
Editing wiki request allows for inserting uppercase characters into database name
Closed, Resolved (Public)

Description

Editing a wiki request (code) does not perform any validation or standardization upon input. It must be as stringent as the original RequestWiki checks.

Wiki: metawiki

Error:

Sorry! This site is experiencing technical difficulties.
Try waiting a few minutes and reloading. For more information on this error please check out our twitter page (https://twitter.com/Miraheze) or contact the system administrators by connecting to #miraheze on irc.libera.chat.

(Cannot access the database: Cannot access the database: Unknown error (db11.miraheze.org))

Note(s): Appears localised to this wiki request.

I don't have time to link the prior task(s), but this seems related to, and a recurrence of, a prior issue. @Void or @Universal_Omega should be able to provide the remediation and link the prior task.

Thanks.

Event Timeline

Dmehus triaged this task as High priority. Jun 30 2021, 12:07
Dmehus created this task.
Dmehus updated the task description. (Show Details)
Dmehus moved this task from Incoming to Short Term on the Infrastructure (SRE) board.

@Dmehus You say linked to #19059 but when is the error actually happening?

These are the kinds of errors persisting in the MySQL error log:

2021-06-30 12:10:58 0 [ERROR] InnoDB: (Duplicate key) writing word node to FTS auxiliary index table.
2021-06-30 12:11:26 1171539054 [Warning] Aborted connection 1171539054 to db: 'mhglobal' user: 'mediawiki' host: '2001:41d0:800:178a::8' (Got an error reading communication packets)
2021-06-30 12:11:26 1171539062 [Warning] Aborted connection 1171539062 to db: 'commonswiki' user: 'mediawiki' host: '2001:41d0:800:178a::8' (Got an error reading communication packets)

Prior task is T7549#151608, might be related

@Reception123 Yep, that's the one! Thanks :)

Doesn't seem related to prior task. In this case, the wiki request was declined. I'm not sure how it's broken, but I notice that the request does not seem to match the farmer log.

Bug is caused by a wiki request having been edited to have a database name of Musicwiki, which matches against musicwiki, but the former does not actually exist, which is what is causing this error.

In T7566#152019, @Void wrote:

Bug is caused by a wiki request having been edited to have a database name of Musicwiki, which matches against musicwiki, but the former does not actually exist, which is what is causing this error.

Should we not require lowercase for DB names?

Void renamed this task from Persistent cannot connect to database server (db11.miraheze.org) on metawiki to Editing wiki request allows for inserting uppercase characters into database name. Jun 30 2021, 14:49
Void lowered the priority of this task from High to Normal.
Void updated the task description. (Show Details)
In T7566#152019, @Void wrote:

Bug is caused by a wiki request having been edited to have a database name of Musicwiki, which matches against musicwiki, but the former does not actually exist, which is what is causing this error.

Should we not require lowercase for DB names?

We should, but see updated task description. RequestWikiQueue does not perform any validation when you edit a request.

RhinosF1 changed the visibility from "Public (No Login Required)" to "Custom Policy". Jun 30 2021, 14:51
RhinosF1 changed the edit policy from "All Users" to "Custom Policy".

By definition this is a security issue. We've got missing validation with the ability to take the site partially down.

RhinosF1 removed a subscriber: Bukkit.

Void has also raised blacklisted subdomains etc

Void has also raised blacklisted subdomains etc

Subdomain blacklist can also be bypassed.

For the security aspect, you've got the above and a slight DoS vector.

https://github.com/miraheze/CreateWiki/blob/master/includes/WikiManager.php#L253 - has a check in place for technical limitations it seems.

Blacklist domains aren’t included above but that makes sense as they would be blacklisted against common user requests.

I’m recording here that I do not believe this is a security issue.

When asked for further details on how this is a security issue, I did not receive sufficient rationale to justify this decision, as there's a serious lack of technical understanding of the issue to be able to classify it as a security issue.

In T7566#152061, @Owen wrote:

https://github.com/miraheze/CreateWiki/blob/master/includes/WikiManager.php#L253 - has a check in place for technical limitations it seems.

Blacklist domains aren’t included above but that makes sense as they would be blacklisted against common user requests.

I’m recording here that I do not believe this is a security issue.

The check for an initial submit is done https://github.com/miraheze/CreateWiki/blob/master/includes/RequestWiki/SpecialRequestWiki.php#L121 but when editing the form that check isn't happening.
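As an added illustration of the point in this comment (example code, not CreateWiki's own): a minimal Python model in which the submit path and the edit path share one validator, alongside the unvalidated edit the task describes and the lookup that then fails on the stored spelling. The lowercase-alphanumeric rule, the blacklist and the set of existing wikis are constructed assumptions.

```python
import re

# Constructed sample data for this example (not Miraheze's real lists):
# wikis whose databases already exist, and names the request form refuses.
EXISTING_WIKIS = {"metawiki", "commonswiki", "musicwiki"}
BLACKLISTED_NAMES = {"wwwwiki", "mailwiki", "adminwiki"}

# Assumed rule standing in for the RequestWiki checks: lowercase letters and digits only.
DBNAME_RE = re.compile(r"^[a-z0-9]+$")


class WikiRequestQueue:
    """Minimal model of a request queue with a create path and an edit path."""

    def __init__(self, blacklist):
        self.blacklist = set(blacklist)
        self.requests = {}  # request id -> stored dbname

    def _validate(self, raw):
        """The single validator both paths must share; returns the accepted name."""
        name = raw.strip()
        if not DBNAME_RE.fullmatch(name):
            raise ValueError(f"dbname must be lowercase alphanumeric, got {raw!r}")
        if name in self.blacklist:
            raise ValueError(f"dbname {name!r} is blacklisted")
        return name

    def submit(self, raw):
        rid = len(self.requests) + 1
        self.requests[rid] = self._validate(raw)
        return rid

    def edit(self, rid, raw):
        # Fixed behaviour: the edit form runs exactly the same checks as submit.
        self.requests[rid] = self._validate(raw)

    def edit_unvalidated(self, rid, raw):
        # Behaviour described in the task, kept only for comparison: no checks on edit.
        self.requests[rid] = raw


def resolve_status(queue, rid, existing=EXISTING_WIKIS):
    """Model the failure: a case-insensitive match says the wiki exists, but the
    stored spelling is what gets used to open the database."""
    stored = queue.requests[rid]
    if stored in existing:
        return "ok"
    if any(w.lower() == stored.lower() for w in existing):
        return "error"  # 'Musicwiki' matches 'musicwiki' but no such database exists
    return "pending"
```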

In T7566#152061, @Owen wrote:

https://github.com/miraheze/CreateWiki/blob/master/includes/WikiManager.php#L253 - has a check in place for technical limitations it seems.

Blacklist domains aren’t included above but that makes sense as they would be blacklisted against common user requests.

I’m recording here that I do not believe this is a security issue.

The check for an initial submit is done https://github.com/miraheze/CreateWiki/blob/master/includes/RequestWiki/SpecialRequestWiki.php#L121 but when editing the form that check isn't happening.

This keeps getting said. I have stated above there is a check in place at the end. This does not justify a security issue.

Unknown Object (User) added a comment. Jun 30 2021, 16:45

This is not really a security issue. There is validation upon attempting to create the wiki that will fail if validation fails.

Unknown Object (User) moved this task from Backlog to Bugs on the CreateWiki board. Jun 30 2021, 17:00
Unknown Object (User) moved this task from Backlog to Short Term on the MediaWiki (SRE) board.
Unknown Object (User) removed a project: Extensions.
Unknown Object (User) moved this task from Unsorted to Short Term on the Universal Omega board.

Merged fix, and modified the dbname of the affected request.

Void changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 30 2021, 20:34
Void changed the edit policy from "Custom Policy" to "All Users".