Page MenuHomePhabricator
Create Task
Maniphest T247531

SpecialMWOAuthManageMyGrants: Call to a member function getConsumerKey() on boolean
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Description

Request URL: https://meta.wikimedia.org/wiki/Special:OAuthManageMyGrants/update/289952

reqId: Xmo6YQpAAD8AAF05gegAAAEP

Error Message
[{exception_id}] {exception_url} Error from line 95 of /srv/mediawiki/php-1.35.0-wmf.23/extensions/OAuth/includes/frontend/specialpages/SpecialMWOAuthManageMyGrants.php: Call to a member function getConsumerKey() on boolean
#0 /srv/mediawiki/php-1.35.0-wmf.23/extensions/OAuth/includes/frontend/specialpages/SpecialMWOAuthManageMyGrants.php(78): MediaWiki\Extensions\OAuth\SpecialMWOAuthManageMyGrants->addSubtitleLinks(string)
#1 /srv/mediawiki/php-1.35.0-wmf.23/includes/specialpage/SpecialPage.php(575): MediaWiki\Extensions\OAuth\SpecialMWOAuthManageMyGrants->execute(string)
#2 /srv/mediawiki/php-1.35.0-wmf.23/includes/specialpage/SpecialPageFactory.php(621): SpecialPage->run(string)
#3 /srv/mediawiki/php-1.35.0-wmf.23/includes/MediaWiki.php(299): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)
#4 /srv/mediawiki/php-1.35.0-wmf.23/includes/MediaWiki.php(972): MediaWiki->performRequest()
#5 /srv/mediawiki/php-1.35.0-wmf.23/includes/MediaWiki.php(535): MediaWiki->main()
#6 /srv/mediawiki/php-1.35.0-wmf.23/index.php(47): MediaWiki->run()
#7 /srv/mediawiki/w/index.php(3): require(string)
#8 {main}

Notes: 4 of these in wmf.23. Reporting as a security issue because OAuth.

Similar to T147414?

Details

Author Affiliation
WMF Technology
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Get consumerKey from 'consumerId' not from 'acceptanceId'mediawiki/extensions/OAuthwmf/1.35.0-wmf.24+9 -6
Get consumerKey from 'consumerId' not from 'acceptanceId'mediawiki/extensions/OAuthmaster+9 -6
Customize query in gerrit

Related Objects

Event Timeline

brennen created this task.Mar 12 2020, 3:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 12 2020, 3:36 PM
brennen added subscribers: Anomie, Tgr.Mar 12 2020, 3:42 PM

cc: @Tgr, @Anomie per that earlier ticket.

Tgr added a comment.Mar 12 2020, 6:48 PM

This is just some HTML rendering failing, not a security issue.

Tgr added a comment.Mar 12 2020, 6:51 PM

...but I have no idea how to turn the task into a normal bug report.

This was caused by rEOAU8750ffba62b2: OAuth: Add navigation links to special pages (part two). Not entirely sure how; maybe replag (although that would require some really fast clicking), or we have some consumer acceptance record without a consumer (which would be concerning, but still not really a security issue).

sbassett triaged this task as High priority.Mar 12 2020, 6:52 PM
sbassett removed projects: Security, Security-Team.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett subscribed.
In T247531#5965198, @Tgr wrote:

...but I have no idea how to turn the task into a normal bug report.

Hopefully that fixes things?

Reedy added a project: MediaWiki-extensions-OAuth.Mar 12 2020, 6:54 PM
Aklapper changed the subtype of this task from "Security Issue" to "Task".Mar 12 2020, 6:57 PM
Ammarpad subscribed.EditedMar 13 2020, 8:36 AM
In T247531#5965198, @Tgr wrote:

... or we have some consumer acceptance record without a consumer (which would be concerning, but still not really a security issue).

That seems unlikely to me, otherwise it will not be happening for (amost) all apps.

gerritbot added a comment.Mar 13 2020, 11:38 AM

Change 579530 had a related patch set uploaded (by Ammarpad; owner: Ammarpad):
[mediawiki/extensions/OAuth@master] Get consumerKey from 'consumerId' not from 'accessId'

https://gerrit.wikimedia.org/r/579530

Ammarpad moved this task from Backlog to Needs Review on the MediaWiki-extensions-OAuth board.Mar 13 2020, 3:04 PM
Base subscribed.Mar 15 2020, 11:01 PM
Ammarpad claimed this task.Mar 16 2020, 4:37 PM
Ammarpad merged a task: T247767: 'Fatal exception of type Error' when trying to manage access to OAuth consumers.
Ammarpad changed the subtype of this task from "Task" to "Production Error".
Ammarpad added a subscriber: Pppery.
gerritbot added a comment.Mar 17 2020, 11:12 PM

Change 579530 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Get consumerKey from 'consumerId' not from 'acceptanceId'

https://gerrit.wikimedia.org/r/579530

Pppery unsubscribed.Mar 17 2020, 11:24 PM
Tgr closed this task as Resolved.Mar 18 2020, 2:04 PM

Thanks @Ammarpad!

matmarex merged a task: T248114: Internal error when trying to revoke OAuth consumer.Mar 19 2020, 5:55 PM
matmarex added subscribers: Tacsipacsi, matmarex.
Jdforrester-WMF added a project: MW-1.35-notes (1.35.0-wmf.25; 2020-03-24).Mar 19 2020, 9:28 PM
Ammarpad merged a task: T248142: Unable to update or revoke grant for disabled oauth tool.Mar 20 2020, 7:04 AM
Ammarpad added a subscriber: DannyS712.
Tacsipacsi added a comment.Mar 20 2020, 8:49 AM

Given the number of reports and the severity of the issue, is it possible to deploy the patch everywhere on Monday via SWAT instead of via the train?

DannyS712 reopened this task as Open.Mar 20 2020, 8:54 AM
DannyS712 added a project: MediaWiki-backport-deployments.
In T247531#5986239, @Tacsipacsi wrote:

Given the number of reports and the severity of the issue, is it possible to deploy the patch everywhere on Monday via SWAT instead of via the train?

Tagging MediaWiki-backport-deployments and reopening since there is more to be done
https://wikitech.wikimedia.org/wiki/Deployments doesn't currently list anything past Thursday, March 19, 23:00–00:00 UTC

Ammarpad closed this task as Resolved.Mar 20 2020, 9:13 AM

The bug in this task is resolved. Whether it's deployed to production or when that's done, is a separate issue. If the bug persists after deployment then we can call it not resolved.

DannyS712 removed a project: MediaWiki-backport-deployments.Mar 20 2020, 9:21 AM
Tacsipacsi added a subscriber: thcipriani.Mar 20 2020, 9:25 AM

The last two weeks’ tables were created by @thcipriani, maybe he can tell us a bit more.

Ammarpad merged a task: T248284: On Special:OAuthManageMyGrants, "manage access" leads to Fatal exception.Mar 23 2020, 5:30 AM
Ammarpad added a subscriber: Yair_rand.
gerritbot added a comment.Mar 23 2020, 8:15 AM

Change 582768 had a related patch set uploaded (by Gergő Tisza; owner: Ammarpad):
[mediawiki/extensions/OAuth@wmf/1.35.0-wmf.24] Get consumerKey from 'consumerId' not from 'acceptanceId'

https://gerrit.wikimedia.org/r/582768

gerritbot added a comment.Mar 23 2020, 11:30 AM

Change 582768 merged by jenkins-bot:
[mediawiki/extensions/OAuth@wmf/1.35.0-wmf.24] Get consumerKey from 'consumerId' not from 'acceptanceId'

https://gerrit.wikimedia.org/r/582768

Stashbot added a comment.Mar 23 2020, 11:41 AM

Mentioned in SAL (#wikimedia-operations) [2020-03-23T11:41:24Z] <tgr@deploy1001> Synchronized php-1.35.0-wmf.24/extensions/OAuth/includes/frontend/specialpages/SpecialMWOAuthManageMyGrants.php: SWAT: [[gerrit:582768|Get consumerKey from consumerId not from acceptanceId (T247531)]] (duration: 01m 01s)

Jdforrester-WMF edited projects, added MW-1.35-notes (1.35.0-wmf.24; 2020-03-17); removed MW-1.35-notes (1.35.0-wmf.25; 2020-03-24).Mar 23 2020, 8:16 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM
A_smart_kitten mentioned this in T391779: Is the #MediaWiki-backport-deployments project desired (& if so, how should it be used)?.Apr 15 2025, 11:05 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits