Page MenuHomePhabricator
Create Task
Maniphest T401354

Consider adding a fake User-Agent header to incoming requests to Patch Demo wikis
Closed, ResolvedPublic2 Estimated Story Points
Actions

Description

Background
  • Previously, when someone visited a page on a Patch Demo wiki, that person's User-Agent header was passed through to that wiki.
  • As Patch Demo wikis are (by their nature) publicly accessible/publicly usable, this meant that end-users' User-Agents could be publicly accessed by way of the CheckUser extension. This was reported in security task T385156: Patch Demo can publicly reveal User-Agents via the CheckUser extension.
  • To resolve that issue, Apache configuration was added to strip the User-Agent header from all incoming requests to Patch Demo wikis.
This task

Due to the fact that the Wikibase REST API currently requires inbound requests to include a User-Agent header, stripping the UA header means that this API is (by default) no longer effectively functional on Patch Demo wikis. @Silvan_WMDE has therefore requested that Patch Demo includes a fake User-Agent header, rather than stripping it entirely.

In T385156#11057842, @Silvan_WMDE wrote:
In T385156#10706486, @thcipriani wrote:

That's a good call. We're using apache for both the wikis. I tested CheckUser just now enabling mod_headers with RequestHeader unset User-Agent and that gets rid of the user agent.

Unfortunately, this breaks the Wikibase REST API on PatchDemo. As per T318151: 🥐 Require clients to identify themselves by providing User-Agent header, Wikibase rejects REST requests with missing or empty User-Agent headers.

We could also fake one if that's helpful for developers.

That would be helpful, indeed.

Related Objects

Event Timeline

A_smart_kitten created this task.Aug 6 2025, 9:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 6 2025, 9:37 PM
A_smart_kitten mentioned this in T385156: Patch Demo can publicly reveal User-Agents via the CheckUser extension.Aug 6 2025, 9:38 PM
thcipriani added a comment.Aug 6 2025, 9:44 PM

Thanks for splitting this out @A_smart_kitten !

Silvan_WMDE awarded a token.Aug 7 2025, 2:39 PM
AMarkossyan-WMF moved this task from triage to bugs on the Catalyst (PatchDemo) board.Aug 7 2025, 4:17 PM
AMarkossyan-WMF assigned this task to jnuche.Aug 7 2025, 4:19 PM
AMarkossyan-WMF edited projects, added Catalyst (musi); removed Catalyst (PatchDemo).
AMarkossyan-WMF moved this task from Backlog to Ready on the Catalyst (musi) board.Aug 7 2025, 4:28 PM
AMarkossyan-WMF set the point value for this task to 2.
CodeReviewBot added a project: Patch-For-Review.Aug 11 2025, 2:17 PM

jnuche opened https://gitlab.wikimedia.org/repos/test-platform/catalyst/ci-charts/-/merge_requests/90

apache: set bogus UA for requests to the wiki

CodeReviewBot added a comment.Aug 12 2025, 8:44 AM

jnuche merged https://gitlab.wikimedia.org/repos/test-platform/catalyst/ci-charts/-/merge_requests/90

apache: set bogus UA for requests to the wiki

A_smart_kitten added a comment.Aug 12 2025, 9:25 AM

@jnuche should the bogus UA also be added to the non-catalyst backend, or e.g. is that not worth doing at this stage?

Maintenance_bot removed a project: Patch-For-Review.Aug 12 2025, 9:30 AM
jnuche added a comment.Aug 12 2025, 9:40 AM

@jnuche should the bogus UA also be added to the non-catalyst backend, or e.g. is that not worth doing at this stage?

Probably not. We can always add it at a later date if there really is a requirement to support this in the legacy backend

A_smart_kitten added a comment.Aug 12 2025, 9:46 AM

Fair enough :)

jnuche closed this task as Resolved.Aug 12 2025, 10:39 AM

@Silvan_WMDE I can see the new UA in prod :)

Tentatively calling the task completed

jnuche moved this task from Ready to Waiting for review on the Catalyst (musi) board.Aug 12 2025, 10:40 AM
thcipriani added projects: Release-Engineering-Team (Doing 😎), Essential-Work.Aug 15 2025, 11:36 PM
Silvan_WMDE added a comment.Aug 25 2025, 3:23 PM
In T401354#11077446, @jnuche wrote:

@Silvan_WMDE I can see the new UA in prod :)

Tentatively calling the task completed

Thank you, I can confirm that the Wikibase REST API is now working in a patch demo wiki based on top of the Wikibase master branch. Much appreciated. 💯

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits