Page MenuHomePhabricator
Create Task
Maniphest T91416

EducationProgram: IP attribution incorrect in a page history and causes privacy leak
Closed, ResolvedPublic
Actions

Description

This is the page in question:
https://en.wikipedia.org/w/index.php?title=Education_Program:Consumer_Reports/Wikipedia_Volunteer_Corps_Course_(winter_2015)&action=history

The third edit to the page was vandalism by an IP address. However, the page history shows the IP address of the person/account reading the page and not the IP that made the edit. The IP that apparently made the edit has zero contributions: https://en.wikipedia.org/wiki/Special:Contributions/72.68.239.80

Edit The IP's contributions are showing up now in Special:Contributions at least, but the bug still lives.

I think this is a problem.

Details

SubjectRepoBranchLines +/-
Load anonymous users by namemediawiki/extensions/EducationProgrammaster+6 -1
Customize query in gerrit

Related Objects

Event Timeline

Keegan created this task.Mar 3 2015, 6:11 PM
Keegan raised the priority of this task from to Needs Triage.
Keegan updated the task description. (Show Details)
Keegan added a project: MediaWiki-General.
Keegan subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 3 2015, 6:11 PM
Keegan added a project: MediaWiki-extensions-EducationProgram.Mar 3 2015, 6:15 PM
Keegan set Security to None.
Harej subscribed.EditedMar 3 2015, 6:17 PM

I see 152.179.58.30, which is the IP address I am currently using. http://geoiplookup.wikimedia.org/ verifies this:

{
"city": "Washington",
"country": "US",
"lat": [redacted],
"lon": [redacted],
"IP": "152.179.58.30"
}

(Yes, I live in Washington, DC.)

CodeLyoko subscribed.Mar 3 2015, 7:13 PM
Krenair subscribed.Mar 3 2015, 9:45 PM
Krenair added a comment.Mar 4 2015, 2:28 AM
This comment was removed by chasemp.
MZMcBride triaged this task as High priority.Mar 4 2015, 4:55 AM
MZMcBride subscribed.
Keegan updated the task description. (Show Details)Mar 4 2015, 4:58 AM
Mamyles subscribed.Mar 4 2015, 3:52 PM

Also note that when viewing a revision, the edit summary is improperly displayed as "$7":
https://en.wikipedia.org/w/index.php?title=Education_Program:Consumer_Reports/Wikipedia_Volunteer_Corps_Course_(winter_2015)&revid=2539

Jalexander subscribed.Mar 4 2015, 9:23 PM
Keegan updated the task description. (Show Details)Mar 4 2015, 9:27 PM
Jalexander added a subscriber: AKoval_WMF.Mar 4 2015, 9:34 PM
Jalexander renamed this task from IP attribution incorrect in a page history to EducationProgram: IP attribution incorrect in a page history and causes privacy leak.Mar 4 2015, 10:48 PM
Jalexander changed Security from None to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptMar 4 2015, 10:48 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Restricted Application added a project: acl*security. · View Herald Transcript
Jalexander added a comment.Mar 4 2015, 10:51 PM

Pulling this private after talking to Michelle because, while it's now redacted (but still in the history), the database info reveals a users IP (this is also a problem on wiki that I'm attempting to deal with). I adjusted the title since this bug seems to be the cause of that issue as well which is, indeed a privacy policy problem.

It was not my intent to drop any current subscribers (you should all be able to view the bug still) If you can't let me know and I'll go about trying to fix that. [I'm also ok with making the bug public if we can delete the history of the comment in question but I don't think that's possible in Phabricator].

Legoktm subscribed.Mar 4 2015, 10:52 PM

Seems pretty similar to T68624.

csteipp added subscribers: chasemp, csteipp.Mar 4 2015, 11:29 PM
In T91416#1090498, @Jalexander wrote:

It was not my intent to drop any current subscribers (you should all be able to view the bug still) If you can't let me know and I'll go about trying to fix that. [I'm also ok with making the bug public if we can delete the history of the comment in question but I don't think that's possible in Phabricator].

@chasemp can do that for you.

chasemp added a comment.Mar 4 2015, 11:37 PM

Removed https://phabricator.wikimedia.org/T91416#1085330 per @csteipp request.

Jalexander added a comment.Mar 4 2015, 11:38 PM

Thanks Chase, below is the redacted version of the comment so that it can still be used (originally from @Krenair).

MariaDB [enwiki_p]> select course_id, course_title from ep_courses where course_title like '%Consumer Reports%';
+-----------+-----------------------------------------------------------------+
| course_id | course_title                                                    |
+-----------+-----------------------------------------------------------------+
|       531 | Consumer Reports/Wikipedia Volunteer Corps Course (winter 2015) |
+-----------+-----------------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [enwiki_p]> select rev_id, rev_time, rev_user_id, rev_user_text, rev_comment from ep_revisions where rev_object_id = 531 order by rev_time desc;
+--------+----------------+-------------+---------------+-----------------------------------------------------------------+
| rev_id | rev_time       | rev_user_id | rev_user_text | rev_comment                                                     |
+--------+----------------+-------------+---------------+-----------------------------------------------------------------+
|   2561 | 20150303165749 |     7830073 | Bluerasberry  | Undo revision made on 18:05, 27 February 2015 by [redacted] |
|   2539 | 20150227180530 |           0 | 72.68.239.80  | this course promotes vandalismm                                 |
|   2430 | 20150207155213 |      319203 | Ragesoss      | add dashboard link                                              |
|   2173 | 20150107153632 |     7830073 | Bluerasberry  |                                                                 |
+--------+----------------+-------------+---------------+-----------------------------------------------------------------+
4 rows in set (0.01 sec)
Jalexander changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 4 2015, 11:38 PM
Jalexander changed the edit policy from "Custom Policy" to "All Users".
Jalexander changed Security from Software security bug to None.

Moved back to public (though kept Security as a project on for now because it's still a privacy related bug).

Krenair added a comment.Mar 4 2015, 11:52 PM

rev_deleted = 10 would not work (guess EducationProgram does not check that?), so we set rev_comment = '[comment redacted by [[m:System administrators|sysadmin]], ref phabricator T91416]'

chasemp unsubscribed.Mar 4 2015, 11:55 PM
Philippe-WMF added a project: Trust-and-Safety.Mar 5 2015, 12:39 AM
Philippe-WMF subscribed.
gerritbot subscribed.Mar 5 2015, 3:45 AM

Change 194448 had a related patch set uploaded (by Alex Monk):
Load anonymous users by name

https://gerrit.wikimedia.org/r/194448

gerritbot added a project: Patch-For-Review.Mar 5 2015, 3:45 AM
Barras subscribed.Mar 5 2015, 11:41 AM
Elitre subscribed.Mar 5 2015, 1:21 PM
Krenair added a comment.Mar 5 2015, 1:37 PM
In T91416#1088758, @Mamyles wrote:

Also note that when viewing a revision, the edit summary is improperly displayed as "$7":
https://en.wikipedia.org/w/index.php?title=Education_Program:Consumer_Reports/Wikipedia_Volunteer_Corps_Course_(winter_2015)&revid=2539

https://gerrit.wikimedia.org/r/#/c/194507/

gerritbot added a comment.Mar 9 2015, 7:43 PM

Change 194448 merged by jenkins-bot:
Load anonymous users by name

https://gerrit.wikimedia.org/r/194448

Krenair mentioned this in rEEDU3e43633deb80: Load anonymous users by name.Mar 9 2015, 7:44 PM
Krenair mentioned this in rEEDU4cde10901374: Show summary instead of $7 when viewing an old EPRevision.Mar 9 2015, 7:48 PM
AndyRussG subscribed.Mar 9 2015, 8:46 PM
Diffusion mentioned this in rMEXT7aa143ec630d: Updated mediawiki/extensions Project: mediawiki/extensions/EducationProgram….Mar 11 2015, 6:28 AM
Diffusion mentioned this in rMEXTdf2c3776c92f: Updated mediawiki/extensions Project: mediawiki/extensions/EducationProgram….
Keegan closed this task as Resolved.Mar 24 2015, 4:32 AM
Keegan claimed this task.
Krenair claimed this task.Mar 24 2015, 4:50 AM
AKoval_WMF awarded a token.Mar 24 2015, 5:53 PM
csteipp added a project: Vuln-Infoleak.Aug 20 2015, 9:59 PM
csteipp edited projects, added Privacy; removed Vuln-Infoleak.
sbassett moved this task from Intake to Done on the Privacy board.Oct 16 2019, 5:42 PM
sbassett removed a project: Patch-For-Review.
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL