Missing session_start in SpecialUpload?

Stephen Warren
I recently installed MediaWiki 1.5.6 on Apache 2.0.53 and PHP 4.3.11 on
Fedora Core 3.

I've been having issues with the Special:Upload page, when attempting to
upload a new version of a file that already exists. It seems that some
data is passed from the file upload the first time it's hit (which saves
the upload to a temp file) to the confirmation page via the $_SESSION
variable.

However, $_SESSION isn't getting set on the confirmation page (or
rather, the page that's invoked when I click the "save anyway" button on
the "do you really want to save over the existing file" page).

It seems that there's a missing call to session_start...

If I edit includes/SpecialUpload.php, class UploadForm, function
UploadForm (constructor) and add "session_start();" prior to first
referencing $_SESSION, then everything works just fine.

Is this really a bug, or do I have something horribly screwed in my
configuration? Looking back at the CVS history, the usage of $_SESSION,
especially isset( $_SESSION['wsUploadData'][$this->mSessionKey] ) dates
back about 14 months, which seems a long time for this to have gone
unnoticed?

Any pointers appreciated. Thanks.
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Re: Missing session_start in SpecialUpload?

Brion Vibber
Stephen Warren wrote:
> It seems that there's a missing call to session_start...
>
> If I edit includes/SpecialUpload.php, class UploadForm, function
> UploadForm (constructor) and add "session_start();" prior to first
> referencing $_SESSION, then everything works just fine.

session_start() is called in Setup.php if a session cookie is present. Check if
you have a bogus session name or something.

-- brion vibber (brion @ pobox.com)




Re: Missing session_start in SpecialUpload?

Stephen Warren
Brion Vibber wrote:
> Stephen Warren wrote:
>> It seems that there's a missing call to session_start...
>>
>> If I edit includes/SpecialUpload.php, class UploadForm, function
>> UploadForm (constructor) and add "session_start();" prior to first
>> referencing $_SESSION, then everything works just fine.
>
> session_start() is called in Setup.php if a session cookie is present. Check if
> you have a bogus session name or something.

OK. Here's the problem then:

session_start is only called from User::SetupSession (includes/User.php)

SetupSession is called in 3 scenarios:

1) includes/Setup.php *if* the user already has a valid session cookie,
to "restart" the session.

2) index.php *if* the user performs form action 'submit' on a page (or
at least, some kinds of pages)

3) in function wfSpecialUserlogin in includes/SpecialUserlogin.php,
which doesn't seem to be used anywhere.

Now, on my current test computer, I have never submitted an edit to the
wiki; I'm just trying to upload a new version of an image to test this.
As such, I don't already have a session cookie.

I think that SpecialUpload should be calling User::SetupSession(), to
ensure that there's a session cookie, just like index.php does upon page
submit.

Note: I actually have 3 test machines; 2 fail and 1 works. On the
working machine, the browser has been open a while, and I suppose must
have a session cookie.

On a failing machine, I did a dummy edit on a page, so as to obtain a
session cookie, then retried the reupload, and everything worked.

Note: I'm running extensions/Auth_remoteuser.php to re-use HTTP AUTH in
the web server. I'm hoping that's not causing this problem?




Re: Missing session_start in SpecialUpload?

Brion Vibber
Stephen Warren wrote:
> Now, on my current test computer, I have never submitted an edit to the
> wiki; I'm just trying to upload a new version of an image to test this.
> As such, I don't already have a session cookie.

You got one when you logged in.

> Note: I'm running extensions/Auth_remoteuser.php to re-use HTTP AUTH in
> the web server. I'm hoping that's not causing this problem?

Sounds like.

-- brion vibber (brion @ pobox.com)




Re: Missing session_start in SpecialUpload?

Stephen Warren
Brion Vibber wrote:
>> Note: I'm running extensions/Auth_remoteuser.php to re-use HTTP AUTH in
>> the web server. I'm hoping that's not causing this problem?
>
> Sounds like.

OK. I've tracked down where wfSpecialUserlogin is called -
includes/SpecialPage.php does it when executing a special page, but grep
wasn't finding it, because the function is looked up at run-time by name
from a value in a string!

So, I see wfSpecialUserlogin will create a session the very first time
you hit the Special:Userlogin page. However, with Auth_remoteuser.php
(since authentication is inherited from the webserver login, without a
separate MediaWiki login), the user never hits this page, and hence
never has a session set up.

For a simple fix, I'll modify Auth_remoteuser.php to do the same thing
that SpecialPage.php does:

if( !$wgCommandLineMode && !isset( $_COOKIE[session_name()] )  ) {
    User::SetupSession();
}

However, I wonder if Auth_remoteuser.php shouldn't do something more
like below, so it automatically uses whatever code is in
wfSpecialUserlogin, rather than pasting it into the hook function...

if no session key:
  if at Special:Userlogin page
    display error
  # whatever Userlogin wants to redirect back here after access
  args = "redirect_to=current_page"
  force redirect to Special:Userlogin?args



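The failure traced in this thread, as an added example that is not part of the original posts and is not MediaWiki or Auth_remoteuser code: a simplified Python model in which a session is restarted only when a valid cookie is already present, so a user authenticated by the web server loses the data stashed between the upload and the "save anyway" request. The class, method and cookie names are hypothetical; `remote_auth_starts_session` models the fix proposed in the last message.

```python
import secrets

class Wiki:
    """Toy model of the request flow described in the thread."""

    def __init__(self, remote_auth_starts_session=False):
        self.sessions = {}  # session id -> server-side dict (stands in for $_SESSION)
        self.remote_auth_starts_session = remote_auth_starts_session

    def _setup_session(self, cookies):
        # Stand-in for User::SetupSession(): create a session and set the cookie.
        # An unknown client-supplied id is never adopted; a fresh one is issued.
        sid = cookies.get("sid")
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
            cookies["sid"] = sid
        return self.sessions[sid]

    def _begin(self, cookies, remote_user=None):
        # Setup.php behaviour: restart a session only if a valid cookie is present.
        if cookies.get("sid") in self.sessions:
            return self.sessions[cookies["sid"]]
        # Proposed fix: the remote-auth hook creates the session itself.
        if remote_user and self.remote_auth_starts_session:
            return self._setup_session(cookies)
        return None  # no session: anything "stored" is gone on the next request

    def login_page(self, cookies):
        # Special:Userlogin creates a session the first time it is hit.
        self._setup_session(cookies)

    def upload(self, cookies, remote_user, filename):
        # Step 1: the file already exists, so stash the upload and ask to confirm.
        session = self._begin(cookies, remote_user)
        key = secrets.token_hex(4)
        if session is not None:
            session.setdefault("wsUploadData", {})[key] = filename
        return key

    def confirm(self, cookies, remote_user, key):
        # Step 2: "save anyway" looks the stashed upload up again by its key.
        session = self._begin(cookies, remote_user) or {}
        return session.get("wsUploadData", {}).get(key)

def reupload(wiki, cookies, remote_user="alice", filename="logo.png"):
    # Constructed sample user and file name; returns what step 2 finds.
    key = wiki.upload(cookies, remote_user, filename)
    return wiki.confirm(cookies, remote_user, key)
```
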