
EducationProgram: IP attribution incorrect in a page history and causes privacy leak
Closed, Resolved · Public

Description

This is the page in question:
https://en.wikipedia.org/w/index.php?title=Education_Program:Consumer_Reports/Wikipedia_Volunteer_Corps_Course_(winter_2015)&action=history

The third edit to the page was vandalism by an IP address. However, the page history shows the IP address of the person/account reading the page and not the IP that made the edit. The IP that apparently made the edit has zero contributions: https://en.wikipedia.org/wiki/Special:Contributions/72.68.239.80

Edit: The IP's contributions are showing up now in Special:Contributions at least, but the bug still lives.

I think this is a problem.

Event Timeline

Keegan raised the priority of this task from to Needs Triage.
Keegan updated the task description.
Keegan added a project: MediaWiki-General.
Keegan subscribed.

I see 152.179.58.30, which is the IP address I am currently using. http://geoiplookup.wikimedia.org/ verifies this:

{
"city": "Washington",
"country": "US",
"lat": [redacted],
"lon": [redacted],
"IP": "152.179.58.30"
}

(Yes, I live in Washington, DC.)

This comment was removed by chasemp.
MZMcBride subscribed.
Jalexander renamed this task from "IP attribution incorrect in a page history" to "EducationProgram: IP attribution incorrect in a page history and causes privacy leak". (Mar 4 2015, 10:48 PM)
Jalexander changed Security from None to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". (Mar 4 2015, 10:48 PM)
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: acl*security.

Pulling this private after talking to Michelle because, while it's now redacted (but still in the history), the database info reveals a user's IP (this is also a problem on-wiki that I'm attempting to deal with). I adjusted the title since this bug seems to be the cause of that issue as well, which is, indeed, a privacy policy problem.

It was not my intent to drop any current subscribers (you should all be able to view the bug still). If you can't, let me know and I'll go about trying to fix that. [I'm also ok with making the bug public if we can delete the history of the comment in question, but I don't think that's possible in Phabricator.]


@chasemp can do that for you.

Thanks Chase, below is the redacted version of the comment so that it can still be used (originally from @Krenair).

MariaDB [enwiki_p]> select course_id, course_title from ep_courses where course_title like '%Consumer Reports%';
+-----------+-----------------------------------------------------------------+
| course_id | course_title                                                    |
+-----------+-----------------------------------------------------------------+
|       531 | Consumer Reports/Wikipedia Volunteer Corps Course (winter 2015) |
+-----------+-----------------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [enwiki_p]> select rev_id, rev_time, rev_user_id, rev_user_text, rev_comment from ep_revisions where rev_object_id = 531 order by rev_time desc;
+--------+----------------+-------------+---------------+-----------------------------------------------------------------+
| rev_id | rev_time       | rev_user_id | rev_user_text | rev_comment                                                     |
+--------+----------------+-------------+---------------+-----------------------------------------------------------------+
|   2561 | 20150303165749 |     7830073 | Bluerasberry  | Undo revision made on 18:05, 27 February 2015 by [redacted] |
|   2539 | 20150227180530 |           0 | 72.68.239.80  | this course promotes vandalismm                                 |
|   2430 | 20150207155213 |      319203 | Ragesoss      | add dashboard link                                              |
|   2173 | 20150107153632 |     7830073 | Bluerasberry  |                                                                 |
+--------+----------------+-------------+---------------+-----------------------------------------------------------------+
4 rows in set (0.01 sec)
Jalexander changed the visibility from "Custom Policy" to "Public (No Login Required)". (Mar 4 2015, 11:38 PM)
Jalexander changed the edit policy from "Custom Policy" to "All Users".
Jalexander changed Security from Software security bug to None.

Moved back to public (though kept Security as a project on for now because it's still a privacy related bug).

rev_deleted = 10 would not work (guess EducationProgram does not check that?), so we set rev_comment = '[comment redacted by [[m:System administrators|sysadmin]], ref phabricator T91416]'

Change 194448 had a related patch set uploaded (by Alex Monk):
Load anonymous users by name

https://gerrit.wikimedia.org/r/194448

Change 194448 merged by jenkins-bot:
Load anonymous users by name

https://gerrit.wikimedia.org/r/194448
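The following is an added illustration of the defect class this task describes and of the pattern named in the patch title "Load anonymous users by name"; it is not code from the EducationProgram extension or from Gerrit change 194448. The cause it assumes is inferred from the symptom in the description and from the rows shown above: an anonymous edit is stored with rev_user_id = 0 and the editor's IP in rev_user_text, and a user object built from the numeric id alone has no stored identity, so MediaWiki's User::getName() falls back to the IP of the current request, i.e. the reader's, not the editor's. The functions editorNameById and editorNameByName are hypothetical helpers; $row stands for one ep_revisions row.

```php
<?php
// Added illustration for this task, not project code. Assumes MediaWiki's
// core User class (User::newFromId, User::newFromName, User::getName) is
// loaded, as it is inside any extension. $row is one ep_revisions row,
// e.g. the anonymous edit above: rev_user_id = 0, rev_user_text = '72.68.239.80'.

/**
 * The weak pattern (assumed cause of this task): for an anonymous edit
 * rev_user_id is 0, and User::newFromId( 0 ) is a default user with no
 * loaded name. getName() on such a user resolves to the IP of whoever is
 * making the *current* request, so the history page shows the viewer's
 * IP as the editor of the revision, which is exactly the reported leak.
 */
function editorNameById( $row ) {
	$user = User::newFromId( (int)$row->rev_user_id );
	return $user->getName();
}

/**
 * The corrected pattern: anonymous editors are identified by the stored
 * rev_user_text, so build the User from that name. The second argument is
 * false because an IP address is not a valid username and would otherwise
 * fail username validation and return false. Registered editors can still
 * be loaded by id, which is stable for them.
 */
function editorNameByName( $row ) {
	if ( (int)$row->rev_user_id === 0 ) {
		$user = User::newFromName( $row->rev_user_text, false );
		// Defensive fallback: if the stored name cannot be turned into a
		// User object at all, show the stored text rather than anything
		// derived from the current request.
		return $user ? $user->getName() : $row->rev_user_text;
	}
	return User::newFromId( (int)$row->rev_user_id )->getName();
}
```

The detection angle for a reviewer is the same in both directions: any code path that turns a stored user id into a displayed name must treat id 0 as "look at the stored name", because id 0 carries no identity of its own, and a name derived from the request object is never a property of historical data.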

Keegan claimed this task.