Page MenuHomePhabricator
Create Task
Maniphest T281549

Fix or remove mediawiki-announce auto subscription code in the MediaWiki Installer
Closed, ResolvedPublic
Actions

Description

https://gerrit.wikimedia.org/g/mediawiki/core/+/d7dbcb2327695ca1eb2d4e15ba23b72899dff594/includes/installer/Installer.php#1836

Postorius has CSRF protection so adapting this will be more complicated as you will need to 1) hit the subscription endpoint (which also does the MM2 or MM3 check by checking the response) 2) extract the CSRF token 3) pass back the same cookies to <stuff>/anonymous_subscribe with the token and email address.

It might just be easier to provide a link saying "sign up for mediawiki-announce" but I doubt we'd get the same conversion rate.

Details

SubjectRepoBranchLines +/-
Installer: Fix mediawiki-announce auto subscription codemediawiki/coreREL1_36+70 -53
Installer: Fix mediawiki-announce auto subscription codemediawiki/coreREL1_35+71 -52
Installer: Fix mediawiki-announce auto subscription codemediawiki/coremaster+70 -53
WebInstaller: Don't show the announce-l subscribe checkbox temporarilymediawiki/coreREL1_36+7 -6
WebInstaller: Don't show the announce-l subscribe checkbox temporarilymediawiki/coreREL1_35+6 -5
WebInstaller: Don't show the announce-l subscribe checkbox temporarilymediawiki/coreREL1_31+6 -5
WebInstaller: Don't show the announce-l subscribe checkbox temporarilymediawiki/coremaster+7 -6
Customize query in gerrit

Related Objects

Event Timeline

Legoktm triaged this task as High priority.Apr 30 2021, 1:22 AM
Legoktm created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 30 2021, 1:22 AM
Reedy subscribed.Apr 30 2021, 1:51 AM

It might just be easier to provide a link saying "sign up for mediawiki-announce" but I doubt we'd get the same conversion rate.

Do we actually get that many anyway from it?

I get numerous ticket systems replying. Numerous "you can't send to this address" and occasionally a few people wanting to unsubscribe.

Legoktm added a comment.Apr 30 2021, 2:02 AM
In T281549#7047965, @Reedy wrote:

It might just be easier to provide a link saying "sign up for mediawiki-announce" but I doubt we'd get the same conversion rate.

Do we actually get that many anyway from it?

Well...no. It's totally broken after we added CSRF to it a few years ago:

km@cashew ~> curl -X POST -F "email=legoktm@wikimedia.org" -F "language=en" -F "digest=0" "https://lists.wikimedia.org/mailman/subscribe/mediawiki-announce"
<!-- $Revision: 3550 $ -->
<html>
<head><title>MediaWiki-announce Subscription results</title></head>
<body bgcolor="white">
<h1>MediaWiki-announce Subscription results</h1>
There was no hidden token in your submission or it was corrupted.

<p>You must GET the form before submitting it.
<hr><address><a href="../listinfo/mediawiki-announce">MediaWiki-announce</a> list run by <a href="mailto:mediawiki-announce-owner@lists.wikimedia.org">mediawiki-announce-owner at lists.wikimedia.org</a><br><a href="../admin/mediawiki-announce">MediaWiki-announce administrative interface</a> (requires authorization)<br><a href="../listinfo">Overview of all lists.wikimedia.org mailing lists</a><p>
<table WIDTH="100%" BORDER="0">
  <tr>
    <td><a href="http://www.gnu.org/software/mailman/index.html"><img src="/images/mailman/mailman.jpg" alt="Delivered by Mailman" border="0" /><br>version 2.1.29</a></td>
    <td><a href="http://www.python.org/"><img src="/images/mailman/PythonPowered.png" alt="Python Powered" border="0" /></a></td>
    <td><a href="http://www.gnu.org/"><img src="/images/mailman/gnu-head-tiny.jpg" alt="GNU's Not Unix" border="0" /></a></td>
    <td><a href="https://www.debian.org/"><img src="/images/mailman/debianpowered.png" alt="Debian Powered" border="0" /></a></td>
  </tr>
</table>
</address>
</body>
</html>

Given that no one has noticed until now probably a link is good enough?

Reedy added a comment.Apr 30 2021, 2:08 AM

Haha. Probably. Not worth the extra hassle.

Legoktm lowered the priority of this task from High to Medium.Apr 30 2021, 2:09 AM
Legoktm renamed this task from Update MediaWiki installer for Mailman3 to Remove broken mediawiki-announce auto subscription code from the MediaWiki Installer.Apr 30 2021, 3:17 AM
Legoktm added a comment.May 1 2021, 6:01 AM
In T281549#7047965, @Reedy wrote:

It might just be easier to provide a link saying "sign up for mediawiki-announce" but I doubt we'd get the same conversion rate.

Do we actually get that many anyway from it?

So I dug through the logs a bit, in the month of April, there were 592 POSTs to the mediawiki-announce subscribe page, from a user-agent matching "MediaWiki/1.". (actually an interesting datapoint on which versions of MediaWiki are being installed!)

I think that's actually a high enough number to worth supporting.

legoktm@lists1001:/var/log/apache2$ zgrep "http://lists.wikimedia.org/mailman/subscribe/mediawiki-announce" lists.wikimedia.org-access.log*.gz | grep "POST" | grep "MediaWiki/1." | awk '{print $12}' | sort |uniq -c
      1 MediaWiki/1.19.24
      1 MediaWiki/1.23.10
      1 MediaWiki/1.24.1
      3 MediaWiki/1.24.2
      1 MediaWiki/1.25.1
      1 MediaWiki/1.25.3
     19 MediaWiki/1.27.1
      2 MediaWiki/1.27.4
      4 MediaWiki/1.28.0
      1 MediaWiki/1.29.2
      1 MediaWiki/1.30.0
      2 MediaWiki/1.30.2
      1 MediaWiki/1.31.0
     10 MediaWiki/1.31.12
     13 MediaWiki/1.31.14
      4 MediaWiki/1.31.7
      1 MediaWiki/1.32.0
      1 MediaWiki/1.33.0
      5 MediaWiki/1.33.1
      1 MediaWiki/1.33.3
      4 MediaWiki/1.33.4
      3 MediaWiki/1.34.0
      1 MediaWiki/1.34.4
     24 MediaWiki/1.35.0
    223 MediaWiki/1.35.1
    259 MediaWiki/1.35.2
      1 MediaWiki/1.36.0-alpha
      4 MediaWiki/1.37.0-alpha
Legoktm renamed this task from Remove broken mediawiki-announce auto subscription code from the MediaWiki Installer to Fix or remove mediawiki-announce auto subscription code in the MediaWiki Installer.May 1 2021, 6:02 AM
Legoktm mentioned this in T281619: /var/log/mailman/subscribe* has PII (IP addresses) from August 2020.May 1 2021, 6:15 AM
Jdforrester-WMF subscribed.May 5 2021, 3:01 PM
gerritbot added a comment.May 5 2021, 3:07 PM

Change 685493 had a related patch set uploaded (by Jforrester; author: Jforrester):

[mediawiki/core@master] WebInstaller: Don't show the announce-l subscribe checkbox temporarily

https://gerrit.wikimedia.org/r/685493

gerritbot added a project: Patch-For-Review.May 5 2021, 3:07 PM
gerritbot added a comment.May 6 2021, 6:16 PM

Change 685886 had a related patch set uploaded (by Reedy; author: Jforrester):

[mediawiki/core@REL1_36] WebInstaller: Don't show the announce-l subscribe checkbox temporarily

https://gerrit.wikimedia.org/r/685886

gerritbot added a comment.May 6 2021, 6:17 PM

Change 685887 had a related patch set uploaded (by Reedy; author: Jforrester):

[mediawiki/core@REL1_35] WebInstaller: Don't show the announce-l subscribe checkbox temporarily

https://gerrit.wikimedia.org/r/685887

gerritbot added a comment.May 6 2021, 6:20 PM

Change 685888 had a related patch set uploaded (by Reedy; author: Jforrester):

[mediawiki/core@REL1_31] WebInstaller: Don't show the announce-l subscribe checkbox temporarily

https://gerrit.wikimedia.org/r/685888

gerritbot added a comment.May 6 2021, 6:38 PM

Change 685493 merged by jenkins-bot:

[mediawiki/core@master] WebInstaller: Don't show the announce-l subscribe checkbox temporarily

https://gerrit.wikimedia.org/r/685493

gerritbot added a comment.May 6 2021, 8:26 PM

Change 685888 merged by jenkins-bot:

[mediawiki/core@REL1_31] WebInstaller: Don't show the announce-l subscribe checkbox temporarily

https://gerrit.wikimedia.org/r/685888

gerritbot added a comment.May 8 2021, 5:22 PM

Change 685887 merged by jenkins-bot:

[mediawiki/core@REL1_35] WebInstaller: Don't show the announce-l subscribe checkbox temporarily

https://gerrit.wikimedia.org/r/685887

gerritbot added a comment.May 8 2021, 5:35 PM

Change 685886 merged by jenkins-bot:

[mediawiki/core@REL1_36] WebInstaller: Don't show the announce-l subscribe checkbox temporarily

https://gerrit.wikimedia.org/r/685886

Jdforrester-WMF moved this task from Blocker to Not a blocker on the MW-1.36-release board.May 8 2021, 5:56 PM

Moved to "not a blocker" as I've commented it out. But let's do better. :-)

Maintenance_bot removed a project: Patch-For-Review.May 8 2021, 6:10 PM
Reedy moved this task from Backlog to Done on the MW-1.31-release board.May 17 2021, 7:29 PM
gerritbot added a comment.Aug 29 2021, 11:30 AM

Change 715330 had a related patch set uploaded (by PleaseStand; author: PleaseStand):

[mediawiki/core@master] Installer: Fix mediawiki-announce auto subscription code

https://gerrit.wikimedia.org/r/715330

gerritbot added a project: Patch-For-Review.Aug 29 2021, 11:30 AM
gerritbot added a comment.Sep 1 2021, 11:25 PM

Change 715330 merged by jenkins-bot:

[mediawiki/core@master] Installer: Fix mediawiki-announce auto subscription code

https://gerrit.wikimedia.org/r/715330

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.23; 2021-09-13).Sep 2 2021, 12:00 AM
Maintenance_bot removed a project: Patch-For-Review.Sep 2 2021, 12:11 AM
gerritbot added a comment.Sep 2 2021, 5:23 PM

Change 716102 had a related patch set uploaded (by Reedy; author: PleaseStand):

[mediawiki/core@REL1_36] Installer: Fix mediawiki-announce auto subscription code

https://gerrit.wikimedia.org/r/716102

gerritbot added a project: Patch-For-Review.Sep 2 2021, 5:23 PM
gerritbot added a comment.Sep 2 2021, 5:41 PM

Change 716457 had a related patch set uploaded (by Reedy; author: PleaseStand):

[mediawiki/core@REL1_35] Installer: Fix mediawiki-announce auto subscription code

https://gerrit.wikimedia.org/r/716457

gerritbot added a comment.Sep 2 2021, 6:14 PM

Change 716457 merged by jenkins-bot:

[mediawiki/core@REL1_35] Installer: Fix mediawiki-announce auto subscription code

https://gerrit.wikimedia.org/r/716457

gerritbot added a comment.Sep 2 2021, 6:15 PM

Change 716102 merged by jenkins-bot:

[mediawiki/core@REL1_36] Installer: Fix mediawiki-announce auto subscription code

https://gerrit.wikimedia.org/r/716102

ReleaseTaggerBot added projects: MW-1.35-notes, MW-1.36-notes.Sep 2 2021, 7:00 PM
Jdforrester-WMF closed this task as Resolved.Sep 2 2021, 8:12 PM
Jdforrester-WMF assigned this task to PleaseStand.

Fixed and will roll out in the next point releases of 1.35 and 1.36 (and 1.37.0).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL