Page MenuHomePhabricator
Create Task
Maniphest T321471

MWException: HTML attribute value can not contain a list of values (in Special:ListFiles)
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Description

Error
normalized_message
[{reqId}] {exception_url}   MWException: HTML attribute value can not contain a list of values
exception.trace
from /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(556)
#0 /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(310): Html::expandAttributes(array)
#1 /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(215): Html::openElement(string, array)
#2 /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(240): Html::rawElement(string, array, string)
#3 /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(710): Html::element(string, array)
#4 /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(852): Html::input(string, array, string, array)
#5 /srv/mediawiki/php-1.40.0-wmf.6/includes/htmlform/HTMLForm.php(1396): Html::hidden(string, array, array)
#6 /srv/mediawiki/php-1.40.0-wmf.6/includes/htmlform/HTMLForm.php(1294): HTMLForm->getHiddenFields()
#7 /srv/mediawiki/php-1.40.0-wmf.6/includes/htmlform/HTMLForm.php(1245): HTMLForm->getHTML(string)
#8 /srv/mediawiki/php-1.40.0-wmf.6/includes/specials/pagers/ImageListPager.php(564): HTMLForm->displayForm(string)
#9 /srv/mediawiki/php-1.40.0-wmf.6/includes/specials/SpecialListFiles.php(124): ImageListPager->getForm()
#10 /srv/mediawiki/php-1.40.0-wmf.6/includes/specialpage/SpecialPage.php(701): SpecialListFiles->execute(NULL)
#11 /srv/mediawiki/php-1.40.0-wmf.6/includes/specialpage/SpecialPageFactory.php(1451): SpecialPage->run(NULL)
#12 /srv/mediawiki/php-1.40.0-wmf.6/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)
#13 /srv/mediawiki/php-1.40.0-wmf.6/includes/MediaWiki.php(904): MediaWiki->performRequest()
#14 /srv/mediawiki/php-1.40.0-wmf.6/includes/MediaWiki.php(562): MediaWiki->main()
#15 /srv/mediawiki/php-1.40.0-wmf.6/index.php(50): MediaWiki->run()
#16 /srv/mediawiki/php-1.40.0-wmf.6/index.php(46): wfIndexMain()
#17 /srv/mediawiki/w/index.php(3): require(string)
#18 {main}
Impact
Notes

Four such requests happened at the same time all targeting aawiki, I suspect it is part of a penetration testing script similar to T321267 or T321133.

They all had the same url path: /wiki/Special:ListFiles?acx[[%24{98991*97996}]]xca&limit=20&user=<someusername>

A couple additional one tried to do some JavaScript injection.

Details

Request URL
https://aa.wikipedia.org/wiki/Special:ListFiles?acx%5B%5B%24%7B98991*97996%7D%5D%5Dxca=*&limit=*&user=*
SubjectRepoBranchLines +/-
htmlform: Skip array query parameter on HtmlForm::addHiddenFieldmediawiki/coremaster+16 -2
Customize query in gerrit

Related Objects

Event Timeline

hashar created this task.Oct 24 2022, 8:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 24 2022, 8:15 AM
Umherirrender subscribed.Oct 24 2022, 7:11 PM

The functionality was added in d7b6ad563c2a846f9f9f9b9e2f7639f18e46daed and allows to resubmit every query parameter. This is useful for this special page to ensure the sort order in the result table is not lost when resubmiting the form. But it returns all query parameter, even the unknown one and for array parameter that is problematic.

Html::hidden value is typehinted as mixed, but the used Html::input only as string

Not sure how to change that.

Krinkle moved this task from Untriaged to Oct 2022 on the Wikimedia-production-error board.Oct 29 2022, 12:35 AM
Krinkle subscribed.Oct 29 2022, 12:41 AM

I think long-term, it might be good for the supported options to be registered in the constructor of Pager subclasses so that this can iterate known values only, and those would then presumably already be normalised to strings or validated/rejected before this point.

@Umherirrender For now, given it is a generic method that handles any/all parameters, I propose limiting it to string values and thus silently discard anything else in TablePager::getHiddenFields(). From what I can tell, that does not cause any unwanted side-effects as any array values are by definition either invalid input from URL mangling, or genuine fields that can't be roundtripped this way anyway so it's simply not supported and never was.

I suggest documenting in the method that array parameters are not supported through this and will not be preserved.

gerritbot added a comment.Oct 31 2022, 9:42 PM

Change 851136 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/core@master] htmlform: Skip array query parameter on HtmlForm::addHiddenField

https://gerrit.wikimedia.org/r/851136

gerritbot added a project: Patch-For-Review.Oct 31 2022, 9:42 PM
Umherirrender claimed this task.Nov 20 2022, 6:58 PM
gerritbot added a comment.Mar 10 2023, 11:59 PM

Change 851136 merged by jenkins-bot:

[mediawiki/core@master] htmlform: Skip array query parameter on HtmlForm::addHiddenField

https://gerrit.wikimedia.org/r/851136

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.27; 2023-03-13).Mar 11 2023, 12:00 AM
Maintenance_bot removed a project: Patch-For-Review.Mar 11 2023, 12:10 AM
Umherirrender closed this task as Resolved.Mar 11 2023, 12:45 AM
Umherirrender merged a task: T196040: A MWException occurred when access index.php?title=Special:ListFiles/星耀晨曦&a[].Nov 12 2024, 9:41 PM
Umherirrender added subscribers: RazeSoldier, zhuyifei1999.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits