Page MenuHomePhabricator
Create Task
Maniphest T375061

InvalidArgumentException: Invalid username: <IP range>
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Description

Error
labels.normalized_message
[{reqId}] {exception_url}   InvalidArgumentException: Invalid username: 80.246.136.0/24
FrameLocationCall
from/srv/mediawiki/php-1.43.0-wmf.23/extensions/CentralAuth/includes/User/CentralAuthUser.php(253)
#0/srv/mediawiki/php-1.43.0-wmf.23/extensions/CentralAuth/includes/User/CentralAuthUser.php(230)MediaWiki\Extension\CentralAuth\User\CentralAuthUser::getInstanceByName(string)
#1/srv/mediawiki/php-1.43.0-wmf.23/extensions/CentralAuth/includes/User/CentralAuthIdLookup.php(115)MediaWiki\Extension\CentralAuth\User\CentralAuthUser::getInstance(MediaWiki\User\User)
#2/srv/mediawiki/php-1.43.0-wmf.23/extensions/GlobalPreferences/includes/GlobalUserOptionsStore.php(75)MediaWiki\Extension\CentralAuth\User\CentralAuthIdLookup->isOwned(MediaWiki\User\User)
#3/srv/mediawiki/php-1.43.0-wmf.23/extensions/GlobalPreferences/includes/GlobalUserOptionsStore.php(35)GlobalPreferences\GlobalUserOptionsStore->getStorage(MediaWiki\User\User)
#4/srv/mediawiki/php-1.43.0-wmf.23/includes/user/Options/UserOptionsManager.php(494)GlobalPreferences\GlobalUserOptionsStore->fetch(MediaWiki\User\User, int)
#5/srv/mediawiki/php-1.43.0-wmf.23/includes/user/Options/UserOptionsManager.php(570)MediaWiki\User\Options\UserOptionsManager->loadOptionsFromStore(MediaWiki\User\User, int)
#6/srv/mediawiki/php-1.43.0-wmf.23/includes/user/Options/UserOptionsManager.php(460)MediaWiki\User\Options\UserOptionsManager->loadOriginalOptions(MediaWiki\User\User, int)
#7/srv/mediawiki/php-1.43.0-wmf.23/includes/user/Options/UserOptionsManager.php(169)MediaWiki\User\Options\UserOptionsManager->loadUserOptions(MediaWiki\User\User, int)
#8/srv/mediawiki/php-1.43.0-wmf.23/includes/user/Options/UserOptionsLookup.php(125)MediaWiki\User\Options\UserOptionsManager->getOption(MediaWiki\User\User, string, null, bool, int)
#9/srv/mediawiki/php-1.43.0-wmf.23/extensions/ContentTranslation/includes/PreferenceHelper.php(136)MediaWiki\User\Options\UserOptionsLookup->getBoolOption(MediaWiki\User\User, string)
#10/srv/mediawiki/php-1.43.0-wmf.23/extensions/ContentTranslation/includes/Hooks.php(291)ContentTranslation\PreferenceHelper->isCXEntrypointDisabled(MediaWiki\User\User)
#11/srv/mediawiki/php-1.43.0-wmf.23/includes/HookContainer/HookContainer.php(159)ContentTranslation\Hooks->onSpecialContributionsBeforeMainOutput(int, MediaWiki\User\User, MediaWiki\Specials\SpecialContributions)
#12/srv/mediawiki/php-1.43.0-wmf.23/includes/HookContainer/HookRunner.php(3651)MediaWiki\HookContainer\HookContainer->run(string, array)
#13/srv/mediawiki/php-1.43.0-wmf.23/includes/specialpage/ContributionsSpecialPage.php(304)MediaWiki\HookContainer\HookRunner->onSpecialContributionsBeforeMainOutput(int, MediaWiki\User\User, MediaWiki\Specials\SpecialContributions)
#14/srv/mediawiki/php-1.43.0-wmf.23/includes/specialpage/SpecialPage.php(719)MediaWiki\SpecialPage\ContributionsSpecialPage->execute(string)
#15/srv/mediawiki/php-1.43.0-wmf.23/includes/specialpage/SpecialPageFactory.php(1711)MediaWiki\SpecialPage\SpecialPage->run(string)
#16/srv/mediawiki/php-1.43.0-wmf.23/includes/actions/ActionEntryPoint.php(502)MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, MediaWiki\Context\RequestContext)
#17/srv/mediawiki/php-1.43.0-wmf.23/includes/actions/ActionEntryPoint.php(145)MediaWiki\Actions\ActionEntryPoint->performRequest()
#18/srv/mediawiki/php-1.43.0-wmf.23/includes/MediaWikiEntryPoint.php(200)MediaWiki\Actions\ActionEntryPoint->execute()
#19/srv/mediawiki/php-1.43.0-wmf.23/index.php(58)MediaWiki\MediaWikiEntryPoint->run()
#20/srv/mediawiki/w/index.php(3)require(string)
#21{main}
Notes

Seen after rollout of wmf.23 to groups 0 and 1. Affects multiple wikis, probably a majority of them since it's the CentralAuth extension.

It seems IP address ranges are being interpreted as usernames. Other examples:

Details

Request URL
https://he.wikipedia.org/wiki/מיוחד:תרומות/80.246.136.0/24
SubjectRepoBranchLines /-
Hooks: Re-order checks to verify that request user is same as Special:Contributions usermediawiki/extensions/ContentTranslationmaster 5 -4
Hooks: Return early if user is not namedmediawiki/extensions/ContentTranslationmaster 5 -0
Allow IP ranges in CentralAuth::getInstanceByName()mediawiki/extensions/CentralAuthwmf/1.43.0-wmf.22 4 -2
Allow IP ranges in CentralAuth::getInstanceByName()mediawiki/extensions/CentralAuthwmf/1.43.0-wmf.23 4 -2
Allow IP ranges in CentralAuth::getInstanceByName()mediawiki/extensions/CentralAuthmaster 4 -2
Hooks: Re-order checks to verify that request user is same as Special:Contributions usermediawiki/extensions/ContentTranslationwmf/1.43.0-wmf.23 5 -4
Customize query in gerrit

Related Objects

Event Timeline

jnuche triaged this task as Unbreak Now! priority.Sep 18 2024, 8:36 AM
jnuche created this task.
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptSep 18 2024, 8:36 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
jnuche added a parent task: T373642: 1.43.0-wmf.23 deployment blockers.Sep 18 2024, 8:37 AM
Lucas_Werkmeister_WMDE renamed this task from InvalidArgumentException: Invalid username: <IP> to InvalidArgumentException: Invalid username: <IP range>.Sep 18 2024, 9:32 AM
Lucas_Werkmeister_WMDE updated the task description. (Show Details)
kostajh subscribed.Sep 18 2024, 9:32 AM

The log entries I am seeing are triggered by ContentTranslation\PreferenceHelper->isCXEntrypointDisabled(MediaWiki\User\User). That is invoked from onSpecialContributionsBeforeMainOutput( $id, $user, $page ) where $user is the user what Special:Contributions is displaying contributions for. If you access Special:Contributions, that's you, the logged-in user. If you're accessing Special:Contributions/{name or ip}, then $user is potentially someone else from the logged-in user viewing Special:Contributions. So we should check isCXEntrypointDisabled using the request user, and we should also verify that the user is named (not temp or anon).

kostajh added a project: ContentTranslation.EditedSep 18 2024, 9:33 AM

As for why this broke just now, I am not sure. The ContentTranslation code has been there for a couple of years already. It's possible that some refactoring that Trust and Safety Product Team has been doing to tighten up validation of IPs has surfaced this.

gerritbot added a comment.Sep 18 2024, 9:37 AM

Change #1073745 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ContentTranslation@master] Hooks: Re-order checks to verify that request user is same as Special:Contributions user

https://gerrit.wikimedia.org/r/1073745

gerritbot added a project: Patch-For-Review.Sep 18 2024, 9:37 AM
gerritbot added a comment.Sep 18 2024, 10:50 AM

Change #1073755 had a related patch set uploaded (by Dreamy Jazz; author: Kosta Harlan):

[mediawiki/extensions/ContentTranslation@wmf/1.43.0-wmf.23] Hooks: Re-order checks to verify that request user is same as Special:Contributions user

https://gerrit.wikimedia.org/r/1073755

gerritbot added a comment.Sep 18 2024, 11:11 AM

Change #1073745 merged by jenkins-bot:

[mediawiki/extensions/ContentTranslation@master] Hooks: Re-order checks to verify that request user is same as Special:Contributions user

https://gerrit.wikimedia.org/r/1073745

gerritbot added a comment.Sep 18 2024, 11:14 AM

Change #1073759 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Allow IP ranges in CentralAuth::getInstanceByName()

https://gerrit.wikimedia.org/r/1073759

Tgr subscribed.Sep 18 2024, 11:24 AM

The SpecialContributionsBeforeMainOutput hook can pass a user object that represents an IP or IP range (since one can list the contributions of those). ContentTranslation forces a permission check on that user object. rECAU8c8e144381e8: CentralAuthIdLookup: Treat central users without local accounts as owned / rEGPR7482d88ba54d: Allow lookup of global preferences for users without local accounts modified the CentralAuth handler for permission checks (to look up global rights when the user does not exist locally) so it doesn't fail early for non-existent users. The handler involves getting a CentralAuthUser from the User, which throws on invalid usernames. It had an exemption for IPs but not for IP ranges.

gerritbot added a comment.Sep 18 2024, 11:46 AM

Change #1073755 merged by jenkins-bot:

[mediawiki/extensions/ContentTranslation@wmf/1.43.0-wmf.23] Hooks: Re-order checks to verify that request user is same as Special:Contributions user

https://gerrit.wikimedia.org/r/1073755

Stashbot added a comment.Sep 18 2024, 11:46 AM

Mentioned in SAL (#wikimedia-operations) [2024-09-18T11:46:18Z] <dreamyjazz@deploy1003> Started scap sync-world: Backport for [[gerrit:1073755|Hooks: Re-order checks to verify that request user is same as Special:Contributions user (T375061)]]

Stashbot added a comment.Sep 18 2024, 11:48 AM

Mentioned in SAL (#wikimedia-operations) [2024-09-18T11:48:28Z] <dreamyjazz@deploy1003> dreamyjazz: Backport for [[gerrit:1073755|Hooks: Re-order checks to verify that request user is same as Special:Contributions user (T375061)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Tgr added a subscriber: daniel.Sep 18 2024, 11:52 AM

@daniel food for thought - maybe we should have a dedicated class (UserFilter?) to express (user or IP or IP range), instead of using user objects and then putting an IP or IP range in the username.

gerritbot added a comment.Sep 18 2024, 11:53 AM

Change #1073771 had a related patch set uploaded (by Dreamy Jazz; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.43.0-wmf.23] Allow IP ranges in CentralAuth::getInstanceByName()

https://gerrit.wikimedia.org/r/1073771

gerritbot added a comment.Sep 18 2024, 11:54 AM

Change #1073772 had a related patch set uploaded (by Dreamy Jazz; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.43.0-wmf.22] Allow IP ranges in CentralAuth::getInstanceByName()

https://gerrit.wikimedia.org/r/1073772

Stashbot added a comment.Sep 18 2024, 11:55 AM

Mentioned in SAL (#wikimedia-operations) [2024-09-18T11:55:21Z] <dreamyjazz@deploy1003> Finished scap sync-world: Backport for [[gerrit:1073755|Hooks: Re-order checks to verify that request user is same as Special:Contributions user (T375061)]] (duration: 09m 03s)

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.24; 2024-09-24).Sep 18 2024, 12:00 PM
gerritbot added a comment.Sep 18 2024, 12:01 PM

Change #1073759 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Allow IP ranges in CentralAuth::getInstanceByName()

https://gerrit.wikimedia.org/r/1073759

gerritbot added a comment.Sep 18 2024, 12:04 PM

Change #1073771 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.43.0-wmf.23] Allow IP ranges in CentralAuth::getInstanceByName()

https://gerrit.wikimedia.org/r/1073771

gerritbot added a comment.Sep 18 2024, 12:04 PM

Change #1073772 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.43.0-wmf.22] Allow IP ranges in CentralAuth::getInstanceByName()

https://gerrit.wikimedia.org/r/1073772

Stashbot added a comment.Sep 18 2024, 12:05 PM

Mentioned in SAL (#wikimedia-operations) [2024-09-18T12:05:18Z] <dreamyjazz@deploy1003> Started scap sync-world: Backport for [[gerrit:1073772|Allow IP ranges in CentralAuth::getInstanceByName() (T375061)]], [[gerrit:1073771|Allow IP ranges in CentralAuth::getInstanceByName() (T375061)]]

Stashbot added a comment.Sep 18 2024, 12:07 PM

Mentioned in SAL (#wikimedia-operations) [2024-09-18T12:07:35Z] <dreamyjazz@deploy1003> dreamyjazz: Backport for [[gerrit:1073772|Allow IP ranges in CentralAuth::getInstanceByName() (T375061)]], [[gerrit:1073771|Allow IP ranges in CentralAuth::getInstanceByName() (T375061)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Sep 18 2024, 12:12 PM

Mentioned in SAL (#wikimedia-operations) [2024-09-18T12:12:19Z] <dreamyjazz@deploy1003> Finished scap sync-world: Backport for [[gerrit:1073772|Allow IP ranges in CentralAuth::getInstanceByName() (T375061)]], [[gerrit:1073771|Allow IP ranges in CentralAuth::getInstanceByName() (T375061)]] (duration: 07m 00s)

Dreamy_Jazz closed this task as Resolved.Sep 18 2024, 12:14 PM
Dreamy_Jazz subscribed.

Deployed the fixes and https://test.wikipedia.org/wiki/Special:Contributions/1.2.3.4/24 loads without erroring, so should be resolved.

jnuche removed a parent task: T373642: 1.43.0-wmf.23 deployment blockers.Sep 18 2024, 12:30 PM
Maintenance_bot removed a project: Patch-For-Review.Sep 18 2024, 12:30 PM
ReleaseTaggerBot edited projects, added MW-1.43-notes (1.43.0-wmf.22; 2024-09-10); removed MW-1.43-notes (1.43.0-wmf.24; 2024-09-24).Sep 18 2024, 1:00 PM
gerritbot added a comment.Sep 18 2024, 3:25 PM

Change #1073831 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ContentTranslation@master] Hooks: Return early if user is not named

https://gerrit.wikimedia.org/r/1073831

gerritbot added a project: Patch-For-Review.Sep 18 2024, 3:25 PM
jnuche mentioned this in T375212: InvalidArgumentException: Invalid username: <username_with_slash>.Sep 19 2024, 3:27 PM
gerritbot added a comment.Sep 19 2024, 8:18 PM

Change #1073831 merged by jenkins-bot:

[mediawiki/extensions/ContentTranslation@master] Hooks: Return early if user is not named

https://gerrit.wikimedia.org/r/1073831

Maintenance_bot removed a project: Patch-For-Review.Sep 19 2024, 8:30 PM
ReleaseTaggerBot edited projects, added MW-1.43-notes (1.43.0-wmf.24; 2024-09-24); removed MW-1.43-notes (1.43.0-wmf.22; 2024-09-10).Sep 19 2024, 9:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits