Page MenuHomePhabricator

Cannot log in when username contains spaces in PHP 7.4: "wrong username or password"
Closed, ResolvedPublic

Description

ПродуктВерсия
MediaWiki1.31.6 (c168a3f) 20:28, 19 декабря 2019
PHP7.4.2 (fpm-fcgi)
MariaDB10.3.21-MariaDB-1:10.3.21+maria~disco-log
ICU64.2
LuaSandbox3.0.3
Lua5.1.5
LilyPond2.18.2

In PHP 7.4 a bug was fixed: Bug #78929, plus signs in cookie values are converted to spaces.

Now, I cannot login under a username consisting of two words. One-word usernames still work. The login screen displays the username with a plus sign instead of the space.

If I keep it, login fails with "wrong username or password". If I replace it with a space, I am redirected to the page version shown to anonymous users, and my subsequent edits are anonymous. The cookies for user name and user ID are set correctly. The debug log says:

…
User: cache miss for user 22
…
 User: loading options for user 22 from database
…
Session "ecd5g7rtb2mnckj8mg5tben39blchujn" requested with mismatched UserID and UserName cookies.
…
[session] SessionBackend "834q3173a0ovtdfqocreua0pq447su39" is unsaved, marking dirty in constructor
[session] SessionBackend "834q3173a0ovtdfqocreua0pq447su39" save: dataDirty=1 metaDirty=1 forcePersist=0
[cookie] setcookie: "…_session", "", "1548417355", "/", "", "", "1"
[cookie] setcookie: "…UserID", "", "1548417355", "/", "", "", "1"
[cookie] already deleted setcookie: "…Token", "", "1548417355", "/", "", "", "1"
[cookie] already deleted setcookie: "forceHTTPS", "", "1548417355", "/", "", "", "1"
…

LocalSettings.php:

$wgSessionCacheType = CACHE_DB;

php.ini:

session.save_handler = files
session.save_path = "/var/cache/session"

I have managed to temporarily fix the issue by wrapping $this->getCookie( $request, 'UserName', $prefix ) in CookieSessionProvider::getUserInfoFromCookies () with urldecode ().

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 25 2020, 12:14 PM
alex-mashin updated the task description. (Show Details)Jan 25 2020, 12:16 PM
Anomie added a subscriber: Anomie.

In PHP 7.4 a bug was fixed: Bug #78929, plus signs in cookie values are converted to spaces.

Looks like that introduced a new bug because they didn't change setcookie() to match. Filed that upstream as https://bugs.php.net/bug.php?id=79174.

Anomie closed this task as Resolved.Jan 28 2020, 5:37 PM

Resolved upstream. If you're using PHP 7.4, upgrade to 7.4.3 or later.

Aklapper renamed this task from Spaces in logins under PHP 7.4 to Cannot log in when username contains spaces in PHP 7.4: "wrong username or password".Jan 30 2020, 3:45 PM
Florian added a subscriber: Florian.
Rainer_Klute reopened this task as Open.Feb 20 2020, 7:08 PM
Rainer_Klute added a subscriber: Rainer_Klute.

Arrrgh! I just upgraded from PHP 7.4.1 to 7.4.3 – and that bug is back again!

BTW, I am running MediaWiki 1.34.0.

Rainer_Klute closed this task as Resolved.Feb 20 2020, 7:22 PM
Rainer_Klute claimed this task.

False alert, sorry! It worked on a second try. Probably my cookies were still broken from a previous login. Phew!