Page MenuHomePhabricator

SpecialMWOAuthManageMyGrants: Call to a member function getConsumerKey() on boolean
Closed, ResolvedPublicPRODUCTION ERROR

Description

Request URL: https://meta.wikimedia.org/wiki/Special:OAuthManageMyGrants/update/289952

reqId: Xmo6YQpAAD8AAF05gegAAAEP

Error Message
[{exception_id}] {exception_url} Error from line 95 of /srv/mediawiki/php-1.35.0-wmf.23/extensions/OAuth/includes/frontend/specialpages/SpecialMWOAuthManageMyGrants.php: Call to a member function getConsumerKey() on boolean
#0 /srv/mediawiki/php-1.35.0-wmf.23/extensions/OAuth/includes/frontend/specialpages/SpecialMWOAuthManageMyGrants.php(78): MediaWiki\Extensions\OAuth\SpecialMWOAuthManageMyGrants->addSubtitleLinks(string)
#1 /srv/mediawiki/php-1.35.0-wmf.23/includes/specialpage/SpecialPage.php(575): MediaWiki\Extensions\OAuth\SpecialMWOAuthManageMyGrants->execute(string)
#2 /srv/mediawiki/php-1.35.0-wmf.23/includes/specialpage/SpecialPageFactory.php(621): SpecialPage->run(string)
#3 /srv/mediawiki/php-1.35.0-wmf.23/includes/MediaWiki.php(299): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)
#4 /srv/mediawiki/php-1.35.0-wmf.23/includes/MediaWiki.php(972): MediaWiki->performRequest()
#5 /srv/mediawiki/php-1.35.0-wmf.23/includes/MediaWiki.php(535): MediaWiki->main()
#6 /srv/mediawiki/php-1.35.0-wmf.23/index.php(47): MediaWiki->run()
#7 /srv/mediawiki/w/index.php(3): require(string)
#8 {main}

Notes: 4 of these in wmf.23. Reporting as a security issue because OAuth.

Similar to T147414?

Event Timeline

This is just some HTML rendering failing, not a security issue.

...but I have no idea how to turn the task into a normal bug report.

This was caused by rEOAU8750ffba62b2: OAuth: Add navigation links to special pages (part two). Not entirely sure how; maybe replag (although that would require some really fast clicking), or we have some consumer acceptance record without a consumer (which would be concerning, but still not really a security issue).

sbassett removed projects: Security, Security-Team.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett added a subscriber: sbassett.

...but I have no idea how to turn the task into a normal bug report.

Hopefully that fixes things?

Aklapper changed the subtype of this task from "Security Issue" to "Task".Mar 12 2020, 6:57 PM

... or we have some consumer acceptance record without a consumer (which would be concerning, but still not really a security issue).

That seems unlikely to me, otherwise it will not be happening for (amost) all apps.

Change 579530 had a related patch set uploaded (by Ammarpad; owner: Ammarpad):
[mediawiki/extensions/OAuth@master] Get consumerKey from 'consumerId' not from 'accessId'

https://gerrit.wikimedia.org/r/579530

Ammarpad changed the subtype of this task from "Task" to "Production Error".
Ammarpad added a subscriber: Pppery.

Change 579530 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Get consumerKey from 'consumerId' not from 'acceptanceId'

https://gerrit.wikimedia.org/r/579530

Given the number of reports and the severity of the issue, is it possible to deploy the patch everywhere on Monday via SWAT instead of via the train?

Given the number of reports and the severity of the issue, is it possible to deploy the patch everywhere on Monday via SWAT instead of via the train?

Tagging MediaWiki-backport-deployments and reopening since there is more to be done
https://wikitech.wikimedia.org/wiki/Deployments doesn't currently list anything past Thursday, March 19, 23:00–00:00 UTC

The bug in this task is resolved. Whether it's deployed to production or when that's done, is a separate issue. If the bug persists after deployment then we can call it not resolved.

The last two weeks’ tables were created by @thcipriani, maybe he can tell us a bit more.

Change 582768 had a related patch set uploaded (by Gergő Tisza; owner: Ammarpad):
[mediawiki/extensions/OAuth@wmf/1.35.0-wmf.24] Get consumerKey from 'consumerId' not from 'acceptanceId'

https://gerrit.wikimedia.org/r/582768

Change 582768 merged by jenkins-bot:
[mediawiki/extensions/OAuth@wmf/1.35.0-wmf.24] Get consumerKey from 'consumerId' not from 'acceptanceId'

https://gerrit.wikimedia.org/r/582768

Mentioned in SAL (#wikimedia-operations) [2020-03-23T11:41:24Z] <tgr@deploy1001> Synchronized php-1.35.0-wmf.24/extensions/OAuth/includes/frontend/specialpages/SpecialMWOAuthManageMyGrants.php: SWAT: [[gerrit:582768|Get consumerKey from consumerId not from acceptanceId (T247531)]] (duration: 01m 01s)