Page MenuHomePhabricator
Create Task
Maniphest T71047

Develop countermeasures to the merge page histories attack
Open, LowestPublic
Actions

Description

See [[mw:User:MZMcBride/Attacks#Merge_page_histories]]: This attack by a rogue sysop "causes a royal mess that very few people can clean up properly. Find two pages with less than 2500 revisions (A and B) and one page with thousands and thousands of revisions (C). Delete page A and move page B to A's old location. Delete page B and then move page C to B's (and A's) old location. Restore the edits and suddenly you've merged three page's history into one. And there's nothing easy to do to reverse it."

One solution might be to track in log_search or log_params the revision IDs involved in page move, page deletion, and page undeletion events. Then a non-rogue sysop could select the log events to roll back, and the pages could be restored to their condition before those log events occurred.

Version: 1.24rc
Severity: normal

Details

Reference
bz69047

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Lowest.Nov 22 2014, 3:30 AM
bzimport added a project: MediaWiki-Page-deletion.
bzimport set Reference to bz69047.
bzimport added a subscriber: Unknown Object (MLST).
leucosticte created this task.Aug 2 2014, 2:18 PM
Bawolff added a comment.Aug 3 2014, 2:13 AM

Wasn't there some plan once Special:MergeHistory was better developed to disable history-merging-via-undelete? Maybe I'm misremembering.

bzimport added a comment.Aug 3 2014, 1:18 PM

abd wrote:

The difficult-to-undo damage occurs when the deleted revisions are restored and thus merged, though the same effect arises when revisions are deleted (that is, revisions become merged in the history of deleted revisions). This is one of a class of problems where a single command actually performs many actions that are not reversible with a single command, an "undo." Page moves including subpages can show a similar issue, I found to my regret when I once moved a page and included subpages without checking, and there were hundreds of them and then the move turned out to be a Bad Idea.

leucosticte added a comment.Aug 3 2014, 1:35 PM

(In reply to Abd ulRahman Lomax from comment #2)

The difficult-to-undo damage occurs when the deleted revisions are restored
and thus merged, though the same effect arises when revisions are deleted
(that is, revisions become merged in the history of deleted revisions). This
is one of a class of problems where a single command actually performs many
actions that are not reversible with a single command, an "undo." Page moves
including subpages can show a similar issue, I found to my regret when I
once moved a page and included subpages without checking, and there were
hundreds of them and then the move turned out to be a Bad Idea.

It's not so much when the pages are deleted that the problem arises, as when they're undeleted. When they're deleted, the revisions get moved from the revision table to the archive table, where it's possible to tell which pages they came from by the [[mw:Manual:Archive table#ar_page_id]]. When they're undeleted, they get moved back to the revision table, and they all end up with the same [[mw:Manual:Revision table#rev_page]] if they're being undeleted to the same page title.

leucosticte added a comment.Aug 3 2014, 1:37 PM

(In reply to Bawolff (Brian Wolff) from comment #1)

Wasn't there some plan once Special:MergeHistory was better developed to
disable history-merging-via-undelete? Maybe I'm misremembering.

I hadn't heard of that. I wonder how that would be implemented? E.g., perhaps it would be disallowed to undelete revisions with different ar_page_id values in one undelete action, and/or it would be disallowed to undelete revisions to a page that already exists?

leucosticte added a comment.Aug 4 2014, 12:20 AM

Proof of concept for (one possible way of) reversing these attacks is [[Extension:MoveRevisions]].

leucosticte added a comment.Aug 4 2014, 12:21 AM

Er, [[mw:Extension:MoveRevisions]], rather.

Liuxinyu970226 set Security to None.Nov 4 2015, 10:37 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 4 2015, 10:37 AM
Tjlsangria added a subtask: T147154: Add an "affected revisions" link to items in the deletion log.Oct 2 2016, 5:06 PM
Aklapper closed subtask T147154: Add an "affected revisions" link to items in the deletion log as Declined.Dec 21 2016, 6:34 AM
Cenarium removed a parent task: T70311: Add mirrormove module to MirrorTools.Feb 10 2017, 4:26 PM
GTrang subscribed.Sep 9 2018, 5:35 PM

In reply to the comment by the banned user about not allowing revisions from different page IDs to be restored at once, there is now a task for this: T193690. "Prevention is better than cure." Although that task prevents histories from being easily merged via Special:Undelete, it does not help "cure contaminated histories" by splitting them to restore them to good condition.

GTrang mentioned this in T206587: Overhaul the undelete feature with a "pagearchive" table.Dec 26 2018, 6:53 PM
DannyS712 added a project: MediaWiki-MergeHistory.Apr 8 2020, 4:54 PM
DannyS712 subscribed.
Pppery awarded a token.Oct 20 2023, 11:55 PM
Pppery subscribed.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL