Page MenuHomePhabricator
Create Task
Maniphest T224046

$wgProxyList allows account create
Open, Needs TriagePublicBUG REPORT
Actions

Description

What is the problem?

If an IP is in $wgProxyList, it can still create an account (Special:CreateAccount).

$wgDnsBlacklistUrls prevents a user creating an account, which makes me think perhaps $wgProxyList should do also.

I believe it is AuthManager.php which is responsible, and much of that was written before $wgProxyList existed. Perhaps it was never updated.

I cannot find any documentation saying it should be one way or another and I have no strong feelings either. Someone did complain about this issue in T36385#391818, but that was in 2012.

I am raising this here just so someone is aware.

Related Objects

Event Timeline

dom_walden created this task.May 21 2019, 5:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 21 2019, 5:06 PM
Reedy added a project: MediaWiki-General.May 21 2019, 5:32 PM
Aklapper edited projects, added MediaWiki-User-login-and-signup, MediaWiki-User-management; removed MediaWiki-General.May 22 2019, 1:33 PM
Tchanders subscribed.May 30 2019, 9:24 PM

AuthManager is calling BlockManager::isDnsBlacklisted directly, independently of checking the user's block. This leads to some odd effects:
(1) An unblocked user with the 'ipblock-exempt' right can still be blocked from creating an account from an affected IP, even though they will be unaffected by the block otherwise.
(2) As @dom_walden points out, DNS blacklisted IPs get special treatment, whereas proxy list IPs don't.

It looks like the DNS blacklist check for account creation was added some time ago (52f18d86dc41), before individual blocks could prevent account creation. It's difficult to find any obvious evidence that (1) and (2) are intentional.

We could clean this up - and make it easier to infer intent - by doing the following:

  • Have AuthManager::checkAccountCreatePermissions check for a block just once (after T206163, the strictest features of all the blocks found will be applied).
  • Have the SystemBlock for an IP in the DNS blacklist explicitly disallow account creation.
  • Have the SystemBlock for an IP in the proxy list explicitly disallow account creation.

This would mean (1) and (2) are not the case any more. We could instead clean this up in a way that preserves (1) and (2), if anyone knows of a reason why we should do that.

Tchanders moved this task from Backlog to User blocking on the MediaWiki-User-management board.Jun 5 2019, 8:49 PM
DannyS712 edited projects, added MediaWiki-Blocks; removed MediaWiki-User-management.Apr 25 2020, 12:10 AM
Restricted Application added a project: MediaWiki-User-management. · View Herald TranscriptApr 25 2020, 12:10 AM
Aklapper removed a project: MediaWiki-User-management.Apr 25 2020, 12:23 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL