
Remove all proxy blocking functionalities from mediawiki core
Open, Low, Public


To conclude the work started in T56597, I think the remaining proxy blocking functionality should be removed from MediaWiki core. The settings using this are $wgProxyList and $wgEnableDnsBlacklist, and there is an associated proxyunbannable user right. WMF wikis don't use this: $wgProxyList refers to mwblocker.log, which does not exist in wmf-config, and a couple of wikis have $wgEnableDnsBlacklist set to true but don't seem to actually use it. WMF wikis use the TorBlock extension instead, so all that it does for end users is create an unused user right. I think that all wikis should be able to choose whatever proxy blocking extension they want, so there's no need to have anything in MediaWiki core.

Event Timeline

Cenarium created this task. Nov 30 2014, 6:07 PM
Cenarium updated the task description.
Cenarium raised the priority of this task from to Needs Triage.
Cenarium added a project: MediaWiki-Core-Team.
Cenarium changed Security from none to None.
Cenarium added a subscriber: Cenarium.
Reedy added a subscriber: Reedy. Nov 30 2014, 6:12 PM

Yes, mwblocker.log does exist in wmf-config, it's just only locally and in .gitignore so not checked into the repo

Beta labs has $wgEnableDnsBlacklist = true in CommonSettings-labs.php.

revi added a subscriber: revi. Dec 4 2014, 12:30 PM
Aklapper triaged this task as Low priority. Mar 21 2015, 10:04 PM
Aklapper added a subscriber: Aklapper.

> Yes, mwblocker.log does exist in wmf-config, it's just only locally and in .gitignore so not checked into the repo

Though it looks like it was useful in the early years of MediaWiki, there are now tools at our disposal such as global blocks and the TorBlock extension that provide a more efficient management system for proxies.
I wonder if the file is regularly updated and if there's still any reason to keep it private? Also, I've seen in T28710 that the file might actually be empty, at least for some wikis, and created only to avoid a bug.

As for the DNS blacklist, it's well updated since it relies on, though the implementation only supports IPv4 addresses. It might be moved to an extension.
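
For readers following the IPv4-only remark above, here is an added illustration (not MediaWiki's code and not part of the task discussion) of how a DNS blacklist query name is built for both IPv4 and IPv6 addresses using the RFC 5782 layout. The zone name `dnsbl.example`, the listed entries and the function names are constructed for this example.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Return the DNS name to look up for `ip` in the DNSBL `zone`."""
    addr = ipaddress.ip_address(ip)
    # Choice made for this example: an IPv4-mapped IPv6 address
    # (::ffff:a.b.c.d) is checked as the IPv4 address it wraps.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 4:
        # IPv4: the four octets in reverse order.
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6: all 32 hex nibbles of the expanded address, reversed.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the DNSBL answers with a 127.0.0.0/8 address for `ip`."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        # No such name: the address is not listed. Resolver outages
        # also land here, so this check fails open.
        return False
    return answer.startswith("127.")

# Constructed zone contents standing in for a real DNSBL (offline demo).
CONSTRUCTED_ZONE = {
    "99.2.0.192.dnsbl.example": "127.0.0.2",
    dnsbl_query_name("2001:db8::1", "dnsbl.example"): "127.0.0.2",
}

def fake_resolve(name):
    """Resolver stub: answers from CONSTRUCTED_ZONE, else NXDOMAIN."""
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    raise socket.gaierror("NXDOMAIN (constructed)")

if __name__ == "__main__":
    for ip in ("192.0.2.99", "::ffff:192.0.2.99", "2001:db8::1", "198.51.100.7"):
        print(ip, dnsbl_query_name(ip, "dnsbl.example"),
              is_listed(ip, "dnsbl.example", fake_resolve))
```

A checker that only implements the IPv4 branch has no valid query name for a client connecting over IPv6, so such clients go unchecked.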