Page MenuHomePhabricator
Create Task
Maniphest T272123

Merging to MediaWiki/extensions/CentralAuth is blocked
Closed, ResolvedPublic
Actions

Description

See https://integration.wikimedia.org/ci/job/mwext-php72-phan-docker/91675/console

includes/specials/SpecialMultiLock.php:344 SecurityCheck-XSS Calling method \OutputPage::addHTML() in \SpecialMultiLock::showUserTable that outputs using tainted argument #1 ($rowtext). (Caused by: Builtin-\OutputPage::addHTML)

Details

SubjectRepoBranchLines +/-
Fix phan errors?mediawiki/extensions/CentralAuthmaster+8 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

RhinosF1 triaged this task as Unbreak Now! priority.Jan 15 2021, 8:29 AM
RhinosF1 created this task.

Master of a deployed extension

Aklapper added a subscriber: DannyS712.Jan 15 2021, 8:38 AM

Output mentions userList and showUserTable; showUserTable is only in /includes/specials/SpecialMultiLock.php and the last change touching that file was the one-liner in rECAUe088712c76686107caa2af201ce596fbe960e9e4 . No idea if related but giving a heads-up to @DannyS712.

(Also, T247428: Improve caused-by lines as seen for GlobalBlocking comes to my mind.)

taavi subscribed.Jan 15 2021, 8:40 AM
DannyS712 added a subscriber: Daimona.Jan 15 2021, 8:42 AM
In T272123#6750437, @Aklapper wrote:

Output mentions userList and showUserTable; showUserTable is only in /includes/specials/SpecialMultiLock.php and the last change touching that file was the one-liner in rECAUe088712c76686107caa2af201ce596fbe960e9e4 . No idea if related but giving a heads-up to @DannyS712.

Wasn't me, wasn't related, but thanks for the heads up

@Daimona might know more - was there a core change that could have triggered this? I don't see anything recent

RhinosF1 added a comment.Jan 15 2021, 8:55 AM

I managed to get the failure on a blank patch too https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/656297 so I'm not insane and it is 100% master already.

gerritbot added a comment.Jan 15 2021, 9:08 AM

Change 656298 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[mediawiki/extensions/CentralAuth@master] Fix phan errors?

https://gerrit.wikimedia.org/r/656298

gerritbot added a project: Patch-For-Review.Jan 15 2021, 9:08 AM
DannyS712 claimed this task.Jan 15 2021, 10:08 AM
DannyS712 lowered the priority of this task from Unbreak Now! to High.
Restricted Application added a project: User-DannyS712. · View Herald TranscriptJan 15 2021, 10:08 AM
DannyS712 moved this task from Unsorted to Awaiting review and deployment on the User-DannyS712 board.Jan 15 2021, 10:08 AM
DannyS712 mentioned this in T272134: Follow-up to T272123: check if the errors are valid.Jan 15 2021, 10:16 AM
gerritbot added a comment.Jan 15 2021, 10:40 AM

Change 656298 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] Fix phan errors?

https://gerrit.wikimedia.org/r/656298

RhinosF1 added a comment.Jan 15 2021, 10:42 AM

Thanks everyone! Looks to be working now.

DannyS712 closed this task as Resolved.Jan 15 2021, 10:49 AM
DannyS712 edited projects, added ci-test-error (WMF-deployed Build Failure); removed Patch-For-Review, ci-test-error.
ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.27; 2021-01-19).Jan 15 2021, 11:00 AM
Daimona added a comment.Jan 15 2021, 1:14 PM

Yeah, unrelated changes can cause new errors, this is fairly common in static analysis. Taint-check is specifically vulnerable to this because the result depends on the order in which source files are analyzed (due to how method dependencies are tracked). I'm investigating the errors and will report in the follow-up task.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL