Page MenuHomePhabricator

Prevent use of known buggy versions of PHP (that are greater than the minimum supported PHP version) (7.4.0 – 7.4.8, and 7.3.0 - 7.3.18)
Closed, ResolvedPublic

Description

After T243667: Cannot log in when username contains spaces in PHP 7.4: "wrong username or password", we should prevent PHP 7.4.2 from being used somehow... Because 7.4.2 is >= minimum (7.2.22), it's valid, but we know it's pretty broken...

It might be beneficial having some more generic way of doing this in MW as these bugs happen. We did previously have a PHP Bug Tester, but that was removed as all fixes were before out minimum version

Obviously when we bump our min PHP version to 7.4, we can set >= 7.4.3 (or higher), but in the meantime, MW pretends it's a workable version

Event Timeline

A simple fix could be just to append supported/unsupported behind the php version listed on Special:Version

@Hadykuzalala: You've assigned this task to yourself, do you plan to work on it? If not, please remove yourself as assignee (via Add Action...Assign / Claim in the dropdown menu).

Aklapper removed a subscriber: Hadykuzalala.
thiemowmde renamed this task from Blacklist of newer PHP versions to Blocklisting of newer PHP versions that have been patched already.Feb 25 2021, 10:43 AM

Change 659970 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@master] PHPVersionCheck: Complain about known-bad versions above minimum

https://gerrit.wikimedia.org/r/659970

Change 659970 merged by jenkins-bot:
[mediawiki/core@master] PHPVersionCheck: Complain about known-bad versions above minimum

https://gerrit.wikimedia.org/r/659970

Change 666700 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_35] PHPVersionCheck: Complain about known-bad versions above minimum

https://gerrit.wikimedia.org/r/666700

aaron renamed this task from Blocklisting of newer PHP versions that have been patched already to Blacklisting of newer PHP versions that have been patched already.Feb 25 2021, 10:37 PM

Um @aaron... why are you changing the title back to blacklisting?

Change 667000 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_31] PHPVersionCheck: Complain about known-bad versions above minimum

https://gerrit.wikimedia.org/r/667000

Change 667000 abandoned by Reedy:
[mediawiki/core@REL1_31] PHPVersionCheck: Complain about known-bad versions above minimum

Reason:

https://gerrit.wikimedia.org/r/667000

Change 666700 merged by jenkins-bot:
[mediawiki/core@REL1_35] PHPVersionCheck: Complain about known-bad versions above minimum

https://gerrit.wikimedia.org/r/666700

Would it be possible to avoid introducing this blacklisting of PHP versions in minor release 1.35.2?

It is going to break at least some actually used installs such as OSM Wiki.

previous discussion was in https://phabricator.wikimedia.org/T270228#6865721 and https://github.com/openstreetmap/operations/issues/511

Um @aaron... why are you changing the title back to blacklisting?

What is "blocklisting"? In any case the title is still confusing now. Should it say "not been patched already"?

https://en.wikipedia.org/wiki/Blacklist_(computing)

In computing, a blacklist, blocklist or denylist is a basic access control mechanism that allows through all elements (email addresses, users, passwords, URLs, IP addresses, domain names, file hashes, etc.), except those explicitly mentioned.

It's a synonym.

While I agree the title probably isn't the best, the use of "blacklist" etc should generally be avoided too, so just reverting it isn't the most helpful. See T254646: Reconsidering how we name things more generally.

Reedy renamed this task from Blacklisting of newer PHP versions that have been patched already to Prevent use of known buggy versions of PHP (that are greater than the minimum supported PHP version).Feb 26 2021, 11:09 PM

This PHP restriction is completely breaking MediaWiki installation on Ubuntu 20.04 (focal) since that currently has PHP 7.4.3 in its repo. Fortunately, I have a version of MW downloaded from Feb 8, so I can use that, but this patch prevents upgrading MediaWiki as long as Ubuntu doesn't have a new enough version of PHP.

Relevant:

Indeed, odd that they haven't shipped php 7.4.9 or higher to focal (LTS) yet. Upstream PHP is at 7.4.15 meanwhile. I'd expect a supported LTS to keep up better than this.

Compare to Debian (https://packages.debian.org/bullseye/php7.4) which is, as one would expect, at 7.4.15 for both of the releases channels that contain php74 packages.

Aklapper renamed this task from Prevent use of known buggy versions of PHP (that are greater than the minimum supported PHP version) to Prevent use of known buggy versions of PHP (that are greater than the minimum supported PHP version) (7.4.0 – 7.4.8, and 7.3.0 - 7.3.18).Mar 7 2021, 11:08 AM
Aklapper removed a project: Patch-For-Review.

[Comment only about Ubuntu:]
With regard to providing newer official PHP 7.4 versions for Ubuntu 20.04, feel free to post a question to Ubuntu in their Ubuntu forums.
Workaround: Ubuntu users who are fine with using PPAs can find recent PHP versions at https://launchpad.net/~ondrej/+ppa-packages / http://ppa.launchpad.net/ondrej/php/ubuntu/pool/main/p/ as long as Ubuntu main does not ship updates to its users...

Change 670340 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/core@REL1_35] Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8

https://gerrit.wikimedia.org/r/670340

Change 670340 abandoned by Jforrester:
[mediawiki/core@REL1_35] Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8

Reason:
We fixed this otherwise.

https://gerrit.wikimedia.org/r/670340

Change 670340 restored by Reedy:
[mediawiki/core@REL1_35] Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8

https://gerrit.wikimedia.org/r/670340

Change 670340 merged by jenkins-bot:
[mediawiki/core@REL1_35] Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8

https://gerrit.wikimedia.org/r/670340

Reedy assigned this task to Jdforrester-WMF.
Reedy removed a project: Patch-For-Review.