PHP Warning: preg_match(): Compilation failed: two named subpatterns have the same name at offset 62
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Description

Error

MediaWiki version: 1.35.0-wmf.1

message

PHP Warning: preg_match(): Compilation failed: two named subpatterns have the same name at offset 62

Impact

Notes

Details

Request ID: XaJqMwpAICoAAHe-eQwAAAAH
Request URL: /wiki/Wikimedia_Taiwan/wiki/index.php5/$1

Stack Trace

exception.trace

#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /includes/PathRouter.php(311): preg_match(string, string, NULL)
#2 /includes/PathRouter.php(285): PathRouter::extractTitle(string, stdClass)
#3 /includes/PathRouter.php(260): PathRouter->internalParse(string)
#4 /includes/WebRequest.php(205): PathRouter->parse(string)
#5 /includes/WebRequest.php(361): WebRequest::getPathInfo(string)
#6 /includes/Setup.php(780): WebRequest->interpolateTitle()
#7 /includes/WebStart.php(81): require_once(string)
#8 /index.php(41): require(string)
#9 /srv/mediawiki/w/index.php(3): require(string)
#10 {main}

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Stop using SCRIPT_NAME where possible, rely on statically configured routing	mediawiki/core	master	+79 -44

Customize query in gerrit

Related Objects

Mentioned In: T266619: $relPath is false inside thumb_handler.php
T248947: img_auth.php may leak private extension images into the public cache (CVE-2020-15005)
Mentioned Here: T34486: WebRequest::getPathInfo() broken in img_auth.php on DreamHost
rMWae1d5aefbf45: Update img_auth.php and WebRequest code to handle non index.php scripts like…

Event Timeline

Krinkle created this task.Oct 13 2019, 12:29 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 13 2019, 12:29 AM

Quick glance:

The wgArticlePath is configured as /wiki/$1 which means anything after /wiki/ that isn't a query string, should be considered as the page title. And titles like "My_$1_coin" should (and generally, do) work fine.
The PathRouterTest cases also cover this case.
In PathRouter::extractTitle the code correctly uses preg_quote() to escape the configured router path, and never embeds or substitutes the user input URL into the regex pattern (Good).

Some ad-hoc debugging on mwdebug1002 from this function reveals it tries three configured router paths:

PathRouter::extractTitle
 path = /wiki/Wikimedia_Taiwan/wiki/index.php5/$1  pattern=/wiki/$1  SCRIPT_NAME=/wiki/Wikimedia_Taiwan/wiki/index.php5/$1

PathRouter::extractTitle:
 path = /wiki/Wikimedia_Taiwan/wiki/index.php5/$1  pattern=/w/index.php/$1  SCRIPT_NAME=/wiki/Wikimedia_Taiwan/wiki/index.php5/$1

PathRouter::extractTitle:
 path = /wiki/Wikimedia_Taiwan/wiki/index.php5/$1  pattern=/wiki/Wikimedia_Taiwan/wiki/index.php5/$1/$1  SCRIPT_NAME=/wiki/Wikimedia_Taiwan/wiki/index.php5/$1

This last one is the likely cause and appears to be due to something also feeding the url as router path, which seems bad. And worse, it doesn't escape it in any way.

I imagine this might also explain why requests for static.php are calling this path, and more over, trying to match for a /w/static.php/$1 path which definitely isn't meant to happen, e.g. from https://meta.wikimedia.org/w/skins/Vector/images/arrow-down.svg

PathRouter::extractTitle:
 path = /w/skins/Vector/images/arrow-down.svg  pattern=/wiki/$1  SCRIPT_NAME=/w/static.php

PathRouter::extractTitle:
 path = /w/skins/Vector/images/arrow-down.svg  pattern=/w/index.php/$1  SCRIPT_NAME=/w/static.php

PathRouter::extractTitle:
 path = /w/skins/Vector/images/arrow-down.svg  pattern=/w/static.php/$1  SCRIPT_NAME=/w/static.php

In T235357#5570557, @Krinkle wrote:

path = /wiki/Wikimedia_Taiwan/wiki/index.php5/$1  pattern=/wiki/$1  SCRIPT_NAME=/wiki/Wikimedia_Taiwan/wiki/index.php5/$1

That seems wrong. $_SERVER['SCRIPT_NAME'] is supposed to be the current script's path, without the pathinfo part.

I imagine this might also explain why requests for static.php are calling this path, and more over, trying to match for a /w/static.php/$1 path which definitely isn't meant to happen, e.g. from https://meta.wikimedia.org/w/skins/Vector/images/arrow-down.svg

It seems that's intentional in WebRequest's code.

if ( isset( $_SERVER['SCRIPT_NAME'] )
    && strpos( $_SERVER['SCRIPT_NAME'], '.php' ) !== false
) {
    // Check for SCRIPT_NAME, we handle index.php explicitly
    // But we do have some other .php files such as img_auth.php
    // Don't let root article paths clober the parsing for them
    $router->add( $_SERVER['SCRIPT_NAME'] . "/$1" );
}

That was added in rMWae1d5aefbf45: Update img_auth.php and WebRequest code to handle non index.php scripts like…, which mentions T34486: WebRequest::getPathInfo() broken in img_auth.php on DreamHost.

Anomie moved this task from Inbox to Triage Meeting Inbox on the Platform Engineering board.Oct 15 2019, 3:01 PM

daniel edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.Oct 15 2019, 8:13 PM

Krinkle moved this task from Untriaged to Oct2019/1.35.wmf.1+ on the Wikimedia-production-error board.Oct 19 2019, 9:13 PM

Anomie merged a task: T236839: PathRouter: preg_match(): Compilation failed: two named subpatterns have the same name.Oct 30 2019, 3:35 PM

Anomie added a subscriber: brennen.

daniel triaged this task as High priority.Nov 11 2019, 8:06 PM

• WDoranWMF moved this task from Inbox to Backlog on the Platform Team Workboards (Clinic Duty Team) board.Dec 2 2019, 5:41 PM

brennen added a project: User-brennen.Jan 7 2020, 7:27 PM

brennen moved this task from Backlog to Logs/Train on the User-brennen board.

xSavitar merged a task: T242859: PHP Warning: preg_match(): Compilation failed: two named subpatterns have the same name at offset 62.Jan 19 2020, 4:50 PM

xSavitar subscribed.

@D3r1ck01 - just for clarity, are you still proposing 565762: PathRouter: Allow duplicate names for subpatterns in RegEx as a fix for this one?

At change 565762 @brennen wrote:

[…] this seems like it might obscure some other underlying issue, […]

I believe you're right. The regular expression seems fine. One URL to MediaWiki can only have 1 primary title, extracted from one $-placeholder in the url path-pattern. The code that consumes the result is not prepared to handle an array of multiple values, and there can't be any way to process such array, since that is fundmantally is how MediaWiki works.

The fact that we concatenate two strings and accidentally create another "$1" pattern is an accident. The solution will need to be in preventing that problem from reaching the regular expression (higher level, the input to the regex). The solution cannot be to let the problem sink deeper (lower level, the regex).

In T235357#5830353, @brennen wrote:

@D3r1ck01 - just for clarity, are you still proposing 565762: PathRouter: Allow duplicate names for subpatterns in RegEx as a fix for this one?

Yes! I saw a review you left, anything needed from my end ATM?

I note that something like this just happend in group1 for 1.35.0-wmf.22:

2020-03-04T17:07:19 on metawiki
url /wiki/Wikimedia_Taiwan/wiki/index.php5/$1
unique id Xl-gRwpAICEAAAVeBEIAAAEY

https://logstash.wikimedia.org/app/kibana#/doc/logstash-*/logstash-deploy-2020.03.04/mediawiki?id=AXCmhCNgarkxubcm-g_o&_g=h@44136fa should be a direct link.

• LarsWirzenius unsubscribed.Mar 9 2020, 2:36 PM

• holger.knust moved this task from Backlog to Later on the Platform Team Workboards (Clinic Duty Team) board.Mar 30 2020, 2:48 PM

tstarling claimed this task.Mar 30 2020, 10:56 PM

In T235357#5575583, @Anomie wrote:
In T235357#5570557, @Krinkle wrote:
path = /wiki/Wikimedia_Taiwan/wiki/index.php5/$1  pattern=/wiki/$1  SCRIPT_NAME=/wiki/Wikimedia_Taiwan/wiki/index.php5/$1
That seems wrong. $_SERVER['SCRIPT_NAME'] is supposed to be the current script's path, without the pathinfo part.

I can reproduce this locally. PATH_INFO is not set, so SCRIPT_NAME just gets set to the same thing as REQUEST_URI. In ap_add_cgi_vars(), if r->path_info is set, the URI is split and SCRIPT_NAME receives the first part of the path, but it's not set.

mod_proxy_fcgi has some code for setting PATH_INFO, depending on the proxy-fcgi-pathinfo environment variable, but this code is not used when mod_proxy_fcgi is invoked via SetHandler. The proxy_fcgi_canon hook is never called.

Note that SCRIPT_NAME is the pre-rewrite URL, it does not even include the script name. Pretty much every usage of SCRIPT_NAME in core is broken by this.

Change 584817 had a related patch set uploaded (by Tim Starling; owner: Tim Starling):
[mediawiki/core@master] Stop using SCRIPT_NAME where possible, rely on statically configured routing

https://gerrit.wikimedia.org/r/584817

gerritbot added a project: Patch-For-Review.Mar 31 2020, 5:51 AM

tstarling mentioned this in T248947: img_auth.php may leak private extension images into the public cache (CVE-2020-15005).Mar 31 2020, 6:24 AM

Nikerabbit merged a task: T190146: PHP Warning when viewing a page whose name contains $1.Mar 31 2020, 7:13 AM

Nikerabbit added subscribers: Nikerabbit, gerritbot, KartikMistry, Reedy.

Change 584817 merged by jenkins-bot:
[mediawiki/core@master] Stop using SCRIPT_NAME where possible, rely on statically configured routing

https://gerrit.wikimedia.org/r/584817

Anomie closed this task as Resolved.Apr 1 2020, 4:51 PM

DannyS712 removed a project: Patch-For-Review.Apr 1 2020, 4:56 PM

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.27; 2020-04-07).Apr 1 2020, 5:00 PM

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM

Paladox added a subtask: T266619: $relPath is false inside thumb_handler.php.Oct 27 2020, 10:33 PM