
Stop CommonsDelinker
Status: Closed, Invalid (Public)

Description

Look at https://bitbucket.org/magnusmanske/commons-delinquent/issues – the maintainers have been inactive since May 2018. Three critical-level issues are pending without any reaction at all, including one involving dollar signs that can potentially lead to an exploit of the CommonsDelinker bot to wreak havoc. Please stop the bot until more responsible maintainers are appointed.

Event Timeline

revi moved this task from Incoming to Third-party software on the Commons board.
revi removed a subscriber: Tools.

Have you talked to Commons administrators and bureaucrats about this?

Not to Steinsplitter – we don’t communicate due to personal reasons. Other Wikimedia Commons guys AFAIK don’t support this software. Moreover, edits by CommonsDelinker threaten all Wikimedia, not Commons specifically.

If you're worried about edits causing a problem on other projects, Stewards are probably the right people to reach out to.

The $ issue just looks like regexes not being escaped properly.

Can’t “regexes not being escaped properly” be used—at the very least—for injection of arbitrary data into the edit? As for Wikimedia stewards, how many of them have the necessary access to the Toolforge platform? Of course, any of the stewards can globally lock the account of CommonsDelinker, but the bot software could be used—while running—to do harm in other ways.

If CommonsDelinker edits are problematic on Wikidata, can’t it just be blocked there until the bugs are fixed?

Hi,

First of all: Thanks for reporting the issue and sorry for the late reply - I am actually busy with other stuff!

The reported issue seems to be a regex replacement issue, caused because $ can be used to parse the matched pattern. I cannot reproduce an injection of evil code.

Unfortunately, I have no time to fix all the bugs reported on Bitbucket because Delinker is not my main project (and as far as I know Magnus is busy with other stuff as well).

Patches to fix existing bugs are very welcome :-).
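The two comments above attribute the dollar-sign bug to a regex replacement string that is not escaped, and the reply before that asked whether such a bug lets arbitrary data into the edit. The following PHP snippet is an added example written for this page, not CommonsDelinker's own code (PHP is chosen only because the thread says the bot is written in it); the function names, the sample wikitext and the file names are constructed. It shows what PHP's preg_replace() does with an unescaped "$1" in the replacement string, and two ways to make the replacement literal.

```php
<?php
// Added example (not CommonsDelinker's code): an unescaped "$" in a
// preg_replace() replacement string corrupts the edit, and how to prevent it.

// Constructed sample input: the file being renamed and one line of wikitext.
$oldName  = 'Old image.jpg';
$newName  = 'Price $1 sign.jpg';   // constructed: a new name containing "$1"
$wikitext = "[[File:Old image.jpg|thumb|Example]]\n";

// Naive version: the pattern is quoted with preg_quote(), but the
// replacement is passed raw, so preg_replace() reads "$1" as a reference to
// capture group 1. The pattern has no such group, so "$1" expands to "" and
// the file name written into the page is silently truncated.
function replaceFileNameNaive(string $text, string $old, string $new): string {
    $pattern = '/\[\[File:' . preg_quote($old, '/') . '\|/';
    return preg_replace($pattern, '[[File:' . $new . '|', $text);
}

// Hardened version: escape the only two characters that are special in a
// preg_replace() replacement string, the backslash and the dollar sign.
// Backslashes are doubled first so the "\$" added afterwards is not touched.
function escapeReplacement(string $s): string {
    return str_replace(['\\', '$'], ['\\\\', '\\$'], $s);
}

function replaceFileNameSafe(string $text, string $old, string $new): string {
    $pattern = '/\[\[File:' . preg_quote($old, '/') . '\|/';
    return preg_replace($pattern, '[[File:' . escapeReplacement($new) . '|', $text);
}

// Alternative that avoids replacement-string parsing entirely: a callback
// returns the literal text, so nothing inside $new is ever interpreted.
function replaceFileNameCallback(string $text, string $old, string $new): string {
    $pattern = '/\[\[File:' . preg_quote($old, '/') . '\|/';
    return preg_replace_callback($pattern, fn() => '[[File:' . $new . '|', $text);
}

echo "naive:    " . replaceFileNameNaive($wikitext, $oldName, $newName);
echo "safe:     " . replaceFileNameSafe($wikitext, $oldName, $newName);
echo "callback: " . replaceFileNameCallback($wikitext, $oldName, $newName);
```

Running this, the naive variant emits "[[File:Price  sign.jpg|thumb|Example]]" (the "$1" is gone), while the other two emit "[[File:Price $1 sign.jpg|thumb|Example]]". The practical consequence of the bug is therefore corrupted or truncated file links in the edited pages, which is the kind of bad edit reviewers of the bot's contributions should watch for; replacement-string backreferences only ever substitute captured text, so they do not by themselves execute anything.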

Okay. A bot which is _mostly useful_ and makes 1 bad edit out of 1000 useful ones is proposed to be globally stopped. No program can work in all cases, under all circumstances. All programs have their own edge cases causing incorrect behaviour.

In other words, I have no problem with stopping the bot globally, provided you (@Incnis_Mrsi) will perform the work of the bot manually with a LOWER percentage of said incorrect behaviour (to be honest, I have never noticed such a bug in the bot's work in Czech Wikipedia). Otherwise I must oppose it.

PS: I think the maintainers of the bot are volunteers, just as most other bot owners. They really cannot spend every day maintaining bots; they gotta eat something ;). Maybe if you have enough money to cover enough technicians, all the bots and tools and whatever will work 1000% better, as the technicians would have more time they can spend on the bots ;).

Of course, it isn’t my job to make bot edits manually. Nor should anybody here hire professional engineers at their own expense, and Ī̲’m astonished that such sophistry is encouraged here. In the end, Ī̲ could manage such software myself, but it is full of PHP. Nowadays an Internet dweller may have the impression that half of the world is coding PHP – can’t the Wikimedia Labs community co-opt some of these guys for this task?

Sure - do you want to help finding developers? ;) Anyway, if particular communities don't like this bot they can always block it. If too many communities are affected, stewards can lock the account globally. As far as I can see, this is not the bug tracker for this software - do we need to keep this ticket open?

JJMC89 subscribed.

Stopping the bot is out of scope for Phabricator. Bugs for this bot are not tracked in Phabricator.