Page MenuHomePhabricator

[Epic] Temporary account AbuseFilter support
Open, Needs TriagePublic

Description

AbuseFilter should work when IP masking is enabled ($wgAutoCreateTempUser['enabled'] = true).

AbuseFilter handles the EditFilterMergedContent hook. When a user is anonymous with IP masking enabled, the user passed to EditFilterMergedContent is an unsaved account (user ID = 0) with an automatically generated prospective name. I'm concerned about loading various kinds of user data using this unusual kind of User object. For example the variables user-editcount, user-emailconfirm, user-groups, user-rights, user-block and user-age. We need to confirm that these variables return something reasonable. Ideally they shouldn't do DB queries looking for rows with user_id=0.

The "block" action in this scenario is probably broken -- it will try to block a non-existent user by name. Maybe the autoblock flag could be used to block the IP address while preserving privacy. If that doesn't work, it's better to fail than to leak the IP address.

The "rangeblock" action uses WebRequest::getIP() and so apparently has the potential to leak IP addresses. If so, it's an issue not specific to temporary accounts.

There has been some talk of adding an IP address variable for temporary users while somehow maintaining privacy. I think that's out of scope for now. The first thing is to make sure AbuseFilter doesn't throw exceptions or do anything stupid.

Adding a boolean variable that reflects User::isTemp() (or its UserIdentity equivalent) could be done at this stage and would be nice to have.

Related Objects

StatusSubtypeAssignedTask
Resolvedkostajh
DeclinedNone
In ProgressNiharika
OpenNone
OpenTchanders
Resolved lbowmaker
Resolvedtstarling
OpenNone
ResolvedSTran
ResolvedUmherirrender
Resolved AGueyte
Duplicate AGueyte
ResolvedSTran
ResolvedDreamy_Jazz
ResolvedSTran
ResolvedSTran
ResolvedSTran
ResolvedSTran
ResolvedSTran
Resolvedkostajh
OpenSTran
ResolvedTchanders
ResolvedSTran
ResolvedSTran
OpenSTran
OpenNone
ResolvedSTran
ResolvedBUG REPORTDreamy_Jazz
OpenNone

Event Timeline

For your convenience, variables related to users are set in VariableGenerator::generateUserVars and computed in LazyVariableComputer.

The "rangeblock" action uses WebRequest::getIP() and so apparently has the potential to leak IP addresses. If so, it's an issue not specific to temporary accounts.

Indeed, but this feature should be disabled on Wikimedia wikis.

The "rangeblock" action uses WebRequest::getIP() and so apparently has the potential to leak IP addresses. If so, it's an issue not specific to temporary accounts.

Indeed, but this feature should be disabled on Wikimedia wikis.

It's enabled on fawiki and fawikiquote.

You are right, I must have once convinced myself about that.

Related: T280413, T152394. I'm not sure what the best way of fixing those could be. But perhaps, the time has come to find one.

The "block" action in this scenario is probably broken -- it will try to block a non-existent user by name. Maybe the autoblock flag could be used to block the IP address while preserving privacy. If that doesn't work, it's better to fail than to leak the IP address.

Testing on dewiki beta trying to edit as an anonymous user:

  • if the AbuseFilter blocks the autocreateaccount action the IP is blocked but the temporary user is recorded in the AbuseFilter log (although the temp user is not actually created).
  • if the edit action is blocked the IP is blocked and is recorded in the AB log (T328403)
Tchanders renamed this task from [IP Masking] Temporary account AbuseFilter support to [Epic] Temporary account AbuseFilter support.Mar 1 2024, 10:51 AM