Page MenuHomePhabricator

Update Security Team-owned products that may be affected by IP Masking
Closed, ResolvedPublic

Description

IP Masking will affect lots of our products, features, tools, gadgets, etc. This task is for tracking work to update those that are owned by Security-Team, ahead of IP Masking being enabled on WMF sites.

See T326816: Update features for temporary accounts, particularly What will be affected.

A preliminary investigation (T326759) has found that the following may be affected:

  • StopForumSpam

Event Timeline

Hey @Tchanders - Thanks for the notification. ext:StopForumSpam, while enforcing on the beta cluster, is still only in "report-only mode" on a handful of wikis right now (https://gerrit.wikimedia.org/r/823789). It seems like, according to T326759, that there might be two things needed here:

  1. Update this small block of code that tries to find the IP from an anon username. The code pulls the IP from the request context in all other cases.
  2. Wait for various functions from Wikimedia\IPUtils to be updated, if necessary? It looks like the functions used by ext:StopForumSpam might not even be problematic: IPUtils::isIPAddress, IPUtils::formatHex, IPUtils::toHex, IPUtils::sanitizeIP.
sbassett moved this task from Watching to Waiting on the Security-Team board.
sbassett moved this task from Waiting to Watching on the Security-Team board.
sbassett moved this task from Backlog to Waiting on the user-sbassett board.

ext:StopForumSpam also echos back a user's IP address via the following error message (if they're disallowed access by the extension): https://github.com/wikimedia/mediawiki-extensions-StopForumSpam/blob/master/i18n/en.json#L13. It is unclear to me if this sort of thing will be disallowed under the new IP Masking policies.

sbassett moved this task from Incoming to Watching on the Security-Team board.

A similar question was asked on T350116#9358739, and I suspect it's fine. (If not we'll have to audit where else we display a user their own IP address.)

@Niharika Could you confirm whether this is the case?

I can confirm that revealing a user's own IP address to themselves should be OK.

I can confirm that revealing a user's own IP address to themselves should be OK.

Ok, so that just leaves the small code updates/questions from T326871#8521975 then, for ext:StopForumSpam.

Change 979952 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/StopForumSpam@master] Remove IP assignment via User::getName() for anonymous users

https://gerrit.wikimedia.org/r/979952

  1. Wait for various functions from Wikimedia\IPUtils to be updated, if necessary? It looks like the functions used by ext:StopForumSpam might not even be problematic: IPUtils::isIPAddress, IPUtils::formatHex, IPUtils::toHex, IPUtils::sanitizeIP.

I agree this looks fine. We included those terms in the search to flag up affected extensions just as indicators that the extension did something with IP addresses. Once it's getting the IP from the context, that should be fine. Thanks!

Change 979952 merged by jenkins-bot:

[mediawiki/extensions/StopForumSpam@master] Remove IP assignment via User::getName() for anonymous users

https://gerrit.wikimedia.org/r/979952

sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.

I agree this looks fine. We included those terms in the search to flag up affected extensions just as indicators that the extension did something with IP addresses. Once it's getting the IP from the context, that should be fine. Thanks!

Ok, this change set was just merged. Tentatively resolving this task for now.