
Global block status displaying on the Contributions pages of non-existent users
Closed, ResolvedPublic

Description

https://en.wikipedia.org/wiki/Special:Contributions/newbies shows a global block warning, but there is no ip shown where the block matched.

It should not be shown there.

Was added with https://gerrit.wikimedia.org/r/#/c/133986/

[Attached screenshot: 3yBgtVd.png]

Event Timeline

It is also shown for non-existing users, because the code just checks for User::isAnon, not whether it is a valid IP. But users without a user account also return true for User::isAnon.

I don't remember this happening previously but this patch has been live on the projects since 2014.

Weird. This is the query which it's supposed to do on that page but it doesn't return any result on labs.

MariaDB [centralauth_p]> SELECT * FROM `globalblocks` WHERE (gb_range_start like '%') AND (gb_range_start <= '') AND (gb_range_end >= '') AND (gb_expiry > '20161007150458') ORDER BY gb_timestamp DESC LIMIT 2;
Empty set (0.01 sec)
matmarex set Security to Software security bug. Oct 7 2016, 6:32 PM
matmarex added a project: acl*security.
matmarex changed the visibility from "Public (No Login Required)" to "Custom Policy".
matmarex added a subscriber: matmarex.

This is caused by the change described at T147537. That bug is secret so I'm hiding this too.

IP::toHex returning false in GlobalBlocking::getRangeCondition could cause this, but I don't see how that would happen. Also this affects logged-in users as well, despite the $user->isAnon() check at the beginning of the hook.

I don't know either, but I ran the query @Glaisher posted above on stat1003:

SELECT * FROM `globalblocks` WHERE (gb_range_start like '%') AND (gb_range_start <= '') AND (gb_range_end >= '') AND (gb_expiry > '20161007150458') ORDER BY gb_timestamp DESC LIMIT 2;

And this query I made up:

SELECT * FROM `globalblocks` WHERE (gb_range_start like '%') AND (gb_range_start <= 0) AND (gb_range_end >= 0) AND (gb_expiry > '20161007150458') ORDER BY gb_timestamp DESC LIMIT 2;

And the made-up query returned results consistent with the behavior we see.

This made up query correctly returns nothing:

SELECT * FROM `globalblocks` WHERE (gb_range_start like '%') AND (gb_range_start <= '0') AND (gb_range_end >= '0') AND (gb_expiry > '20161007150458') ORDER BY gb_timestamp DESC LIMIT 2;

The only thing I can think of is that something messes with the user object and sets its id to 0, despite the user being logged in. Then the isAnon check passes, toHex gets the username and fails, and you get boolean values in the range conditions. Which probably matches some IPv6 block in the DB, where the ranges do not start with integers.

(OTOH then you would have to be logged in to see the notice, and I see it when logged out as well.)

Just add an IP::isIPAddress check beside the User::isAnon check and this will not happen again.

ApiQueryGlobalBlocks.php also needs a check.

The isAnon/isLogged check is called on the User object whose contributions you want to see; it is not the session user.

Restricted Application removed a subscriber: Zppix. Oct 7 2016, 8:59 PM

Please consider adding a more descriptive title. I read the title and you can't really tell what the problem is by reading it.
Additional keywords to those searching:
Tegel
205.160.165.76
Screenshot so we know what the problem looked like after it gets fixed: http://i.imgur.com/3yBgtVd.png

jrbs renamed this task from Do not show global block status on Special:Contribs/newbies to Global block status displaying on the Contributions pages of non-existent users. Oct 7 2016, 9:17 PM
jrbs added a subscriber: jrbs.

Probably obvious, but this bug is global. See, for example, https://de.wikipedia.org/wiki/Spezial:Beitr%C3%A4ge/Thisuserdoesnotexistforreal

After updating core, I am able to reproduce locally. Something seems to have changed the behavior of IP::toHex()(?) so it now returns false instead of empty string.

SELECT * FROM `globalblocks` WHERE (gb_range_start like '%') AND (gb_range_start <= 0) AND (gb_range_end >= 0) AND (gb_expiry > '20161007152532') ORDER BY gb_timestamp DESC LIMIT 2

What is T147537 about? In any case, we can fix the condition checked in the hook handler to make it so that query is not run in the first place.

https://gerrit.wikimedia.org/r/#/c/314802/
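As an added example (not code from the GlobalBlocking extension or from anyone in this thread), this Python model reproduces the failure matmarex describes above: a non-IP target makes toHex return false, the DB layer renders that as 0, and MariaDB then coerces the hex range strings to numbers for the comparison, so unrelated blocks match. The table rows, to_hex, mysql_number and the two lookup functions are all constructed here; guarded_lookup models the pre-query check that change 314802 adds.

```python
import ipaddress
import re

# Constructed sample of the globalblocks table (not production data). Range
# bounds are stored hex-encoded: 8 hex digits for IPv4, "v6-" + 32 for IPv6.
GLOBALBLOCKS = [
    {"gb_id": 1, "gb_range_start": "C0000200",                  # 192.0.2.0/24
                 "gb_range_end": "C00002FF"},
    {"gb_id": 2, "gb_range_start": "v6-20010DB8" + "0" * 24,    # 2001:db8::/32
                 "gb_range_end": "v6-20010DB8" + "F" * 24},
]

def to_hex(target):
    """Model of IP::toHex: hex form of an IP address, False for anything else."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False
    return "%08X" % int(ip) if ip.version == 4 else "v6-%032X" % int(ip)

def mysql_number(s):
    """MariaDB string-to-number coercion: leading numeric prefix, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+(\.\d+)?", s)
    return float(m.group(0)) if m else 0.0

def leq(column, bound):
    # False is emitted as the integer 0, so the string column is compared
    # numerically: 'C0000200' and 'v6-...' both coerce to 0 and satisfy <= 0.
    if isinstance(bound, bool):
        return mysql_number(column) <= 0
    return column <= bound            # normal case: string comparison of hex

def geq(column, bound):
    if isinstance(bound, bool):
        return mysql_number(column) >= 0   # always true for non-negative hex
    return column >= bound

def unguarded_lookup(target, rows):
    """Pre-fix behaviour: build and run the range query even for a non-IP."""
    h = to_hex(target)
    return [r["gb_id"] for r in rows
            if leq(r["gb_range_start"], h) and geq(r["gb_range_end"], h)]

def guarded_lookup(target, rows):
    """Fixed behaviour: do not query at all when the target is not an IP."""
    if to_hex(target) is False:
        return []
    return unguarded_lookup(target, rows)
```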

This is also causing all IP ranges to appear as globally blocked in Special:Block too (under other blocks) due to the wrong query being run.

matmarex changed the visibility from "Custom Policy" to "Public (No Login Required)". Oct 11 2016, 4:49 PM
matmarex changed Security from Software security bug to None.

No longer a problem in production after T147537 was fixed

Change 314802 merged by jenkins-bot:
Do not query if the target is not an IP address in SpecialContributionsBeforeMainOutput

https://gerrit.wikimedia.org/r/314802

matmarex assigned this task to Glaisher.
matmarex removed a project: Patch-For-Review.