Page MenuHomePhabricator

Edits attributed to 127.0.0.1
Closed, DeclinedPublic

Description

On my MW 1.30 wiki, which is public but doesn't allow anonymous contributions nor uninvited registration, we noticed an edit attributed to the local IP address 127.0.0.1. The article in which the change took place was newly created, and the style of the change and the summary suggest they were done by the same user who created the article and was working on it in successive edits.

Upon inspecting the contributions of 127.0.0.1 I noticed that al of them were automatic tasks; vocabulary imports and automatic page creations by [[mw:Extension:AutoCreatePage]]

Is it possible that an edit by a user be attributed to 127.0.0.1 under any circumstances?

Event Timeline

ahmad created this task.Apr 21 2018, 8:28 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 21 2018, 8:28 AM
ahmad updated the task description. (Show Details)Apr 21 2018, 8:29 AM
Reedy added a subscriber: Reedy.Apr 21 2018, 10:12 AM

It certainly happens due to other bugs https://en.wikipedia.org/wiki/Special:Contributions/127.0.0.1

Does the extension have a setting to tell it to use a user?

You might be better discussing this over at https://github.com/mkroetzsch/AutoCreatePage as it's likely it's a bug with the extension itself as it doesn't seem to do anything to actually determine which user to make the edits as, but is done by the trigger of a parserfunction...

Its fairly common bug when things do stuff via the job queue or cli, without using RequestContext::importScopedSession()

ahmad added a comment.EditedApr 22 2018, 7:03 AM

The incident was not particular to that extension.
It happened with several regular edits by several reasons.
I don't know if this is related to the fact the editors sessions have been expiring so rapidly and frequently.
But thanks for the explanation.

This is not a security issue per-se. Making this bug public and moving out of Security

Bawolff renamed this task from Edit attributed to 127.0.0.1 to Edits made by extension AutoCreatePage attributed to 127.0.0.1.Jul 9 2018, 9:20 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
Bawolff removed a project: Security.
Restricted Application added a project: Security. · View Herald TranscriptJul 9 2018, 9:20 PM
Bawolff added a subscriber: mkroetzsch.
ahmad added a comment.Jul 9 2018, 10:52 PM

The actions attributed to 127.0.0.1 were not only the result of extension AutoCreatepage's work.
Some of them were human edits that took place at around the same time. See the log https://genderation.xyz/wiki/Special:contributions/127.0.0.1

ahmad renamed this task from Edits made by extension AutoCreatePage attributed to 127.0.0.1 to Edits attributed to 127.0.0.1.Jul 9 2018, 10:52 PM

Can you give steps to reliably reproduce human editors being attributed to the wrong user? Its unlikely we would be able to fix it unless we can reliably reproduce the issue.

ahmad added a comment.Jul 10 2018, 9:21 AM

I see your point of course.
Unfortunately I cannot reproduce this now as it seems to me more complex than what I can do at this time. I will keep monitoring for this behaviour, and add to this ticket later on. Reopening it, if necessary.
Thanks.

Aklapper closed this task as Declined.Jan 21 2019, 1:14 AM

Unfortunately closing this report as no further information has been provided.

@ahmad: After you have provided the information asked for and if this still happens, please set the status of this report back to "Open" via the Add Action...Change Status dropdown. Thanks!