Page MenuHomePhabricator
Create Task
Maniphest T223195

Invalid IPv6 URL on page causes all non-autoconfirmed edits to trigger CAPTCHA
Open, Needs TriagePublic
Actions

Description

  1. On enwiki, create a page containing this invalid link: http://ABCD:0000:0000:0000:0000:0000:0000:0000
  2. With a non-autoconfirmed account, add more text to the page. Do not add any more links.

The expected result is no CAPTCHA. The actual result is a CAPTCHA, even though no new external links were added.

Example: this edit required a CAPTCHA to save.

If the URL is instead formatted correctly, as http://[ABCD:0000:0000:0000:0000:0000:0000:0000], other edits do not trigger the CAPTCHA.

Example: this edit required no CAPTCHA, as expected.

Event Timeline

suffusion_of_yellow created this task.May 14 2019, 5:38 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 14 2019, 5:38 AM
suffusion_of_yellow updated the task description. (Show Details)May 14 2019, 5:40 AM
Galobtter subscribed.May 14 2019, 7:20 AM
Anomie subscribed.May 14 2019, 8:35 PM

Here's the series of events going on there:

  • The page is saved containing the bad link.
    • The Parser's output includes the bad link in the ParserOutput metadata.
    • The job for inserting the externallinks table rows for the page runs. For our bad link it gets 0 indexes from LinkFilter::makeIndexes(), so makes no insertion for this bad link.
      • The 0 index entries comes because wfParseUrl() returns false, which in turn is because PHP's built-in parse_url() returns false, which seems to be because it tries to interpret the ":0000" at the end as a port number and finds that invalid.
  • The subsequent edit is made, not modifying the bad link.
    • Again, the Parser's output includes the bad link in the ParserOutput metadata.
    • ConfirmEdit checks the externallinks table to find the existing links in the page. to detect whether any new links have been added in the edit being made. Since there's no externallinks entry for this bad link, it thinks it's new and so triggers a captcha.
suffusion_of_yellow added a comment.Jul 16 2020, 10:14 PM

I also get a captcha request if the string tel:// is already on the page. See https://en.wikipedia.org/w/index.php?title=User:Suffusion_of_Yellow/CaptchaBug&diff=968045535&oldid=968045267.

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:01 PM
suffusion_of_yellow added a comment.Jan 29 2022, 3:45 AM

And another one: http://Draft:Getscreen.me. I got a CAPTCHA (from a non-AC account) even for a null edit on Wikipedia:Teahouse until I made this change.

GeneralNotability subscribed.Jan 29 2022, 4:16 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL