Page MenuHomePhabricator
Create Task
Maniphest T287625

Deprecated passing invalid cross-wiki user. Expected: 'metawiki', Actual: the local wiki.
Closed, ResolvedPublicSecurity
Actions

Description

Error
normalized_message
[{reqId}] {exception_url}   PHP Deprecated: Deprecated passing invalid cross-wiki user. Expected: 'metawiki', Actual: the local wiki. [Called from MediaWiki\User\ActorStore::validateActorForInsertion]
exception.trace
from /srv/mediawiki/php-1.37.0-wmf.15/includes/user/ActorStore.php(626)
#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, string, array)
#1 /srv/mediawiki/php-1.37.0-wmf.15/includes/debug/MWDebug.php(376): trigger_error(string, integer)
#2 /srv/mediawiki/php-1.37.0-wmf.15/includes/debug/MWDebug.php(352): MWDebug::sendRawDeprecated(string, boolean, string)
#3 /srv/mediawiki/php-1.37.0-wmf.15/includes/GlobalFunctions.php(1030): MWDebug::deprecatedMsg(string, string, string, integer)
#4 /srv/mediawiki/php-1.37.0-wmf.15/includes/user/ActorStore.php(762): wfDeprecatedMsg(string, string)
#5 /srv/mediawiki/php-1.37.0-wmf.15/includes/user/ActorStore.php(626): MediaWiki\User\ActorStore->deprecateInvalidCrossWikiParam(MediaWiki\User\UserIdentityValue)
#6 /srv/mediawiki/php-1.37.0-wmf.15/includes/user/ActorStore.php(409): MediaWiki\User\ActorStore->validateActorForInsertion(MediaWiki\User\UserIdentityValue)
#7 /srv/mediawiki/php-1.37.0-wmf.15/includes/block/DatabaseBlockStore.php(401): MediaWiki\User\ActorStore->acquireActorId(MediaWiki\User\UserIdentityValue, Wikimedia\Rdbms\DBConnRef)
#8 /srv/mediawiki/php-1.37.0-wmf.15/includes/block/DatabaseBlockStore.php(202): MediaWiki\Block\DatabaseBlockStore->getArrayForDatabaseBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#9 /srv/mediawiki/php-1.37.0-wmf.15/includes/block/DatabaseBlock.php(527): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#10 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/CentralAuthUser.php(1954): MediaWiki\Block\DatabaseBlock->insert(Wikimedia\Rdbms\DBConnRef)
#11 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/CentralAuthUser.php(1881): CentralAuthUser->doLocalSuppression(boolean, string, string, string)
#12 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/CentralAuthUser.php(1859): CentralAuthUser->doCrosswikiSuppression(boolean, string, string)
#13 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/CentralAuthUser.php(1810): CentralAuthUser->suppress(string, string)
#14 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(245): CentralAuthUser->adminLockHide(boolean, string, string, RequestContext)
#15 /srv/mediawiki/php-1.37.0-wmf.15/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(143): SpecialCentralAuth->doSubmit()
#16 /srv/mediawiki/php-1.37.0-wmf.15/includes/specialpage/SpecialPage.php(646): SpecialCentralAuth->execute(NULL)
#17 /srv/mediawiki/php-1.37.0-wmf.15/includes/specialpage/SpecialPageFactory.php(1363): SpecialPage->run(NULL)
#18 /srv/mediawiki/php-1.37.0-wmf.15/includes/MediaWiki.php(314): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)
#19 /srv/mediawiki/php-1.37.0-wmf.15/includes/MediaWiki.php(925): MediaWiki->performRequest()
#20 /srv/mediawiki/php-1.37.0-wmf.15/includes/MediaWiki.php(559): MediaWiki->main()
#21 /srv/mediawiki/php-1.37.0-wmf.15/index.php(53): MediaWiki->run()
#22 /srv/mediawiki/php-1.37.0-wmf.15/index.php(46): wfIndexMain()
#23 /srv/mediawiki/w/index.php(3): require(string)
#24 {main}
Impact
Notes

Details

Risk Rating
Low
Author Affiliation
WMF Technology Dept
Request URL
https://meta.wikimedia.org/w/index.php?title=*&target=*
ProjectBranchLines +/-Subject
mediawiki/extensions/CentralAuthmaster+6 -3CentralAuthUser: use WikiAwareEntity::LOCAL for local wiki suppression
Customize query in gerrit

Related Objects

Event Timeline

mmodell created this task.Jul 28 2021, 6:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 28 2021, 6:39 PM
mmodell renamed this task from PHP Deprecated: Deprecated passing invalid cross-wiki user. Expected: 'metawiki', Actual: the local wiki. [Called from MediaWiki\User\ActorStore::validateActorForInsertion] to Deprecated passing invalid cross-wiki user. Expected: 'metawiki', Actual: the local wiki..Jul 28 2021, 6:41 PM
thcipriani moved this task from Untriaged to July 2021 on the Wikimedia-production-error board.Jul 28 2021, 6:42 PM
thcipriani added a project: Release-Engineering-Team (Logspam).Jul 28 2021, 6:44 PM
mmodell mentioned this in T287630: PHP Deprecated: Deprecated cross-wiki access to MediaWiki\User\UserIdentityValue. Expected: the local wiki, Actual: 'loginwiki'. Pass expected $wikiId. [Called from MediaWiki\User\UserIdentityValue::getId].Jul 28 2021, 7:23 PM
taavi added a subscriber: taavi.Jul 28 2021, 7:50 PM
mmodell set Security to Software security bug.Jul 28 2021, 7:58 PM
mmodell added projects: Security, Security-Team.
mmodell changed the visibility from "Public (No Login Required)" to "Custom Policy".
mmodell changed the subtype of this task from "Production Error" to "Security Issue".

protecting: maybe related to T281972

Krinkle edited projects, added MediaWiki-User-management, Platform Engineering; removed Release-Engineering-Team (Logspam).Jul 29 2021, 8:23 PM
Reedy edited projects, added SecTeam-Processed; removed Security-Team.Aug 2 2021, 3:37 PM
daniel triaged this task as High priority.Aug 19 2021, 4:21 PM
daniel edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.
dancy added a subscriber: dancy.Oct 13 2021, 7:14 PM

Still seeing this in wmf.4: There's also another variant:

Error
normalized_message
[{reqId}] {exception_url}   PHP Deprecated: Deprecated cross-wiki access to MediaWiki\User\UserIdentityValue. Expected: the local wiki, Actual: 'metawiki'. Pass expected $wikiId. [Called from MediaWiki\User\UserIdentityValue::getId]
exception.trace
from /srv/mediawiki/php-1.38.0-wmf.4/includes/user/UserIdentityValue.php(144)
#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, string, array)
#1 /srv/mediawiki/php-1.38.0-wmf.4/includes/debug/MWDebug.php(375): trigger_error(string, integer)
#2 /srv/mediawiki/php-1.38.0-wmf.4/includes/debug/MWDebug.php(351): MWDebug::sendRawDeprecated(string, boolean, string)
#3 /srv/mediawiki/php-1.38.0-wmf.4/includes/GlobalFunctions.php(1030): MWDebug::deprecatedMsg(string, string, string, integer)
#4 /srv/mediawiki/php-1.38.0-wmf.4/includes/dao/WikiAwareEntityTrait.php(78): wfDeprecatedMsg(string, string)
#5 /srv/mediawiki/php-1.38.0-wmf.4/includes/user/UserIdentityValue.php(144): MediaWiki\User\UserIdentityValue->deprecateInvalidCrossWiki(boolean, string)
#6 /srv/mediawiki/php-1.38.0-wmf.4/includes/block/DatabaseBlockStore.php(391): MediaWiki\User\UserIdentityValue->getId()
#7 /srv/mediawiki/php-1.38.0-wmf.4/includes/block/DatabaseBlockStore.php(202): MediaWiki\Block\DatabaseBlockStore->getArrayForDatabaseBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#8 /srv/mediawiki/php-1.38.0-wmf.4/includes/block/DatabaseBlock.php(498): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
#9 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/CentralAuthUser.php(1936): MediaWiki\Block\DatabaseBlock->insert(Wikimedia\Rdbms\DBConnRef)
#10 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/CentralAuthUser.php(1863): CentralAuthUser->doLocalSuppression(boolean, string, string, string)
#11 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/CentralAuthUser.php(1841): CentralAuthUser->doCrosswikiSuppression(boolean, string, string)
#12 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/CentralAuthUser.php(1792): CentralAuthUser->suppress(string, string)
#13 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/Special/SpecialCentralAuth.php(280): CentralAuthUser->adminLockHide(boolean, string, string, RequestContext)
#14 /srv/mediawiki/php-1.38.0-wmf.4/extensions/CentralAuth/includes/Special/SpecialCentralAuth.php(180): MediaWiki\Extension\CentralAuth\Special\SpecialCentralAuth->doSubmit()
#15 /srv/mediawiki/php-1.38.0-wmf.4/includes/specialpage/SpecialPage.php(647): MediaWiki\Extension\CentralAuth\Special\SpecialCentralAuth->execute(NULL)
#16 /srv/mediawiki/php-1.38.0-wmf.4/includes/specialpage/SpecialPageFactory.php(1377): SpecialPage->run(NULL)
#17 /srv/mediawiki/php-1.38.0-wmf.4/includes/MediaWiki.php(314): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)
#18 /srv/mediawiki/php-1.38.0-wmf.4/includes/MediaWiki.php(925): MediaWiki->performRequest()
#19 /srv/mediawiki/php-1.38.0-wmf.4/includes/MediaWiki.php(559): MediaWiki->main()
#20 /srv/mediawiki/php-1.38.0-wmf.4/index.php(53): MediaWiki->run()
#21 /srv/mediawiki/php-1.38.0-wmf.4/index.php(46): wfIndexMain()
#22 /srv/mediawiki/w/index.php(3): require(string)
#23 {main}
Dsharpe added a subscriber: Zabe.Jan 20 2022, 9:30 PM
Zabe claimed this task.Jan 23 2022, 2:41 AM
Zabe added a subscriber: gerritbot.Jan 23 2022, 3:05 AM

Global blocks are issued on metawiki. So Expected: 'metawiki', Actual: the local wiki. shows us that there is no real mismatch, since metawiki is local wiki here (and logstash confirms this deprecation warning only shows up for metawiki). So the problem is that here 'metawiki' is used instead of WikiAwareEntity::LOCAL for the local wiki.

gerritbot added a comment.Jan 23 2022, 3:05 AM

Change 756137 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/CentralAuth@master] CentralAuthUser: use WikiAwareEntity::LOCAL for local wiki suppression

https://gerrit.wikimedia.org/r/756137

gerritbot added a project: Patch-For-Review.Jan 23 2022, 3:05 AM
dancy removed a subscriber: dancy.Jan 24 2022, 4:11 PM
Zabe mentioned this in T298223: Global suppressions throw 'Deprecated cross-wiki access' warnings.Jan 27 2022, 4:50 PM
gerritbot added a comment.Jan 31 2022, 9:24 PM

Change 756137 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] CentralAuthUser: use WikiAwareEntity::LOCAL for local wiki suppression

https://gerrit.wikimedia.org/r/756137

Zabe closed this task as Resolved.Feb 2 2022, 2:48 PM
Zabe added a subscriber: sbassett.

Should be fixed in wmf.20.

@sbassett this can be made public.

sbassett added a comment.Feb 2 2022, 2:59 PM
In T287625#7671292, @Zabe wrote:

Should be fixed in wmf.20.

@sbassett this can be made public.

Thanks, I'll do that now. Just FYI - when a bug is security-protected out of an abundance of caution (as seems to be the justification for this bug, in T287625#7244428), feel free to ping someone on the Security-Team to have a quick look and make it public. On this task, it was totally fine, but there might be a reason not to just push a quick fix through gerrit for some bugs like this. Thanks.

sbassett lowered the priority of this task from High to Low.Feb 2 2022, 2:59 PM
sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett removed a project: Patch-For-Review.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed Risk Rating from N/A to Low.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL