Page MenuHomePhabricator

Search exceptions handling prints response information on the screen
Closed, ResolvedPublic

Description

Example query.

Result:

obrazek.png (900×1 px, 280 KB)

obrazek.png (796×1 px, 133 KB)

[XHK55ApAICkAAC9ap@kAAAAM] 2019-02-24 15:37:04: Kritická výjimka typu „WMFTimeoutException“

Tagging as Vuln-Infoleak in case the response information may contain sensitive data.

Event Timeline

As can be easily understood by "WMFTimeoutException", this happens upon reaching the timeout of 60 seconds. No idea about why info is printed on the screen though.

Cannot reproduce the problem with the given URL. Instead I get an error message properly displayed:
Při hledání došlo k chybě: Kvůli dočasnému problému jsme nemohli provést požadované vyhledávání. Zkuste to znovu později.
(An error has occurred while searching: We could not complete your search due to a temporary problem. Please try again later. )

For the records, XHK55ApAICkAAC9ap@kAAAAM is the execution time limit of 60 seconds was exceeded.

Cannot reproduce the problem with the given URL. Instead I get an error message properly displayed:

I was going to say it's due to PHP7, given that the exception happened with PHP 7.2, but I cannot reproduce it either with PHP7 enabled.

Cannot reproduce the problem with the given URL. Instead I get an error message properly displayed:
Při hledání došlo k chybě: Kvůli dočasnému problému jsme nemohli provést požadované vyhledávání. Zkuste to znovu později.
(An error has occurred while searching: We could not complete your search due to a temporary problem. Please try again later. )

Yes, this is the "expected" warning and I do get it when logged out. But I can still reproduce the problem under my account.

I cannot reproduce it either with PHP7 enabled.

Thanks for reminding me this information is missing: I do have PHP7 enabled.

Soooo... I tried again and managed to reproduce it. The first obstacle I found is that somehow my first try was using HHVM (according to Logstash) despite PHP7 being enabled. So I disabled and re-enabled PHP7 and tried again. This time, the search succeeded but warned me that only partial results were available. Trying for the third time finally produced the error. I can also see that sort of JSON-encoded object being echoed. At a quick glance I cannot see any private info in there, but we'd better make it disappear...

related: T216860

Also there is a guarantee of no private information in there, everything in that response can be requested through the api directly using the cirrusdoc property.

The timeout problem was fixed by T216860 but I have no clue what cause the response from elastic to be displayed on site...

debt triaged this task as High priority.Feb 28 2019, 6:08 PM
debt moved this task from needs triage to elastic / cirrus on the Discovery-Search board.
debt subscribed.

We'll take a look

Could it be caused by display_errors being set to true in INI settings? (T211488)

That could potentially be related to display_errors. I'll see if I can hack something up in beta cluster to use a tiny timeout and reproduce the error

I can force the client to timeout, but I can't seem to reproduce the problem with displaying the response on screen. It seems plausible that display_errors was the problem, and is now fixed. I'm willing to call this complete and we can re-open if it is seen again.

debt claimed this task.