Page MenuHomePhabricator
Create Task
Maniphest T216831

Disabling JavaScript on Special:Block allows you to block user from "Special" namespace (namespace=-1)
Closed, ResolvedPublic2 Estimated Story Points
Actions

Description

With JavaScript disabled, it is possible to enter in the "Namespaces" input the value "-1". Submitting the block will block the specified user from the "Special" namespace.

For example, I have done it here: https://test.wikipedia.org/wiki/Special:BlockList?wpTarget=Drwpb

I am assuming this is not desired because:

  1. You are not allowed to do this with JavaScript enabled (either by typing into the input "Special" or "-1")
  2. You cannot do this via the API (https://www.mediawiki.org/wiki/API:Block shows allowed values)
  3. Tasks like T208355 suggest it should not be possible to block users from "Special:" pages

Reproduction Steps:
The mediawiki instance will need to have: "$wgEnablePartialBlocks = true;"

  1. Disable javascript
  2. Go to Special:Block
  3. Type in a valid user (you won't get completion without JS)
  4. Select the "Partial" radio button
  5. In the "Namespaces" input type "-1"
  6. Choose an expiration (you need to type in a value, doesn't seem to matter)
  7. Submit

You can see the settings of the block you have just set in Special:BlockList.

Environments Reproduced:

https://test.wikipedia.org
MediaWiki 1.33.0-wmf.18 (rMW6deca5eb7521) 20:11, 20 February 2019

My local VM:
MediaWiki 1.33.0-alpha (1900a8a) 15:26, 21 February 2019

Details

SubjectRepoBranchLines +/-
Fix invalid namespace restriction when js is disabledmediawiki/coremaster+4 -0
Customize query in gerrit

Related Objects

Event Timeline

dom_walden created this task.Feb 22 2019, 3:09 PM
Restricted Application added subscribers: MGChecker, Aklapper. · View Herald TranscriptFeb 22 2019, 3:09 PM
TBolliger moved this task from Untriaged to Triage/To be Estimated on the Anti-Harassment board.Feb 22 2019, 4:55 PM
TBolliger added a project: MediaWiki-User-management.
TBolliger subscribed.

Good find! Harmless, but could lead to long-term confusion and complication.

I also assume the API would accept Special— we should send appropriate error messages in all cases.

TBolliger triaged this task as Low priority.Feb 22 2019, 4:55 PM
TBolliger moved this task from Backlog to User blocking on the MediaWiki-User-management board.
TBolliger moved this task from Triage/To be Estimated to Cards ready for development on the Anti-Harassment board.Mar 7 2019, 6:56 PM
TBolliger set the point value for this task to 2.
dmaza claimed this task.Mar 20 2019, 5:08 PM
dmaza moved this task from Cards ready for development to Vav — ו on the Anti-Harassment board.
dmaza edited projects, added Anti-Harassment (Vav — ו); removed Anti-Harassment.
dmaza moved this task from Ready to In Progress on the Anti-Harassment (Vav — ו) board.
Niharika edited projects, added Anti-Harassment (Zayin - ז); removed Anti-Harassment (Vav — ו).Mar 27 2019, 6:52 PM
dmaza moved this task from Ready to In Progress on the Anti-Harassment (Zayin - ז) board.Mar 27 2019, 6:53 PM
gerritbot added a comment.Mar 28 2019, 8:07 PM

Change 499884 had a related patch set uploaded (by Dmaza; owner: Dmaza):
[mediawiki/core@master] Fix invalid namespace restriction when js is disabled

https://gerrit.wikimedia.org/r/499884

gerritbot added a project: Patch-For-Review.Mar 28 2019, 8:07 PM
dmaza moved this task from In Progress to Review on the Anti-Harassment (Zayin - ז) board.Mar 28 2019, 8:25 PM
Tchanders moved this task from Review to QA/Testing on the Anti-Harassment (Zayin - ז) board.Mar 29 2019, 12:47 PM
gerritbot added a comment.Mar 29 2019, 8:18 PM

Change 499884 merged by jenkins-bot:
[mediawiki/core@master] Fix invalid namespace restriction when js is disabled

https://gerrit.wikimedia.org/r/499884

ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.24; 2019-04-02).Mar 29 2019, 9:02 PM
dom_walden moved this task from QA/Testing to Done on the Anti-Harassment (Zayin - ז) board.Apr 2 2019, 1:02 PM

I have not been able to submit Special:Block with namespace=-1.

I can enter a random number (e.g. "895894791278749") and that will submit, leaving a blank item under "namespaces" in the Special:BlockList and an entry of "2147483647" in the ipblocks_restrictions table.
E.g.

blank_space.png (185×1 px, 12 KB)

This behaviour existed before this change.

This did not appear to have any bad side-effects. The user is still blocked from pages they are partially blocked from and able to edit pages they are not blocked from.

dmaza added a comment.Apr 2 2019, 2:05 PM

I feel like that's still a bug. We shouldn't allow for non-existing namespaces to be saved. At the very least we shouldn't display an empty namespace in the BlockList.

dom_walden added a comment.Apr 2 2019, 2:57 PM
In T216831#5077452, @dmaza wrote:

I feel like that's still a bug. We shouldn't allow for non-existing namespaces to be saved. At the very least we shouldn't display an empty namespace in the BlockList.

Agreed. I raised T219882.

dbarratt closed this task as Resolved.Apr 2 2019, 4:30 PM
dom_walden mentioned this in T205130: QA the no-JS experience of Partial Blocks by filing all defects in Phab.Apr 9 2019, 5:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL