Page MenuHomePhabricator
Create Task
Maniphest T230262

Run DB query in production for abuse filters using variable variables
Closed, ResolvedPublic
Actions

Description

We want to make a breaking change in T229947. To make sure that we're not breaking anything in production (very unlikely anyway), we'd need the following query to be executed for all wikis:

SELECT af_id FROM abuse_filter WHERE af_pattern RLIKE "set(_var)?\\(\\s*([^'\"\\s]|['\"][^'\"]+['\"]\\s*[^,\\s])"

I know that the query is not good looking (mostly because of the RLIKE), but the abuse_filter table is very small.

This task is non-public because some of the affected filters may be private. I don't think this information is exploitable in any way, though, so feel free to make it public.

As for the tags, since I don't know of any clear process to get query results in production, I've copied them from T193894.

Related Objects
Search...

Event Timeline

Daimona created this task.Aug 10 2019, 12:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 10 2019, 12:03 PM
Daimona added projects: AbuseFilter, Wikimedia-Site-requests, DBA.Aug 10 2019, 12:04 PM
Daimona added a parent task: T229947: Dynamic variable names shouldn't be allowed.
Daimona added a subscriber: Huji.
Daimona updated the task description. (Show Details)Aug 10 2019, 1:21 PM
Daimona updated the task description. (Show Details)
Urbanecm closed this task as Resolved.Aug 10 2019, 5:07 PM
Urbanecm claimed this task.
Urbanecm subscribed.

See P8894 for the actual data. Going to make this task public, since the fact that the request was made can definitelly be public, and the data are in restricted paste.

Restricted Application added a project: User-Urbanecm. · View Herald TranscriptAug 10 2019, 5:07 PM
Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 10 2019, 5:07 PM
Daimona added a comment.Aug 10 2019, 5:18 PM

Thanks! All of the results for wikidata are false positives, due to the frequent usage of "setlabel" inside regexps. So we can say no usages in production.

Daimona mentioned this in T229947: Dynamic variable names shouldn't be allowed.Aug 10 2019, 5:19 PM
Urbanecm removed a project: acl*security.Aug 10 2019, 5:25 PM
Restricted Application added a project: acl*security. · View Herald TranscriptAug 10 2019, 5:25 PM
Urbanecm set Security to None.Aug 10 2019, 5:27 PM
Urbanecm removed a project: acl*security.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits