Page MenuHomePhabricator
Create Task
Maniphest T350116

Block messages duplicated for anonymous user with IP Masking enabled
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To
Tchanders
Authored By
dom_walden
Oct 31 2023, 9:02 AM
Tags
Referenced Files
F41415622: duplicate_block_error_message_multiple.png
Oct 31 2023, 9:02 AM
F40005908: duplicate_block_error_message.png
Oct 31 2023, 9:02 AM
File Not Attached
Subscribers
Aklapper
dom_walden
kostajh
KSiebert
MusikAnimal
Niharika
Tchanders
tstarling

Description

What is the problem?

When attempting to edit as an IP from an IP that is blocked and IP Masking is enabled, the block message is duplicated.

It does not seem to matter if the IP is blocked by a local database block, global block, system block or a combination of any of these. Whatever the block error message is for the particular block, it is duplicated.

Originally found in T345683#9279144.

Steps to reproduce problem
  1. If testing locally, add this to you LocalSettings.php: $wgAutoCreateTempUser['enabled'] = true;
  2. Locally or on dewiki beta, while logged out, go to Special:MyTalk to find out what your IP address is (e.g. http://localhost:8080/wiki/Special:MyTalk or https://de.wikipedia.beta.wmflabs.org/wiki/Special:MyTalk)
  3. Login as an admin user, go to Special:Block and block the IP from step 1. (Use a "sitewide" block. Any other parameters shouldn't matter.)
  4. Log out and attempt to edit any page on the wiki

Expected behaviour: You see one blocked message. It will look something like this (if on an English wiki) or this (if on dewiki) but without the red/yellow banner.
Observed behaviour: The blocked message is duplicated.

Environment

Wiki(s): https://de.wikipedia.beta.wmflabs.org MediaWiki 1.42.0-alpha (af78055) 08:54, 31 October 2023.

Screenshots

Example showing a single duplicated block message:

duplicate_block_error_message.png (602×1 px, 107 KB)

Example showing two block messages being duplicated (one IP range and $wgDnsBlacklistUrls):

duplicate_block_error_message_multiple.png (746×1 px, 148 KB)

Details

SubjectRepoBranchLines +/-
EditPage: Remove unnecessary extra check for blocksmediawiki/coremaster+1 -32
Customize query in gerrit

Related Objects

Event Timeline

dom_walden created this task.Oct 31 2023, 9:02 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 31 2023, 9:02 AM
dom_walden mentioned this in T345683: Review of MediaWiki block-related code.Oct 31 2023, 9:02 AM
dom_walden updated the task description. (Show Details)Oct 31 2023, 9:05 AM
dmaza edited projects, added Community-Tech (CommTech-Kanban); removed Community-Tech.Oct 31 2023, 9:42 AM
MusikAnimal added subscribers: Tchanders, tstarling, MusikAnimal.EditedNov 14 2023, 7:38 PM

The blockedtext-tempuser message is being shown by PermissionsManager, while the blockedtext message is being shown by EditPage.php#942. Above the code in EditPage, I see the comment:

// Check if the user is blocked from editing.
// This check must be done on the context user, in order to trigger
// checks for blocks against IP address, XFF, etc, until T221067

T221067: Move block-related methods on User to the BlockManager doesn't appear to have been worked on, but it seems perhaps there was some unintended overlap between what was planned for T221067 and what has been done recently for T345683: Review of MediaWiki block-related code. Removing the code below the aforementioned comment causes only blockedtext-tempuser to be shown, which I believe is what we want. However I haven't tested the different code paths to ensure there's no missing block messages, etc. I could dig through and figure this out, but I feel like @tstarling and @Tchanders would probably know off-hand whether the code in EditPage is still needed. I also advise ensuring we're not stepping on any toes between T221067 and T345683. Can either of you speak to that? Thanks!

MusikAnimal added a project: Temporary accounts.Nov 14 2023, 7:41 PM

It's probably also worth mentioning that blockedtext-tempuser seems to expose the IP to the user. Is that intentional? I would guess that with Temporary accounts enabled, we wouldn't want to show the IP, even though it is the user's actual IP (so not really a security concern, per se).

KSiebert subscribed.Nov 15 2023, 3:25 PM
kostajh subscribed.Nov 20 2023, 6:49 PM
Tchanders added a subscriber: Niharika.Nov 27 2023, 11:16 AM
In T350116#9332184, @MusikAnimal wrote:

It's probably also worth mentioning that blockedtext-tempuser seems to expose the IP to the user. Is that intentional? I would guess that with Temporary accounts enabled, we wouldn't want to show the IP, even though it is the user's actual IP (so not really a security concern, per se).

I strongly suspect that revealing the IP address only to the user themselves would be OK. If not, we'd have to update the block message for fully-registered users, and probably do an audit of where else we show the IP address. @Niharika Could you confirm this is the case? We could add it to the documentation if so.

Tchanders added a comment.Nov 27 2023, 1:03 PM

What's happening here?

The extra block check was added to solve T327307: Blocked temporary account user should see block message on edit page when their IP address is blocked. In short, when a logged-out user is trying to make their first edit, and IP masking is enabled, we check their permissions against a placeholder temporary account. Because this user is different from the (global) context user, the IP address, XFF, cookies, etc weren't being checked for blocks (see docblock here). So we added an extra check for these.

Since https://gerrit.wikimedia.org/r/c/mediawiki/core/+/964610, the PermissionManager looks for IP, XFF, cookie, etc blocks regardless of whether the user is the context user, but we don't find that block when checking User::getBlock, since that goes via the old route - so we still do the extra check, but unnecessarily.

How can we fix it?

Simply: we can remove the extra check, now that PermissionManager checks the right thing. (This task.)

Long story (beyond scope of this task): We were using the placeholder temporary users for permissions checks so that we could disallow anon (IP) users from editing (or whatever action) in the config, but still allow them to edit if the edit will create a temporary account. However, we're going to change that approach as summarised in T336187#9341749: we'll check against the anon (IP) user, and the config must be set to allow the * group to perform the action. We decided this so that other features wouldn't have to check against a temporary placeholder user. But it should also mean we can stop checking against a temporary placeholder user from EditPage too.

gerritbot added a comment.Nov 27 2023, 1:59 PM

Change 977680 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] EditPage: Remove unnecessary extra check for blocks

https://gerrit.wikimedia.org/r/977680

gerritbot added a project: Patch-For-Review.Nov 27 2023, 1:59 PM
Tchanders claimed this task.Nov 27 2023, 3:59 PM
Tchanders added a project: Trust and Safety Product Sprint (Sprint Shamisen (20th Nov - 1st Dec. 2023)).
Tchanders moved this task from Priority Backlog to Needs review on the Trust and Safety Product Sprint (Sprint Shamisen (20th Nov - 1st Dec. 2023)) board.
Tchanders moved this task from Needs review to Needs QA on the Trust and Safety Product Sprint (Sprint Shamisen (20th Nov - 1st Dec. 2023)) board.Nov 28 2023, 8:08 PM
gerritbot added a comment.Nov 28 2023, 8:22 PM

Change 977680 merged by jenkins-bot:

[mediawiki/core@master] EditPage: Remove unnecessary extra check for blocks

https://gerrit.wikimedia.org/r/977680

Maintenance_bot removed a project: Patch-For-Review.Nov 28 2023, 8:30 PM
ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.9; 2023-12-12).Nov 28 2023, 9:00 PM
Tchanders mentioned this in T326871: Update Security Team-owned products that may be affected by IP Masking.Nov 29 2023, 8:04 PM
dom_walden added a comment.EditedDec 1 2023, 11:34 AM
In T350116#9365050, @gerritbot wrote:

Change 977680 merged by jenkins-bot:

[mediawiki/core@master] EditPage: Remove unnecessary extra check for blocks

https://gerrit.wikimedia.org/r/977680

@Tchanders I think since this change we no longer block globally blocked IPs if they appear in the XFF header, but only on the Edit page (not when trying to edit via the API) and only if IP Masking is enabled.

kostajh added a comment.Dec 4 2023, 8:18 AM
In T350116#9374582, @dom_walden wrote:
In T350116#9365050, @gerritbot wrote:

Change 977680 merged by jenkins-bot:

[mediawiki/core@master] EditPage: Remove unnecessary extra check for blocks

https://gerrit.wikimedia.org/r/977680

@Tchanders I think since this change we no longer block globally blocked IPs if they appear in the XFF header, but only on the Edit page (not when trying to edit via the API) and only if IP Masking is enabled.

@Tchanders @dom_walden should we revert the patch, then, until we have a fix in place for that scenario? Or make a follow-up task given that we don't have temporary accounts configuration enabled in production yet?

Tchanders added a comment.Dec 4 2023, 10:35 AM

@kostajh I don't think this needs reverting, since it's not enabled in production. I'll look into it and decide whether it needs a fix here or another task.

Tchanders added a comment.Dec 6 2023, 1:52 PM

@Tchanders I think since this change we no longer block globally blocked IPs if they appear in the XFF header, but only on the Edit page (not when trying to edit via the API) and only if IP Masking is enabled.

@dom_walden This is what I've found - is that the same as what you meant?

Setup

  • Enable temporary accounts
  • Globally block an IP address
  • Log out
  • Try to edit from an unblocked IP address, but with the blocked IP address in your XFF header

What I observed, with this change

  • No block message is shown
  • On trying to submit the edit, the XFF IP block prevents it

What I observed, before this change

  • A single block message is shown for the XFF IP block (as opposed to duplicated messages as per the task description)

The problem is that GlobalBlocking is still checking for the global/context/session user before it decides whether to check XFF blocks (unlike core, which was updated not to do this - see T350116#9359068). When editing for the first time as a logged out user with temporary accounts enabled, the session user is the IP user, but the user passed to GlobalBlocking is the placeholder temporary account.

I'll file two follow-up tasks here, and doing either or both of these will solve the problem of GlobalBlocking not finding XFF blocks:

  1. GlobalBlocking should be using the same conditions as core to decide whether to check for XFF blocks
  2. We may be able to stop using a placeholder temporary account for permissions checks from EditPage
dmaza removed a project: Community-Tech (CommTech-Kanban).Dec 7 2023, 6:36 PM
Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Lute (11th Dec. - 22nd Dec. 2023)); removed Trust and Safety Product Sprint (Sprint Shamisen (20th Nov - 1st Dec. 2023)).Dec 11 2023, 5:05 PM
Dreamy_Jazz moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Lute (11th Dec. - 22nd Dec. 2023)) board.
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Lute (11th Dec. - 22nd Dec. 2023)) board.Dec 13 2023, 4:10 PM
In T350116#9386699, @Tchanders wrote:

@Tchanders I think since this change we no longer block globally blocked IPs if they appear in the XFF header, but only on the Edit page (not when trying to edit via the API) and only if IP Masking is enabled.

@dom_walden This is what I've found - is that the same as what you meant?

Yes, that's the one.

I'll file two follow-up tasks here, and doing either or both of these will solve the problem of GlobalBlocking not finding XFF blocks:

Thanks. I will move this task along.

Tchanders mentioned this in T353564: GlobalBlocking should use the same conditions as core to decide whether to check for XFF blocks.Dec 15 2023, 10:50 PM
Tchanders closed this task as Resolved.EditedDec 15 2023, 10:53 PM
  1. GlobalBlocking should be using the same conditions as core to decide whether to check for XFF blocks

T353564: GlobalBlocking should use the same conditions as core to decide whether to check for XFF blocks

  1. We may be able to stop using a placeholder temporary account for permissions checks from EditPage

T353565: Investigate: Do we still need to use a placeholder temporary account for permissions checks in EditPage?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL