Page MenuHomePhabricator

Special:Blocklist is leaking RevDel'ed information
Closed, InvalidPublic

Description

When viewing [[Special:BlockList]] you can see information that has been RevDeleted.

Example:
http://www.mediawiki.org/wiki/Special:BlockList => "11:35, 13 October 2010, Jyothis (Talk | contribs | block) blocked Yourmomsuckscock (Talk | contribs) (infinite, account creation blocked, e-mail blocked) (crosswiki abuse<!--globally locked; about bot-->) (unblock | change block)"

That block log (The username only) was revdeleted so it was hidden, see http://www.mediawiki.org/w/index.php?title=Special%3ALog&type=&user=&page=User%3AYourmomsuckscock&year=&month=-1&tagfilter=&hide_patrol_log=1&hide_review_log=1


Version: 1.20.x
Severity: major

Details

Reference
bz25763

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:22 PM
bzimport set Reference to bz25763.
bzimport added a subscriber: Unknown Object (MLST).
Peachey88 created this task.Nov 3 2010, 6:45 AM

I don't see that the username is shown there. You are getting a result for a specific query (the revdeleted username), but given that you are going to block it, seems sensible that those entries are shown there.

You are right. I was looking at the later link.

aaron added a comment.Jan 6 2011, 10:19 PM

Hiding a block log item doesn't hide the separate block table rows. There isn't even a foreign key to the block log record in the "currently blocked" user table.

Aaron, how likely is it that this will be fixed in the next week? I don't want to have it blocking 1.17 (as it is now) if we can't get it fixed soon.

(In reply to comment #5)

I don't want to have it blocking 1.17 (as it is now) if we can't get it fixed soon.

Well it is potentially leaking information that has been removed for legal reasons (eg: OFFICE actions).

Sure, but that information has been leaking for a while. It should be fixed, but this isn't something that should block 1.17.

  • Bug 27517 has been marked as a duplicate of this bug. ***

The user Yourmomsuckscock is not hidden on mediawiki.org (It is list on Special:ListUsers[1]), only the log of the block was hidden and that is only for documentation, it is not the block itself. WORKSFORME.

Hide the user with a reblock and the block will not shown on Special:BlockList (or Special:IPblocklist under 1.17), because the page is filtering ipb_deleted since r20439.

[1] http://www.mediawiki.org/w/index.php?title=Special%3AListUsers&username=Yourmomsuckscock&group=&limit=1

jayvdb added a comment.Sep 3 2011, 8:57 PM

It should not be necessary to hide the user entirely in order to ensure that a hidden log entry does not appear.

(In reply to comment #11)

It should not be necessary to hide the user entirely in order to ensure that a
hidden log entry does not appear.

I do not think so. What helps you, when the block is not shown in that list, but the username is visible at many other places? Log is for documentation only. If you hide the username, all logs would also hidden.

When you hide the log entry for a user right change, the user rights are still visible by the user. When you hide the log entry for a move, the move is still visible in the history with the null revision.

Technical it is hard to do this. A ipb_deleted = 1 indicates a hide username. You have to use another number and test many places.

For example: per API you can get the blockinfo for the user (but not the log entry, because only the log entry is hidden, not the block itself):
http://www.mediawiki.org/w/api.php?action=query&list=allusers|users|blocks&aufrom=Yourmomsuckscock&aulimit=1&auprop=blockinfo&ususers=Yourmomsuckscock&usprop=blockinfo&bkusers=Yourmomsuckscock

In my opinion, it is wrong from the UI, that is does not show the information, that the user is blocked, when the log entry is deleted/suppressed.

Tegel.svwp wrote:

Abusive user name is one thing, but the cases where it's really a problem is when the user name contains non-public information, as outing of other user.

Right now the only solution that I can see is to rename the account, and the hide the log action related to the renaming. And that extra work shouldn't be necessary.

Hope for a solution soon.

Best Regards,

Tegel

Change 132638 had a related patch set uploaded by Withoutaname:
Hide suppressed usernames from Special:BlockList

https://gerrit.wikimedia.org/r/132638

(In reply to Tegel from comment #13)

Abusive user name is one thing, but the cases where it's really a problem is
when the user name contains non-public information, as outing of other user.

Right now the only solution that I can see is to rename the account, and the
hide the log action related to the renaming. And that extra work shouldn't
be necessary.

Hope for a solution soon.

Best Regards,

Tegel

Tegel, the user himself is not hidden with the block (ipb_deleted field from ipblocks table), but the log entry for the block is hidden (log_deleted from logging table).

Change 132638 abandoned by Withoutaname:
Hide suppressed usernames from Special:BlockList

Reason:
Root cause was not ipb_deleted but log_deleted where log_type is suppress.

https://gerrit.wikimedia.org/r/132638

(In reply to Tegel from comment #13)

Abusive user name is one thing, but the cases where it's really a problem is
when the user name contains non-public information, as outing of other user.

Right now the only solution that I can see is to rename the account, and the
hide the log action related to the renaming. And that extra work shouldn't
be necessary.

Hope for a solution soon.

Best Regards,

Tegel

As was said above, the way to accomplish this is to check the "Hide username from edits and lists" box when blocking. Revdel'ing the log entry intentionally only affects the log entry. Changing this would also violate access restrictions, since it would allow non-oversighters to effectively oversight information.

Restricted Application added a subscriber: JEumerus. · View Herald TranscriptAug 5 2016, 2:26 PM