Page MenuHomePhabricator

CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries
Closed, ResolvedPublic1 Estimated Story PointsSecurity

Description

This is showing up in log of really slow queries: https://logstash.wikimedia.org/app/discover#/doc/logstash-*/logstash-mediawiki-1-7.0.0-1-2022.10.08?id=I8C3toMBp2kibf73MYW3

The query is not that bad but clearly lacks the index hint core's db query has.

Generally the whole query making in SpecialMobileHistory needs rework (using query builder etc.)

For example https://en.wikipedia.org/wiki/Special:History/Wikipedia:Requests_for_page_protection is quite slow and can easily bring down databases.

Details

Risk Rating
Medium
Author Affiliation
WMF Technology Dept

Event Timeline


^

Someone from reading web please review this.

Jdlrobson set the point value for this task to 1.Nov 3 2022, 5:04 PM
Jdlrobson renamed this task from Mobile frontend's history makes really slow db queries to (Unplanned, S) Mobile frontend's history makes really slow db queries.Nov 7 2022, 6:45 PM
Jdlrobson renamed this task from (Unplanned, S) Mobile frontend's history makes really slow db queries to [Unplanned, S] Mobile frontend's history makes really slow db queries.Nov 7 2022, 6:45 PM

@Mabualruz will take a look.
Long term we'd like to get rid of this class/page (T305113), but the change requested here seems very modest so we'd be happy to take a look.
@Ladsgroup presumably review should happen on this ticket and we shouldn't post anything to Gerrit?

sbassett added a project: SecTeam-Processed.
sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett changed Risk Rating from N/A to Medium.

@Mabualruz will take a look.
Long term we'd like to get rid of this class/page (T305113), but the change requested here seems very modest so we'd be happy to take a look.
@Ladsgroup presumably review should happen on this ticket and we shouldn't post anything to Gerrit?

Indeed. It feels like re-inventing the wheel. I don't mind pushing for the removal of the mobile special page. I don't think it'd be much work.

LGTM in general not a big change, maybe just need to update the constructor's PHPdocs.

LGTM in general not a big change, maybe just need to update the constructor's PHPdocs.

I removed the phpdocs because it wasn't giving any extra information and already handled by typehints

Thanks! I will deploy it first thing tomorrow morning.

Deployed now. For what it's worth, it had a small issue that I fixed in this:

sbassett changed the task status from Open to In Progress.EditedNov 15 2022, 4:45 PM
sbassett lowered the priority of this task from Medium to Low.
sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.
sbassett subscribed.

Thanks, @Ladsgroup. Since ext:MobileFrontend isn't bundled, I'll track this one for the next supplemental security release at T318974. And within the list of currently-deployed security patches at T276237.

I believe the security team will handle applying this to master and resolving this ticket. Please feel free to reach out if that's not correct and/or if you need anything from web team by tagging Web-Team-Backlog .

I believe the security team will handle applying this to master and resolving this ticket. Please feel free to reach out if that's not correct and/or if you need anything from web team by tagging Web-Team-Backlog .

We can, sure. But that likely wouldn't happen until closer to the end of the quarter, when we prep the upcoming supplemental security release (T318974). Since this is patched in wikimedia production, and ext:MF isn't bundled, we can definitely make this task public and folks can start working on any relevant backports if they'd like. But as stated, the Security-Team typically doesn't do that right away, but closer to the actual end-of-quarter supplemental release.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 16 2022, 10:49 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
MoritzMuehlenhoff renamed this task from [Unplanned, S] Mobile frontend's history makes really slow db queries to [Unplanned, S] Mobile frontend's history makes really slow db queries (CVE-2023-22911).Jan 12 2023, 2:47 PM
MoritzMuehlenhoff subscribed.

This was assigned CVE-2023-22909

MoritzMuehlenhoff renamed this task from [Unplanned, S] Mobile frontend's history makes really slow db queries (CVE-2023-22911) to [Unplanned, S] Mobile frontend's history makes really slow db queries (CVE-2023-22909).Jan 12 2023, 2:47 PM
mmartorana renamed this task from [Unplanned, S] Mobile frontend's history makes really slow db queries (CVE-2023-22909) to CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries (CVE-2023-22909).Jan 12 2023, 6:25 PM
mmartorana renamed this task from CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries (CVE-2023-22909) to CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries.