Page MenuHomePhabricator
Create Task
Maniphest T258347

This response cannot be represented using "format=php"
Closed, DeclinedPublic
Actions

Description

To reproduce:

Hit this URL: https://commons.wikimedia.org/w/api.php?list=allimages&ailimit=250&action=query&aistart=20200717070102&aiend=20200717235959&aisort=timestamp&aidir=newer&aiprop=user|sha1|size|dimensions|mime|timestamp|comment|metadata&aicontinue=20200717124915|Janela_em_parede_de_Xisto.jpg&continue=-||&format=php&servedby=&requestid=1034731822:

The resulting response:

a:3:{s:5:"error";a:3:{s:4:"code";s:13:"internalerror";s:4:"info";s:101:"This response cannot be represented using "format=php". See https://phabricator.wikimedia.org/T68776.";s:1:"*";s:243:"See https://commons.wikimedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes.";}s:9:"requestid";s:10:"1034731822";s:8:"servedby";s:6:"mw1343";}

It works if I try the same request in JSON (link: https://commons.wikimedia.org/w/api.php?list=allimages&ailimit=250&action=query&aistart=20200717070102&aiend=20200717235959&aisort=timestamp&aidir=newer&aiprop=user|sha1|size|dimensions|mime|timestamp|comment|metadata&aicontinue=20200717124915|Janela_em_parede_de_Xisto.jpg&continue=-||&servedby=&requestid=1034731822).

Related Objects

Event Timeline

Magog_the_Ogre created this task.Jul 19 2020, 1:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 19 2020, 1:31 PM
Magog_the_Ogre updated the task description. (Show Details)Jul 19 2020, 1:31 PM
Aklapper edited projects, added MediaWiki-Action-API; removed ApiFeatureUsage.Jul 19 2020, 1:36 PM

(Unrelated to https://www.mediawiki.org/wiki/Extension:ApiFeatureUsage hence removing project tag)

Response says: This response cannot be represented using "format=php". See https://phabricator.wikimedia.org/T68776.

Restricted Application added a project: Platform Engineering. · View Herald TranscriptJul 19 2020, 1:36 PM
Magog_the_Ogre added a comment.Jul 19 2020, 3:37 PM

Apologies if the fix is something on my end (e.g., a header or parameter). I read the other phabricator ticket and didn't see a workaround on my end.

eprodromou triaged this task as Lowest priority.Jul 21 2020, 8:25 PM
eprodromou edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.
eprodromou subscribed.

OK, this seems to be a CORS error using the PHP output format. Since there's a relatively easy workaround (use JSON), we'll take a look but it's unlikely to be a high priority.

eprodromou moved this task from Inbox to Later on the Platform Team Workboards (Clinic Duty Team) board.Jul 21 2020, 8:25 PM
AMooney edited projects, added Platform Engineering (Icebox); removed Platform Team Workboards (Clinic Duty Team), MediaWiki-Action-API.Aug 12 2020, 5:19 PM
Aklapper added a project: MediaWiki-Action-API.Aug 12 2020, 6:08 PM
Aklapper added a subscriber: AMooney.

@AMooney: Assuming that "Set projects" was accidentally used instead of "Add projects", hence restoring some previous project tags.

Krinkle closed this task as Declined.Apr 2 2021, 7:54 PM
Krinkle subscribed.

"This response cannot be represented using "format=php". See https://phabricator.wikimedia.org/T68776 […]

This message comes from the apierror-formatphp interface message, and a codesearch on MW PHP files shows this is only used in one file ApiFormatPhp.php, for the purpose of disallowing responses that would contain <cross-domain-policy.

The Commons file-metadata API request from @Magog_the_Ogre, when accessed using JSON, can be seen to contain the following meta data:

"value": "\u2022\n\nThe SWF movie opens a socket to the attacker […] At this point, DNS rebinding appears\nbecause the attacker responds with the IP address of the target server\n[3].\n<?xml version=\"1.0\"?>\n\u003Ccross-domain-policy>\n<allow-access-from domain=\"*\" to-ports=\"*\" />\n</cross-domain-policy>\n\nTable 2.\n\nVulnerable Adobe Flash Player policy file"

This is an excerpt of the File:DNS_rebinding_attacks_(IA_dnsrebindingttac109454560).pdf on Commons, which talks about the very issue this API error is protecting the user from. This is working as expected. It cannot be safely represented in format=php, which is why one needs to use a different API format to access it.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL