Auth_remoteuser: Allowed memory size exhausted
Closed, Resolved / Public / BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • Upgrade MediaWiki 1.40.3 -> 1.42.1
  • Navigate to wiki

What happens?:

Browser spends ~30s 'thinking' then displays a blank page.

What should have happened instead?:

Normal wiki content.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

MediaWiki	1.42.1
PHP	8.3.8 (apache2handler)
ICU	74.2
MariaDB	10.6.18-MariaDB

Auth_remoteuser REL1_42

Other information (browser name/version, screenshots, etc.):

Checking the web server error log I see entries like:

PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 16384 bytes) in /data/webs/wikirw/includes/libs/rdbms/database/DatabaseMySQL.php on line 756

but it looks like DatabaseMySQL.php:756 is an innocent bystander because the amount of memory allocation attempted, the current script, and the line all vary:

PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/libs/rdbms/database/DatabaseMySQL.php on line 764,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/exception/MWExceptionHandler.php on line 391,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/Request/HeaderCallback.php on line 81,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/libs/rdbms/database/DatabaseMySQL.php on line 763,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/exception/MWExceptionHandler.php on line 391,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/Request/HeaderCallback.php on line 81,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/libs/rdbms/database/DatabaseMySQL.php on line 763,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/exception/MWExceptionHandler.php on line 391,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/Request/HeaderCallback.php on line 81,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/libs/rdbms/database/DatabaseMySQL.php on line 763,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/exception/MWExceptionHandler.php on line 391,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/Request/HeaderCallback.php on line 81,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in /data/webs/wikirw/includes/libs/rdbms/platform/SQLPlatform.php on line 1042,

If I comment out "wfLoadExtension( 'Auth_remoteuser' );" in LocalSettings.php, the wiki behaves fine, but without the user logged in.

Using curl(1) to fetch a wiki page with the extension loaded, I see an HTTP 500 response after ~17s, and zero content.

This may be related to the problem described in T368904.
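
The triage step described in the report above (noticing that the failing file and line vary between entries) can be automated. This is an added example, not part of the original report or the extension's code; the sample lines are copied from the log excerpt above, and the thresholds behind `scattered` are assumptions.

```python
import re
from collections import Counter

# Sample input: a subset of the error-log lines quoted in the report above.
SAMPLE_LOG = """\
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 16384 bytes) in /data/webs/wikirw/includes/libs/rdbms/database/DatabaseMySQL.php on line 756
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/libs/rdbms/database/DatabaseMySQL.php on line 764,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/exception/MWExceptionHandler.php on line 391,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/Request/HeaderCallback.php on line 81,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 2097152 bytes) in /data/webs/wikirw/includes/libs/rdbms/database/DatabaseMySQL.php on line 763,
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in /data/webs/wikirw/includes/libs/rdbms/platform/SQLPlatform.php on line 1042,
"""

FATAL_RE = re.compile(
    r"Allowed memory size of (?P<limit>\d+) bytes exhausted "
    r"\(tried to allocate (?P<alloc>\d+) bytes\) "
    r"in (?P<file>\S+) on line (?P<line>\d+)"
)


def summarize(log_text):
    """Group PHP memory-exhaustion fatals by the file:line where they surfaced."""
    sites = Counter()
    limits, allocs = set(), set()
    for m in FATAL_RE.finditer(log_text):
        limits.add(int(m["limit"]))
        allocs.add(int(m["alloc"]))
        sites[(m["file"].rsplit("/", 1)[-1], int(m["line"]))] += 1
    total = sum(sites.values())
    top_share = max(sites.values()) / total if total else 0.0
    return {
        "events": total,
        "limits": limits,
        "allocs": allocs,
        "sites": sites,
        # Assumed heuristic: three or more distinct sites with no dominant one
        # means the reported line is only where the budget ran out, so look
        # upstream for a runaway loop or recursion instead of at that line.
        "scattered": total >= 3 and len(sites) >= 3 and top_share < 0.8,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (name, line), count in result["sites"].most_common():
        print(f"{count:3d}  {name}:{line}")
    print("scattered failure sites:", result["scattered"])
```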

Event Timeline

Loaded the latest release: Auth_remoteuser-REL1_42-f44911a.tar.gz and still have blank wiki pages (white screen) and memory exhaustion messages in the web server error log as above. This is after having upgraded:

MariaDB 10.6.18 -> 10.6 19
PHP 8.3.8 -> 8.3.10
Auth_remoteuser REL1_42-87be927 -> REL1_42-f44911a
MediaWiki 1.42.1 works (read-only/no login) if I disable Auth_remoteuser in LocalSettings.php
Auth_remoteuser works if I downgrade to MediaWiki 1.41.2

Regression was caused by dfc691bfc52 "Migrate callers of deprecated method BlockManager::getUserBlock()" (T345683). In includes/Permissions/PermissionManager.php, the user rights cache was modified. My guess is that the caching stopped working and now the user rights checks run multiple times when a permission check is done within a SessionProvider.

So my bad idea right now is to add the following to the top of the UserNameSessionProvider::refreshSessionInfo method:

static $loaded = false;
if ($loaded) {
    return true;
}
$loaded = true;

The web page displays, but I'm worried that things won't be initialized correctly. I need help! Is it a bug in MediaWiki core? Or am I not allowed to User->isAllowed() inside of a SessionProvider's refreshSessionInfo method?

Here's a much safer temporary workaround: Replace !$user->isAllowed( 'createaccount' ) with true or false within the refreshSessionInfo() method in UserNameSessionProvider.php. true would mean "Users are not allowed to create accounts".

@jrchamp Thanks for the workaround!

Hi, I came back to confirm that this bug still exists in the Auth_remoteuser-REL1_43-c985d52.tar.gz release which I just installed when upgrading to 1.43.3.

The bug still exists with MediaWiki version 1.43.7.

Is there a (known) way to fix that bug?

The workaround from @jrchamp dated September 17, 2024 above works for me. I would suggest this is just checked in (or, rather, a separate global config variable is added and used here) so this stops biting people, as there doesn't seem to be the interest/experience in "fixing it" in the equivalent way.

@JeredF It's definitely the experience piece that's the limiting factor. Between true and false, the temporary workaround would be to "show the link even if people can't use the link". I'm living in a figurative construction zone right now, so if someone can open a change in the software system, I can review and approve it.

@jrchamp Thanks; I'm flagging this for my "todo" pile unfortunately -- I know nothing about the MW codebase and am currently a bit overcommitted also. :-/

Change #1181135 had a related patch set uploaded (by Robert Vogel; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@REL1_43] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1181135

I have created a patch at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Auth_remoteuser/+/1181135

Maybe someone can confirm it works?

Thank you for your effort. Unfortunately it only half works. In my case it works if the remote user also exists in MediaWiki, but it doesn't work otherwise. Consider that I have "autocreateaccount" disabled, because I want a remote user to have read only permissions if the same user doesn't exist in MediaWiki, and read-write permissions if the user exists in MediaWiki too.

@Osnard @Metaldaze80 I have updated https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Auth_remoteuser/+/1181135 to try and complete the patch. If the infinite loop is resolved and turning the createaccount setting on/off has an effect, then I think this is an overall improvement over the current version. Thank you for your efforts!

Thank you. I cannot believe I missed this line. How embarrassing.

Change #1181135 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@REL1_43] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1181135

Change #1187013 had a related patch set uploaded (by Jrchamp; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@REL1_44] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187013

Change #1187015 had a related patch set uploaded (by Jrchamp; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@master] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187015

Change #1187013 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@REL1_44] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187013

Change #1187015 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@master] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187015

jrchamp assigned this task to Osnard.

Thank you @Osnard for the fix and everyone else who discussed the issue. The fix has been merged and should be available now in the 1.43, 1.44 and master branches.

Change #1187054 had a related patch set uploaded (by Jrchamp; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@REL1_42] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187054

Change #1187054 merged by Jrchamp:

[mediawiki/extensions/Auth_remoteuser@REL1_42] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187054

Unfortunately, it only half works for me.

I have

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;

because I want to grant read-only access to remote users who do not have a MediaWiki account. When such a user tries to log in, the same memory error appears.

To make things work, I need to change the following:

381c381
<                               if ( $anon->isAllowedAny( 'autocreateaccount', 'createaccount' ) ) {
---
>                               if ( false ) {
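
Review bot: the replacement condition `if ( false )` at line 381 hard-codes the result, so the branch guarded by `$anon->isAllowedAny( 'autocreateaccount', 'createaccount' )` can never run, whatever the wiki's settings for those two rights. If the call itself is what has to be avoided, derive the condition from the configured values for those rights rather than from a constant, and leave a comment at that line explaining why the permission call was replaced.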

I cannot figure out why. Do you have any suggestions?

Sorry about that! That check should also be moved like the other one.

Wouldn't

$wgGroupPermissions['*']['createaccount'] = false; // Disallow user registration via web UI
$wgGroupPermissions['*']['autocreateaccount'] = true; // Only applies in case Extension:Auth_remoteuser wants to create a user
$wgGroupPermissions['*']['edit'] = false;

be suitable in this case as well?

Change #1188293 had a related patch set uploaded (by Robert Vogel; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@master] Check local config to avoid infinite loop

https://gerrit.wikimedia.org/r/1188293

FYI: I have created https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Auth_remoteuser/+/1188293 as a proposal. Have set it to WIP, as I didn't have time to test it yet. Open for discussion.

Hint: I am not entirely sure if the original check is still valid in modern MediaWiki. Description says

Our parent class provided a session info, but the $wgGroupPermission for creating user accounts was changed while using this extension.

AFAIK, currently a change in $wgGroupPermission will not be possible anymore once GroupPermissionsLookup has been initialized. So I don't see how this situation can happen in MediaWiki 1.43+

This looks great! If it passes your tests, I'm happy to +2.

I tried the patch, but I've got the following error

PHP message: PHP Fatal error:  Type of MediaWiki\\Extension\\Auth_remoteuser\\UserNameSessionProvider::$config must not be defined (as in class MediaWiki\\Session\\SessionProvider) in /var/www/wiki.inturri.net/extensions/Auth_remoteuser/src/UserNameSessionProvider.php on line 6

What does the following line mean?

protected Config $config;

Because after removing that line, the code seems to be working.

I'm sorry if I cannot be more helpful, but I don't have enough knowledge to fully understand the problem.

Sorry, my bad. As mentioned in the discussion on the change, this object member is not required, as it is already declared in the base class. So, yes, one can safely remove this line.

So I can say that it works perfectly with my configuration.

Thank you very much!

Change #1188293 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@master] Check local config to avoid infinite loop

https://gerrit.wikimedia.org/r/1188293

Change #1188883 had a related patch set uploaded (by Jrchamp; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@REL1_44] Check local config to avoid infinite loop

https://gerrit.wikimedia.org/r/1188883

Change #1189583 had a related patch set uploaded (by Jrchamp; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@REL1_43] Check local config to avoid infinite loop

https://gerrit.wikimedia.org/r/1189583

Change #1189584 had a related patch set uploaded (by Jrchamp; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@REL1_42] Check local config to avoid infinite loop

https://gerrit.wikimedia.org/r/1189584

Change #1188883 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@REL1_44] Check local config to avoid infinite loop

https://gerrit.wikimedia.org/r/1188883

Change #1189583 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@REL1_43] Check local config to avoid infinite loop

https://gerrit.wikimedia.org/r/1189583

Change #1189584 merged by Jrchamp:

[mediawiki/extensions/Auth_remoteuser@REL1_42] Check local config to avoid infinite loop

https://gerrit.wikimedia.org/r/1189584

jrchamp closed this task as Resolved. (Edited Sep 18 2025, 9:43 PM)

@Osnard @Metaldaze80 Thank you both for your development and testing on this issue. I believe all of the permission checks are happening in ways that do not produce an infinite loop now.