroFromRequest(Object(Symfony\Component\HttpFoundation\Request))
#3 /usr/share/nginx/www/spenden.wikimedia.de/release-20181101181039/vendor/symfony/http-kernel/HttpKerne in /usr/share/nginx/www/spenden.wikimedia.de/release-20181101181039/vendor/wmde/euro/src/Euro.php on line 24

Taken from php-errors.log on production.

Note: This happened during the cat17 vs 10h16 skin test, it could be that the issue is somewhere in 10h16 but I have not looked into this at all at the time of writing this.

Related Objects

Event Timeline

Tim_WMDE created this task.Nov 7 2018, 2:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 7 2018, 2:57 PM
Tim_WMDE updated the task description. (Show Details)Nov 7 2018, 3:01 PM
Tim_WMDE mentioned this in T208168: Observe server performance during performance test.Nov 7 2018, 4:26 PM
gabriel-wmde subscribed.Nov 26 2018, 4:41 PM

Regardless if our frontend validation catches this or not - this is an oversight in our Euro class. It should check the string length or the data type after conversion. Also, we need to define the maximum amount the Euro class can handle. Probably PHP_INT_MAX since we're using integers internally. But since PHP_INT_MAX is platform-specifiy maybe we should come up with our own number that is maximally compatible.

JeroenDeDauw subscribed.EditedJan 17 2019, 5:45 PM

https://github.com/wmde/Euro/pull/9

kai.nissen closed this task as Resolved.Jan 13 2020, 4:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL