Last modified: 2014-05-12 14:39:54 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T67081, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 65081 - Preprocessor_DOM::newPartNodeArray returns invalid PPNode_DOM when given invalid UTF-8
Preprocessor_DOM::newPartNodeArray returns invalid PPNode_DOM when given inva...
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Parser (Other open bugs)
1.24rc
All All
: Normal normal (vote)
: ---
Assigned To: Brad Jorsch
:
: 65097 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-05-09 15:56 UTC by Umherirrender
Modified: 2014-05-12 14:39 UTC (History)
5 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Umherirrender 2014-05-09 15:56:10 UTC 
User PerfektesChaos from dewiki has wrote a example lua module, which produces a fatal in the php preprocessor.

The module is:

-- Cause a server crash.
-- includes/parser/Preprocessor_DOM.php line 1692:
--         "Call to a member function item() on a non-object"
-- Crashes any 1.24wmf1 wiki, not only beta.wmflabs.org
 
local p = { }
 
function p.f( frame )
    local story = "ΓΆ"                  -- non-ASCII char
    local sub   = story:sub( 1, 1 )    -- ASCII substring at half of UTF-8
                                       -- should have been mw.ustring.sub()
    return frame:callParserFunction( "#tag:nowiki", { sub } )
end -- p.f
 
return p


The error is:
includes/parser/Preprocessor_DOM.php line 1692: "Call to a member function item() on a non-object"

I have run it with warnings on on my dev machine and the output is:
Warning: DOMDocument::loadXML() [domdocument.loadxml]: Input is not proper UTF-8, indicate encoding ! Bytes: 0xC3 0x3C 0x2F 0x76 in Entity, line: 1 in \includes\parser\Preprocessor_DOM.php on line 85

Notice: Trying to get property of non-object in \includes\parser\Preprocessor_DOM.php on line 88

Fatal error: Call to a member function item() on a non-object in \includes\parser\Preprocessor_DOM.php on line 1692


See http://de.wikipedia.beta.wmflabs.org/wiki/MakeTheServerCrash for more information and a link to the example page.

Looks like the half byte is mangeled into the builded xml in the preprocessor and than it gives a invalid xml.
Comment 1 Brad Jorsch 2014-05-09 20:21:56 UTC 
You can reproduce it easier with just frame:callParserFunction( "#tag:nowiki", { "\128" } ). And it doesn't happen with PHP >= 5.4.0, since the default for htmlspecialchars changed such that it will ignore the invalid characters.

I think this is a bug in core, though, in that it should throw an exception rather than dying with a fatal error if given invalid input. I'm going to reassign and fix it accordingly.
Comment 2 Gerrit Notification Bot 2014-05-09 20:22:19 UTC 
Change 132503 had a related patch set uploaded by Anomie:
Preprocessor_DOM::newPartNodeArray should check that loadXML succeeded

https://gerrit.wikimedia.org/r/132503
Comment 3 Brad Jorsch 2014-05-10 11:10:31 UTC 
*** Bug 65097 has been marked as a duplicate of this bug. ***
Comment 4 Gerrit Notification Bot 2014-05-12 03:48:38 UTC 
Change 132503 merged by jenkins-bot:
Preprocessor_DOM::newPartNodeArray should check that loadXML succeeded

https://gerrit.wikimedia.org/r/132503
Comment 5 Umherirrender 2014-05-12 14:39:54 UTC 
was successfully merged
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links