
Deprecated cross-wiki access to User. Expected: 'eswiki', Actual: the local wiki. Pass expected $wikiId. [Called from User::getId]
Closed, Duplicate | Public | Security

Description

Error

MediaWiki version: 1.36.0-wmf.34

message
Deprecated cross-wiki access to User. Expected: 'eswiki', Actual: the local wiki. Pass expected $wikiId. [Called from User::getId]

Impact

No visible user-facing impact, as far as I can tell. Results in logspam.

Notes

One of these in the last ~4 hours.

Details

Request ID
YFJF4jLbOUereZ@Gtbsu8wAAAE0
Request URL
https://meta.wikimedia.org/w/index.php?title=Special:CentralAuth&target=[username]
Stack Trace
exception.trace
from /srv/mediawiki/php-1.36.0-wmf.34/includes/user/User.php(2068)
#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, string, array)
#1 /srv/mediawiki/php-1.36.0-wmf.34/includes/debug/MWDebug.php(376): trigger_error(string, integer)
#2 /srv/mediawiki/php-1.36.0-wmf.34/includes/debug/MWDebug.php(352): MWDebug::sendRawDeprecated(string, boolean, string)
#3 /srv/mediawiki/php-1.36.0-wmf.34/includes/GlobalFunctions.php(1068): MWDebug::deprecatedMsg(string, string, string, integer)
#4 /srv/mediawiki/php-1.36.0-wmf.34/includes/dao/WikiAwareEntityTrait.php(78): wfDeprecatedMsg(string, string)
#5 /srv/mediawiki/php-1.36.0-wmf.34/includes/user/User.php(2068): User->deprecateInvalidCrossWiki(string, string)
#6 /srv/mediawiki/php-1.36.0-wmf.34/includes/user/ActorStore.php(431): User->getId(string)
#7 /srv/mediawiki/php-1.36.0-wmf.34/includes/ActorMigration.php(326): MediaWiki\User\ActorStore->acquireActorId(User, Wikimedia\Rdbms\DBConnRef)
#8 /srv/mediawiki/php-1.36.0-wmf.34/includes/block/DatabaseBlockStore.php(379): ActorMigration->getInsertValues(Wikimedia\Rdbms\DBConnRef, string, User)
#9 /srv/mediawiki/php-1.36.0-wmf.34/includes/block/DatabaseBlockStore.php(165): MediaWiki\Block\DatabaseBlockStore->getArrayForDatabaseBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#10 /srv/mediawiki/php-1.36.0-wmf.34/includes/block/DatabaseBlock.php(499): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#11 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/CentralAuthUser.php(1950): MediaWiki\Block\DatabaseBlock->insert(Wikimedia\Rdbms\DBConnRef)
#12 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/CentralAuthUser.php(1881): CentralAuthUser->doLocalSuppression(boolean, string, string, string)
#13 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/CentralAuthUser.php(1859): CentralAuthUser->doCrosswikiSuppression(boolean, string, string)
#14 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/CentralAuthUser.php(1810): CentralAuthUser->suppress(string, string)
#15 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(245): CentralAuthUser->adminLockHide(boolean, string, string, RequestContext)
#16 /srv/mediawiki/php-1.36.0-wmf.34/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(143): SpecialCentralAuth->doSubmit()
#17 /srv/mediawiki/php-1.36.0-wmf.34/includes/specialpage/SpecialPage.php(646): SpecialCentralAuth->execute(NULL)
#18 /srv/mediawiki/php-1.36.0-wmf.34/includes/specialpage/SpecialPageFactory.php(1375): SpecialPage->run(NULL)
#19 /srv/mediawiki/php-1.36.0-wmf.34/includes/MediaWiki.php(309): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)
#20 /srv/mediawiki/php-1.36.0-wmf.34/includes/MediaWiki.php(925): MediaWiki->performRequest()
#21 /srv/mediawiki/php-1.36.0-wmf.34/includes/MediaWiki.php(547): MediaWiki->main()
#22 /srv/mediawiki/php-1.36.0-wmf.34/index.php(53): MediaWiki->run()
#23 /srv/mediawiki/php-1.36.0-wmf.34/index.php(46): wfIndexMain()
#24 /srv/mediawiki/w/index.php(3): require(string)
#25 {main}

Event Timeline

Change 668736 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/core@master] Make DatabaseBlock::$blocker a UserIdentity

https://gerrit.wikimedia.org/r/668736

Ok, I see what's going on... Sneaky CentralAuth trying to pass around cross-wiki user as a User object... The patch above will not fix it right away, but is a necessary step before we can resolve this one.

Heads up: this is the code path that caused T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869).

The warnings we are now seeing are highlighting the original cause of that issue: using User objects to represent a user on another wiki. The patch above is designed to allow us to instead use a UserIdentity bound to the correct wiki.
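
The root cause described above (a user ID taken from one wiki and used against another wiki's tables), as an added example that is not MediaWiki or CentralAuth code: a simplified model in which an identity is bound to a wiki and refuses to hand out its ID for a different one. The class and function names, wiki contents and IDs are all constructed, and the model throws an exception where MediaWiki logs a deprecation warning.

```php
<?php
declare(strict_types=1);
// Simplified model, not MediaWiki code; wiki contents, user names and IDs are constructed.
const LOCAL_WIKI = 'metawiki';

// Per-wiki user tables: the same numeric ID maps to different accounts on each wiki.
const USERS = [
    'metawiki' => [42 => 'StewardA', 43 => 'Someone'],
    'eswiki'   => [7 => 'StewardA', 42 => 'UnrelatedUser'],
];

final class WikiBoundIdentity {
    public function __construct(private int $id, private string $wikiId) {}

    // The caller states which wiki it is about to write to; a mismatch is refused.
    public function getId(string $expectedWiki): int {
        if ($expectedWiki !== $this->wikiId) {
            throw new LogicException(
                "Cross-wiki access: expected '$expectedWiki', identity is bound to '{$this->wikiId}'"
            );
        }
        return $this->id;
    }
}

// Resolve the account by name on the given wiki so the ID comes from that wiki's table.
function identityOnWiki(string $name, string $wiki): WikiBoundIdentity {
    $id = array_search($name, USERS[$wiki], true);
    if ($id === false) {
        throw new RuntimeException("No account '$name' on $wiki");
    }
    return new WikiBoundIdentity($id, $wiki);
}

// Name the target wiki would show as the author of the block row.
function recordedBlocker(WikiBoundIdentity $blocker, string $targetWiki): string {
    return USERS[$targetWiki][$blocker->getId($targetWiki)];
}

$local = identityOnWiki('StewardA', LOCAL_WIKI); // ID 42 in the metawiki table

// Unchecked pattern: the local ID is reused as a key into eswiki's table.
echo "unchecked: ", USERS['eswiki'][$local->getId(LOCAL_WIKI)], "\n";

// Checked pattern: the local identity is refused, the one resolved on eswiki is accepted.
try {
    recordedBlocker($local, 'eswiki');
} catch (LogicException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
echo "checked: ", recordedBlocker(identityOnWiki('StewardA', 'eswiki'), 'eswiki'), "\n";
```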

Change 673076 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/extensions/CentralAuth@master] [Untested, DNM yet] Cross-wiki block should pass correct wiki blocker

https://gerrit.wikimedia.org/r/673076

Change 668736 merged by jenkins-bot:
[mediawiki/core@master] Make DatabaseBlock::$blocker a UserIdentity

https://gerrit.wikimedia.org/r/668736

Still hitting this on php-1.36.0-wmf.36, two instances in the last 8 hours (JJ3HaHgBg_6mGHGhWcbD and 9x3HaHgBfVMx58vqV92i). The stack trace shows UserIdentity instead of User, but still the wrong wiki ID:

Deprecated cross-wiki access to MediaWiki\User\UserIdentityValue. Expected: 'enwiki', Actual: the local wiki. Pass expected $wikiId. [Called from MediaWiki\User\UserIdentityValue::getId]

from /srv/mediawiki/php-1.36.0-wmf.36/includes/user/UserIdentityValue.php(98)
#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, string, array)
#1 /srv/mediawiki/php-1.36.0-wmf.36/includes/debug/MWDebug.php(376): trigger_error(string, integer)
#2 /srv/mediawiki/php-1.36.0-wmf.36/includes/debug/MWDebug.php(352): MWDebug::sendRawDeprecated(string, boolean, string)
#3 /srv/mediawiki/php-1.36.0-wmf.36/includes/GlobalFunctions.php(1068): MWDebug::deprecatedMsg(string, string, string, integer)
#4 /srv/mediawiki/php-1.36.0-wmf.36/includes/dao/WikiAwareEntityTrait.php(78): wfDeprecatedMsg(string, string)
#5 /srv/mediawiki/php-1.36.0-wmf.36/includes/user/UserIdentityValue.php(98): MediaWiki\User\UserIdentityValue->deprecateInvalidCrossWiki(string, string)
#6 /srv/mediawiki/php-1.36.0-wmf.36/includes/user/ActorStore.php(489): MediaWiki\User\UserIdentityValue->getId(string)
#7 /srv/mediawiki/php-1.36.0-wmf.36/includes/ActorMigration.php(319): MediaWiki\User\ActorStore->acquireActorId(MediaWiki\User\UserIdentityValue, Wikimedia\Rdbms\DBConnRef)
#8 /srv/mediawiki/php-1.36.0-wmf.36/includes/block/DatabaseBlockStore.php(379): ActorMigration->getInsertValues(Wikimedia\Rdbms\DBConnRef, string, MediaWiki\User\UserIdentityValue)
#9 /srv/mediawiki/php-1.36.0-wmf.36/includes/block/DatabaseBlockStore.php(165): MediaWiki\Block\DatabaseBlockStore->getArrayForDatabaseBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#10 /srv/mediawiki/php-1.36.0-wmf.36/includes/block/DatabaseBlock.php(524): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#11 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/CentralAuthUser.php(1950): MediaWiki\Block\DatabaseBlock->insert(Wikimedia\Rdbms\DBConnRef)
#12 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/CentralAuthUser.php(1881): CentralAuthUser->doLocalSuppression(boolean, string, string, string)
#13 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/CentralAuthUser.php(1859): CentralAuthUser->doCrosswikiSuppression(boolean, string, string)
#14 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/CentralAuthUser.php(1810): CentralAuthUser->suppress(string, string)
#15 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(245): CentralAuthUser->adminLockHide(boolean, string, string, RequestContext)
#16 /srv/mediawiki/php-1.36.0-wmf.36/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(143): SpecialCentralAuth->doSubmit()

daniel triaged this task as High priority. Mar 25 2021, 2:06 PM
taavi raised the priority of this task from High to Needs Triage. May 5 2021, 5:57 PM
taavi set Security to Software security bug.
taavi added projects: Security, Security-Team.
taavi changed the visibility from "Public (No Login Required)" to "Custom Policy".
taavi changed the subtype of this task from "Production Error" to "Security Issue".
taavi subscribed.

protecting per T281972

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)". May 10 2021, 11:45 AM

Change 688289 had a related patch set uploaded (by Urbanecm; author: Ppchelko):

[mediawiki/extensions/CentralAuth@REL1_36] Cross-wiki block should pass correct wiki blocker

https://gerrit.wikimedia.org/r/688289

Change 688289 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_36] Cross-wiki block should pass correct wiki blocker

https://gerrit.wikimedia.org/r/688289