Page MenuHomePhabricator
Create Task
Maniphest T199540

Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API
Closed, ResolvedPublic
Actions

Assigned To
Legoktm
Authored By
Trijnstel
Jul 13 2018, 2:14 PM
Tags
Referenced Files
F27679696: 0001-SECURITY-API-Respect-wgBlockCIDRLimit-in-action-bloc.patch
Dec 20 2018, 9:44 AM
F27267288: 0001-API-Respect-wgBlockCIDRLimit-in-action-block.patch
Nov 21 2018, 3:58 AM
F23718953: 0001-SECURITY-API-Respect-wgBlockCIDRLimit-in-action-bloc.patch
Jul 13 2018, 3:17 PM
Subscribers
Aklapper
alaa
DerHexer
hoo
Jalexander
Legoktm
Liuxinyu970226
View All 12 Subscribers

Description

Coincidently I found out that an adminbot blocked IP ranges on ruwikiquote as big as /1 and /2. That's almost everyone...

ru.wikiquote.org
2018-Jun-20 — 2023-Jun-20: 128.0.0.0/1 blocked by QBA-bot ({{BlockedHosting}})
2018-Jun-20 — 2023-Jun-20: 128.0.0.0/2 blocked by QBA-bot ({{BlockedHosting}})
https://tools.wmflabs.org/meta/stalktoy/183.198.0.0%2F16

It shouldn't be possible on Wikimedia wikis to block such huge ranges. Probably a bug, so please correct it.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: API: Respect $wgBlockCIDRLimit in action=blockmediawiki/coreREL1_33+16 -41
SECURITY: API: Respect $wgBlockCIDRLimit in action=blockmediawiki/coreREL1_32+23 -1
SECURITY: API: Respect $wgBlockCIDRLimit in action=blockmediawiki/coreREL1_31+23 -1
SECURITY: API: Respect $wgBlockCIDRLimit in action=blockmediawiki/coreREL1_30+31 -0
SECURITY: API: Respect $wgBlockCIDRLimit in action=blockmediawiki/coremaster+23 -1
SECURITY: API: Respect $wgBlockCIDRLimit in action=blockmediawiki/coreREL1_27+24 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Trijnstel created this task.Jul 13 2018, 2:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 13 2018, 2:14 PM
TheresNoTime awarded a token.Jul 13 2018, 2:15 PM
TheresNoTime subscribed.
Liuxinyu970226 added a project: Russian-Sites.Jul 13 2018, 2:15 PM
TheresNoTime removed a project: Russian-Sites.Jul 13 2018, 2:18 PM

This task doesn't only affect Russian Sites, nor is it a consequence of the site being Russian

Legoktm set Security to Software security bug.Jul 13 2018, 2:24 PM
Legoktm added a project: acl*security.
Legoktm changed the visibility from "Public (No Login Required)" to "Custom Policy".
Legoktm subscribed.
$wgBlockCIDRLimit = [
	'IPv4' => 16, # Blocks larger than a /16 (64k addresses) will not be allowed
	'IPv6' => 19,
];

Somehow the limits are being bypassed?

alaa subscribed.Jul 13 2018, 2:27 PM
DerHexer subscribed.Jul 13 2018, 2:28 PM
Legoktm claimed this task.Jul 13 2018, 2:42 PM
Legoktm added a project: MediaWiki-Action-API.

Looks like action=block in the API is no longer checking against $wgBlockCIDRLimit.

revi edited subscribers, added: acl*stewards; removed: Stewards-and-global-tools.Jul 13 2018, 2:49 PM
Anomie subscribed.Jul 13 2018, 2:53 PM

It looks like it was broken by rMWb11b0c798d6f: * Moved Target field validation into a field validation callback to show erros… back in 2011, when the validation was moved out of SpecialBlock::processForm().

Anomie moved this task from Unsorted to Needs Code on the MediaWiki-Action-API board.Jul 13 2018, 2:54 PM
Legoktm added projects: Core-Platform-Team-Old (CPT-Q1-Jul-Sep-2018), Patch-For-Review.Jul 13 2018, 3:17 PM

0001-SECURITY-API-Respect-wgBlockCIDRLimit-in-action-bloc.patch2 KBDownload

I didn't git blame/bisect to see when this was introduced.

Anomie added a comment.Jul 13 2018, 3:31 PM
In T199540#4422951, @Legoktm wrote:

0001-SECURITY-API-Respect-wgBlockCIDRLimit-in-action-bloc.patch2 KBDownload

Code-Review+1

As a minor thing, SpecialBlock::checkUnblockSelf() is now called twice by the API, but that can probably be cleaned up at another time.

The call in ApiBlock results in an error message with the block info included, which the call from SpecialBlock::validateTarget() wouldn't. We want to keep that block info.

$this->mUser = User::newFromName( '128.0.0.0/16', false );

Eew. But I guess ok for a security patch to avoid further rewriting of the test class.

MarcoAurelio subscribed.Jul 15 2018, 6:45 PM
revi subscribed.Jul 25 2018, 7:46 PM
Legoktm moved this task from Backlog to Waiting for Review on the Core-Platform-Team-Old (CPT-Q1-Jul-Sep-2018) board.Aug 18 2018, 3:39 AM

Ping? Should I go ahead and deploy this?

Legoktm added a subscriber: tstarling.Nov 5 2018, 3:16 AM
CCicalese_WMF edited projects, added Platform Team Workboards (Doing), Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)); removed Core-Platform-Team-Old (CPT-Q1-Jul-Sep-2018).Nov 6 2018, 10:08 PM
CCicalese_WMF edited projects, added Platform Team Workboards (Waiting for Review); removed Platform Team Workboards (Doing).
tstarling added a comment.Nov 21 2018, 3:58 AM

I think it's ready to deploy. I rebased it on to master since it didn't apply against the current deployment branch.

0001-API-Respect-wgBlockCIDRLimit-in-action-block.patch2 KBDownload

Anomie added a comment.Nov 21 2018, 4:52 PM
In T199540#4764735, @tstarling wrote:

I think it's ready to deploy. I rebased it on to master since it didn't apply against the current deployment branch.

0001-API-Respect-wgBlockCIDRLimit-in-action-block.patch2 KBDownload

Code-Review+1. Tests pass locally, let's get this deployed.

Legoktm added a comment.Dec 20 2018, 9:44 AM

Deployed and verified on test.wikipedia.org. Final patch I used (just added SECURITY: to the commit message) is attached.

0001-SECURITY-API-Respect-wgBlockCIDRLimit-in-action-bloc.patch2 KBDownload

Legoktm renamed this task from Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote to Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API.Dec 20 2018, 9:45 AM
Legoktm closed this task as Resolved.
Legoktm added a parent task: T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.
CCicalese_WMF moved this task from Waiting for Review to Done with CPT on the Platform Team Workboards board.Jan 17 2019, 5:53 PM
CCicalese_WMF edited projects, added Platform Team Workboards (Done with CPT); removed Platform Team Workboards (Waiting for Review).
Legoktm mentioned this in T205048: Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.2 security releases.Apr 7 2019, 11:48 PM
Reedy mentioned this in T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.May 28 2019, 2:50 PM
Reedy mentioned this in T224499: RELEASE-NOTES for 1.27.6/1.30.2/1.31.2/1.32.2.May 29 2019, 12:32 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 6 2019, 4:01 PM
Restricted Application added a subscriber: Liuxinyu970226. · View Herald TranscriptJun 6 2019, 4:01 PM
gerritbot added a comment.Jun 6 2019, 4:06 PM

Change 514765 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/core@REL1_27] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514765

gerritbot added a comment.Jun 6 2019, 4:07 PM

Change 514765 merged by Reedy:
[mediawiki/core@REL1_27] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514765

gerritbot added a comment.Jun 6 2019, 4:08 PM

Change 514776 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/core@REL1_30] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514776

gerritbot added a comment.Jun 6 2019, 4:08 PM

Change 514776 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514776

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.30-release-notes.Jun 6 2019, 5:00 PM
gerritbot added a comment.Jun 6 2019, 6:59 PM

Change 514756 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514756

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.10; 2019-06-18).Jun 6 2019, 7:00 PM
gerritbot added a comment.Jun 6 2019, 7:02 PM

Change 514852 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/core@REL1_31] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514852

Reedy mentioned this in T225251: ApiBlockTest::testBlockingToManyPageRestrictions Failed asserting that exception of type "ApiUsageException" is thrown..Jun 6 2019, 8:50 PM
gerritbot added a comment.Jun 6 2019, 8:51 PM

Change 514952 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/core@REL1_32] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514952

gerritbot added a comment.Jun 6 2019, 10:53 PM

Change 514852 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514852

ReleaseTaggerBot added a project: MW-1.31-release-notes.Jun 6 2019, 11:00 PM
gerritbot added a comment.Jun 6 2019, 11:01 PM

Change 514976 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/core@REL1_33] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514976

gerritbot added a comment.Jun 6 2019, 11:05 PM

Change 514952 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514952

gerritbot added a comment.Jun 6 2019, 11:37 PM

Change 514976 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: API: Respect $wgBlockCIDRLimit in action=block

https://gerrit.wikimedia.org/r/514976

ReleaseTaggerBot added projects: MW-1.33-notes, MW-1.32-notes.Jun 7 2019, 12:01 AM
MarcoAurelio mentioned this in T243980: Find rangeblocks exceeding $wgBlockCIDRLimit to review/lift them.Jan 31 2020, 1:02 AM
chasemp added a project: Security.Feb 10 2020, 10:51 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:38 PM
Aklapper removed a subscriber: acl*stewards.Jun 29 2023, 2:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits