
Thumbor URLs are too permissive
Open, Medium, Public, BUG REPORT

Description

List of steps to reproduce (step by step, including full links if applicable):
Access these image URLs:

What happens?:
They all work. That is, they all produce the same PNG.

What should have happened instead?:
Only the first URL should have worked.

MW has a fixed format for .../langzh-300px-... that uses lowercase letters. We should never see anything but lang and px. The IETF langtag should be lowercased before inserting it into the URL. Permitting mixed-case specifications can lead to redundant entries in the client and server caches. Mixed-case requests should err.

See also T310235.

Event Timeline

The last part of URLs should already be normalized by the upload-frontend proxy, rOPUP modules/varnish/templates/upload-frontend.inc.vcl.erb:155, so there's no effect on server-side caching. I see no reason to error here, though a redirect to the canonical may be appropriate.

This shouldn't be a problem as long as MediaWiki only generates url fragments that are lowercase (which is what it should be doing). In general, thumbor is a tad more permissive than MediaWiki (you can request any language you want, even if it is invalid or plain non-existing) (thumbor is decoupled from MediaWiki state and logic, as it should be). What matters is that MediaWiki shouldn't be requesting such things, and I don't think it does.
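The three positions above (the description's "only lowercase lang/px, anything else should err", the first comment's "redirect to the canonical form instead", and the second comment's "thumbor accepts any language at all") can be compared on one small normalizer. The following is an added illustration, not code from Thumbor, MediaWiki or the Varnish upload-frontend VCL; it assumes the canonical suffix shape `[lang<tag>-]<width>px-<filename>` described in the report, treats the filename as case-sensitive, and takes an optional allowlist of known language codes as a hypothetical knob to show how the "any language" permissiveness would be closed.

```python
"""Canonicalize MediaWiki-style thumbnail URL suffixes.

Added example, not project code.  Assumed canonical shape (from the report):
    [lang<langtag>-]<width>px-<filename>
with a lowercase "lang" keyword, a lowercase langtag, a decimal width
without leading zeros and a lowercase "px" keyword.
"""
import re
from typing import Literal, NamedTuple, Optional, Set, Tuple

# Loose, case-insensitive parser: recovers what a non-canonical request
# *meant* so that we can redirect to one cache key instead of serving
# several spellings of the same thumbnail.
_LOOSE = re.compile(
    r"^(?:lang(?P<lang>[a-z]{2,3}(?:-[a-z0-9]{1,8})*)-)?"
    r"(?P<width>[0-9]+)px-(?P<name>.+)$",
    re.IGNORECASE,
)


class Decision(NamedTuple):
    action: Literal["serve", "redirect", "reject"]
    canonical: Optional[str]


def parse(suffix: str) -> Optional[Tuple[Optional[str], int, str]]:
    """Return (lang or None, width, filename) or None if unparseable."""
    m = _LOOSE.match(suffix)
    if not m:
        return None
    width = int(m["width"])  # drops leading zeros ("0300" -> 300)
    if width == 0:
        return None
    # IETF langtags are case-insensitive; MediaWiki emits them lowercase,
    # so lowercase is the canonical spelling.  The filename is left alone.
    lang = m["lang"].lower() if m["lang"] else None
    return lang, width, m["name"]


def canonicalize(suffix: str) -> Optional[str]:
    """Rebuild the single canonical spelling of a suffix, or None."""
    parsed = parse(suffix)
    if parsed is None:
        return None
    lang, width, name = parsed
    prefix = f"lang{lang}-" if lang else ""
    return f"{prefix}{width}px-{name}"


def decide(suffix: str, known_langs: Optional[Set[str]] = None) -> Decision:
    """Serve canonical requests, redirect recoverable variants, reject the rest.

    known_langs is a hypothetical allowlist; when given, a syntactically valid
    but unknown language code is rejected rather than passed through.
    """
    parsed = parse(suffix)
    if parsed is None:
        return Decision("reject", None)
    lang, _, _ = parsed
    if known_langs is not None and lang is not None and lang not in known_langs:
        return Decision("reject", None)
    canonical = canonicalize(suffix)
    if canonical == suffix:
        return Decision("serve", suffix)
    return Decision("redirect", canonical)


if __name__ == "__main__":
    # Constructed sample requests for the same thumbnail, not from the report.
    for s in ["langzh-300px-Foo.png", "langZH-300px-Foo.png",
              "LANGzh-300PX-Foo.png", "0300px-Foo.png", "Foo.png"]:
        print(f"{s:24} -> {decide(s)}")
```

Run as a script, the four spellings of the `zh` 300px request collapse to one canonical key and a redirect, while a suffix with no `px` component is rejected; passing `known_langs` makes a well-formed but unknown code such as `zz` a rejection too.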

SLyngshede-WMF removed a project: SRE.