Page MenuHomePhabricator
Create Task
Maniphest T106732

[Regression] PHP files in /static (and /w/static) on text domains should not execute
Closed, ResolvedPublic
Actions

Description

https://en.wikipedia.org/static/current/resources/Resources.php
https://en.wikipedia.org/w/static/current/resources/Resources.php
https://en.wikipedia.org/w/resources/Resources.php

Not an entry point.

Which indicates PHP code did execute.

https://en.wikipedia.org/static/current/extensions/VisualEditor/includes/VisualEditorDataModule.php
https://en.wikipedia.org/w/static/current/extensions/VisualEditor/includes/VisualEditorDataModule.php

PHP fatal error:
unknown class ResourceLoaderModule

The /w/extensions directory has php-engine flag Off. And bits.wikimedia.org used to as well. But this new /static and /w/static do not have that setting.

Details

SubjectRepoBranchLines +/-
Remove inaccessible symlinks at /w/extensions and /w/skinsoperations/mediawiki-configmaster+0 -2
Customize query in gerrit

Related Objects

Event Timeline

Krinkle created this task.Jul 23 2015, 6:51 PM
Krinkle raised the priority of this task from to Needs Triage.
Krinkle updated the task description. (Show Details)
Krinkle added projects: Deployments, Varnish, Security-General, Regression.
Krinkle changed the visibility from "Public (No Login Required)" to "WMF-NDA (Project)".
Krinkle changed the edit policy from "All Users" to "WMF-NDA (Project)".
Krinkle added subscribers: Krinkle, mmodell, ori.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 23 2015, 6:51 PM
mmodell moved this task from To Triage to Externally Blocked on the Deployments board.Aug 5 2015, 4:08 PM
mmodell added a comment.Aug 5 2015, 4:33 PM

Does this get set via .htaccess? I'm not sure how to go about fixing this.

Krinkle added a comment.Sep 8 2015, 5:13 AM

May be related to this:
https://github.com/wikimedia/operations-puppet/blob/9ce8cafd06382c58008045f1cf30a35c1f29051c/modules/mediawiki/files/apache/beta/sites/remnant.conf#L12
https://github.com/wikimedia/operations-puppet/blob/b594142c040b5a239604871186ae6bbea7c45830/modules/mediawiki/files/apache/sites/wikimedia-common.incl#L8

<IfDefine HHVM>
    ProxyPass       /wiki                fcgi://127.0.0.1:9000/srv/mediawiki/docroot/commons/w/index.php retry=0
    ProxyPass       /w/extensions        !
    ProxyPassMatch  ^/w/(.*\.(php|hh))$  fcgi://127.0.0.1:9000/srv/mediawiki/docroot/commons/w/$1

Before migration to HHVM, we used to specify Directory w/extensions php-engine flag Off somewhere in apache config.

Krinkle updated the task description. (Show Details)Sep 8 2015, 5:14 AM
Krinkle set Security to None.
Krinkle updated the task description. (Show Details)
Krinkle renamed this task from The /static (and /w/static) directories no longer set php-engine=Off to [Regression] PHP files in /static (and /w/static) on text domains should not execute.Feb 5 2016, 5:07 PM
Krinkle triaged this task as High priority.

This is probably caused by puppet:///modules/mediawiki/files/apache/configs/hhvm_catchall.conf

<IfDefine HHVM>
    <FilesMatch "\.(php|hh)$">
        RewriteRule ^(.*)$ fcgi://127.0.0.1:9000$1 [P]
    </FilesMatch>
</IfDefine>
greg mentioned this in T126631: Further cleanup of #Deployment-Systems.Feb 11 2016, 5:41 PM
Aklapper added a project: Traffic.May 4 2016, 9:14 AM
Restricted Application added a project: SRE. · View Herald TranscriptMay 4 2016, 9:14 AM
Krinkle updated the task description. (Show Details)May 10 2016, 4:46 PM
Krinkle updated the task description. (Show Details)
BBlack moved this task from Backlog to Radar/Not for service by Traffic on the Traffic board.Oct 4 2016, 1:19 PM
Krinkle removed a project: Varnish.Mar 28 2017, 12:14 AM
Joe subscribed.Jun 18 2018, 2:56 PM

I think this would be fixed by specifying better the catchall.

Joe added a project: User-Joe.Jun 18 2018, 2:56 PM
Aklapper added a project: acl*security.Sep 20 2018, 9:19 AM
Aklapper removed a project: Security-General.Dec 13 2019, 10:46 AM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
Krinkle updated the task description. (Show Details)Feb 10 2020, 11:27 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Sep 1 2021, 11:21 PM
BBlack subscribed.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

Krinkle added a subscriber: dancy.Sep 14 2021, 7:35 PM
Joe mentioned this in T285232: The restricted/mediawiki-webserver image should include skins and resources.Oct 25 2021, 5:41 AM
Krinkle updated the task description. (Show Details)Apr 7 2022, 2:17 PM
BBlack moved this task from Backlog to Close or Untag? on the Traffic-Icebox board.Apr 7 2022, 9:06 PM
BCornwall subscribed.Mar 16 2023, 6:40 PM

Hi, @Krinkle! This is a really old bug so I'm sorry if you cannot remember, but do you know if this is still an issue? These links are giving me 404s, which gives me the impression that this has been fixed (either incidentally with the myriad changes in the past decade or by your patch which was merged).

BCornwall closed this task as Resolved.Mar 30 2023, 8:30 PM
BCornwall claimed this task.

Setting as resolved for the reasons detailed above. If this is in error, please feel free to re-open! Thanks for the work on this ticket. :)

Krinkle added a comment.Apr 12 2023, 6:22 AM

Thanks @BCornwall. This is indeed resolved. The paths did change a bit so in this case the (expected) 404 Not Found is not (only) because the problem was solved meanwhile.

The fix for this issue happened as part of T302465. Specifically we added a rewrite rule for a new /w/{skins,resources,extensions}/* route that proxies through /w/static.php, which only serves files statically, never executing anything. The /static/current/* URLs, which unlike the name suggested were not static, were deprecated in favour of the new /w/* URLs. Once all usage was updated, we removed support for those /static/current/ URLs by removing the symlink that exposed those directories from the docroot in https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/779944/.

Krinkle changed the visibility from "WMF-NDA (Project)" to "Public (No Login Required)".Apr 12 2023, 6:22 AM
Krinkle changed the edit policy from "WMF-NDA (Project)" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits