Page MenuHomePhabricator
Create Task
Maniphest T102652

Wikitech (labswiki) is listed in fishbowl.dblist, despite having public account creation and editing enabled for all logged-in users
Closed, ResolvedPublic
Actions

Description

I noticed that a semiprotected page (editing restricted to autoconfirmed users) on Wikitech was spammed by a newly-created account. It turns out the reason is because labswiki is listed in fishbowl.dblist, which is intended for wikis with editing restricted to trusted accounts.

Anti-abuse measures impacted by this are:

  • $wgAutoConfirmAge = 0, meaning all accounts would be auto-confirmed
  • All logged-in accounts are explicitly granted the autoconfirmed and editsemiprotected rights anyway.
  • $wgAccountCreationThrottle = 0, meaning spammers can create accounts without throttle
  • $wgEmailAuthentication = false, which seems to mean that anyone can set any address on their account without confirmation.
  • $wmgEnableCaptcha = false, so no captchas for spam edits.
  • $wmgUseSpamBlacklist = false, so no blocking of blacklisted links.
  • $wgNoFollowLinks = false, allowing SEO spam to potentially work.

Positive/intended effects of labswiki being in fishbowl.dblist seem to be:

  • CentralAuth, GlobalUserPage, and other "global" extensions are disabled there. From a passing comment in T72311, I suspect this was the main reason for it.
  • CentralNotice is disabled there.
  • OAuth is disabled there.
  • Local renameuser is allowed there.

Other effects:

  • $wgUseNPPatrol is disabled there.

I see two sane options to fix this:

  • Explicitly apply the "positive/intended effects" to labswiki.
  • Create a new "nonglobal.dblist" to apply only the "positive/intended effects", with the only current member being labswiki.

Related Objects

Event Timeline

Anomie created this task.Jun 16 2015, 5:10 PM
Anomie raised the priority of this task from to Needs Triage.
Anomie updated the task description. (Show Details)
Anomie added projects: wikitech.wikimedia.org, acl*security.
Anomie changed the visibility from "Public (No Login Required)" to "Custom Policy".
Anomie changed the edit policy from "All Users" to "Custom Policy".
Anomie changed Security from None to Software security bug.
Anomie added subscribers: Anomie, bd808.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 16 2015, 5:10 PM
Anomie added a project: Patch-For-Review.Jun 16 2015, 5:10 PM

Add nonglobal.dblist, for labswiki4 KBDownload

Andrew added a subscriber: Andrew.Jun 16 2015, 5:59 PM

Proposed patch looks good to me!

Krenair added a subscriber: Krenair.Jun 16 2015, 6:18 PM

Why do we need a new dblist for this?

Anomie added a comment.Jun 16 2015, 7:17 PM

We don't actually need it, we could just set labswiki everywhere I'm using the new dblist (including the array_diff in CommonSettings.php). But then next time someone wants a non-globalized wiki that is still publicly editable they might make the same fishbowl mistake.

Krenair added a comment.Jun 16 2015, 7:20 PM

Honestly I think that's accounting for a pretty ridiculous case. We're unlikely to add another wiki like wikitech any time soon. You could just put a comment in fishbowl.dblist if it's really important

csteipp added a subscriber: csteipp.Jun 17 2015, 1:52 PM

@Anomie, thanks for the fix. That looks sane to me. If we don't have any other wikis to pull into the list, we can always go back to how it was with a big additional list of spam flags.

Anomie added a comment.Jun 17 2015, 2:09 PM
In T102652#1374224, @csteipp wrote:

If we don't have any other wikis to pull into the list, we can always go back to how it was with a big additional list of spam flags.

Personally, I'd rather go the other way: let labswiki pick up the usual defaults for most settings, then turn off the SUL-related bits. labswiki doesn't meet the definition of "fishbowl", so putting it in there and then overriding half of the settings inherited from fishbowl back to what would have been inherited from default seems much more confusing than not putting it in there and then overriding the other half to change the default.

Anomie closed this task as Resolved.Jun 17 2015, 3:29 PM
Anomie claimed this task.

Fixed and deployed. Although captcha is still disabled there since the 'global-multiwrite' file backend apparently isn't set up there and I don't know if some other backend would work right.

Anomie changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 17 2015, 3:30 PM
Anomie changed the edit policy from "Custom Policy" to "All Users".
Anomie changed Security from Software security bug to None.
Krenair mentioned this in T103653: "Invalid or virtual namespace -1 given" when submitting access request.Jun 24 2015, 3:57 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL