Page MenuHomePhabricator

Special:Version produces warning when there's an open_basedir restriction, when checking for $wgGitBin
Open, MediumPublic

Description

Special:Version is using is_file() to check if $wgGitBin is set to a valid git binary path, but that produces a warning if there's an open_basedir restriction in effect. This only happens when there are extensions installed downloaded from git.

We should probably use error handling to prevent that warning from popping up.


Steps to reproduce:

  • Download an extension from Gerrit.
    • Example: go to the extensions directory and use git clone https://gerrit.wikimedia.org/r/p/mediawiki/extensions/UserMerge
  • Load the extension in LocalSettings.php.
    • Example: wfLoadExtension( 'UserMerge' );
  • Be sure php.ini has open_basedir set to MediaWiki install directory, and probably a temp directory like /tmp
  • Go to Special:Version and it should display the warning (if your error_reporting configuration is not hiding it).
NOTE: The warning will be displayed only once, then the information will be cached. To display the warning again you should clear the object cache. In case the object cache is in database, simply issue a truncate table objectcache; on the database and reload the Special:Version page again to see the warning.

Original Version: 1.23.5
Latest version reproduced: 1.29-rc0
URL: https://www.mediawiki.org/wiki/Thread:Project:Support_desk/Odd_occurrence_when_viewing_Special:Version

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:45 AM
bzimport set Reference to bz72445.
bzimport added a subscriber: Unknown Object (MLST).
Aklapper triaged this task as Lowest priority.Mar 23 2015, 5:15 PM
Aklapper added a project: good first task.
Aklapper set Security to None.
Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptJan 10 2017, 10:43 AM
samuelguebo added subscribers: D3r1ck01, samuelguebo.EditedJul 4 2017, 1:13 AM

Hello @D3r1ck01, I took a look at https://www.mediawiki.org/wiki/Thread:Project:Support_desk/Odd_occurrence_when_viewing_Special:Version and the issue seems to have been fixed if I am not wrong. If this is the case I'll try to pick another featured task from our list.

Hi @samuelguebo

I've tested it and it's still current in MediaWiki 1.29-rc.0, but maybe not so easy to reproduce, because apparently it only attempts to check for the git bin when there are extensions installed downloaded directly from git. Special:ExtensionDistribution on mediawiki.org already include some git metadata files with all the information, and MediaWiki doesn't need to retrieve this information from git.

I'm going to update the task description with clear steps to reproduce.

Hi @samuelguebo

I've tested it and it's still current in MediaWiki 1.29-rc.0, but maybe not so easy to reproduce, because apparently it only attempts to check for the git bin when there are extensions installed downloaded directly from git. Special:ExtensionDistribution on mediawiki.org already include some git metadata files with all the information, and MediaWiki doesn't need to retrieve this information from git.

I'm going to update the task description with clear steps to reproduce.

@samuelguebo, you now have the steps to reproduce, you can work on this right? Thanks @Ciencia_Al_Poder :)

Hello @D3r1ck01,

Indeed the description is more clear now. I will work on it. Thanks @Ciencia_Al_Poder

@samuelguebo I wish to work on this if you are no more on it. Thanks :)

Sure, you may go on and work on it.

Le 20 janv. 2018 20:16, "rosalieper" <no-reply@phabricator.wikimedia.org> a
écrit :

rosalieper added a comment.

@samuelguebo https://phabricator.wikimedia.org/p/samuelguebo/ I wish to
work on this if you are no more on it. Thanks :)

*TASK DETAIL*
https://phabricator.wikimedia.org/T74445

*EMAIL PREFERENCES*
https://phabricator.wikimedia.org/settings/panel/emailpreferences/

*To: *rosalieper
*Cc: *samuelguebo, D3r1ck01, TerraCodes, Ciencia_Al_Poder, Asad_Ali_Palijo,
JamieTubers, Lsherwinforone, Soteriaspace, RazeSoldier, Jayprakash12345,
JakeTheDeveloper, Eugene233, Ptolusque, Zoranzoki21, Sethakill, Zppix,
rosalieper, MuhammadShuaib, Wong128hk, Flixtey, SimmeD, Jdlrobson

Change 405725 had a related patch set uploaded (by Rosalieper; owner: Rosalieper):
[mediawiki/core@master] Version produces warning when checking for $wgGitBin

https://gerrit.wikimedia.org/r/405725

Le 20 janv. 2018 20:16, "rosalieper" <no-reply@phabricator.wikimedia.org> a
écrit :

@samuelguebo, maybe next time you can reply on the phab ticket itself to avoid email content (when replying via email) to be attached? Thanks :)

My bad, thanks @D3r1ck01 for notifying me.

Noella94 removed rosalieper as the assignee of this task.Feb 19 2018, 8:41 AM
Noella94 added a subscriber: rosalieper.

Change 405725 abandoned by Rosalieper:
Version produces warning when checking for $wgGitBin

https://gerrit.wikimedia.org/r/405725

rosalieper removed rosalieper as the assignee of this task.Feb 27 2018, 4:37 PM
Reedy updated the task description. (Show Details)

@rosalieper Are you still work it? If not, and if I can reproduce this error, I can work it.

RazeSoldier added a comment.EditedMar 3 2018, 1:11 PM

I follow step of the reproduce (except download an extension and load it step), only open_basedir set to MediaWiki install directory in LocalSettings.php, then my wiki was destroyed. I got two error messages:

  1. Warning: is_dir(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (w/) in w/includes/libs/filebackend/fsfile/TempFSFile.php on line 90
  2. Fatal error: Uncaught Error: Call to a member function getIP() on null in w/includes/user/User.php:2398 Stack trace: #0 w/includes/session/SessionBackend.php(712): User->getName() #1 w/includes/session/SessionBackend.php(596): MediaWiki\Session\SessionBackend->save() #2 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}() #3 w/vendor/wikimedia/scoped-callback/src/ScopedCallback.php(76): call_user_func_array(Object(Closure), Array) #4 w/vendor/wikimedia/scoped-callback/src/ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct() #5 w/includes/session/SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL) #6 w/includes/session/SessionManager.php(310): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest)) #7 w/includes/session/SessionManager.php(244): MediaWiki\Session\SessionManager->getEmptySe in w/includes/user/User.php on line 2398

I am not sure this task describe these errors, they seem to affect the entire wiki, not just Special:Version.

I follow step of the reproduce (except download an extension and load it step), only open_basedir set to MediaWiki install directory in LocalSettings.php, then my wiki was destroyed. I got two error messages:

  1. Warning: is_dir(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (w/) in w/includes/libs/filebackend/fsfile/TempFSFile.php on line 90

The temp directory should be inside the open_basedir allowed paths. Or try to define $wgTmpDirectory to a path withing the allowed paths.

I reproduce the error, but it looks like also caused when not load any extensions and skins.

Warning: is_file(): open_basedir restriction in effect. File(/usr/bin/git) is not within the allowed path(s): (/devmw/w:/tmp) in w/includes/GitInfo.php on line 228

D3r1ck01 raised the priority of this task from Lowest to Medium.Mar 5 2018, 8:41 AM
D3r1ck01 updated the task description. (Show Details)
Restricted Application removed a subscriber: Liuxinyu970226. · View Herald TranscriptJun 2 2018, 7:44 AM
RazeSoldier reopened this task as Open.Jun 2 2018, 7:45 AM

Oh, misoperation.

Can someone review this simple patch?

Change 416234 had a related patch set uploaded (by Aklapper; owner: 星耀晨曦):
[mediawiki/core@master] Checks if open_basedir include $wgGitBin before is_file()

https://gerrit.wikimedia.org/r/416234

Manually adding Core Platform Team as there is still a 30 line patch waiting for review

eprodromou added a subscriber: eprodromou.

All right, we've intaken it for code review, thanks.