
Blocks from AbuseFilter show up as performed from the target's IP address in Checkuser
Open, Medium, Public

Description

Blocks performed by the AbuseFilter show up in the Checkuser as having been performed through the target's IP address, hence it appears as if the IP had been used by more than one user, one being the actual user and the other being AbuseFilter blocking it.

This causes some confusion, and several times I've performed the additional check on the IP trying to figure out who else used it.


See Also:
T55008: MediaWiki:Autoblocker etc. reveals to third party that a (blocked) user has used the same IP address

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 12:51 AM
bzimport added a project: AbuseFilter.
bzimport set Reference to bz42345.
Snowolf created this task. Nov 22 2012, 1:49 AM

Change 92050 had a related patch set uploaded by Legoktm:
Allow extensions to override the IP address

https://gerrit.wikimedia.org/r/92050

Change 92051 had a related patch set uploaded by Legoktm:
Override the IP for the filter user in CheckUser data

https://gerrit.wikimedia.org/r/92051

Change 92179 had a related patch set uploaded by saper:
Allow robotic Users to determine their IP address

https://gerrit.wikimedia.org/r/92179

saper added a comment. Oct 27 2013, 8:49 PM

I did some checks here and the problem is that a whole original WebRequest is re-used for logging.

Even if we force the AbuseFilter to give a different IP address, the user agent, for example, will be taken from the original request.

Change 92252 had a related patch set uploaded by saper:
Introduce AbuseFilterUser

https://gerrit.wikimedia.org/r/92252

Change 92179 abandoned by saper:
Allow robotic Users to determine their IP address

Reason:
as per review

https://gerrit.wikimedia.org/r/92179

Change 92252 abandoned by saper:
Introduce AbuseFilterUser

Reason:
Thank you, closing per code review.

https://gerrit.wikimedia.org/r/92252

jayvdb added a comment. Oct 7 2014, 5:33 AM

status update: two of the patches have been abandoned, but this one is still under review

https://gerrit.wikimedia.org/r/#/c/92051/

Se4598 added a subscriber: Se4598.

Adding CheckUser.
Patches currently existing are gerrit:92051 in AbuseFilter and corresponding gerrit:92050 in CheckUser extension (though they also currently reuse the same web request (same UA etc.)).

Legoktm removed Legoktm as the assignee of this task. Feb 9 2015, 6:39 PM
Legoktm set Security to None.
saper moved this task from Backlog to Under discussion on the CheckUser board. Apr 5 2015, 11:12 PM
saper moved this task from Under discussion to Patches in review on the CheckUser board.

Change 92050 had a related patch set uploaded (by Paladox):
Allow extensions to override the IP address

https://gerrit.wikimedia.org/r/92050

Change 92051 had a related patch set uploaded (by Paladox):
Override the IP for the filter user in CheckUser data

https://gerrit.wikimedia.org/r/92051

Restricted Application added a subscriber: Luke081515. Aug 8 2015, 11:45 AM

Krenair asked in Gerrit: "What about X-Forwarded-For?"
Anybody having an opinion / input?

Restricted Application added a subscriber: JEumerus. Mar 8 2016, 10:45 PM
MarcoAurelio moved this task from Closed to Patches in review on the CheckUser board.

I'm not sure how x-forwarded-for is relevant? Is Krenair suggesting that we should use x-forwarded-for to convey this info, or rather, that we need to account for x-forwarded-for headers in some way? It seems related but I'm not sure how it's relevant.

I think what @Krenair meant was "why not use/inject X-Forwarded-For to show both the IP that actually did the action (server's) and the IP of the user on whose behalf the server did the action (in this case I guess the blocked user?)"

But I think that is not a good idea. XFF is used to show information flow from one IP to the next. In this case, the information does not flow to the blocked user at all so they should not be represented in the XFF trail.

Meno25 added a subscriber: Meno25. Dec 9 2018, 3:47 AM