Last modified: 2006-10-04 18:25:50 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T8538, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 6538 - PHP warnings on bad session_id cookie input with error_reporting(E_ALL)
PHP warnings on bad session_id cookie input with error_reporting(E_ALL)
Status: RESOLVED WORKSFORME
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
1.7.x
PC All
: Normal minor (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-07-04 07:12 UTC by Nick Jenkins
Modified: 2006-10-04 18:25 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nick Jenkins 2006-07-04 07:12:02 UTC 
This CURL command:
===========================================
curl --silent --include \
 --cookie 'wikidb_session=../../../../../../../etc/passwd ; select user_name
from user;'\
 -F 'wpName'='XXX'\
 -F 'wpPassword'='YYY'\
 '192.168.0.64/wiki/index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto=small'
===========================================

(Or like this for the Wikipedia, where errors are being logged so there won't be
anything in the HTML output):
==========================================
curl --silent --include \
 --cookie 'enwiki_session=../../../../../../../etc/passwd ; select user_name
from user;'\
 -F 'wpName'='XXX'\
 -F 'wpPassword'='YYY'\
 'en.wikipedia.org/w/index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto=small'
===========================================

Gives output that includes these PHP warnings at the end (on a current SVN wiki
with E_ALL enabled):
===========================================
<br />
<b>Warning</b>:  Unknown: The session id contains illegal characters, valid
characters are a-z, A-Z, 0-9 and '-,' in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct (/var/lib/php5) in
<b>Unknown</b> on line <b>0</b><br />
===========================================

Online at http://nickj.org/MediaWiki as Parser51, althought actually a more
accurate name would be non-parser51 ;-) Not sure if this can be fixed, but
probably best to log it anyway.
Comment 1 Nick Jenkins 2006-10-03 04:52:51 UTC 
I think this _may_ be fixed upstream in PHP by
http://bugs.php.net/bug.php?id=38224 ; However I don't have PHP >= 5.1.5
installed to run this test against a wiki with E_ALL enabled, so can't be sure.
Comment 2 Brion Vibber 2006-10-03 18:59:18 UTC 
Haven't had any luck with the curl test here; lighttpd returns a 417 
error.
Comment 3 Nick Jenkins 2006-10-04 00:26:35 UTC 
Bugzilla ate some of the whitespace in the original test (specifically the
spaces at the start of each line), maybe that stuffed it up?

Here's the test with the whitespace hopefully okay. This was run against Apache,
with PHP 5.1.2, and on a wiki where the cookie prefix is "wikidb", and where all
E_ALL warnings are enabled :

================================
curl --silent --include --globoff \
 --cookie 'wikidb_session=&#124;90928345' \
 -F 'wpName'='nickj' \
 -F 'wpPassword'='&#0000060' \
 -F 'wpRemember'='XXX' \
 'localhost/wiki/index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto='
================================

For me returns this output:
================================
HTTP/1.1 200 OK
Date: Wed, 04 Oct 2006 00:09:16 GMT
Server: Apache
Set-Cookie: wikidb_session=&#124; path=/
Content-language: en
Vary: Accept-Encoding,User-Agent
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

[ ... snip page content ... ]

</div>
<!-- Served by bling in 0.211 secs. --></body></html>
<br />
<b>Warning</b>:  Unknown: The session id contains illegal characters, valid
characters are a-z, A-Z, 0-9 and '-,' in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct (/var/lib/php5) in
<b>Unknown</b> on line <b>0</b><br />
================================

Equivalent for the Wikipedia if you want to tail -f the apache error log and the
see if it barfs there:
================================
curl --silent --include --globoff \
 --cookie 'enwiki_session=&#124;90928345' \
 -F 'wpName'='XXX' \
 -F 'wpPassword'='YYY' \
 -F 'wpRemember'='XXX' \
 'en.wikipedia.org/w/index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto='
================================

However if neither of those tests works for you then it's probably just
something specific to my system, and this bug should be closed as WORKSFORME.
Comment 4 Brion Vibber 2006-10-04 18:25:50 UTC 
I haven't been able to reproduce it either with 5.2.0RC4 or 5.1.2 under Apache.
Still get the 417 responses under lighty.

Going to go ahead and WORKSFORME it since the issue's allegedly fixed upstream.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links