
Deprecated cross-wiki access to User. Expected: 'eswiki', Actual: the local wiki. Pass expected $wikiId. [Called from User::getId]
Closed, Duplicate | Public | Security

Description

Error

MediaWiki version: 1.36.0-wmf.34

message
Deprecated cross-wiki access to User. Expected: 'eswiki', Actual: the local wiki. Pass expected $wikiId. [Called from User::getId]

Impact

No visible user-facing impact, as far as I can tell. Results in logspam.

Notes

One of these in the last ~4 hours.

Details

Request ID
YFJF4jLbOUereZ@Gtbsu8wAAAE0
Request URL
https://meta.wikimedia.org/w/index.php?title=Special:CentralAuth&target=[username]
Stack Trace
exception.trace
from /srv/mediawiki/php-1.36.0-wmf.34/includes/user/User.php(2068)
#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, string, array)
#1 /srv/mediawiki/php-1.36.0-wmf.34/includes/debug/MWDebug.php(376): trigger_error(string, integer)
#2 /srv/mediawiki/php-1.36.0-wmf.34/includes/debug/MWDebug.php(352): MWDebug::sendRawDeprecated(string, boolean, string)
#3 /srv/mediawiki/php-1.36.0-wmf.34/includes/GlobalFunctions.php(1068): MWDebug::deprecatedMsg(string, string, string, integer)
#4 /srv/mediawiki/php-1.36.0-wmf.34/includes/dao/WikiAwareEntityTrait.php(78): wfDeprecatedMsg(string, string)
#5 /srv/mediawiki/php-1.36.0-wmf.34/includes/user/User.php(2068): User->deprecateInvalidCrossWiki(string, string)
#6 /srv/mediawiki/php-1.36.0-wmf.34/includes/user/ActorStore.php(431): User->getId(string)
#7 /srv/mediawiki/php-1.36.0-wmf.34/includes/ActorMigration.php(326): MediaWiki\User\ActorStore->acquireActorId(User, Wikimedia\Rdbms\DBConnRef)
#8 /srv/mediawiki/php-1.36.0-wmf.34/includes/block/DatabaseBlockStore.php(379): ActorMigration->getInsertValues(Wikimedia\Rdbms\DBConnRef, string, User)
#9 /srv/mediawiki/php-1.36.0-wmf.34/includes/block/DatabaseBlockStore.php(165): MediaWiki\Block\DatabaseBlockStore->getArrayForDatabaseBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#10 /srv/mediawiki/php-1.36.0-wmf.34/includes/block/DatabaseBlock.php(499): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#11 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/CentralAuthUser.php(1950): MediaWiki\Block\DatabaseBlock->insert(Wikimedia\Rdbms\DBConnRef)
#12 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/CentralAuthUser.php(1881): CentralAuthUser->doLocalSuppression(boolean, string, string, string)
#13 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/CentralAuthUser.php(1859): CentralAuthUser->doCrosswikiSuppression(boolean, string, string)
#14 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/CentralAuthUser.php(1810): CentralAuthUser->suppress(string, string)
#15 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(245): CentralAuthUser->adminLockHide(boolean, string, string, RequestContext)
#16 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(143): SpecialCentralAuth->doSubmit()
#17 /srv/mediawiki/php-1.36.0-wmf.34/includes/specialpage/SpecialPage.php(646): SpecialCentralAuth->execute(NULL)
#18 /srv/mediawiki/php-1.36.0-wmf.34/includes/specialpage/SpecialPageFactory.php(1375): SpecialPage->run(NULL)
#19 /srv/mediawiki/php-1.36.0-wmf.34/includes/MediaWiki.php(309): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)
#20 /srv/mediawiki/php-1.36.0-wmf.34/includes/MediaWiki.php(925): MediaWiki->performRequest()
#21 /srv/mediawiki/php-1.36.0-wmf.34/includes/MediaWiki.php(547): MediaWiki->main()
#22 /srv/mediawiki/php-1.36.0-wmf.34/index.php(53): MediaWiki->run()
#23 /srv/mediawiki/php-1.36.0-wmf.34/index.php(46): wfIndexMain()
#24 /srv/mediawiki/w/index.php(3): require(string)
#25 {main}

Event Timeline

Change 668736 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/core@master] Make DatabaseBlock::$blocker a UserIdentity

https://gerrit.wikimedia.org/r/668736

Ok, I see what's going on... Sneaky CentralAuth trying to pass around a cross-wiki user as a User object... The patch above will not fix it right away, but is a necessary step before we can resolve this one.

Heads up: this is the code path that caused T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869).

The warnings we are now seeing are highlighting the original cause of that issue: using User objects to represent a user on another wiki. The patch above is designed to allow us to instead use a UserIdentity bound to the correct wiki.
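
A simplified model of the failure mode described in the comment above, added here as an illustration and not taken from MediaWiki or CentralAuth: user IDs are only meaningful on the wiki that issued them, so an identity object that records its wiki can refuse to hand its ID to a write aimed at another wiki. The class, the function, the actor tables and all IDs and names are constructed for this example; unlike the deprecation warning in the trace, this model fails closed.

```php
<?php
declare(strict_types=1);
// Simplified model (PHP 8.0+), not MediaWiki code. All names and IDs are constructed.
const LOCAL = false; // stands for "the wiki handling the request"

final class WikiBoundIdentity {
    /** @param string|false $wikiId wiki whose user table $id belongs to */
    public function __construct(
        private int $id,
        private string $name,
        private string|false $wikiId = LOCAL
    ) {}

    /** Return the user ID only if the caller names the wiki it is valid on. */
    public function getId( string|false $wikiId = LOCAL ): int {
        if ( $wikiId !== $this->wikiId ) {
            // The version on this page logs a deprecation; this model throws instead.
            throw new DomainException( sprintf(
                'cross-wiki access: expected %s, actual %s',
                var_export( $wikiId, true ), var_export( $this->wikiId, true )
            ) );
        }
        return $this->id;
    }
}

// Constructed per-wiki actor tables: user ID => actor name. IDs are per wiki.
$actorTables = [
    'metawiki' => [ 7 => 'ExampleSteward' ],
    'eswiki'   => [ 7 => 'UnrelatedUser', 1503 => 'ExampleSteward' ],
];

/** Resolve the actor a block row written to $dbWiki would be attributed to. */
function blockerActorOn( string $dbWiki, WikiBoundIdentity $blocker, array $tables ): string {
    return $tables[$dbWiki][ $blocker->getId( $dbWiki ) ];
}

// Unsafe pattern: the request runs on metawiki and the local ID is reused on eswiki.
$localId = ( new WikiBoundIdentity( 7, 'ExampleSteward' ) )->getId();
echo "raw ID reuse on eswiki -> ", $actorTables['eswiki'][$localId], "\n";

// A local identity handed to a write on another wiki is rejected.
try {
    blockerActorOn( 'eswiki', new WikiBoundIdentity( 7, 'ExampleSteward' ), $actorTables );
} catch ( DomainException $e ) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// An identity built for the target wiki resolves to the intended actor.
$remote = new WikiBoundIdentity( 1503, 'ExampleSteward', 'eswiki' );
echo "bound identity on eswiki -> ", blockerActorOn( 'eswiki', $remote, $actorTables ), "\n";
```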

Change 673076 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/extensions/CentralAuth@master] [Untested, DNM yet] Cross-wiki block should pass correct wiki blocker

https://gerrit.wikimedia.org/r/673076

Change 668736 merged by jenkins-bot:
[mediawiki/core@master] Make DatabaseBlock::$blocker a UserIdentity

https://gerrit.wikimedia.org/r/668736

Still hitting this on php-1.36.0-wmf.36, two instances in the last 8 hours (JJ3HaHgBg_6mGHGhWcbD and 9x3HaHgBfVMx58vqV92i). The stack trace shows UserIdentity instead of User, but still the wrong wiki ID:

Deprecated cross-wiki access to MediaWiki\User\UserIdentityValue. Expected: 'enwiki', Actual: the local wiki. Pass expected $wikiId. [Called from MediaWiki\User\UserIdentityValue::getId]

from /srv/mediawiki/php-1.36.0-wmf.36/includes/user/UserIdentityValue.php(98)
#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, string, array)
#1 /srv/mediawiki/php-1.36.0-wmf.36/includes/debug/MWDebug.php(376): trigger_error(string, integer)
#2 /srv/mediawiki/php-1.36.0-wmf.36/includes/debug/MWDebug.php(352): MWDebug::sendRawDeprecated(string, boolean, string)
#3 /srv/mediawiki/php-1.36.0-wmf.36/includes/GlobalFunctions.php(1068): MWDebug::deprecatedMsg(string, string, string, integer)
#4 /srv/mediawiki/php-1.36.0-wmf.36/includes/dao/WikiAwareEntityTrait.php(78): wfDeprecatedMsg(string, string)
#5 /srv/mediawiki/php-1.36.0-wmf.36/includes/user/UserIdentityValue.php(98): MediaWiki\User\UserIdentityValue->deprecateInvalidCrossWiki(string, string)
#6 /srv/mediawiki/php-1.36.0-wmf.36/includes/user/ActorStore.php(489): MediaWiki\User\UserIdentityValue->getId(string)
#7 /srv/mediawiki/php-1.36.0-wmf.36/includes/ActorMigration.php(319): MediaWiki\User\ActorStore->acquireActorId(MediaWiki\User\UserIdentityValue, Wikimedia\Rdbms\DBConnRef)
#8 /srv/mediawiki/php-1.36.0-wmf.36/includes/block/DatabaseBlockStore.php(379): ActorMigration->getInsertValues(Wikimedia\Rdbms\DBConnRef, string, MediaWiki\User\UserIdentityValue)
#9 /srv/mediawiki/php-1.36.0-wmf.36/includes/block/DatabaseBlockStore.php(165): MediaWiki\Block\DatabaseBlockStore->getArrayForDatabaseBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#10 /srv/mediawiki/php-1.36.0-wmf.36/includes/block/DatabaseBlock.php(524): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#11 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/CentralAuthUser.php(1950): MediaWiki\Block\DatabaseBlock->insert(Wikimedia\Rdbms\DBConnRef)
#12 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/CentralAuthUser.php(1881): CentralAuthUser->doLocalSuppression(boolean, string, string, string)
#13 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/CentralAuthUser.php(1859): CentralAuthUser->doCrosswikiSuppression(boolean, string, string)
#14 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/CentralAuthUser.php(1810): CentralAuthUser->suppress(string, string)
#15 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(245): CentralAuthUser->adminLockHide(boolean, string, string, RequestContext)
#16 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(143): SpecialCentralAuth->doSubmit()
daniel triaged this task as High priority. Mar 25 2021, 2:06 PM
taavi raised the priority of this task from High to Needs Triage. May 5 2021, 5:57 PM
taavi set Security to Software security bug.
taavi added projects: Security, Security-Team.
taavi changed the visibility from "Public (No Login Required)" to "Custom Policy".
taavi changed the subtype of this task from "Production Error" to "Security Issue".
taavi added a subscriber: taavi.

protecting per T281972

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)". May 10 2021, 11:45 AM

Change 688289 had a related patch set uploaded (by Urbanecm; author: Ppchelko):

[mediawiki/extensions/CentralAuth@REL1_36] Cross-wiki block should pass correct wiki blocker

https://gerrit.wikimedia.org/r/688289

Change 688289 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_36] Cross-wiki block should pass correct wiki blocker

https://gerrit.wikimedia.org/r/688289