Page MenuHomePhabricator
Create Task
Maniphest T13250

Some typeaheads use nonscalar HTTP parameters, which fatal under new "phutil_build_http_query()" rules
Closed, ResolvedPublic
Actions

Description

See PHI1066. See https://discourse.phabricator-community.org/t/maniphest-is-giving-http-500-error/2385. See D20116. Some datasources currently rely on Datasource->setParameters(...) accepting nonscalar values (usually, lists of PHIDs). This no longer works after D20049 and fatals explicitly after D20116.

Affected typeaheads include:

  • The branch selector in "Land Revision".
  • Some custom field search typeaheads, e.g. on /maniphest/ with particular custom fields configured.

The exception itself is also opaque:

>>> UNRECOVERABLE FATAL ERROR <<<

Method PhutilURI::__toString() must not throw an exception

/home/.../phabricator/src/applications/typeahead/datasource/PhabricatorTypeaheadDatasource.php:0


┻━┻ ︵ ¯\_(ツ)_/¯ ︵ ┻━┻

See also PHI1069.

Revisions and Commits

rPHU libphutil
D20155rPHUda84d9c24445 Update "setQueryParam[s]()" calls in libphutil
D20149rPHUf8b3f480f91a Introduce new PhutilURI API methods to move away from the ambiguity of the…
D20136rPHU70ec97f839b3 (stable) Fix destructive representation of "?x=1&x=2" in PhutilURI so it can…
D20136rPHUc6d02efc62c3 Fix destructive representation of "?x=1&x=2" in PhutilURI so it can raise…
D20143rPHU8151b3a30e7e (stable) Let "phlog()" log Throwables
D20143rPHUf430af3cd431 Let "phlog()" log Throwables
D20139rPHUbbd53c622271 Introduce "phutil_string_cast()" to work around interesting choices in "…
rP Phabricator
D20176rP66060b294bce Fix a URI construction in remarkup macro/meme rules
D20160rPf77942a2d11b (stable) Bump the markup cache version for URI changes
D20162rPbe21dd3b52b8 Fix some "URI->alter(X, null)" callsites
D20154rP5892c7898603 Replace all "setQueryParam()" calls with "remove/replaceQueryParam()"
D20153rP241f06c9ffc6 Clean up final `setQueryParams()` callsites
D20151rP4c124201623a Replace "URI->setQueryParams()" after initialization with a constructor argument
D20160rP991368128e4d Bump the markup cache version for URI changes
D20150rPfcd85b6d7bed Replace "getRequestURI()->setQueryParams(array())" with "getPath()"
D20147rP9e0a954324e5 (stable) Fix "AphrontRequest->getRequestURI()" for requests with "x[]=1"…
D20147rP308c4f240754 Fix "AphrontRequest->getRequestURI()" for requests with "x[]=1" parameters in…
D20142rP187356fea515 Let the top-level exception handler dump a stack trace if we reach debug mode…
D20138rPb9a1260ef5c0 Improve top-level fatal exception handling in PHP 7+
D20137rPe03079aaaad2 Try harder to present display/rendering exceptions to the user using standard…
D20140rP1275326ea6b6 Use "phutil_string_cast()" in TypeaheadDatasource
D20134rP905564db6b6d (stable) Allow typeaheads to pass nonscalar data to datasources
D20134rP711871f6bc74 Allow typeaheads to pass nonscalar data to datasources

Related Objects

Event Timeline

epriestley triaged this task as Normal priority.Feb 11 2019, 2:34 PM
epriestley created this task.
Herald added a subscriber: amckinley. · View Herald TranscriptFeb 11 2019, 2:34 PM
epriestley renamed this task from Some typeaheads use nonscalar HTTP parameters to Some typeaheads use nonscalar HTTP parameters, which fatal under new "phutil_build_http_query()" rules.Feb 11 2019, 2:34 PM
epriestley added a project: Typeahead.
epriestley updated the task description. (Show Details)Feb 11 2019, 2:38 PM

The error is less opaque in PHP 7.3:

>>> UNRECOVERABLE FATAL ERROR <<<

Method PhutilURI::__toString() must not throw an exception, caught Exception: HTTP query parameter (with key &quot;repositoryPHIDs&quot;) is not a scalar. Parameters must all be scalars.

/Users/epriestley/dev/core/lib/phabricator/src/applications/typeahead/datasource/PhabricatorTypeaheadDatasource.php:0


┻━┻ ︵ ¯\_(ツ)_/¯ ︵ ┻━┻
epriestley added a revision: D20134: Allow typeaheads to pass nonscalar data to datasources.Feb 11 2019, 2:54 PM
epriestley added a comment.Feb 11 2019, 3:38 PM

I'm strongly considering allowing phutil_build_http_querystring() to build PHP-flavored query strings out of arrays again.

One problem right now is that this code:

$str = 'http://example.com/?X';
$uri = new PhutilURI($str);
(string)$uri;

...can fatal on the string cast for some values of X. It seems like:

  • If the (string) cast would fatal, the fatal should probably be moved to construction time (new PhutilURI()) instead.
  • No "reasonable" value of X should fatal (maybe NULL bytes or invalid UTF8 are allowed to fatal, but normal character strings should not fatal).

Today, we use the PHP-flavored x[]=1&x[]=2 query string construction in some UIs. For example, the checkboxes in Slowvote approval votes are constructed like this. These aren't exceptionally common, and it's possible we should move away from them, but they're hard to grep for and may be difficult to exorcise decisively. If we shift the fatal to construction time, some actual Phabricator URIs will not be valid PhutilURIs.

Maybe the cleaner approach is to change the PhutilURI parameter representation to allow duplicates and use parseQueryStringToPairList(), not parseQueryString(). I'm leaning in this direction? Then we can shift the fatal without creating any weird contradictions.

epriestley added a revision: D20136: Fix destructive representation of "?x=1&x=2" in PhutilURI so it can raise errors immediately.Feb 11 2019, 5:17 PM
epriestley added a revision: D20137: Try harder to present display/rendering exceptions to the user using standard exception handling.Feb 11 2019, 5:38 PM
epriestley added a revision: D20138: Improve top-level fatal exception handling in PHP 7+.Feb 11 2019, 6:05 PM
epriestley added a revision: D20139: Introduce "phutil_string_cast()" to work around interesting choices in "(string)" behavior.Feb 11 2019, 6:32 PM
epriestley added a revision: D20140: Use "phutil_string_cast()" in TypeaheadDatasource.Feb 11 2019, 6:51 PM
epriestley added a commit: rP711871f6bc74: Allow typeaheads to pass nonscalar data to datasources.Feb 11 2019, 6:53 PM
epriestley added a revision: D20142: Let the top-level exception handler dump a stack trace if we reach debug mode before things go sideways.Feb 11 2019, 9:10 PM
epriestley added a revision: D20143: Let "phlog()" log Throwables.Feb 11 2019, 9:18 PM
epriestley added a commit: rP905564db6b6d: (stable) Allow typeaheads to pass nonscalar data to datasources.Feb 11 2019, 10:27 PM
epriestley added a commit: rPHUbbd53c622271: Introduce "phutil_string_cast()" to work around interesting choices in "….Feb 11 2019, 10:29 PM
epriestley added a commit: rP1275326ea6b6: Use "phutil_string_cast()" in TypeaheadDatasource.Feb 11 2019, 10:39 PM
epriestley added a commit: rPe03079aaaad2: Try harder to present display/rendering exceptions to the user using standard….
epriestley added a commit: rPb9a1260ef5c0: Improve top-level fatal exception handling in PHP 7+.Feb 11 2019, 11:05 PM
epriestley added a commit: rPHUf430af3cd431: Let "phlog()" log Throwables.Feb 11 2019, 11:34 PM
epriestley added a commit: rP187356fea515: Let the top-level exception handler dump a stack trace if we reach debug mode….Feb 11 2019, 11:36 PM
epriestley updated the task description. (Show Details)Feb 11 2019, 11:54 PM
epriestley mentioned this in T13249: 2019 Week 7 - 10 Bonus Content.Feb 11 2019, 11:58 PM
epriestley added a commit: rPHU8151b3a30e7e: (stable) Let "phlog()" log Throwables.Feb 12 2019, 1:20 PM
epriestley added a commit: rPHUc6d02efc62c3: Fix destructive representation of "?x=1&x=2" in PhutilURI so it can raise….
epriestley added a commit: rPHU70ec97f839b3: (stable) Fix destructive representation of "?x=1&x=2" in PhutilURI so it can….
epriestley added a revision: D20147: Fix "AphrontRequest->getRequestURI()" for requests with "x[]=1" parameters in the URI.Feb 12 2019, 1:42 PM
epriestley added a revision: D20149: Introduce new PhutilURI API methods to move away from the ambiguity of the "set" operation.Feb 12 2019, 3:33 PM
epriestley added a revision: D20150: Replace "getRequestURI()->setQueryParams(array())" with "getPath()".Feb 12 2019, 4:09 PM
epriestley added a revision: D20151: Replace "URI->setQueryParams()" after initialization with a constructor argument.Feb 12 2019, 7:02 PM
epriestley added a commit: rP308c4f240754: Fix "AphrontRequest->getRequestURI()" for requests with "x[]=1" parameters in….Feb 12 2019, 7:03 PM
epriestley added a commit: rP9e0a954324e5: (stable) Fix "AphrontRequest->getRequestURI()" for requests with "x[]=1"….
epriestley added a revision: D20153: Clean up final `setQueryParams()` callsites.Feb 12 2019, 9:23 PM
epriestley added a revision: D20154: Replace all "setQueryParam()" calls with "remove/replaceQueryParam()".Feb 12 2019, 9:38 PM
epriestley mentioned this in T13251: Upgrading: PhutilURI Query Parameter Changes.Feb 12 2019, 10:17 PM
epriestley added a revision: D20155: Update "setQueryParam[s]()" calls in libphutil.Feb 12 2019, 10:35 PM
epriestley added a comment.Feb 12 2019, 10:40 PM

There are a very small number of noncritical setQueryParam() callsites in arcanist/ (3), instances/ (1), and services/ (3). Of these 7 callsites, 6 are about building Diviner links. I'm going to leave these as-is for now to generally simplify rolling this out, but they should be updated before setQueryParam() is actually removed.

epriestley added a commit: rPfcd85b6d7bed: Replace "getRequestURI()->setQueryParams(array())" with "getPath()".Feb 12 2019, 10:43 PM
epriestley mentioned this in T6703: Allow multiple copies of the same auth provider type.Feb 12 2019, 10:45 PM
epriestley added a revision: D20160: Bump the markup cache version for URI changes.Feb 13 2019, 4:59 PM
epriestley added a revision: D20162: Fix some "URI->alter(X, null)" callsites.Feb 13 2019, 5:24 PM
epriestley added a commit: rP991368128e4d: Bump the markup cache version for URI changes.Feb 13 2019, 8:25 PM
epriestley added a commit: rPHUf8b3f480f91a: Introduce new PhutilURI API methods to move away from the ambiguity of the….Feb 14 2019, 7:42 PM
epriestley added a commit: rP4c124201623a: Replace "URI->setQueryParams()" after initialization with a constructor argument.Feb 14 2019, 7:46 PM
epriestley added a commit: rP241f06c9ffc6: Clean up final `setQueryParams()` callsites.Feb 14 2019, 7:55 PM
epriestley added a commit: rP5892c7898603: Replace all "setQueryParam()" calls with "remove/replaceQueryParam()".
epriestley added a commit: rPHUda84d9c24445: Update "setQueryParam[s]()" calls in libphutil.Feb 14 2019, 7:58 PM
epriestley added a commit: rPbe21dd3b52b8: Fix some "URI->alter(X, null)" callsites.
epriestley added a commit: rPf77942a2d11b: (stable) Bump the markup cache version for URI changes.Feb 15 2019, 12:40 AM
epriestley added a revision: D20176: Fix a URI construction in remarkup macro/meme rules.Feb 15 2019, 12:56 PM
epriestley added a commit: rP66060b294bce: Fix a URI construction in remarkup macro/meme rules.Feb 15 2019, 10:08 PM
epriestley closed this task as Resolved.Feb 16 2019, 3:19 AM

I believe all (?) of these are now fixed in both master and stable.

epriestley added a comment.Feb 16 2019, 3:20 AM

(See T13251 for followup.)

Phabricator · Built by Phacility