Page MenuHomePhabricator
Create Task
Maniphest T59467

Invalid IP given in XFF 'unknown, 10.64.0.126' during favicon.php requests
Closed, ResolvedPublic
Actions

Description

2013-11-23 01:02:07 mw1037 enwiki: [889271a1] /favicon.ico Exception from line 1183 of /usr/local/apache/common-local/php-1.23wmf4/includes/WebRequest.php: Invalid IP given in XFF 'unknown, 10.64.0.126'.
#0 /usr/local/apache/common-local/php-1.23wmf4/includes/ProxyTools.php(59): WebRequest->getIP()
#1 /usr/local/apache/common-local/wmf-config/throttle.php(65): wfGetIP()
#2 [internal function]: efRaiseAccountCreationThrottle()
#3 /usr/local/apache/common-local/php-1.23wmf4/includes/Setup.php(592): call_user_func('efRaiseAccountC...')
#4 /usr/local/apache/common-local/php-1.23wmf4/includes/WebStart.php(153): require_once('/usr/local/apac...')
#5 /usr/local/apache/common-local/w/favicon.php(5): require('/usr/local/apac...')
#6 {main}

Version: unspecified
Severity: major

Details

Reference
bz57467

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:38 AM
bzimport added a project: MediaWiki-General.
bzimport set Reference to bz57467.
bzimport added a subscriber: Unknown Object (MLST).
Reedy created this task.Nov 23 2013, 1:04 AM
saper added a comment.Nov 23 2013, 1:09 AM

(1) we trust a header too much
(2) a bug in the IP canon code, maybe

MZMcBride added a comment.Dec 30 2013, 2:15 AM

(In reply to comment #0)

Are you sure this is a MediaWiki bug? Given the involvement of favicon.php and throttle.php, this seems like a Wikimedia bug. Though maybe you think the issue is somewhere in MediaWiki core's includes/?

Reedy added a comment.Dec 30 2013, 4:18 PM

(In reply to comment #2)

(In reply to comment #0)

Are you sure this is a MediaWiki bug? Given the involvement of favicon.php
and
throttle.php, this seems like a Wikimedia bug. Though maybe you think the
issue
is somewhere in MediaWiki core's includes/?

The quoted string of 'unknown, 10.64.0.126' looks like the results of bad parsing. But it could easily be a bad header like Marcin said.

According to squid.php, 10.64.0.126 or cp1004 is an API caching server.. Slightly confused why that is serving favicon requests, but whatever.

gerritbot added a comment.Jan 27 2014, 8:03 PM

Change 109721 had a related patch set uploaded by Umherirrender:
Ignore 'unknown' in XFF

https://gerrit.wikimedia.org/r/109721

gerritbot added a comment.Jan 28 2014, 12:44 AM

Change 109721 merged by jenkins-bot:
Ignore 'unknown' in XFF

https://gerrit.wikimedia.org/r/109721

Umherirrender added a comment.Jan 28 2014, 4:25 PM

successfully merged

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL