API list=blocks reveals private data
Closed, ResolvedPublic


The current implementation of the IP block list reveals the IP address(es) of users who are autoblocked in breach of [[wikimedia:Privacy policy]]. See http://en.wikipedia.org/w/api.php?action=query&list=blocks&bklimit=500 for an example query where this problem occurs.

Expected behaviour: list the autoblock id only in the user attribute as in [[Special:Ipblocklist]] (#xxxxxx) for the entries that deal with autoblocks. Example: user="#123".

Actual behaviour: the IP of the autoblocked users is shown in the user attribute instead.

Version: 1.12.x
Severity: blocker
URL: http://en.wikipedia.org/w/api.php?action=query&list=blocks


bzimport set Reference to bz12321.
bzimport added a subscriber: Unknown Object (MLST).
MER-C created this task.Dec 16 2007, 7:33 AM

Disabled list=blocks on Wikimedia pending a fix.

Fixed by VasilievVV in r28533.

Add Comment