
Disabling JavaScript on Special:Block allows you to block user from "Special" namespace (namespace=-1)
Closed, Resolved · Public · 2 Story Points

Description

With JavaScript disabled, it is possible to enter in the "Namespaces" input the value "-1". Submitting the block will block the specified user from the "Special" namespace.

For example, I have done it here: https://test.wikipedia.org/wiki/Special:BlockList?wpTarget=Drwpb

I am assuming this is not desired because:

  1. You are not allowed to do this with JavaScript enabled (either by typing into the input "Special" or "-1")
  2. You cannot do this via the API (https://www.mediawiki.org/wiki/API:Block shows allowed values)
  3. Tasks like T208355 suggest it should not be possible to block users from "Special:" pages

Reproduction Steps:
The MediaWiki instance will need to have: "$wgEnablePartialBlocks = true;"

  1. Disable JavaScript
  2. Go to Special:Block
  3. Type in a valid user (you won't get completion without JS)
  4. Select the "Partial" radio button
  5. In the "Namespaces" input type "-1"
  6. Choose an expiration (you need to type in a value, doesn't seem to matter)
  7. Submit

You can see the settings of the block you have just set in Special:BlockList.

Environments Reproduced:

https://test.wikipedia.org
MediaWiki 1.33.0-wmf.18 (6deca5e) 20:11, 20 February 2019

My local VM:
MediaWiki 1.33.0-alpha (1900a8a) 15:26, 21 February 2019

Event Timeline

Restricted Application added subscribers: MGChecker, Aklapper. · Feb 22 2019, 3:09 PM
TBolliger added a subscriber: TBolliger.

Good find! Harmless, but could lead to long-term confusion and complication.

I also assume the API would accept Special— we should send appropriate error messages in all cases.

TBolliger triaged this task as Low priority. · Feb 22 2019, 4:55 PM
TBolliger moved this task from Backlog to User blocking on the MediaWiki-User-management board.
TBolliger set the point value for this task to 2.
dmaza claimed this task. · Mar 20 2019, 5:08 PM
dmaza moved this task from Cards ready for development to Vav — ו on the Anti-Harassment board.
dmaza edited projects, added Anti-Harassment (Vav — ו); removed Anti-Harassment.
dmaza moved this task from Ready to In Progress on the Anti-Harassment (Vav — ו) board.

Change 499884 had a related patch set uploaded (by Dmaza; owner: Dmaza):
[mediawiki/core@master] Fix invalid namespace restriction when js is disabled

https://gerrit.wikimedia.org/r/499884

Change 499884 merged by jenkins-bot:
[mediawiki/core@master] Fix invalid namespace restriction when js is disabled

https://gerrit.wikimedia.org/r/499884

I have not been able to submit Special:Block with namespace=-1.

I can enter a random number (e.g. "895894791278749") and that will submit, leaving a blank item under "namespaces" in the Special:BlockList and an entry of "2147483647" in the ipblocks_restrictions table.
E.g.

This behaviour existed before this change.

This did not appear to have any bad side-effects. The user is still blocked from pages they are partially blocked from and able to edit pages they are not blocked from.

dmaza added a comment. · Apr 2 2019, 2:05 PM

I feel like that's still a bug. We shouldn't allow for non-existing namespaces to be saved. At the very least we shouldn't display an empty namespace in the BlockList.

> I feel like that's still a bug. We shouldn't allow for non-existing namespaces to be saved. At the very least we shouldn't display an empty namespace in the BlockList.

Agreed. I raised T219882.

dbarratt closed this task as Resolved. · Apr 2 2019, 4:30 PM
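
The two cases discussed in this task (namespace -1 accepted without JavaScript, and a non-existent number stored as 2147483647) both come from trusting what the form widget would have allowed. The following server-side check is an added example in standalone PHP; it is not MediaWiki code and not the merged patch. The namespace table, the function name and the one-ID-per-line field format are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: namespace IDs defined on a hypothetical wiki.
// Negative IDs (-2 Media, -1 Special) are MediaWiki's virtual namespaces.
const DEFINED_NAMESPACES = [
    -2 => 'Media', -1 => 'Special', 0 => '(Main)',
    1 => 'Talk', 2 => 'User', 3 => 'User talk',
];

/**
 * Validate the raw "Namespaces" field of a partial block on the server,
 * independent of any client-side widget. Hypothetical helper; assumes the
 * no-JS field posts one namespace ID per line.
 *
 * @return array{valid: int[], errors: string[]}
 */
function validateNamespaceRestrictions(string $raw): array
{
    $valid = [];
    $errors = [];
    foreach (preg_split('/\R/', trim($raw)) as $line) {
        $token = trim($line);
        if ($token === '') {
            continue;
        }
        if (!preg_match('/^-?\d+$/', $token)) {
            $errors[] = "$token: not a namespace ID";
        } elseif (strlen(ltrim($token, '-')) > 9) {
            // Reject before casting: more than 9 digits may not fit a signed
            // 32-bit column and would be clamped on insert.
            $errors[] = "$token: out of range";
        } elseif ((int)$token < 0) {
            $errors[] = "$token: virtual namespaces cannot be restricted";
        } elseif (!array_key_exists((int)$token, DEFINED_NAMESPACES)) {
            $errors[] = "$token: no such namespace";
        } else {
            $valid[(int)$token] = (int)$token; // keyed by ID to drop duplicates
        }
    }
    // Error strings echo user input: escape them before rendering as HTML.
    return ['valid' => array_values($valid), 'errors' => $errors];
}

// Constructed input: values a client without JavaScript could submit.
print_r(validateNamespaceRestrictions("-1\n895894791278749\n2\nSpecial"));
```

Only the entries in `valid` would be written to the restrictions table; any entry in `errors` should fail the form submission with a message rather than be silently dropped.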