Page MenuHomePhabricator
Create Task
Maniphest T323969

AbuseFilter: Apparent bug with Special:CreateLocalAccount
Open, Needs TriagePublicBUG REPORT
Actions

Description

I have found an apparent bug of the abusefilter, related to Special:CreateLocalAccount.
We have filters including the following lines:

equals_to_any(action, "createaccount", "autocreateaccount")
&    rmwhitespace(accountname) rlike "SOME REGEX"

This prevents forcible local account creation as expected if the account name matches the criteria, but the problem is that no abuse log is shown when forcible creation is barred. When you evaluate action === "createaccount", you can use a bunch of built-in variables like user_name and user_groups in addition to accountname, but as for "forcecreatelocal" (as in list=logevents), something like !"sysop" in user_groups doesn't work and there's no way to prevent the relevant filter from being triggered on forcible account creation (note also that there's no way to see which variables are available for "forcecreatelocal" since abuse log doesn't show up). I tried disabling the filter to see if that resolves the issue, but even after turning it off (and leaving it some minutes), it keeps getting triggered and we can't use [[Special:CreateLocalAccount]] in the way that it should work.

We would appreciate it if someone could look into this matter.

Related Objects

Event Timeline

Dragoniez created this task.Nov 29 2022, 4:39 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 29 2022, 4:39 AM
matej_suchanek subscribed.Nov 29 2022, 7:34 AM

This sounds like either T307827#7911129 or T307828, or both.

Dragoniez added a comment.EditedDec 4 2022, 10:21 AM

A bit more information.
I tried erasing the relevant conditions that prevent account creations BEFORE forcible account creation, then that wasn't barred by the filter (note: I didn't either DISABLE or DELETE the filter). Maybe this is a workaround.
Anyway, when I forcibly created the relevant local account and blocked it for sockpuppetry with autoblock turned on, my IP was autoblocked. Is this normal? It's ridiculous that the IP of the sysop that took the admin action is autoblocked. Also, my IP will probably show up when the blocked user is CU-ed.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL