T21565: Add more variables to AbuseFilter file uploading evaluation enables bad-faith editors to upload media files with an invalid {{permissionOTRS}} tag without anyone noticing (ABF is ignoring wikitext when uploading files).
background: https://commons.wikimedia.org/w/index.php?title=Commons:Administrators%27_noticeboard&oldid=149782377#OTRS_tickets_added_by_non-OTRS_volunteers
commons AF rule: https://commons.wikimedia.org/wiki/Special:AbuseFilter/69
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| Provide page text and edit summary when filtering file uploads | mediawiki/extensions/AbuseFilter | master | +84 -19 |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | matmarex | T89252 ABF is ignoring wikitext during upload | |||
| Resolved | matmarex | T89302 Create check hook before really uploading file with infos about description page and file |
This does not appear to be an issue with the OTRS software but with the way people use it for the permissions queue, and the need for a specific filter on a specific wiki which depends on an existing open task being fixed.
@Krenair: The other bug is not open for years and not specific enough. If needed a workaround need to be crated. Please not that faked otrs permissions on files are a problem for re-users. Because the ABF fix may take a while (years?) a workaround should be crated.
<Krenair> Steinsplitter, it sounds like any relevant software development would be for https://phabricator.wikimedia.org/T21565
<Krenair> Workarounds etc. would be done by permissions agents or other commons users, i.e. not a task to put in phabricator
looks like this is a valid bug, based on my assumption that for new upload only onUploadVerifyFile is called, but not filterEdit.
Maybe that's also a core bug, because onUploadVerifyFile maybe doesn't ship all the details we need and onUploadComplete is too late.
Further research for whoever will fix this w/o T 89302 hook:
there should/will be the hook "PageContentSave" called when the description page is created, but it hasn't a nice error handling;
via UploadBase::performUpload -> LocalFile??::upload -> WikiPage:doEditContent.
AbuseFilter currently doesn't hook in there.
I'd like to work on this at some point. No promises as to when it happens (I have a few more pressing things) or how long it'll take me (both uploading and AbuseFilter are a bit hairy), but I'm going to look into it. Remind me if I don't do anything about this for a month. :P
Change 295254 had a related patch set uploaded (by Bartosz Dziewoński):
Provide page text and edit summary when filtering file uploads
Change 295254 merged by jenkins-bot:
Provide page text and edit summary when filtering file uploads
This is now possible. After the patch is deployed to Commons with MediaWiki 1.28.0-wmf.10 (per the roadmap, this Wednesday, 13 July 2016; although there's currently a problem with logins and all wikis were rolled back to wmf.8, so this might be delayed), you will be able to use new_wikitext and similar variables in filters using action='upload'. See https://www.mediawiki.org/wiki/Extension:AbuseFilter/Rules_format#Notes for documentation. If it's unclear, don't hesitate to ask on the talk page there (I'm watching it).