Maniphest T199153

Blocks should not return status 200
Open, Needs TriagePublic
Actions

Assigned To

None

Authored By

	Smalyshev
	Jul 9 2018, 8:52 PM

Tags

Referenced Files

None

Subscribers

Description

As discovered when investigating T199146: "Blocked" response when trying to access constraintsrdf action from production host, if the IP of the user is blocked by Mediawiki, the HTTP response still carries status 200. This is very wrong - if we did not do the action requested, and/or declined to perform the action requested, we should not return status 200.

Related Objects

Mentioned Here: T199146: "Blocked" response when trying to access constraintsrdf action from production host

Event Timeline

Smalyshev created this task.Jul 9 2018, 8:52 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 9 2018, 8:53 PM

• TBolliger moved this task from Backlog to User blocking on the MediaWiki-User-management board.Aug 17 2018, 6:44 PM

DannyS712 edited projects, added MediaWiki-Blocks; removed MediaWiki-User-management.Apr 25 2020, 12:10 AM

Restricted Application added a project: MediaWiki-User-management. · View Herald TranscriptApr 25 2020, 12:10 AM

Aklapper removed a project: MediaWiki-User-management.Apr 25 2020, 12:23 PM

Oppose, since this can leak whether the user is blocked to other sites. See https://xsleaks.dev/docs/attacks/error-events/