
AuthRemoteuserFilterUserName hook not working in 1.43
Closed, Resolved | Public | BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • Deploy new MediaWiki site on 1.43 and initialize database using install.php
  • Install Auth_remoteuser extension from REL1_43 branch
  • Add the following to LocalSettings.php and try browsing to the site:
wfLoadExtension( 'Auth_remoteuser' );
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['edit'] = false;
// Take the remote user name from the REMOTE_USER request header when available
if ( function_exists( 'apache_request_headers' ) ) {
    $wgAuthRemoteuserUserName = apache_request_headers()['REMOTE_USER'];
} else {
    $wgAuthRemoteuserUserName = '';
}
// Strip the Kerberos realm suffix from the remote user name
$wgAuthRemoteuserUserNameReplaceFilter = [
    '@MYDOMAIN.COM$' => ''
];
// Debugging output for the error reported below
ini_set( 'display_errors', 1 );
$wgShowDBErrorBacktrace = true;
$wgShowExceptionDetails = true;

What happens?:

Browsing to a page results in this message:

[e0395375db81ffbf0540d309] /main/Main_Page Error: Typed property MediaWiki\Extension\Auth_remoteuser\AuthRemoteuserSessionProvider::$hookContainer must not be accessed before initialization

Backtrace:

from /var/www/html/extensions/Auth_remoteuser/src/AuthRemoteuserSessionProvider.php(247)
#0 /var/www/html/extensions/Auth_remoteuser/src/AuthRemoteuserSessionProvider.php(113): MediaWiki\Extension\Auth_remoteuser\AuthRemoteuserSessionProvider->setUserNameReplaceFilter(array)
#1 /var/www/html/vendor/wikimedia/object-factory/src/ObjectFactory.php(240): MediaWiki\Extension\Auth_remoteuser\AuthRemoteuserSessionProvider->__construct(MediaWiki\Config\GlobalVarConfig, MediaWiki\HookContainer\HookContainer, MediaWiki\User\Options\UserOptionsManager)
#2 /var/www/html/vendor/wikimedia/object-factory/src/ObjectFactory.php(149): Wikimedia\ObjectFactory\ObjectFactory::getObjectFromSpec(array, array)
#3 /var/www/html/includes/session/SessionManager.php(482): Wikimedia\ObjectFactory\ObjectFactory->createObject(array)
#4 /var/www/html/includes/session/SessionManager.php(541): MediaWiki\Session\SessionManager->getProviders()
#5 /var/www/html/includes/session/SessionManager.php(248): MediaWiki\Session\SessionManager->getSessionInfoForRequest(MediaWiki\Request\WebRequest)
#6 /var/www/html/includes/Request/WebRequest.php(867): MediaWiki\Session\SessionManager->getSessionForRequest(MediaWiki\Request\WebRequest)
#7 /var/www/html/includes/session/SessionManager.php(167): MediaWiki\Request\WebRequest->getSession()
#8 /var/www/html/includes/Setup.php(492): MediaWiki\Session\SessionManager::getGlobalSession()
#9 /var/www/html/includes/WebStart.php(85): require_once(string)
#10 /var/www/html/index.php(50): require(string)
#11 {main}

What should have happened instead?:

UserNameReplaceFilter works and strips Kerberos principal from my username.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):
1.43.0, using REL1_43 branch of Auth_remoteuser extension

Other information (browser name/version, screenshots, etc.):

Encountered this while testing an upgrade from 1.39 to 1.43 of a site using this extension, but was able to reproduce the issue on a fresh install with no other extensions enabled.

Confirmed that removing $wgAuthRemoteuserUserNameReplaceFilter avoids the problem, and also confirmed that $wgAuthRemoteuserUserNameBlacklistFilter and $wgAuthRemoteuserUserNameWhitelistFilter both appear to result in the same behavior, so I am generalizing my issue to the AuthRemoteuserFilterUserName hook.

Looking through code history, f2ed3cc seems like it may be relevant, but I'm not familiar enough with the underlying HookContainer functionality to determine what exactly is going wrong.
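The constructor-order bug behind the error above, as an added PHP example that is not the extension's code: a minimal stand-in provider with a typed `$hookContainer` property whose filter setter registers the AuthRemoteuserFilterUserName handler before the property is assigned, next to the corrected order. The `HookContainer` stand-in, the `$assignFirst` switch, `filterUserName()` and applying the replace patterns with `preg_replace` and `/` delimiters are all simplifications assumed here, not the extension's implementation.

```php
<?php
// Hypothetical stand-in for MediaWiki's HookContainer: a handler gets a value and returns the filtered value.
final class HookContainer {
    private array $handlers = [];
    public function register(string $hook, callable $handler): void {
        $this->handlers[$hook][] = $handler;
    }
    public function run(string $hook, string $value): string {
        foreach ($this->handlers[$hook] ?? [] as $handler) {
            $value = $handler($value);
        }
        return $value;
    }
}
// Simplified provider: $assignFirst = false is the broken order from the report, true is the fix.
final class UserNameSessionProvider {
    private HookContainer $hookContainer; // typed property: unset until assigned
    public function __construct(HookContainer $hc, array $replaceFilter, bool $assignFirst) {
        if ($assignFirst) {
            $this->hookContainer = $hc;
        }
        $this->setUserNameReplaceFilter($replaceFilter); // reads $this->hookContainer
        if (!$assignFirst) {
            $this->hookContainer = $hc; // never reached: the call above already threw
        }
    }
    // Registers the AuthRemoteuserFilterUserName handler. Applying the patterns with
    // preg_replace and '/' delimiters is an assumption, not the extension's code.
    private function setUserNameReplaceFilter(array $patterns): void {
        $this->hookContainer->register('AuthRemoteuserFilterUserName',
            static function (string $userName) use ($patterns): string {
                foreach ($patterns as $pattern => $replacement) {
                    $userName = preg_replace('/' . $pattern . '/', $replacement, $userName);
                }
                return $userName;
            });
    }
    public function filterUserName(string $remoteUser): string {
        return $this->hookContainer->run('AuthRemoteuserFilterUserName', $remoteUser);
    }
}
$filter = ['@MYDOMAIN.COM$' => '']; // the filter from the report
try {
    new UserNameSessionProvider(new HookContainer(), $filter, false);
} catch (Error $e) {
    echo "broken order: {$e->getMessage()}\n";
}
$fixed = new UserNameSessionProvider(new HookContainer(), $filter, true);
echo "fixed order: {$fixed->filterUserName('Myname@MYDOMAIN.COM')}\n";
```

The first construction throws the same "must not be accessed before initialization" Error as the backtrace above; the second registers the handler and maps the full principal to the realm-stripped name.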

Event Timeline

Change #1111705 had a related patch set uploaded (by Wargo; author: Wargo):

[mediawiki/extensions/Auth_remoteuser@master] Fix order or execution: assign hookContainer before using

https://gerrit.wikimedia.org/r/1111705

Thanks. It looks like this patch fixes the issue for me on a fresh install.

I also tried applying this to the site I had initially set up for testing, where I had already allowed an account to get created for my full Kerberos principal name (e.g. Myname@MYDOMAIN.COM) to verify that things worked without the filter. I found that if I re-enable the filter and browse to the site (from the same browser session), expecting it to create a new account for Myname, I instead get into an infinite loop in the SessionManager code (which times out after 30 seconds). I suspect this is because my browser session has cookies referring to a session (for what is now a different user) that's still in the session cache, because if I browse to the site from a browser with an empty cache, it succeeds at creating a new account for Myname.

I'm not sure how important this is, but it seems like it could cause issues if the filters are changed on a live site where users have sessions open (which I would not plan on doing), or potentially when users have their usernames changed in the remote auth system (which does happen in our environment). I can supply an example of the backtrace of this issue if you think it's worth investigating.

EDIT: Actually I take back my concern about name changes in the external auth system -- the user would have to reauthenticate against that system with a new name and would hopefully end up with a browser session that looks different enough to avoid this problem.

[...] I instead get into an infinite loop in the SessionManager code (which times out after 30 seconds) [...]

I was facing the same issue when having $wgAuthRemoteuserAllowUserSwitch set to false (default). It resulted in a loop when calling User::isAllowed in https://github.com/wikimedia/mediawiki-extensions-Auth_remoteuser/blob/a3162066599b94ab4e5fb4a4ccdddda8ddccdbd9/src/UserNameSessionProvider.php#L528

Change #1111705 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@master] Fix order or execution: assign hookContainer before using

https://gerrit.wikimedia.org/r/1111705

Change #1189909 had a related patch set uploaded (by Jrchamp; author: Wargo):

[mediawiki/extensions/Auth_remoteuser@REL1_44] Fix order or execution: assign hookContainer before using

https://gerrit.wikimedia.org/r/1189909

Change #1189910 had a related patch set uploaded (by Jrchamp; author: Wargo):

[mediawiki/extensions/Auth_remoteuser@REL1_43] Fix order or execution: assign hookContainer before using

https://gerrit.wikimedia.org/r/1189910

Change #1189910 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@REL1_43] Fix order or execution: assign hookContainer before using

https://gerrit.wikimedia.org/r/1189910

Change #1189909 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@REL1_44] Fix order or execution: assign hookContainer before using

https://gerrit.wikimedia.org/r/1189909