Page MenuHomePhabricator
Create Task
Maniphest T161029

Forward request data in proxied Action API modules
Closed, ResolvedPublic
Actions

Description

Some Action API modules proxy data from another API (e.g. ORES, Pageviews). Such modules should forward the request IP and user agent when making requests to the upstream API so client throttling / banning can be properly done upstream. For IP, this probably means setting X-Forwarded-For (and it would be the upstream's responsibility to have a whitelist of what sources to trust XFF from); for the user agent, maybe add an X-UA-Original header?

Details

SubjectRepoBranchLines +/-
Forward request data to ORES APImediawiki/extensions/ORESmaster+72 -7
Forward request details to upstream APImediawiki/extensions/PageViewInfomaster+21 -1
MWHttpRequest: optionally add original request datamediawiki/coremaster+35 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Mar 21 2017, 8:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 21 2017, 8:07 PM
Tgr added parent tasks: T148997: Implement parallel connection limit for querying ORES, T137962: [Spec] Tracking and blocking specific IP/user-agent combinations .Mar 21 2017, 8:08 PM
Anomie moved this task from Unsorted to Non-core-API stuff on the MediaWiki-Action-API board.Mar 21 2017, 8:29 PM
Tgr renamed this task from Forward request data in proxied Action API modiles to Forward request data in proxied Action API modules.Mar 23 2017, 12:25 AM
Halfak moved this task from Parked to Monitor (long term) on the Machine-Learning-Team (Active Tasks) board.Mar 23 2017, 9:25 PM
gerritbot subscribed.Mar 28 2017, 2:19 PM

Change 344809 merged by jenkins-bot:
[mediawiki/core@master] MWHttpRequest: optionally add original request data

https://gerrit.wikimedia.org/r/344809

ReleaseTaggerBot added projects: MW-1.29-release (WMF-deploy-2017-03-28_(1.29.0-wmf.18)), MW-1.29-release-notes.Mar 28 2017, 3:00 PM
MZMcBride subscribed.Mar 29 2017, 1:18 PM
gerritbot added a comment.May 19 2017, 8:39 AM

Change 344816 merged by jenkins-bot:
[mediawiki/extensions/PageViewInfo@master] Forward request details to upstream API

https://gerrit.wikimedia.org/r/344816

ReleaseTaggerBot added a project: MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)).May 19 2017, 9:00 AM
Krinkle removed a project: MW-1.29-release (WMF-deploy-2017-03-28_(1.29.0-wmf.18)).May 25 2017, 1:00 PM
Krinkle subscribed.

Is this resolved?

Tgr added a comment.May 25 2017, 3:10 PM

https://gerrit.wikimedia.org/r/#/c/344815/ (which was the real point of the exercise) still needs to be merged.

gerritbot added a comment.May 25 2017, 6:35 PM

Change 344815 merged by jenkins-bot:
[mediawiki/extensions/ORES@master] Forward request data to ORES API

https://gerrit.wikimedia.org/r/344815

ReleaseTaggerBot edited projects, added MW-1.30-release-notes (WMF-deploy-2017-05-30_(1.30.0-wmf.3)); removed MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)).May 25 2017, 7:00 PM
Tgr closed this task as Resolved.May 25 2017, 9:33 PM
Tgr claimed this task.
Jdforrester-WMF edited projects, added MW-1.30-release-notes (WMF-deploy-2017-06-06_(1.30.0-wmf.4)); removed MW-1.30-release-notes (WMF-deploy-2017-05-30_(1.30.0-wmf.3)).Jun 6 2017, 8:37 PM
Jdforrester-WMF subscribed.

Mass-moving all items tagged for MediaWiki 1.30.0-wmf.3, as that was never released; instead, we're using -wmf.4.

awight moved this task from Monitor (long term) to Completed on the Machine-Learning-Team (Active Tasks) board.Jul 3 2017, 5:49 PM
Tgr mentioned this in T285116: Echo does not set X-Forwarded-For for internal API requests, some of which get logged to CU (CVE-2022-28324).Oct 22 2021, 9:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL