In AbuseFilter
is_in_range(ip, range)
will give true, if ip is not an ip and range is not a range.
The reason seems to be that
IP::isInRange($ip, $range)
in mediawiki-core(?), see https://doc.wikimedia.org/mediawiki-core/master/php/IP_8php_source.html#l00637, uses
strcmp(. , .) >= 0 && strcmp(. , .) <= 0,
which is always true, if the params are not defined, because strcmp results in 0.
This can lead to big problems, if somebody makes a minor error in using the AbuseFilter extension, e.g.
is_in_range(user_name, "127.0.1/16") is_in_range("127.0.1/16", user_name) is_in_range(user_name, "wtf")