Page MenuHomePhabricator
Create Task
Maniphest T245094

Abusefilter: restricted action blockautopromotion is available, shouldn't be
Closed, InvalidPublicSecurity
Actions

Description

On enwiki, an admin was able to create a filter that would block autopromotion[1].
While admins do have abusefilter-modify-restricted rights, the ability to block autopromotion doesn't appear to be enabled on enwiki[2].

Tested on enwikiversity, which has no restricted actions enabled - was able to block autopromotion as well, but neither block nor rangeblock.[3]

[1] See filter history and noticeboard discussion
[2] See that enwiki doesn't enable it
[3] See https://en.wikiversity.org/wiki/Special:AbuseFilter/history/20

Details

Author Affiliation
Wikimedia Communities

Event Timeline

DannyS712 created this task.Feb 13 2020, 1:08 AM
Restricted Application added projects: User-DannyS712, Security. · View Herald TranscriptFeb 13 2020, 1:08 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
DannyS712 changed Author Affiliation from N/A to Wikimedia Communities.Feb 13 2020, 1:09 AM
DannyS712 added a project: AbuseFilter.
DannyS712 moved this task from Unsorted to Abuse Filter on the User-DannyS712 board.
DannyS712 added subscribers: Daimona, suffusion_of_yellow, Reaper_Eternal.Feb 13 2020, 1:12 AM
DannyS712 renamed this task from Abusefilter: Restricted actions checks failing to Abusefilter: restricted action blockautopromotion / degroup is available, shouldn't be.Feb 13 2020, 1:19 AM
DannyS712 updated the task description. (Show Details)
DannyS712 renamed this task from Abusefilter: restricted action blockautopromotion / degroup is available, shouldn't be to Abusefilter: restricted action blockautopromotion is available, shouldn't be.Feb 13 2020, 1:26 AM
DannyS712 updated the task description. (Show Details)Feb 13 2020, 1:31 AM
suffusion_of_yellow added a comment.Feb 13 2020, 2:31 AM

It looks like the only actions that are disabled by default are block, rangeblock, and degroup. The reason blockautopromote is available on enwiki is that no one's ever explicitly disabled it with $wgAbuseFilterActions['blockautopromote'] = false;, yes? The question is, do we need "community consenus" to get that line added, given that AFAIK no one has used that option in years on enwiki?

DannyS712 added a comment.EditedFeb 13 2020, 2:45 AM

...sorry, didn't see that those were different. I guess this isn't a security issue then?
I would suggest that it be disabled by default, like (range)block and degroup.

To avoid breaking wikis that currently use this, the following query can be used: (this can also be done via api by anyone with global af helper rights):

DB query
SELECT afa_filter
FROM abuse_filter_action
WHERE afa_consequence = 'blockautopromote'

Those wikis can then by individually reenabled

Daimona added a comment.Feb 13 2020, 1:49 PM
In T245094#5879368, @suffusion_of_yellow wrote:

It looks like the only actions that are disabled by default are block, rangeblock, and degroup. The reason blockautopromote is available on enwiki is that no one's ever explicitly disabled it with $wgAbuseFilterActions['blockautopromote'] = false;, yes?

Exactly.

The question is, do we need "community consenus" to get that line added, given that AFAIK no one has used that option in years on enwiki?

I believe yes, but probably you don't need much participation.

In T245094#5879382, @DannyS712 wrote:

...sorry, didn't see that those were different. I guess this isn't a security issue then?

Indeed. I'm going to close this as invalid and make it public.

I would suggest that it be disabled by default, like (range)block and degroup.

Not convinced by this one, I don't think it causes any harm to leave it enabled. OTOH, we may have to re-enable it later for whatever wiki wants to opt-in.

Daimona closed this task as Invalid.Feb 13 2020, 1:49 PM
Daimona added a comment.Feb 13 2020, 1:52 PM
In T245094#5880780, @Daimona wrote:

I'm going to close this as invalid and make it public.

Huh, apparently I can't. @Aklapper could you do that, please? Thanks!

sbassett triaged this task as Lowest priority.Feb 13 2020, 3:26 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
DannyS712 removed a project: User-DannyS712.May 27 2020, 8:40 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits