Page MenuHomePhabricator

Special:MathStatus exception error on Wikifunctions
Open, LowestPublicBUG REPORT

Description

Steps to replicate the issue (include links if applicable):

What happens?:
Error message:
[380cfbca-13af-401b-9e85-d97b901582e2] 2023-08-14 22:27:56: Fatal exception of type "MediaWiki\Extension\Math\InvalidTeXException"

What should have happened instead?:
Output similar to that at other wikis, e.g. https://www.mediawiki.org/wiki/Special:MathStatus

(Reported by Ebrahim on Telegram)

Related Objects

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
OpenBUG REPORTNone
OpenNone

Event Timeline

This is because:

  • WF doesn't feature in RESTBase's list of known wikis (see T342865)
  • Math still calls RESTBase despite years of effort (see T334842)
  • MathStatus is enabled in production even though it's a sysadmin-facing test page (no task yet)

Each of these should be fixed, but the first is a good-enough-for-us fix.

Change 998489 had a related patch set uploaded (by Jforrester; author: Jforrester):

[mediawiki/extensions/Math@master] MathStatus: Unlist, only allow bigdelete users to use

https://gerrit.wikimedia.org/r/998489

  • MathStatus is enabled in production even though it's a sysadmin-facing test page (no task yet)

This is T252362 . According to this discussion, it should be restricted to those with purge rights. Otherwise, the page will let you do more things than before.

  • MathStatus is enabled in production even though it's a sysadmin-facing test page (no task yet)

This is T252362 . According to this discussion, it should be restricted to those with purge rights. Otherwise, the page will let you do more things than before.

There's no such thing as purge rights any more (see e.g. https://meta.wikimedia.org/wiki/Special:ListGroupRights), but also it should be more restricted than that anyway, and really just not available at all in production.

The intention was to create something like https://www.githubstatus.com/ (which does not require any login). However, as the page generates requests to the rendering back end, it might be a bit simpler for a malicious party to use this special page for a DDoS-attack. That is why the access was restricted. The section for custom input was added recently, as an alternative to create sandbox pages. We can switch that off in production if it's not desired.