PHP Warning: fopen(): Filename cannot be empty
Open, Needs Triage · Public · PRODUCTION ERROR

Description

Error
  • mwversion: 1.39.0-wmf.19
  • reqId: e3394ccc-84f9-455f-9f09-b2de319de057
  • URL: https://commons.wikimedia.org/w/api.php?centralauthtoken=***&origin=https%3A%2F%2Fen.wikipedia.org
normalized_message
[{reqId}] {exception_url}   PHP Warning: fopen(): Filename cannot be empty
exception.trace
from /srv/mediawiki/php-1.39.0-wmf.19/includes/upload/UploadBase.php(1322)
#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /srv/mediawiki/php-1.39.0-wmf.19/includes/upload/UploadBase.php(1322): fopen(string, string)
#2 /srv/mediawiki/php-1.39.0-wmf.19/includes/upload/UploadBase.php(570): UploadBase::detectScript(boolean, NULL, string)
#3 /srv/mediawiki/php-1.39.0-wmf.19/includes/upload/UploadBase.php(492): UploadBase->verifyPartialFile()
#4 /srv/mediawiki/php-1.39.0-wmf.19/includes/upload/UploadBase.php(395): UploadBase->verifyFile()
#5 /srv/mediawiki/php-1.39.0-wmf.19/includes/api/ApiUpload.php(642): UploadBase->verifyUpload()
#6 /srv/mediawiki/php-1.39.0-wmf.19/includes/api/ApiUpload.php(114): ApiUpload->verifyUpload()
#7 /srv/mediawiki/php-1.39.0-wmf.19/includes/api/ApiMain.php(1901): ApiUpload->execute()
#8 /srv/mediawiki/php-1.39.0-wmf.19/includes/api/ApiMain.php(875): ApiMain->executeAction()
#9 /srv/mediawiki/php-1.39.0-wmf.19/includes/api/ApiMain.php(846): ApiMain->executeActionWithErrorHandling()
#10 /srv/mediawiki/php-1.39.0-wmf.19/api.php(90): ApiMain->execute()
#11 /srv/mediawiki/php-1.39.0-wmf.19/api.php(45): wfApiMain()
#12 /srv/mediawiki/w/api.php(3): require(string)
#13 {main}
Impact

Seems to affect cross-wiki uploads as well, e.g. API calls from within the upload dialog in WikiEditor or VisualEditor.

Notes

Event Timeline

Krinkle changed Request URL from https://commons.wikimedia.org/w/api.php to https://commons.wikimedia.org/w/api.php?centralauthtoken=***&origin=https%3A%2F%2Fen.wikipedia.org. (Jul 12 2022, 6:27 PM)
Krinkle updated the task description.
Krinkle removed Request URL.
Krinkle updated the task description.

(1) There was a high number of hits between July 11-July 15 (the last timestamp is Jul 15, 2022 @ 00:25:49.807; it all happens on commonswiki, although the referer might be a different wiki):
normalized_message:" PHP Warning: fopen(): Filename cannot be empty"

The sample request -
https://en.wikipedia.org/w/api.php?action=centralauthtoken&format=json&origin=https%3A%2F%2Fen.wikipedia.org - will return a 403 error ('origin' parameter does not match Origin header) since the Origin header is not present among the request headers (the non-authenticated request - https://en.wikipedia.org/w/api.php?action=centralauthtoken&format=json - will be fine).

(2) Inserting an image on testwiki wmf.19 will produce a warning

Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://commons.wikimedia.org/w/api.php?action=query&format=json&origin=*&generator=allimages&gaisort=timestamp&gaidir=descending&iiurlheight=200&iiprop=dimensions%7Curl%7Cmediatype%7Cextmetadata%7Ctimestamp%7Cuser&prop=imageinfo&gaiuser=Zilant18&iiurlwidth=400&gailimit=15

and the Console error "Image corrupt or truncated." (although Publishing seems to be fine).

(1) There was a high number of hits between July 11-July 15 […]
normalized_message:" PHP Warning: fopen(): Filename cannot be empty"

This link doesn't work for others. Check Link sharing docs.

The sample request -
https://en.wikipedia.org/w/api.php?action=centralauthtoken&format=json&origin=https%3A%2F%2Fen.wikipedia.org - will return a 403 error ('origin' parameter does not match Origin header) since the Origin header is not present among the request headers (the non-authenticated request - https://en.wikipedia.org/w/api.php?action=centralauthtoken&format=json - will be fine).

This error is not what happened for the error sample requests. Instead, this error is because the request is invalid, due to being different from how the sample requests were made.

  • The error was from a POST request (as made by submitting forms, or by JavaScript). These are different from GET requests (as from opening or typing links).
  • The error was when requesting to commons.wikimedia.org, not en.wikipedia.org.
  • The error was with a request to a domain name other than the current page view. E.g. a request to commons, while viewing a page on enwiki. This is significant as browsers send headers like Referer and Origin automatically for forms and JavaScript requests. Manually making such a request is not the same. Manually opening links will generally work to reproduce an error for a page view or special page link, but not for API requests.

Because the request is for a cross-origin feature, but was made manually without any Referer set, our API rejects it (correctly) with a 403 error. (40x are client errors as opposed to server errors).

(2) Inserting an image on testwiki wmf.19 will produce a warning

Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request

This is a verbose message from the browser vendor about the "Referrer Policy", which is unrelated to this task or the "origin" API feature. The warning is there because Google incorrectly assumes websites will only want to support the latest Google browser and so (wrongly) encourages through this warning that we drop support for older browsers. Google supports the old and new value, and we set the old value for compatibility, which behaves exactly the same.
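
The request shapes discussed in the comment above, run through a simplified model of the origin check. This is an added example, not part of the thread and not MediaWiki's code: the function name, the 200/"ok" result and the fourth sample request are assumptions, and the `origin=*` form seen earlier on the page is not modelled.

```python
from urllib.parse import urlsplit, parse_qs

# Error text as quoted in the thread.
MISMATCH = "'origin' parameter does not match Origin header"


def check_cross_origin(url, headers):
    """Simplified model (assumption): an 'origin' query parameter must be
    backed by an identical Origin request header, otherwise 403."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    claimed = query.get("origin", [None])[0]  # parse_qs percent-decodes
    if claimed is None:
        return 200, "ok"  # no cross-origin claim, nothing to verify
    # Header names are case-insensitive.
    sent = {k.lower(): v for k, v in headers.items()}.get("origin")
    if sent != claimed:  # also covers a missing header (None)
        return 403, MISMATCH
    return 200, "ok"


# Constructed sample requests mirroring the cases in the thread.
CASES = {
    "typed link, origin param, no Origin header": (
        "https://en.wikipedia.org/w/api.php?action=centralauthtoken"
        "&format=json&origin=https%3A%2F%2Fen.wikipedia.org", {}),
    "typed link, no origin param": (
        "https://en.wikipedia.org/w/api.php?action=centralauthtoken&format=json",
        {}),
    "browser request from enwiki to commons": (
        "https://commons.wikimedia.org/w/api.php?centralauthtoken=***"
        "&origin=https%3A%2F%2Fen.wikipedia.org",
        {"Origin": "https://en.wikipedia.org"}),
    "Origin header from another site": (
        "https://commons.wikimedia.org/w/api.php?centralauthtoken=***"
        "&origin=https%3A%2F%2Fen.wikipedia.org",
        {"Origin": "https://example.org"}),
}


def run_cases():
    """Return {case name: HTTP status} for every constructed request."""
    return {name: check_cross_origin(url, hdrs)[0]
            for name, (url, hdrs) in CASES.items()}


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(status, name)
```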

https://logstash.wikimedia.org/goto/f313dcc9bf6244bf889e08a758558a94

(1) There was a high number of hits between July 11-July 15 […]
normalized_message:" PHP Warning: fopen(): Filename cannot be empty"

This link doesn't work for others. Check Link sharing docs.

Sorry, this link shows the same info that I mentioned in my comment: the errors stopped on Jul 15, 2022 @ 00:25:49.807

There's an uptick of these warnings. In PHP 8 they will be elevated to a ValueError exception.