Page MenuHomePhabricator
Create Task
Maniphest T52919

Error for invalid on-wiki JavaScript can show wrong filename
Closed, ResolvedPublic
Actions

Description

When on-wiki JavaScript fails JSMin's (JSParser to be exact) validation, it makes the minified script file just throw an error. This error thrown includes the page name (e.g. User:Example/common.js).

This output is cached, which means if someone copies the JavaScript (e.g. to debug the problem), it will show the wrong filename/page name for that subsequent user.

This usually won't be too hard for a user to figure out (particularly if there's only one copy). However, the page name could be added to the cache key to fix this. I don't think this will have too much of a performance impact. There generally shouldn't be many identical copies of a script (there are certainly scripts widely imported, though).

Version: 1.22.0
Severity: enhancement

Details

Reference
bz50919
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
resourceloader: Simplify validateScriptFile() with getWithSetCallbackmediawiki/coremaster+21 -25
resourceloader: Add filename to validateScriptFile cache keymediawiki/coremaster+3 -2
Customize query in gerrit

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 1:56 AM
bzimport added a project: MediaWiki-ResourceLoader.
bzimport set Reference to bz50919.
bzimport added a subscriber: Unknown Object (MLST).
Mattflaschen-WMF created this task.Jul 8 2013, 3:23 AM
brooke added a comment.Jul 8 2013, 5:55 PM

Sounds reasonable...

Krinkle moved this task from Inbox to Accepted Enhancement on the MediaWiki-ResourceLoader board.Apr 28 2015, 6:44 PM
Krinkle set Security to None.Sep 4 2015, 3:59 AM
Krinkle removed a subscriber: wikibugs-l-list.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 4 2015, 3:59 AM
Krinkle added a comment.EditedSep 4 2015, 4:01 AM

This relates to ResourceLoaderModule::validateScriptFile which takes filename as argument but uses a hash of the script content for the cache key. Since the "parse error" message will reference e.g. "foo.js on line 5" it is cached along.

However when different users have the same script in their user space, it would potentially show the wrong filename.

Krinkle moved this task from Accepted Enhancement to Confirmed Problem on the MediaWiki-ResourceLoader board.Sep 18 2015, 9:13 PM
Krinkle claimed this task.May 12 2017, 6:03 PM
Krinkle moved this task from Confirmed Problem to Assigned on the MediaWiki-ResourceLoader board.
Krinkle added a project: Performance-Team.
gerritbot subscribed.May 12 2017, 6:06 PM

Change 353590 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/core@master] resourceloader: Simplify validateScriptFile() with getWithSetCallback

https://gerrit.wikimedia.org/r/353590

gerritbot added a project: Patch-For-Review.May 12 2017, 6:06 PM

Change 353591 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/core@master] resourceloader: Add filename to validateScriptFile cache key

https://gerrit.wikimedia.org/r/353591

gerritbot added a comment.May 13 2017, 12:32 AM

Change 353590 merged by jenkins-bot:
[mediawiki/core@master] resourceloader: Simplify validateScriptFile() with getWithSetCallback

https://gerrit.wikimedia.org/r/353590

gerritbot added a comment.May 13 2017, 12:36 AM

Change 353591 merged by jenkins-bot:
[mediawiki/core@master] resourceloader: Add filename to validateScriptFile cache key

https://gerrit.wikimedia.org/r/353591

ReleaseTaggerBot added a project: MW-1.30-release-notes.May 13 2017, 1:00 AM
Gilles moved this task from Inbox, needs triage to Doing (old) on the Performance-Team board.May 17 2017, 6:40 PM
Krinkle closed this task as Resolved.May 25 2017, 3:04 PM
Krinkle removed a project: Patch-For-Review.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits