howdy

HTMLForm.php gets auto deleted

Background:

This is by far the oddest issue I’ve ever experienced since I started using MediaWiki – the HTMLForm.php file under MediaWiki’s \includes\htmlform folder got automatically flagged for “having malicious code” by NameCheap’s hosting system and was deleted shortly after being uploaded. I needed to contact their support to get this file whitelisted to be able to properly use MediaWiki.

Symptoms:

During my MediaWiki’s setup and configuration process everything seemed to be smooth, however, after everything seemed to be all set, I wasn’t able to login – it prompted the following errors:

Warning: require(/yourhostingpath/includes/htmlform/HTMLForm.php): failed to open stream: No such file or directory in /yourhostingpath/includes/AutoLoader.php on line 109

Fatal error: require(): Failed opening required '/yourhostingpath/includes/htmlform/HTMLForm.php' (include_path='/yourhostingpath/vendor/pear/console_getopt:/yourhostingpath/vendor/pear/mail:/yourhostingpath/vendor/pear/mail_mime:/yourhostingpath/vendor/pear/net_smtp:/yourhostingpath/vendor/pear/net_socket:/yourhostingpath/vendor/pear/pear-core-minimal/src:/yourhostingpath/vendor/pear/pear_exception:.:/opt/alt/php73/usr/share/pear') in /yourhostingpath/includes/AutoLoader.php on line 109

Solution:

After some research and experimentation I saw that the HTMLForm.php was being removed automatically shortly after being uploaded. No matter what changes I make the file just wouldn’t persist, so I eventually contacted support. Tech support told me that the file was automatically deleted because it contains “malicious code”, which doesn’t make sense to me because I’ve been using it for more than 10 years since its early versions and have never come across this issue before. According to their investigation, a regular expression was flagged by their filter, and they needed to whitelist the file for me. The line in question is:

# Regular expression match = [\*[A-Za-z0-9]{12,130}\*]

I don’t understand why this line would get flagged as “malicious code” and didn’t do further research either, my guess is that they were probably flagging all/any regular expressions. But if someone comes across a similar issue, this might save you some time trying to bird-dog the cause.