
Wikitech (labswiki) is listed in fishbowl.dblist, despite having public account creation and editing enabled for all logged-in users
Closed, ResolvedPublic

Description

I noticed that a semiprotected page (editing restricted to autoconfirmed users) on Wikitech was spammed by a newly-created account. It turns out the reason is that labswiki is listed in fishbowl.dblist, which is intended for wikis with editing restricted to trusted accounts.

Anti-abuse measures impacted by this are:

  • $wgAutoConfirmAge = 0, meaning all accounts would be auto-confirmed
  • All logged-in accounts are explicitly granted the autoconfirmed and editsemiprotected rights anyway.
  • $wgAccountCreationThrottle = 0, meaning spammers can create accounts without throttle
  • $wgEmailAuthentication = false, which seems to mean that anyone can set any address on their account without confirmation.
  • $wmgEnableCaptcha = false, so no captchas for spam edits.
  • $wmgUseSpamBlacklist = false, so no blocking of blacklisted links.
  • $wgNoFollowLinks = false, allowing SEO spam to potentially work.

Positive/intended effects of labswiki being in fishbowl.dblist seem to be:

  • CentralAuth, GlobalUserPage, and other "global" extensions are disabled there. From a passing comment in T72311, I suspect this was the main reason for it.
  • CentralNotice is disabled there.
  • OAuth is disabled there.
  • Local renameuser is allowed there.

Other effects:

  • $wgUseNPPatrol is disabled there.

I see two sane options to fix this:

  • Explicitly apply the "positive/intended effects" to labswiki.
  • Create a new "nonglobal.dblist" to apply only the "positive/intended effects", with the only current member being labswiki.
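The following is an added illustration (not code from wmf-config or from this task) of the mechanism the description is about: a wiki's membership in a dblist selects a block of per-wiki settings, so putting labswiki in the fishbowl list silently flips the anti-abuse settings along with the SUL-related ones, whereas a separate "nonglobal" list (option 2 above) carries only the intended overrides. The dblist contents, the default values, the settings names not quoted in the task (wmgUseCentralAuth, wmgUseOAuth) and the "later tag wins" override order are all assumptions of this simplified model; the real configuration is resolved through MediaWiki's SiteConfiguration class and is far larger.

```php
<?php
// Added example, not wmf-config itself: a minimal model of dblist-driven
// settings. All lists and values below are constructed for illustration.

// Constructed dblists. 'fishbowl' reflects the state before the fix.
$dblists = [
    'fishbowl'  => [ 'foundationwiki', 'labswiki' ],
    'nonglobal' => [ 'labswiki' ],   // the proposed new list
];

// Settings keyed by tag; 'default' applies when no tag matches.
// Default values are assumed; the fishbowl values are the ones the task quotes.
$settings = [
    'wgAutoConfirmAge'          => [ 'default' => 4 * 24 * 3600, 'fishbowl' => 0 ],
    'wgAccountCreationThrottle' => [ 'default' => 6,             'fishbowl' => 0 ],
    'wgEmailAuthentication'     => [ 'default' => true,          'fishbowl' => false ],
    'wmgEnableCaptcha'          => [ 'default' => true,          'fishbowl' => false ],
    'wmgUseSpamBlacklist'       => [ 'default' => true,          'fishbowl' => false ],
    'wgNoFollowLinks'           => [ 'default' => true,          'fishbowl' => false ],
    // Assumed names for the "global" features the task wants disabled on labswiki.
    'wmgUseCentralAuth'         => [ 'default' => true, 'fishbowl' => false, 'nonglobal' => false ],
    'wmgUseOAuth'               => [ 'default' => true, 'fishbowl' => false, 'nonglobal' => false ],
];

// Every dblist tag a wiki belongs to.
function tagsForWiki( string $wiki, array $dblists ): array {
    $tags = [];
    foreach ( $dblists as $tag => $members ) {
        if ( in_array( $wiki, $members, true ) ) {
            $tags[] = $tag;
        }
    }
    return $tags;
}

// Resolve each setting: start from 'default', then let matching tags override
// in list order (assumed ordering; the real resolver defines its own).
function resolveSettings( string $wiki, array $dblists, array $settings ): array {
    $tags = tagsForWiki( $wiki, $dblists );
    $resolved = [];
    foreach ( $settings as $name => $byTag ) {
        $value = $byTag['default'];
        foreach ( $tags as $tag ) {
            if ( array_key_exists( $tag, $byTag ) ) {
                $value = $byTag[$tag];
            }
        }
        $resolved[$name] = $value;
    }
    return $resolved;
}

// Anti-abuse settings that a wiki ends up with weaker than the default.
function weakenedAntiAbuse( array $resolved, array $settings ): array {
    $antiAbuse = [ 'wgAutoConfirmAge', 'wgAccountCreationThrottle', 'wgEmailAuthentication',
        'wmgEnableCaptcha', 'wmgUseSpamBlacklist', 'wgNoFollowLinks' ];
    $weak = [];
    foreach ( $antiAbuse as $name ) {
        if ( $resolved[$name] !== $settings[$name]['default'] ) {
            $weak[] = $name;
        }
    }
    return $weak;
}

// Lint: a wiki that allows public account creation and editing must not be
// in fishbowl. $openEditing is a constructed list of such wikis.
function lintFishbowl( array $dblists, array $openEditing ): array {
    return array_values( array_intersect( $dblists['fishbowl'], $openEditing ) );
}

$openEditing = [ 'labswiki' ];   // constructed: wikis with open editing

$before = resolveSettings( 'labswiki', $dblists, $settings );
printf( "before: weakened = %s; lint flags %s\n",
    implode( ', ', weakenedAntiAbuse( $before, $settings ) ),
    implode( ', ', lintFishbowl( $dblists, $openEditing ) ) );

// Option 2 from the task: drop labswiki from fishbowl, keep it only in nonglobal.
$dblists['fishbowl'] = array_values( array_diff( $dblists['fishbowl'], [ 'labswiki' ] ) );
$after = resolveSettings( 'labswiki', $dblists, $settings );
printf( "after: weakened = [%s]; CentralAuth=%s OAuth=%s; lint flags [%s]\n",
    implode( ', ', weakenedAntiAbuse( $after, $settings ) ),
    var_export( $after['wmgUseCentralAuth'], true ),
    var_export( $after['wmgUseOAuth'], true ),
    implode( ', ', lintFishbowl( $dblists, $openEditing ) ) );
```

Run with `php dblist-model.php` (any file name). Before the fix the model reports all six anti-abuse settings weakened and the lint flags labswiki; after moving labswiki out of fishbowl and leaving it in nonglobal, none are weakened while CentralAuth and OAuth stay disabled. The lint is the part worth keeping in practice: a cross-check between dblists catches this class of misplacement at review time rather than after the spam arrives.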

Event Timeline

Anomie created this task. Jun 16 2015, 5:10 PM
Anomie raised the priority of this task from to Needs Triage.
Anomie updated the task description. (Show Details)
Anomie changed the visibility from "Public (No Login Required)" to "Custom Policy".
Anomie changed the edit policy from "All Users" to "Custom Policy".
Anomie changed Security from None to Software security bug.
Anomie added subscribers: Anomie, bd808.
Restricted Application added a subscriber: Aklapper. Jun 16 2015, 5:10 PM

Andrew added a subscriber: Andrew. Jun 16 2015, 5:59 PM

Proposed patch looks good to me!

Why do we need a new dblist for this?

We don't actually need it, we could just set labswiki everywhere I'm using the new dblist (including the array_diff in CommonSettings.php). But then next time someone wants a non-globalized wiki that is still publicly editable they might make the same fishbowl mistake.

Honestly I think that's accounting for a pretty ridiculous case. We're unlikely to add another wiki like wikitech any time soon. You could just put a comment in fishbowl.dblist if it's really important

@Anomie, thanks for the fix. That looks sane to me. If we don't have any other wikis to pull into the list, we can always go back to how it was with a big additional list of spam flags.

If we don't have any other wikis to pull into the list, we can always go back to how it was with a big additional list of spam flags.

Personally, I'd rather go the other way: let labswiki pick up the usual defaults for most settings, then turn off the SUL-related bits. labswiki doesn't meet the definition of "fishbowl", so putting it in there and then overriding half of the settings inherited from fishbowl back to what would have been inherited from default seems much more confusing than not putting it in there and then overriding the other half to change the default.

Anomie closed this task as Resolved. Jun 17 2015, 3:29 PM
Anomie claimed this task.

Fixed and deployed. Although captcha is still disabled there since the 'global-multiwrite' file backend apparently isn't set up there and I don't know if some other backend would work right.

Anomie changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 17 2015, 3:30 PM
Anomie changed the edit policy from "Custom Policy" to "All Users".
Anomie changed Security from Software security bug to None.
Aklapper removed a subscriber: Anomie. Oct 16 2020, 5:39 PM