Page MenuHomePhabricator
Create Task
Maniphest T159889

Per-consumer XFF trust settings
Open, LowPublic
Actions

Description

Intermediaries that transmit edits in some way sometimes cause problems by MediaWiki seeing their IP instead of the actual editor's. OAuth applications might have this problem. The usual solution is to set X-Forwarded-For headers and whitelist the intermediary IPs for which MediaWiki should trust those headers. This does not work well with intermediaries on some kind of shared hosting (such as Tool Labs). OAuth could offer a superior alternative, where the OAuth consumer identity can be used to decide whether the XFF headers are trustworthy.

Related Objects

Event Timeline

Tgr created this task.Mar 7 2017, 11:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 7 2017, 11:05 PM
Tgr triaged this task as Low priority.Mar 7 2017, 11:07 PM
Tgr mentioned this in T116893: OAuth-authorised editing to log with the respective editor's IP address, and review user agent details.
Tgr moved this task from Backlog to Tool User wants on the MediaWiki-extensions-OAuth board.
zhuyifei1999 subscribed.Mar 20 2017, 4:07 PM

Tool Labs proxy hides the IP addresses from users. If a tool on tool labs were to send an XFF, what you get would be the IP address of the web proxies, instead of the actual user, from the viewpoint of the gridengine or k8s workers, and I don't think this information is useful at all...

I'd suggest somehow use the data from the time when the user access [[Special:OAuth/authenticate]] (and perhaps mark it so), which is far more reliable than XFF.

Tgr added a comment.Mar 20 2017, 4:57 PM
In T159889#3114793, @zhuyifei1999 wrote:

Tool Labs proxy hides the IP addresses from users. If a tool on tool labs were to send an XFF, what you get would be the IP address of the web proxies, instead of the actual user, from the viewpoint of the gridengine or k8s workers, and I don't think this information is useful at all...

We could probably encrypt that and pass it on if we really wanted to. Probably not worth the effort though.

I'd suggest somehow use the data from the time when the user access [[Special:OAuth/authenticate]] (and perhaps mark it so), which is far more reliable than XFF.

That seems pretty confusing (e.g. for checkusers who see old IPs on new edits without any warning or explanation), plus authorizations can last forever but we cannot store IP addresses indefinitely.

zhuyifei1999 mentioned this in T74501: Need a way for trusted OAuth apps to make edits from blocked IPs.May 13 2017, 6:25 PM
jayvdb subscribed.May 14 2017, 4:18 AM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:16 AM
Tgr mentioned this in T221162: System Adminstrator limits rate of MediaWiki REST API calls per client.Apr 19 2019, 5:08 PM
Tgr added a comment.Jun 10 2019, 8:02 PM

Note that the OAuth app would have to be thoroughly trusted for this; a malicious app could use fake XSS headers to e.g. test which IP address triggers an autoblock and thus guess the IP of the blocked user. (In the case of Toolforge, the encrypted XFF approach would prevent this.)

Aklapper removed projects: acl*security, MediaWiki-extensions-OAuth.Nov 27 2019, 1:30 PM
Aklapper edited projects, added acl*security, MediaWiki-extensions-OAuth; removed Security-Extensions.Dec 2 2019, 1:03 PM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
edwardbetts subscribed.Apr 22 2020, 10:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL