Page MenuHomePhabricator

Deprecated passing invalid cross-wiki user. Expected: 'metawiki', Actual: the local wiki.
Closed, ResolvedPublicSecurity

Description

Error
normalized_message
[{reqId}] {exception_url}   PHP Deprecated: Deprecated passing invalid cross-wiki user. Expected: 'metawiki', Actual: the local wiki. [Called from MediaWiki\User\ActorStore::validateActorForInsertion]
exception.trace
from /srv/mediawiki/php-1.37.0-wmf.15/includes/user/ActorStore.php(626)
#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, string, array)
#1 /srv/mediawiki/php-1.37.0-wmf.15/includes/debug/MWDebug.php(376): trigger_error(string, integer)
#2 /srv/mediawiki/php-1.37.0-wmf.15/includes/debug/MWDebug.php(352): MWDebug::sendRawDeprecated(string, boolean, string)
#3 /srv/mediawiki/php-1.37.0-wmf.15/includes/GlobalFunctions.php(1030): MWDebug::deprecatedMsg(string, string, string, integer)
#4 /srv/mediawiki/php-1.37.0-wmf.15/includes/user/ActorStore.php(762): wfDeprecatedMsg(string, string)
#5 /srv/mediawiki/php-1.37.0-wmf.15/includes/user/ActorStore.php(626): MediaWiki\User\ActorStore->deprecateInvalidCrossWikiParam(MediaWiki\User\UserIdentityValue)
#6 /srv/mediawiki/php-1.37.0-wmf.15/includes/user/ActorStore.php(409): MediaWiki\User\ActorStore->validateActorForInsertion(MediaWiki\User\UserIdentityValue)
#7 /srv/mediawiki/php-1.37.0-wmf.15/includes/block/DatabaseBlockStore.php(401): MediaWiki\User\ActorStore->acquireActorId(MediaWiki\User\UserIdentityValue, Wikimedia\Rdbms\DBConnRef)
#8 /srv/mediawiki/php-1.37.0-wmf.15/includes/block/DatabaseBlockStore.php(202): MediaWiki\Block\DatabaseBlockStore->getArrayForDatabaseBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#9 /srv/mediawiki/php-1.37.0-wmf.15/includes/block/DatabaseBlock.php(527): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#10 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/CentralAuthUser.php(1954): MediaWiki\Block\DatabaseBlock->insert(Wikimedia\Rdbms\DBConnRef)
#11 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/CentralAuthUser.php(1881): CentralAuthUser->doLocalSuppression(boolean, string, string, string)
#12 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/CentralAuthUser.php(1859): CentralAuthUser->doCrosswikiSuppression(boolean, string, string)
#13 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/CentralAuthUser.php(1810): CentralAuthUser->suppress(string, string)
#14 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(245): CentralAuthUser->adminLockHide(boolean, string, string, RequestContext)
#15 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(143): SpecialCentralAuth->doSubmit()
#16 /srv/mediawiki/php-1.37.0-wmf.15/includes/specialpage/SpecialPage.php(646): SpecialCentralAuth->execute(NULL)
#17 /srv/mediawiki/php-1.37.0-wmf.15/includes/specialpage/SpecialPageFactory.php(1363): SpecialPage->run(NULL)
#18 /srv/mediawiki/php-1.37.0-wmf.15/includes/MediaWiki.php(314): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)
#19 /srv/mediawiki/php-1.37.0-wmf.15/includes/MediaWiki.php(925): MediaWiki->performRequest()
#20 /srv/mediawiki/php-1.37.0-wmf.15/includes/MediaWiki.php(559): MediaWiki->main()
#21 /srv/mediawiki/php-1.37.0-wmf.15/index.php(53): MediaWiki->run()
#22 /srv/mediawiki/php-1.37.0-wmf.15/index.php(46): wfIndexMain()
#23 /srv/mediawiki/w/index.php(3): require(string)
#24 {main}
Impact
Notes

Details

Risk Rating
Low
Author Affiliation
WMF Technology Dept
Request URL
https://meta.wikimedia.org/w/index.php?title=*&target=*

Event Timeline

mmodell renamed this task from PHP Deprecated: Deprecated passing invalid cross-wiki user. Expected: 'metawiki', Actual: the local wiki. [Called from MediaWiki\User\ActorStore::validateActorForInsertion] to Deprecated passing invalid cross-wiki user. Expected: 'metawiki', Actual: the local wiki..Jul 28 2021, 6:41 PM
mmodell set Security to Software security bug.Jul 28 2021, 7:58 PM
mmodell added projects: Security, Security-Team.
mmodell changed the visibility from "Public (No Login Required)" to "Custom Policy".
mmodell changed the subtype of this task from "Production Error" to "Security Issue".

protecting: maybe related to T281972

Still seeing this in wmf.4: There's also another variant:

Error
normalized_message
[{reqId}] {exception_url}   PHP Deprecated: Deprecated cross-wiki access to MediaWiki\User\UserIdentityValue. Expected: the local wiki, Actual: 'metawiki'. Pass expected $wikiId. [Called from MediaWiki\User\UserIdentityValue::getId]
exception.trace
from /srv/mediawiki/php-1.38.0-wmf.4/includes/user/UserIdentityValue.php(144)
#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, string, array)
#1 /srv/mediawiki/php-1.38.0-wmf.4/includes/debug/MWDebug.php(375): trigger_error(string, integer)
#2 /srv/mediawiki/php-1.38.0-wmf.4/includes/debug/MWDebug.php(351): MWDebug::sendRawDeprecated(string, boolean, string)
#3 /srv/mediawiki/php-1.38.0-wmf.4/includes/GlobalFunctions.php(1030): MWDebug::deprecatedMsg(string, string, string, integer)
#4 /srv/mediawiki/php-1.38.0-wmf.4/includes/dao/WikiAwareEntityTrait.php(78): wfDeprecatedMsg(string, string)
#5 /srv/mediawiki/php-1.38.0-wmf.4/includes/user/UserIdentityValue.php(144): MediaWiki\User\UserIdentityValue->deprecateInvalidCrossWiki(boolean, string)
#6 /srv/mediawiki/php-1.38.0-wmf.4/includes/block/DatabaseBlockStore.php(391): MediaWiki\User\UserIdentityValue->getId()
#7 /srv/mediawiki/php-1.38.0-wmf.4/includes/block/DatabaseBlockStore.php(202): MediaWiki\Block\DatabaseBlockStore->getArrayForDatabaseBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#8 /srv/mediawiki/php-1.38.0-wmf.4/includes/block/DatabaseBlock.php(498): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#9 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/CentralAuthUser.php(1936): MediaWiki\Block\DatabaseBlock->insert(Wikimedia\Rdbms\DBConnRef)
#10 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/CentralAuthUser.php(1863): CentralAuthUser->doLocalSuppression(boolean, string, string, string)
#11 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/CentralAuthUser.php(1841): CentralAuthUser->doCrosswikiSuppression(boolean, string, string)
#12 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/CentralAuthUser.php(1792): CentralAuthUser->suppress(string, string)
#13 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/Special/SpecialCentralAuth.php(280): CentralAuthUser->adminLockHide(boolean, string, string, RequestContext)
#14 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/Special/SpecialCentralAuth.php(180): MediaWiki\Extension\CentralAuth\Special\SpecialCentralAuth->doSubmit()
#15 /srv/mediawiki/php-1.38.0-wmf.4/includes/specialpage/SpecialPage.php(647): MediaWiki\Extension\CentralAuth\Special\SpecialCentralAuth->execute(NULL)
#16 /srv/mediawiki/php-1.38.0-wmf.4/includes/specialpage/SpecialPageFactory.php(1377): SpecialPage->run(NULL)
#17 /srv/mediawiki/php-1.38.0-wmf.4/includes/MediaWiki.php(314): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)
#18 /srv/mediawiki/php-1.38.0-wmf.4/includes/MediaWiki.php(925): MediaWiki->performRequest()
#19 /srv/mediawiki/php-1.38.0-wmf.4/includes/MediaWiki.php(559): MediaWiki->main()
#20 /srv/mediawiki/php-1.38.0-wmf.4/index.php(53): MediaWiki->run()
#21 /srv/mediawiki/php-1.38.0-wmf.4/index.php(46): wfIndexMain()
#22 /srv/mediawiki/w/index.php(3): require(string)
#23 {main}

Global blocks are issued on metawiki. So Expected: 'metawiki', Actual: the local wiki. shows us that there is no real mismatch, since metawiki is local wiki here (and logstash confirms this deprecation warning only shows up for metawiki). So the problem is that here 'metawiki' is used instead of WikiAwareEntity::LOCAL for the local wiki.

Change 756137 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/CentralAuth@master] CentralAuthUser: use WikiAwareEntity::LOCAL for local wiki suppression

https://gerrit.wikimedia.org/r/756137

Change 756137 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] CentralAuthUser: use WikiAwareEntity::LOCAL for local wiki suppression

https://gerrit.wikimedia.org/r/756137

Zabe added a subscriber: sbassett.

Should be fixed in wmf.20.

@sbassett this can be made public.

Should be fixed in wmf.20.

@sbassett this can be made public.

Thanks, I'll do that now. Just FYI - when a bug is security-protected out of an abundance of caution (as seems to be the justification for this bug, in T287625#7244428), feel free to ping someone on the Security-Team to have a quick look and make it public. On this task, it was totally fine, but there might be a reason not to just push a quick fix through gerrit for some bugs like this. Thanks.

sbassett lowered the priority of this task from High to Low.Feb 2 2022, 2:59 PM
sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett removed a project: Patch-For-Review.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed Risk Rating from N/A to Low.