One can register a username with an equals sign in it
Closed, ResolvedPublic
Actions

Description

It would be desirable for the equal sign to also be included in the forbidden symbols for use in usernames.

Of all the special characters of the template engine {}[]<>|=#, only the equal sign is valid for use as a username character in Wikipedia.

This leads to the fact that when using the username as an unnumbered argument, part of it is perceived as a key, and part as a parameter value. If the name begins with an equal sign, the parameter is also incorrectly passed. For example, {{ping|=KOMENDANT=}} is turning into [[:Template:KOMENDANT=]] and not into <span class="template-ping">@[[User:=KOMENDANT=|=KOMENDANT=]]:</span> as {{ping|1==KOMENDANT=}} will do.

I'm not sure if this is possible and makes sense, but in cases where the template parameter starts with =, all further characters up to | or }} could be escaped.

Details

	Subject	Repo	Branch	Lines +/-
	Revert "Prevent new accounts from using = in their usernames"	mediawiki/core	master	+3 -6
	Prevent new accounts from using = in their usernames	mediawiki/core	master	+6 -3

Customize query in gerrit

Related Objects

Mentioned In: T357830: One can’t register a username with an equals sign in it
T238285: Pages whose title ends with semicolon (;) are intermittently inaccessible (likely due to ATS)

Event Timeline

Carn created this task.May 29 2020, 10:27 PM

Restricted Application added subscribers: Liuxinyu970226, Aklapper. · View Herald TranscriptMay 29 2020, 10:27 PM

SerDIDG subscribed.May 29 2020, 10:29 PM

Jack_who_built_the_house subscribed.May 29 2020, 10:36 PM

Best we could do is prevent new usernames from being registered, unless someone takes it on themselves to rename all the users who have an equal sign in their name (which probably requires a global discussion first since the existing rename policy is pretty narrow).

RhinosF1 subscribed.May 29 2020, 11:08 PM

DannyS712 subscribed.May 29 2020, 11:27 PM

Peachey88 subscribed.May 29 2020, 11:33 PM

As this don't think a technical requirement (i.e. creating new accounts will not make these accounts unusable), I propose to only add it to https://meta.wikimedia.org/wiki/Title_blacklist. Other MediaWiki may not have ping template, and those having it can easily workaround via 1=Username.

30 wikisites have a template Checkuser, 88 wikisites - User link, etc. Not so many users are aware of a workaround like this.

So adding to global Title blacklist will make it unusable in new accounts but does not require any change in MediaWiki software or Wikimedia config.

It would probably be better to do it with wgInvalidUsernameCharacters and maybe add it to the mediawiki default as well.

"Not so many users are aware of a workaround like this" is only a social problem, so I oppose any technical solution.

Aklapper updated the task description. (Show Details)May 30 2020, 6:49 AM

Bugreporter — adding a character to the global Title blacklist should be the first step to contaminate this problem. But not everybody thinks that should be done — https://meta.wikimedia.org/wiki/Talk:Title_blacklist#Usernames_with_%22=%22

The situation when the equal sign is at the beginning (and at the end) of the username can be more common than the situation when the equal sign is in the center of the username (the last situation cannot be unambiguously recognized and it does not have a technical solution). In en.wp there are 368 users whose account name begins with "=" — https://en.wikipedia.org/w/index.php?title=Special:ListUsers&offset=&limit=500&username=%3D (though they are not active and will be banned if they would be active without renaming their username) The fact that templates incorrectly handle parameters starting with an unescaped equal sign is not exactly an identical problem. It is not urgent or important, but it is certainly not just social.

I do not have access to the database, and I can not search among the currently active users with "=" in the username, just 3 of them: https://de.wikipedia.org/wiki/Benutzer:%3D
https://ru.wikipedia.org/wiki/User:%3DKOMENDANT%3D and
https://ja.wikipedia.org/wiki/User:%3Fips%3D%26qmagdm

If a character is to no longer be allowed, then the best solution is not to use the title blacklist, which is just an ugly hack.

Use the design features as expressed above.

Get your consensus.

Adding a character to $wgInvalidUsernameCharacters will not affect existing users. Still, I oppose adding it.

In T254045#6179000, @Bugreporter wrote:

Adding a character to $wgInvalidUsernameCharacters will not affect existing users.

Don’t we have cleaupUsernames.php or something simmilar?

In T254045#6179000, @Bugreporter wrote:

Adding a character to $wgInvalidUsernameCharacters will not affect existing users. Still, I oppose adding it.

Adding it to the title blacklist will not affect existing users either.

I oppose a solution that is through a method that it is just an ugly hack when there is one by design. Title blacklist has no public logging, and we know that people often just get confused when they get caught in the blacklists (spam or title). It is not the best solution.

In T254045#6178629, @Bugreporter wrote:

"Not so many users are aware of a workaround like this" is only a social problem, so I oppose any technical solution.

"'Not so many users are aware of how to create strong passwords' is only a social problem, so I oppose any technical solution."

If the software allows behavior that breaks things unexpectedly and without a clear cause for the average person, it is perfectly reasonable to expect a technical solution to disallow that behavior, regardless of whether the behavior is "only a social problem".

Krenair subscribed.May 30 2020, 11:58 PM

Wikisaurus2 subscribed.May 31 2020, 9:29 PM

MBH subscribed.Jun 1 2020, 12:41 PM

taavi moved this task from Backlog to Analysis / under discussion on the Wikimedia-Site-requests board.Jun 5 2020, 10:53 AM

Ailbeve subscribed.Jul 24 2020, 9:19 PM

Nintendofan885 subscribed.Nov 5 2020, 5:52 PM

GeneralNotability subscribed.May 31 2022, 2:43 PM

Asartea subscribed.May 31 2022, 2:49 PM

stjn subscribed.Oct 17 2022, 3:13 PM

It seems entirely reasonable to add = to the list of characters that can no longer be used in usernames given how often it's used in wikimarkup (headings and template parameters). This doesn't fix the legacy usernames case, but still better than nothing.

+1.

TheresNoTime subscribed.Oct 17 2022, 3:39 PM

IKhitron subscribed.Oct 17 2022, 4:23 PM

Zabe subscribed.Oct 17 2022, 4:31 PM

Novem_Linguae subscribed.Oct 17 2022, 7:52 PM

Change 843585 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/core@master] Prevent new accounts from using = in their usernames

https://gerrit.wikimedia.org/r/843585

gerritbot added a project: Patch-For-Review.Oct 17 2022, 11:08 PM

I am just wondering, would or would not that affect autocreation for the already existing global accounts with = in their username? I.e. would or would not they hit the new restriction when visiting a SUL wiki they haven't visited before?

As to the whole idea as a whole, I don't see a big deal in =, re templates that is a common occurance that one has to mind possible =s inside parameter value and one is expected to use numbered parameters via the named parameters syntax in such cases.

Wellverywell subscribed.Oct 18 2022, 11:51 AM

Bugreporter added a project: User-notice.Oct 18 2022, 12:03 PM

Quiddity moved this task from To Triage to Not ready to announce on the User-notice board.Oct 20 2022, 7:53 PM

Hi. Re: Tech News (User-notice) - What wording would you suggest as the content? and When should it be included? Thanks!

P.S. the prior Talk:Title_blacklist discussion is now archived at https://meta.wikimedia.org/wiki/Talk:Title_blacklist/Archives/2020#Usernames_with_%22=%22

In T254045#8323570, @Base wrote:

I am just wondering, would or would not that affect autocreation for the already existing global accounts with = in their username? I.e. would or would not they hit the new restriction when visiting a SUL wiki they haven't visited before?

As to the whole idea as a whole, I don't see a big deal in =, re templates that is a common occurance that one has to mind possible =s inside parameter value and one is expected to use numbered parameters via the named parameters syntax in such cases.

The different is reached by using the RIGOR_CREATABLE and not the USABLE or VALID one (https://codesearch.wmcloud.org/search/?q=RIGOR_CREATABLE&i=nope&files=&excludeFiles=&repos=)

It seems the autocreate workflow does not use that rigor and it could still work. Having a test to validate could be added.

The handling of $wgInvalidUsernameCharacters kinda sucks, all you get is a nondescript You have not specified a valid username. error; but that's already the case for other characters and someone trying to use the = doesn't seem anymore likely than those.

In T254045#8333983, @Quiddity wrote:

Hi. Re: Tech News (User-notice) - What wording would you suggest as the content? and When should it be included? Thanks!

"The character = will not be allowed in new usernames, to make usernames work better with templates. Existing usernames are not affected.", can be included in the next edition.

Change 843585 merged by jenkins-bot:

[mediawiki/core@master] Prevent new accounts from using = in their usernames

https://gerrit.wikimedia.org/r/843585

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.13; 2022-12-05).Dec 4 2022, 6:01 AM

Maintenance_bot removed a project: Patch-For-Review.Dec 4 2022, 6:30 AM

Quiddity moved this task from Not ready to announce to Announce in next Tech/News on the User-notice board.Dec 5 2022, 5:15 PM

Quiddity moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Dec 8 2022, 8:28 PM

seems like (per loginwiki_p) database there are ~3566 existing users with "=" in their user_name.

per centralauth_p there are ~8324 with "=" in their gu_name

In T254045#8462273, @Xaosflux wrote:

seems like (per loginwiki_p) database there are ~3566 existing users with "=" in their user_name.

per centralauth_p there are ~8324 with "=" in their gu_name

Should we reach out to them / to global renamers and suggest some sort of mass renaming?
We don't need to, they shouldn't be affected in any way, but for a template author there isn't that much difference between "almost always works" and "doesn't work".

Small portion are locked:

select COUNT(*) from globaluser
WHERE (gu_name like '%=%') AND (gu_locked != '0')
197

Ones STARTING with a '=' are 757.

I don't think we'll get rid of these without a fight; for example 'User:=' is a current user on dewiki with 40K+ edits

Thanks for checking, let's just call it done then.

Quiddity moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Dec 16 2022, 12:14 AM

Maintenance_bot edited projects, added User-notice-archive; removed User-notice.Dec 26 2022, 12:30 AM

matmarex mentioned this in T238285: Pages whose title ends with semicolon (;) are intermittently inaccessible (likely due to ATS).Feb 17 2023, 3:23 PM

matmarex merged a task: T75518: Equal sign (=) is not considered a prohibited character when creating an account.Jun 27 2023, 9:58 PM

matmarex added a subscriber: • bzimport.

Bugreporter mentioned this in T357830: One can’t register a username with an equals sign in it.Feb 17 2024, 1:04 AM

Change 1004170 had a related patch set uploaded (by Etetetet; author: Etetetet):

[mediawiki/core@master] Revert "Prevent new accounts from using = in their usernames"

https://gerrit.wikimedia.org/r/1004170

gerritbot added a project: Patch-For-Review.Mar 7 2024, 11:03 PM

JJMC89 removed a project: Patch-For-Review.Mar 7 2024, 11:21 PM

Change #1004170 abandoned by Esanders: