API list=blocks reveals private data
Closed, ResolvedPublic


The current implementation of the IP block list reveals the IP address(es) of users who are autoblocked in breach of [[wikimedia:Privacy policy]]. See http://en.wikipedia.org/w/api.php?action=query&list=blocks&bklimit=500 for an example query where this problem occurs.

Expected behaviour: list the autoblock id only in the user attribute as in [[Special:Ipblocklist]] (#xxxxxx) for the entries that deal with autoblocks. Example: user="#123".

Actual behaviour: the IP of the autoblocked users is shown in the user attribute instead.

Version: 1.12.x
Severity: blocker
URL: http://en.wikipedia.org/w/api.php?action=query&list=blocks

bzimport added a project: MediaWiki-API.Via ConduitNov 21 2014, 9:55 PM
bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz12321.
MER-C created this task.Via LegacyDec 16 2007, 7:33 AM
tstarling added a comment.Via ConduitDec 16 2007, 7:59 AM

Disabled list=blocks on Wikimedia pending a fix.

werdna added a comment.Via ConduitDec 16 2007, 9:44 AM

Fixed by VasilievVV in r28533.

Add Comment