MWException: HTML attribute value can not contain a list of values (in Special:ListFiles)
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Assigned To

Authored By

	hashar
	Oct 24 2022, 8:15 AM

Description

Error

mwversion: 1.40.0-wmf.6
reqId: 7990957f-608e-473a-8ef2-c3d976d1be1d
Find reqId in Logstash

normalized_message

[{reqId}] {exception_url}   MWException: HTML attribute value can not contain a list of values

exception.trace

from /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(556)
#0 /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(310): Html::expandAttributes(array)
#1 /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(215): Html::openElement(string, array)
#2 /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(240): Html::rawElement(string, array, string)
#3 /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(710): Html::element(string, array)
#4 /srv/mediawiki/php-1.40.0-wmf.6/includes/Html.php(852): Html::input(string, array, string, array)
#5 /srv/mediawiki/php-1.40.0-wmf.6/includes/htmlform/HTMLForm.php(1396): Html::hidden(string, array, array)
#6 /srv/mediawiki/php-1.40.0-wmf.6/includes/htmlform/HTMLForm.php(1294): HTMLForm->getHiddenFields()
#7 /srv/mediawiki/php-1.40.0-wmf.6/includes/htmlform/HTMLForm.php(1245): HTMLForm->getHTML(string)
#8 /srv/mediawiki/php-1.40.0-wmf.6/includes/specials/pagers/ImageListPager.php(564): HTMLForm->displayForm(string)
#9 /srv/mediawiki/php-1.40.0-wmf.6/includes/specials/SpecialListFiles.php(124): ImageListPager->getForm()
#10 /srv/mediawiki/php-1.40.0-wmf.6/includes/specialpage/SpecialPage.php(701): SpecialListFiles->execute(NULL)
#11 /srv/mediawiki/php-1.40.0-wmf.6/includes/specialpage/SpecialPageFactory.php(1451): SpecialPage->run(NULL)
#12 /srv/mediawiki/php-1.40.0-wmf.6/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)
#13 /srv/mediawiki/php-1.40.0-wmf.6/includes/MediaWiki.php(904): MediaWiki->performRequest()
#14 /srv/mediawiki/php-1.40.0-wmf.6/includes/MediaWiki.php(562): MediaWiki->main()
#15 /srv/mediawiki/php-1.40.0-wmf.6/index.php(50): MediaWiki->run()
#16 /srv/mediawiki/php-1.40.0-wmf.6/index.php(46): wfIndexMain()
#17 /srv/mediawiki/w/index.php(3): require(string)
#18 {main}

Impact

Notes

Four such requests happened at the same time all targeting aawiki, I suspect it is part of a penetration testing script similar to T321267 or T321133.

They all had the same url path: /wiki/Special:ListFiles?acx[[%24{98991*97996}]]xca&limit=20&user=<someusername>

A couple additional one tried to do some JavaScript injection.

Details

Request URL: https://aa.wikipedia.org/wiki/Special:ListFiles?acx%5B%5B%24%7B98991*97996%7D%5D%5Dxca=*&limit=*&user=*

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	htmlform: Skip array query parameter on HtmlForm::addHiddenField	mediawiki/core	master	+16 -2

Customize query in gerrit

Related Objects

Mentioned Here: rMWd7b6ad563c2a: Revamped Special:Imagelist. Implemented generic table-based data display.
T321133: PHP Notice: Array to string conversion (in SpecialNewFiles.php)
T321267: [subtask] PHP Warning: preg_match() expects parameter 2 to be string, array given (in Vector Hooks::shouldDisableMaxWidth)

Event Timeline

hashar created this task.Oct 24 2022, 8:15 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 24 2022, 8:15 AM

The functionality was added in d7b6ad563c2a846f9f9f9b9e2f7639f18e46daed and allows to resubmit every query parameter. This is useful for this special page to ensure the sort order in the result table is not lost when resubmiting the form. But it returns all query parameter, even the unknown one and for array parameter that is problematic.

Html::hidden value is typehinted as mixed, but the used Html::input only as string

Not sure how to change that.

Krinkle moved this task from Untriaged to Oct 2022 on the Wikimedia-production-error board.Oct 29 2022, 12:35 AM

I think long-term, it might be good for the supported options to be registered in the constructor of Pager subclasses so that this can iterate known values only, and those would then presumably already be normalised to strings or validated/rejected before this point.

@Umherirrender For now, given it is a generic method that handles any/all parameters, I propose limiting it to string values and thus silently discard anything else in TablePager::getHiddenFields(). From what I can tell, that does not cause any unwanted side-effects as any array values are by definition either invalid input from URL mangling, or genuine fields that can't be roundtripped this way anyway so it's simply not supported and never was.

I suggest documenting in the method that array parameters are not supported through this and will not be preserved.

Change 851136 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/core@master] htmlform: Skip array query parameter on HtmlForm::addHiddenField

https://gerrit.wikimedia.org/r/851136

gerritbot added a project: Patch-For-Review.Oct 31 2022, 9:42 PM

Umherirrender claimed this task.Nov 20 2022, 6:58 PM

Change 851136 merged by jenkins-bot:

[mediawiki/core@master] htmlform: Skip array query parameter on HtmlForm::addHiddenField

https://gerrit.wikimedia.org/r/851136

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.27; 2023-03-13).Mar 11 2023, 12:00 AM

Maintenance_bot removed a project: Patch-For-Review.Mar 11 2023, 12:10 AM

Umherirrender closed this task as Resolved.Mar 11 2023, 12:45 AM

Umherirrender merged a task: T196040: A MWException occurred when access index.php?title=Special:ListFiles/星耀晨曦&a[].Nov 12 2024, 9:41 PM

Umherirrender added subscribers: RazeSoldier, zhuyifei1999.

MWException: HTML attribute value can not contain a list of values (in Special:ListFiles)Closed, ResolvedPublicPRODUCTION ERRORActions