Page MenuHomePhabricator

PHP Warning "headers already sent" from MediaWiki::preOutputCommit during SpecialCentralAutoLogin
Closed, ResolvedPublic

Description

Error

Request URL: GET enwiki /wiki/Special:CentralAutoLogin/setCookies?type=script&return=1&returnto= … &proto=https
Request ID: XQDBUApAICsAAIyT-aMAAAAB

message
PHP Warning: Cannot modify header information - headers already sent by (output started at /srv/mediawiki/php-1.34.0-wmf.8/extensions/CentralAuth/includes/specials/SpecialCentralAutoLogin.php:649)
trace
#1 /srv/mediawiki/php-1.34.0-wmf.8/includes/WebResponse.php(72): header(string, boolean)
#2 /srv/mediawiki/php-1.34.0-wmf.8/includes/MediaWiki.php(672): WebResponse->header(string)
#3 /srv/mediawiki/php-1.34.0-wmf.8/includes/MediaWiki.php(566): MediaWiki::preOutputCommit(RequestContext, Closure)
#4 /srv/mediawiki/php-1.34.0-wmf.8/includes/MediaWiki.php(881): MediaWiki->doPreOutputCommit(Closure)
#5 /srv/mediawiki/php-1.34.0-wmf.8/includes/MediaWiki.php(515): MediaWiki->main()
#6 /srv/mediawiki/php-1.34.0-wmf.8/index.php(42): MediaWiki->run()
#7 /srv/mediawiki/w/index.php(3): require(string)

Impact

The application explicitly tries to add an HTTP response header, but PHP is silently rejecting this attempt because other code in the same process had already started the response body and thus it cannot send response headers any more.

The request continues as if the header was output, without awareness that this operation was skipped. This means anything that relies on this header being present might be confused, corrupted, or become stale without automatic recovery.

Notes

Details

Related Gerrit Patches:

Event Timeline

Krinkle created this task.Jun 12 2019, 6:21 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 12 2019, 6:21 PM

It seems some code in MediaWiki::preOutputCommit that relates to headers is already aware that special pages and other end points are currently allowed to handle their own response (such as Special:Export and Special:CentralAutoLogin do, via OutputPage::disable), and have handling for scenarios where headers are already sent.

However, the following three features do not account for this and currently get silently ignored by PHP, resulting in the above warning:

  1. The UseDC and UseCDNCache cookies.
  2. The X-Database-Lagged: true header.
  3. The X-Response-Substitute: true header.

The sample in the task description is from X-Database-Lagged: true.

Gilles assigned this task to aaron.Jun 17 2019, 8:12 PM
Gilles moved this task from Inbox to Doing on the Performance-Team board.

Change 517617 had a related patch set uploaded (by Aaron Schulz; owner: Aaron Schulz):
[mediawiki/core@master] Various cleanups to MediaWiki::preOutputCommit

https://gerrit.wikimedia.org/r/517617

Change 517617 merged by jenkins-bot:
[mediawiki/core@master] Various cleanups to MediaWiki::preOutputCommit

https://gerrit.wikimedia.org/r/517617

aaron closed this task as Resolved.Jun 19 2019, 11:27 AM
mmodell changed the subtype of this task from "Task" to "Production Error".Aug 28 2019, 11:06 PM