Page MenuHomePhabricator
Create Task
Maniphest T300407

Allow managing upload-by-url allowlist as a system message
Closed, ResolvedPublic
Actions

Description

Changes to the commons upload-by-url allowlist make up a large amount of mediawiki config change requests. Based on the sitereq-l thread I started today, we should be able to convert that configuration setting into a mediawiki system message to allow Commons sysops to self-manage that allowlist.

Details

SubjectRepoBranchLines +/-
commonswiki: Enable wgCopyUploadAllowOnWikiDomainConfigoperations/mediawiki-configmaster+5 -295
Allow managing upload-by-url allowlist as a system messagemediawiki/coremaster+113 -5
Customize query in gerrit

Related Objects

Event Timeline

taavi created this task.Jan 28 2022, 9:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 28 2022, 9:51 PM
taavi added a project: MediaWiki-Uploading.Jan 28 2022, 9:51 PM
MarcoAurelio subscribed.Jan 28 2022, 9:59 PM
Zabe subscribed.Jan 28 2022, 10:16 PM
DannyS712 subscribed.Jan 29 2022, 12:01 AM
Urbanecm subscribed.Jan 29 2022, 10:54 AM
4nn1l2 subscribed.Jan 30 2022, 3:02 AM
gerritbot added a comment.Jan 30 2022, 7:17 PM

Change 758100 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/core@master] Allow managing upload-by-url allowlist as a system message

https://gerrit.wikimedia.org/r/758100

gerritbot added a project: Patch-For-Review.Jan 30 2022, 7:17 PM
taavi claimed this task.Jan 30 2022, 7:32 PM
4nn1l2 added a comment.Jan 31 2022, 3:33 AM

Hi @Majavah, this is sooo useful :) Thanks for coming up with this brilliant idea and uploading the patch!

Can you guess when this feature will be available for Commons admins? I ask this question because I have a bunch of url allowlisting tasks such as T300375: Add researcharchive.calacademy.org to the wgCopyUploadsDomains allowlist of Wikimedia Commons and I want to know if I can arrange for their deployment today or I had better wait. Thanks again

Urbanecm added a comment.Feb 8 2022, 8:32 PM
In T300407#7662376, @4nn1l2 wrote:

[...]
Can you guess when this feature will be available for Commons admins? I ask this question because I have a bunch of url allowlisting tasks such as T300375: Add researcharchive.calacademy.org to the wgCopyUploadsDomains allowlist of Wikimedia Commons and I want to know if I can arrange for their deployment today or I had better wait. Thanks again

I'm not Majavah, but I have some experience with new features. I think "in 3 months" would be a realistic estimate (but, things happen, and it can be delayed for unexpected reasons).

taavi added a comment.Feb 8 2022, 8:34 PM
In T300407#7694934, @Urbanecm wrote:
In T300407#7662376, @4nn1l2 wrote:

[...]
Can you guess when this feature will be available for Commons admins? I ask this question because I have a bunch of url allowlisting tasks such as T300375: Add researcharchive.calacademy.org to the wgCopyUploadsDomains allowlist of Wikimedia Commons and I want to know if I can arrange for their deployment today or I had better wait. Thanks again

I'm not Majavah, but I have some experience with new features. I think "in 3 months" would be a realistic estimate (but, things happen, and it can be delayed for unexpected reasons).

In another words: "somtimes after someone +2's the attached patch". I've asked some people to review it, but can't force anyone to do so.

MarcoAurelio added a comment.Feb 10 2022, 4:43 PM

Would it be possible to have it as a JSON page?

gerritbot added a comment.Mar 24 2022, 2:49 PM

Change 758100 merged by jenkins-bot:

[mediawiki/core@master] Allow managing upload-by-url allowlist as a system message

https://gerrit.wikimedia.org/r/758100

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.5; 2022-03-28).Mar 24 2022, 3:00 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 24 2022, 3:11 PM
AndrejHalas closed this task as Resolved.Apr 2 2022, 6:20 PM
AndrejHalas claimed this task.
AndrejHalas triaged this task as Unbreak Now! priority.
AndrejHalas removed projects: MW-1.39-notes (1.39.0-wmf.5; 2022-03-28), MediaWiki-Uploading.
AndrejHalas removed subscribers: 4nn1l2, Urbanecm, DannyS712 and 4 others.
Zabe reopened this task as Open.Apr 2 2022, 6:23 PM
Zabe reassigned this task from AndrejHalas to taavi.
Zabe lowered the priority of this task from Unbreak Now! to Needs Triage.
Zabe added projects: MediaWiki-Uploading, MW-1.39-notes (1.39.0-wmf.5; 2022-03-28).
Zabe added subscribers: Urbanecm, DannyS712, 4nn1l2 and 5 others.
Zabe removed a subscriber: AndrejHalas.
taavi added a comment.Apr 26 2022, 6:50 AM

Hi @4nn1l2 and others! The code change was merged to mediawiki/core a while back now, so this is now possible with a simple config change. Do you have preferences on when to enable that config switch? I'm happy to copy the current list from the config repo to Commons or leave that to you if you prefer that.

Stang subscribed.May 13 2022, 6:38 AM
Stang added a comment.May 13 2022, 3:39 PM

Hi @Majavah, I have posted a notice on local VP. There is a question: "would this also work with the MediaWiki Upload Wizard as it currently does for Flickr?" Thanks!

Marsupium subscribed.May 14 2022, 5:23 PM
Stang added a comment.May 14 2022, 11:33 PM

Also, I dumped the allowlist inside InitialiseSettings.php to an on-wiki page, please check if the syntax is correct.

gerritbot added a comment.May 20 2022, 12:16 PM

Change 793766 had a related patch set uploaded (by Stang; author: Stang):

[operations/mediawiki-config@master] commonswiki: Enable wgCopyUploadAllowOnWikiDomainConfig

https://gerrit.wikimedia.org/r/793766

gerritbot added a project: Patch-For-Review.May 20 2022, 12:16 PM
CptViraj subscribed.May 23 2022, 5:01 AM
gerritbot added a comment.May 23 2022, 8:07 PM

Change 793766 merged by jenkins-bot:

[operations/mediawiki-config@master] commonswiki: Enable wgCopyUploadAllowOnWikiDomainConfig

https://gerrit.wikimedia.org/r/793766

Stashbot added a comment.May 23 2022, 8:13 PM

Mentioned in SAL (#wikimedia-operations) [2022-05-23T20:13:16Z] <cjming@deploy1002> Synchronized wmf-config/InitialiseSettings.php: Config: [[gerrit:793766|commonswiki: Enable wgCopyUploadAllowOnWikiDomainConfig (T300407)]] (duration: 00m 52s)

Stang closed this task as Resolved.May 23 2022, 8:22 PM
Stang removed a project: Patch-For-Review.

Deployed, domains migrated to MediaWiki:Copyupload-allowed-domains.

Stang unsubscribed.May 24 2022, 12:58 PM
Don-vip mentioned this in T312800: Add *.esahubble.org and *.webbtelescope.org to the wgCopyUploadsDomains whitelist of Wikimedia Commons.Jul 11 2022, 6:04 PM
Bawolff subscribed.Feb 13 2024, 5:57 AM

re https://lists.wikimedia.org/hyperkitty/list/sitereq-l@lists.wikimedia.org/thread/DEE7HHID26YNKYQKA4QQ4WW5YHURU7CB/

  • Why do we even have an allowlist for upload-by-url? I presume this is

to make it harder to upload a large amount of non-free files, but I'm
curious if there are any other reasons that I'm not aware of.

If memory serves, there was some paranoia around someone finding a zero-day in url-downloader.wikimedia.org and maybe SSRF. I remember thinking the worry was a bit overblown at the time.

Bawolff added a comment.Feb 13 2024, 6:04 AM

Ah found it: T65961#679911 was essentially what lead to the restriction.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL