
Disabling JavaScript on Special:Block allows you to enter any positive number as a namespace
Closed, ResolvedPublic3 Story Points

Description

With JavaScript disabled, it is possible to enter a random, positive integer or decimal as a namespace.

For example, I can enter "895894791278749" and that will submit, leaving a blank item under "namespaces" in the Special:BlockList (see screenshot) and an entry of "2147483647" (largest integer allowed?) in the ipblocks_restrictions table.

You can also enter a value like 34783.47847 and that will block namespace 34783 (presumably it just rounds to nearest integer).

This did not appear to have any bad side-effects. The user is still blocked from pages they are partially blocked from and able to edit pages they are not blocked from.

Reproduction Steps:
The MediaWiki instance will need to have: "$wgEnablePartialBlocks = true;"

  1. Disable JavaScript
  2. Go to Special:Block
  3. Type in a valid user (you won't get completion without JS)
  4. Select the "Partial" radio button
  5. In the "Namespaces" input type any positive number
  6. Choose an expiration (you need to type in a value, doesn't seem to matter)
  7. Submit

You can see the settings of the block you have just set in Special:BlockList.
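The report describes a client-side-only restriction: with JavaScript on, the namespaces widget only offers real namespaces, but the raw form field accepts any numeric string, and the server stored it (decimals truncated, and an oversized value landing in the table as 2147483647). The model below is an added example, not MediaWiki's code or either Gerrit change: the namespace table, the 32-bit signed column, the MySQL-style saturation of out-of-range values, and the function names are assumptions chosen to mirror the observed behaviour. It contrasts the unchecked storage path with a server-side check of the shape the fix took (every submitted value must be an existing namespace ID; an empty selection is allowed, as the second patch required).

```python
"""Model of the Special:Block namespace-restriction bug and a server-side check.

Constructed example, not MediaWiki code. KNOWN_NAMESPACES, INT_MAX and the
saturation behaviour are assumptions that mirror the ticket's observations.
"""
from typing import Optional

# Assumed namespace table: MediaWiki's built-in IDs plus one custom namespace.
KNOWN_NAMESPACES = {
    0: "(Main)", 1: "Talk", 2: "User", 3: "User talk", 4: "Project",
    5: "Project talk", 6: "File", 7: "File talk", 8: "MediaWiki",
    9: "MediaWiki talk", 10: "Template", 11: "Template talk", 12: "Help",
    13: "Help talk", 14: "Category", 15: "Category talk",
    100: "Custom",  # assumed custom namespace, e.g. from $wgExtraNamespaces
}

# Signed 32-bit INT column, assumed from the 2147483647 seen in ipblocks_restrictions.
INT_MAX = 2 ** 31 - 1
INT_MIN = -(2 ** 31)

# Error text the ticket reports for the English interface.
BAD_OPTION = "The value you specified is not a valid option."


def store_restriction_unchecked(raw: str) -> int:
    """The pre-fix path, as modelled here: no existence check at all.

    A numeric string is cast to an integer (decimal part truncated) and an
    out-of-range value is saturated the way a MySQL INT column does in
    non-strict mode. This reproduces the two symptoms in the report.
    """
    value = int(float(raw))
    return max(INT_MIN, min(INT_MAX, value))


def validate_namespaces(
    submitted: list[str],
    known: dict = KNOWN_NAMESPACES,
) -> tuple[Optional[list[int]], Optional[str]]:
    """Server-side validation of the raw form values (the shape of the fix).

    Each value must be the canonical decimal form of an ID that exists in the
    namespace table: signs, decimal points, leading zeros, non-digits and
    unknown IDs are rejected. Blank entries are skipped so that an empty
    selection (sitewide block, or partial block without namespaces) passes.
    Returns (ids, None) on success or (None, error_message) on failure.
    """
    ids: list[int] = []
    for raw in submitted:
        raw = raw.strip()
        if raw == "":
            continue
        # Canonical non-negative integer only: rejects "-1", "34783.47847", "01".
        if not (raw.isascii() and raw.isdigit()) or str(int(raw)) != raw:
            return None, BAD_OPTION
        ns = int(raw)
        if ns not in known:  # the check the original code lacked
            return None, BAD_OPTION
        ids.append(ns)
    return ids, None


def handle_block_submission(post: dict, server_side_check: bool) -> dict:
    """Simulated form handler for a POST made without the JS widget.

    With server_side_check=False it behaves like the reported bug; with
    True it returns the validation error instead of writing anything.
    """
    values = post.get("wpNamespaceRestrictions", "").split("\n")
    if not server_side_check:
        stored = [store_restriction_unchecked(v) for v in values if v.strip()]
        return {"stored": stored, "error": None}
    ids, error = validate_namespaces(values)
    return {"stored": ids, "error": error}


if __name__ == "__main__":
    # Constructed POST body: the value from the report, typed in with JS disabled.
    post = {"wpNamespaceRestrictions": "895894791278749"}
    print(handle_block_submission(post, server_side_check=False))
    print(handle_block_submission(post, server_side_check=True))
```

The important design point is that the check runs on the raw string rather than on a value already cast to an integer: casting first would silently turn "34783.47847" into 34783 and then accept it if that ID happened to exist, so the canonical-form test and the existence test both operate on what the client actually sent.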

Event Timeline

Restricted Application added subscribers: MGChecker, Aklapper. Apr 2 2019, 2:56 PM
Niharika added a subscriber: Niharika.

It seems like we should do some server-side checks here. Thanks for filing the ticket, @dom_walden.

Niharika triaged this task as Normal priority. Apr 4 2019, 6:13 PM
Niharika set the point value for this task to 3.

Change 523775 had a related patch set uploaded (by Tchanders; owner: Tchanders):
[mediawiki/core@master] Check namespace exists in HTMLNamespacesMultiselectField validation

https://gerrit.wikimedia.org/r/523775

Change 523775 merged by jenkins-bot:
[mediawiki/core@master] Check namespace exists in HTMLNamespacesMultiselectField validation

https://gerrit.wikimedia.org/r/523775

With JavaScript disabled, I am only allowed to enter numbers of valid namespaces. I checked that this included both the hardcoded/default namespaces and custom namespaces.

Any other number, including minus and decimal, returns user to the form with "The value you specified is not a valid option." (assuming user has English interface language).

The change only adds one condition to a preexisting if statement, so did not test very thoroughly.

Only tested on Firefox 60 on https://en.wikipedia.beta.wmflabs.org (1.34.0-alpha (5c771bd)).

dbarratt closed this task as Resolved.Jul 17 2019, 3:42 PM
dom_walden reopened this task as Open.Jul 17 2019, 5:17 PM
dom_walden moved this task from Done to In Progress on the Anti-Harassment (The Letter Song) board.

Sorry, moving back as I missed something.

You cannot submit the Special:Block form (for sitewide or partial block; with or without JS) without adding a namespace. Otherwise, you see the validation error ("The value you specified is not a valid option.").

Change 524235 had a related patch set uploaded (by Tchanders; owner: Tchanders):
[mediawiki/core@master] Allow empty input in namespaces multiselect on Special:Block

https://gerrit.wikimedia.org/r/524235

Change 524235 merged by jenkins-bot:
[mediawiki/core@master] Allow empty input in namespaces multiselect on Special:Block

https://gerrit.wikimedia.org/r/524235

I tested that I could submit sitewide blocks and partial blocks with and without namespace restrictions. Both with and without JS.

The namespace restriction behaves as before with and without JS. Without JS, you cannot submit the form if you have an invalid namespace number (or negatives or something that isn't a number).

Mainly tested on beta. Briefly tested on my local machine so I could see if there were any errors in the logs. There were none.

As this is a server-side change, I only tested it on Firefox 60.

dbarratt closed this task as Resolved.Jul 22 2019, 3:36 PM