Page MenuHomePhabricator
Create Task
Maniphest T348803

Account consisting of spacelike characters (Hangul fillers) only
Open, Needs TriagePublicBUG REPORT
Actions

Description

Hello,

Can you please explain how this account was created? Also how can this be avoided? Because it's affected the logs
For reference please see CentralAuth

Screenshot 2023-10-12 231214.png (780×1 px, 52 KB)

Screenshot 2023-10-12 231522.png (537×1 px, 63 KB)

Thanks

Details

SubjectRepoBranchLines +/-
Add space-like and more invisible lettersmediawiki/libs/Equivsetmaster+95 -7
Customize query in gerrit

Event Timeline

alaa created this task.Oct 12 2023, 8:15 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptOct 12 2023, 8:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
alaa updated the task description. (Show Details)Oct 12 2023, 8:18 PM
Kizule subscribed.Oct 12 2023, 8:56 PM

ChatGPT as the best friend: https://chat.openai.com/share/8df51bc8-f0a5-413e-9355-aebfa4468692

Reference: https://www.compart.com/en/unicode/U+1164

Tgr edited projects, added Equivset, AntiSpoof; removed MediaWiki-Platform-Team, MediaWiki-extensions-CentralAuth.Oct 12 2023, 9:45 PM
Tgr subscribed.

ChatGPT is a bit off, it's actually a series of Hangul fillers (U+3164).

Equivset/Antispoof only groups together the Hangul filler with the half-width Hangul filler, which is not super useful. I guess we'd need an equivalence set of spacelike/invisible characters, so we can ban them at the beginning or end of a username?

Not really a problem with CentralAuth, in any case.

Tgr renamed this task from Account created with blank username to Account consisting of spacelike characters (Hangul fillers) only.Oct 12 2023, 9:46 PM
Bugreporter subscribed.Oct 14 2023, 1:01 AM

See: https://meta.wikimedia.org/wiki/Talk:Title_blacklist/Archives/2021#U+3164_(Hangul_Filler)

gerritbot added a comment.Feb 18 2024, 2:29 PM

Change 1004323 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/libs/Equivset@master] Add more space-a-like and invisible letters

https://gerrit.wikimedia.org/r/1004323

gerritbot added a project: Patch-For-Review.Feb 18 2024, 2:29 PM
gerritbot added a comment.Feb 19 2024, 6:34 AM

Change 1004323 merged by jenkins-bot:

[mediawiki/libs/Equivset@master] Add space-like and more invisible letters

https://gerrit.wikimedia.org/r/1004323

Maintenance_bot removed a project: Patch-For-Review.Feb 19 2024, 7:30 AM
Umherirrender subscribed.Feb 20 2024, 9:45 PM

The linked patch sets needs a new release of the equivset package, that could be happen in some months.

I have tested it with AntiSpoof and the error handling is not nice:

To prevent confusion, the username "ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ" cannot be used: Your provided username is too short. Please choose another username.

But at least it cannot be created.
The hangul filler is now replaced with spaces and AntiSpoof removed all spaces in the validation step, making the user name the empty string within the checks.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits