https://bugzilla.wikimedia.org/show_bug.cgi?id=52206
Brad Jorsch <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #13 from Brad Jorsch <[email protected]> ---
This coincidentally happened in one of the logs posted at bug 54119. The reconstructed headers appear to be as follows (note the ordering of the headers is probably wrong, due to the way the log is structured).

Request to https://login.wikimedia.org/wiki/Special:CentralAutoLogin/checkLoggedIn?wikiid=enwikibooks&proto=https&type=1x1&from=itwiktionary

GET /wiki/Special:CentralAutoLogin/checkLoggedIn?wikiid=enwikibooks&proto=https&type=1x1&from=itwiktionary HTTP/1.1
Accept-Encoding: gzip,deflate,sdch
Host: login.wikimedia.org
Accept-Language: en,en-US;q=0.8,it-IT;q=0.6,it;q=0.4
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36
Accept: */*
Referer: https://it.wiktionary.org/wiki/Pagina_principale
Cookie: centralauth_Session=95bfdea3c79796f1ff880e9e6422e722; centralauth_User=Bug+54119+test
Connection: keep-alive

Response:

HTTP/1.1 301 Moved Permanently
Date: Tue, 17 Sep 2013 22:50:28 GMT
Via: 1.1 sq63.wikimedia.org:3128 (squid/2.7.STABLE9), 1.0 amssq42.esams.wikimedia.org:3128 (squid/2.7.STABLE9), 1.0 amssq46.esams.wikimedia.org:80 (squid/2.7.STABLE9)
X-Cache-Lookup: MISS from sq63.wikimedia.org:3128
X-Cache-Lookup: MISS from amssq42.esams.wikimedia.org:3128
X-Cache-Lookup: MISS from amssq46.esams.wikimedia.org:80
Server: nginx/1.1.19
X-Cache: MISS from sq63.wikimedia.org
X-Cache: MISS from amssq42.esams.wikimedia.org
X-Cache: MISS from amssq46.esams.wikimedia.org
Content-Type: text/html; charset=iso-8859-1
Location: http://wikimediafoundation.org/wiki/Special:CentralAutoLogin/checkLoggedIn?wikiid=enwikibooks&proto=https&type=1x1&from=itwiktionary
Connection: keep-alive
Content-Length: 352

There are several things about this response that are inconsistent with it being generated by CentralAuth:

* The status code is 301. CentralAuth generates 302 redirects.
* There are no Vary or X-Vary-Options or Cache-Control headers. CentralAuth's redirects go through OutputPage, which always adds these headers on WMF wikis.
* There is no X-Content-Type-Options header either. This header is added almost first thing in WebStart.php.
* The charset in the Content-Type is iso-8859-1. I'd have expected utf-8.
* The redirects generated by OutputPage have an empty body, so I'd expect to see Content-Length: 0, or Content-Length: 20 with Content-Encoding: gzip. But here we have Content-Length: 352 with no Content-Encoding.

I also note that other redirects in the log do have the "signature" of being generated by OutputPage.

For a similar request to https://login.wikimedia.org/wiki/Special:CentralAutoLogin/validateSession?token=4a8e68b9dc93ea933d38d6e83c01aba41bae8e5&wikiid=mediawikiwiki&type=1x1&from=itwiktionary&proto=https, the response was:

HTTP/1.1 301 Moved Permanently
Date: Tue, 17 Sep 2013 22:50:31 GMT
Via: 1.1 sq63.wikimedia.org:3128 (squid/2.7.STABLE9), 1.0 amssq31.esams.wikimedia.org:3128 (squid/2.7.STABLE9), 1.0 amssq46.esams.wikimedia.org:80 (squid/2.7.STABLE9)
X-Cache-Lookup: MISS from sq63.wikimedia.org:3128
X-Cache-Lookup: MISS from amssq31.esams.wikimedia.org:3128
X-Cache-Lookup: MISS from amssq46.esams.wikimedia.org:80
Server: nginx/1.1.19
X-Cache: MISS from sq63.wikimedia.org
X-Cache: MISS from amssq31.esams.wikimedia.org
X-Cache: MISS from amssq46.esams.wikimedia.org
Content-Type: text/html; charset=iso-8859-1
Location: http://wikimediafoundation.org/wiki/Special:CentralAutoLogin/validateSession?token=4a8e68b9dc93ea933d38d6e83c01aba41bae8e5&wikiid=mediawikiwiki&type=1x1&from=itwiktionary&proto=https
Connection: keep-alive
Content-Length: 406

For a similar request to https://login.wikimedia.org/wiki/Special:CentralAutoLogin/checkLoggedIn?wikiid=enwikivoyage&proto=https&type=1x1&from=itwiktionary:

HTTP/1.1 301 Moved Permanently
Date: Tue, 17 Sep 2013 22:50:33 GMT
Via: 1.1 sq63.wikimedia.org:3128 (squid/2.7.STABLE9), 1.0 amssq37.esams.wikimedia.org:3128 (squid/2.7.STABLE9), 1.0 amssq45.esams.wikimedia.org:80 (squid/2.7.STABLE9)
X-Cache-Lookup: MISS from sq63.wikimedia.org:3128
X-Cache-Lookup: MISS from amssq37.esams.wikimedia.org:3128
X-Cache-Lookup: MISS from amssq45.esams.wikimedia.org:80
Server: nginx/1.1.19
X-Cache: MISS from sq63.wikimedia.org
X-Cache: MISS from amssq37.esams.wikimedia.org
X-Cache: MISS from amssq45.esams.wikimedia.org
Content-Type: text/html; charset=iso-8859-1
Location: http://wikimediafoundation.org/wiki/Special:CentralAutoLogin/checkLoggedIn?wikiid=enwikivoyage&proto=https&type=1x1&from=itwiktionary
Connection: keep-alive
Content-Length: 353

I note that the Content-Lengths seem to correspond to the lengths of the Location, and in fact the differences in the lengths exactly match the differences in the lengths of the Location value after htmlspecialchars() or urlencode() is applied, which would be consistent with a non-empty body that includes a link to the redirect target (i.e. *not* the empty body generated by OutputPage).

All this makes me skeptical that this is being caused by something in CentralAuth. And given the lack of a X-Content-Type-Options header too, I suspect the problem is not even in MediaWiki.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
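The two checks made in the message above, worked through as an added example; this is not part of the original message and not MediaWiki or CentralAuth code. It assumes Python's html.escape and urllib.parse.quote as stand-ins for PHP's htmlspecialchars() and urlencode(), and the function names are hypothetical.

```python
from html import escape
from urllib.parse import quote

# Headers the message says OutputPage / WebStart.php always add on WMF wikis.
EXPECTED_HEADERS = ("vary", "x-vary-options", "cache-control", "x-content-type-options")

BASE = "http://wikimediafoundation.org/wiki/Special:CentralAutoLogin/"
# (Location, Content-Length) pairs copied from the three responses in the message.
SAMPLES = [
    (BASE + "checkLoggedIn?wikiid=enwikibooks&proto=https&type=1x1&from=itwiktionary", 352),
    (BASE + "validateSession?token=4a8e68b9dc93ea933d38d6e83c01aba41bae8e5"
            "&wikiid=mediawikiwiki&type=1x1&from=itwiktionary&proto=https", 406),
    (BASE + "checkLoggedIn?wikiid=enwikivoyage&proto=https&type=1x1&from=itwiktionary", 353),
]

# First response from the message, abridged to the headers the checks read.
RAW = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Location: " + SAMPLES[0][0] + "\r\n"
    "Content-Length: 352\r\n\r\n"
)

def parse_response(raw):
    """Split a raw response head into (status, {lower-cased name: value})."""
    first, *lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    pairs = (line.partition(":") for line in lines)
    return int(first.split()[1]), {k.strip().lower(): v.strip() for k, _, v in pairs}

def signature_mismatches(status, headers):
    """List the ways a redirect differs from the OutputPage signature described above."""
    found = []
    if status != 302:
        found.append("status %d, not 302" % status)
    found += ["missing " + h for h in EXPECTED_HEADERS if h not in headers]
    if "utf-8" not in headers.get("content-type", "").lower():
        found.append("charset is not utf-8")
    length = int(headers.get("content-length", "0"))
    gzip_empty = length == 20 and headers.get("content-encoding") == "gzip"
    if length != 0 and not gzip_empty:
        found.append("non-empty body (%d bytes)" % length)
    return found

def length_deltas(encode):
    """Pair each Content-Length delta with the encoded-Location length delta."""
    (loc0, len0), rest = SAMPLES[0], SAMPLES[1:]
    return [(n - len0, len(encode(loc)) - len(encode(loc0))) for loc, n in rest]
```

With the raw Location lengths the second response differs by 50 characters, not 54; the deltas only line up once the extra `&` (and, for URL-encoding, the extra `=`) is expanded by the encoder.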
