| Ladsgroup | |
| Oct 17 2022, 4:50 PM |
| F35785427: image.png | |
| Nov 16 2022, 10:09 AM |
| F35782269: T320987(2).patch | |
| Nov 15 2022, 4:36 PM |
| F35676993: T320987.patch | |
| Oct 31 2022, 10:32 AM |
This is showing up in log of really slow queries: https://logstash.wikimedia.org/app/discover#/doc/logstash-*/logstash-mediawiki-1-7.0.0-1-2022.10.08?id=I8C3toMBp2kibf73MYW3
The query is not that bad but clearly lacks the index hint core's db query has.
Generally the whole query making in SpecialMobileHistory needs rework (using query builder etc.)
For example https://en.wikipedia.org/wiki/Special:History/Wikipedia:Requests_for_page_protection is quite slow and can easily bring down databases.
| Project | Branch | Lines +/- | Subject | |
|---|---|---|---|---|
| mediawiki/extensions/MobileFrontend | master | +26 -34 | [SECURITY] Use rev_page_timestamp in SpecialMobileHistory |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Restricted Task | |||||
| Resolved | Security | Ladsgroup | T320987 CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries |
@Mabualruz will take a look.
Long term we'd like to get rid of this class/page (T305113), but the change requested here seems very modest so we'd be happy to take a look.
@Ladsgroup presumably review should happen on this ticket and we shouldn't post anything to Gerrit?
Indeed. It feels like re-inventing the wheel. I don't mind pushing for the removal of the mobile special page. I don't think it'd be much work.
LGTM in general not a big change, maybe just need to update the constructor's PHPdocs.
I removed the phpdocs because it wasn't giving any extra information and already handled by typehints
@Ladsgroup +2 this is good to be merged and deployed https://wikitech.wikimedia.org/wiki/How_to_deploy_code#Security_patches
Thanks, @Ladsgroup. Since ext:MobileFrontend isn't bundled, I'll track this one for the next supplemental security release at T318974. And within the list of currently-deployed security patches at T276237.
I believe the security team will handle applying this to master and resolving this ticket. Please feel free to reach out if that's not correct and/or if you need anything from web team by tagging Readers-Web-Backlog .
We can, sure. But that likely wouldn't happen until closer to the end of the quarter, when we prep the upcoming supplemental security release (T318974). Since this is patched in wikimedia production, and ext:MF isn't bundled, we can definitely make this task public and folks can start working on any relevant backports if they'd like. But as stated, the Security-Team typically doesn't do that right away, but closer to the actual end-of-quarter supplemental release.
This has now been merged into master: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MobileFrontend/+/857762
