Page MenuHomePhabricator

Security Review For SpamRegex extension
Open, LowPublic


Project Information

Description of the tool/project

The SpamRegex extension creates a new page, "Special:SpamRegex", to filter out unwanted links or text. A full list of currently blocked links or text can be viewed on this same special page. The spamregexed expressions cannot be used in page content, edit summaries or page move summaries, depending on what was chosen by the user who blocked links or text.

Description of how the tool will be used at WMF

Allow privileged users to restrict addition of spam phrases without making the list of phrases public


No other dependencies than an up-to-date MW core installation.

Has this project been reviewed before?

Not by the WMF.

Working test environment

Check out the extension files from git, add wfLoadExtension( 'SpamRegex' ); to LocalSettings.php and also consider granting the spamregex permission to an existing user group, like sysop or bureaucrat (e.g. $wgGroupPermissions['bureaucrat']['spamregex'] = true;), then rerun maintenance/update.php to have it generate the spam_regex database table. Note that on ShoutWiki this table is shared between all wikis; WMF may or may not want to do the same.


Name of WMF team responsible for tool/project after deployment and primary contact.
Primary contact: @ashley (extension maintainer @ ShoutWiki)

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ashley added a subscriber: ashley.
sbassett triaged this task as Low priority.EditedJan 6 2020, 5:11 PM
sbassett added a subscriber: sbassett.

@DannyS712 - thanks for submitting this review. Is the goal in working upon and reviewing this extension to eventually get it into wmf production? If so, does it have any sponsoring wmf team or collective of individuals within Tech or Product? While I personally think this extension could be useful on production wikis, if there isn't a wmf sponsor and target deployment date, the Security-Team will have to triage this task as a lower priority for now.

Jcross added a subscriber: Jcross.

We are untagging as there is currently no path to production that we are aware of. Should this change, please feel free to tag us back in and we will triage.