Page MenuHomePhabricator

suffusion_of_yellow (Suffusion of Yellow)
User

Projects

User does not belong to any projects.

Today

  • Clear sailing ahead.

Tomorrow

  • Clear sailing ahead.

Saturday

  • Clear sailing ahead.

User Details

User Since
Oct 15 2018, 6:19 PM (287 w, 3 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
Suffusion of Yellow [ Global Accounts ]

Recent Activity

Yesterday

suffusion_of_yellow created T362813: AbuseFilter editor uses wrong path for CodeEditor modules.
Wed, Apr 17, 5:59 PM · CodeEditor, AbuseFilter

Tue, Apr 16

suffusion_of_yellow added a comment to T234155: Create CheckUser-level abuse filters.

Something else that I don't think has been said: Filter log entries would need to be deleted (as in "deleted for real with no backup") after 90 days, as per the data retention policy. Not just the "details", but the whole thing. If my IP happens to fall in the same range as some LTA, I don't want want that fact recorded forever.

Tue, Apr 16, 9:28 PM · Community-Wishlist-Survey-2023, Trust-and-Safety, Epic, WMF-Legal, CheckUser, AbuseFilter, OKR-Work

Jan 28 2024

suffusion_of_yellow added a comment to T356025: A poor internet connection should not result in a HTTP 503 error.

Just tried again, this time with Chromium and the same tc settings, and the got the same error (Varnish XID 492021032). This is not a new problem; I just got around to reporting it now.

Jan 28 2024, 10:12 PM · SRE, Traffic
suffusion_of_yellow created T356025: A poor internet connection should not result in a HTTP 503 error.
Jan 28 2024, 9:58 PM · SRE, Traffic

Jan 16 2024

suffusion_of_yellow added a comment to T354315: With animations disabled clicking links in the Minerva main menu below nearby do not work.

[mediawiki/skins/MinervaNeue@master] Update checkboxHack target node

https://gerrit.wikimedia.org/r/990144

Jan 16 2024, 2:23 AM · MW-1.42-notes (1.42.0-wmf.14; 2024-01-16), Web-Team-Backlog (FY2023-24 Q3 Sprint 1), Patch-For-Review, MinervaNeue, Regression

Jan 12 2024

suffusion_of_yellow added a comment to T354315: With animations disabled clicking links in the Minerva main menu below nearby do not work.

So stepped through this with the debugger and I think I see what going on here.

Jan 12 2024, 5:59 AM · MW-1.42-notes (1.42.0-wmf.14; 2024-01-16), Web-Team-Backlog (FY2023-24 Q3 Sprint 1), Patch-For-Review, MinervaNeue, Regression

Jan 10 2024

suffusion_of_yellow added a comment to T354315: With animations disabled clicking links in the Minerva main menu below nearby do not work.

I can reproduce this on enwiki with:

Jan 10 2024, 7:58 PM · MW-1.42-notes (1.42.0-wmf.14; 2024-01-16), Web-Team-Backlog (FY2023-24 Q3 Sprint 1), Patch-For-Review, MinervaNeue, Regression

Oct 6 2023

suffusion_of_yellow added a comment to T348237: Combining throttling edit filters causes multiple false positives for single IP edits.

It looks like almost nothing has been said about private filters so far, beyond a few throttle settings. I think this task can be made public.

Oct 6 2023, 8:50 PM · SecTeam-Processed, AbuseFilter
suffusion_of_yellow added a comment to T348237: Combining throttling edit filters causes multiple false positives for single IP edits.

I set up public filter https://en.wikipedia.org/wiki/Special:AbuseFilter/1269 to test this. It currently trips on any three edits, by the same user, to the same page, within one second. It already has almost 100 hits in less than a day. I have no idea what the other users are doing, but I was able to trip it by attempting repeated identical edits:

Oct 6 2023, 8:48 PM · SecTeam-Processed, AbuseFilter

Sep 2 2023

suffusion_of_yellow added a comment to T345483: Mobile notifications are nearly invisible.

Appears to be related to 7a7e8e94b. At least, when I manually remove the !important, I get a large red square background, which is an improvement over no background at all.

Sep 2 2023, 12:12 AM · MW-1.41-notes (1.41.0-wmf.26; 2023-09-12), Web-Team-Backlog (Web Team FY2023-24 Q1 Sprint 5), Regression, MobileFrontend

Sep 1 2023

suffusion_of_yellow updated subscribers of T345483: Mobile notifications are nearly invisible.

@Jdlrobson: Could this have something to do with the Codex switchover?

Sep 1 2023, 11:50 PM · MW-1.41-notes (1.41.0-wmf.26; 2023-09-12), Web-Team-Backlog (Web Team FY2023-24 Q1 Sprint 5), Regression, MobileFrontend
suffusion_of_yellow renamed T345483: Mobile notifications are nearly invisible from Mobile notifications are nearly nearly invisible to Mobile notifications are nearly invisible.
Sep 1 2023, 11:31 PM · MW-1.41-notes (1.41.0-wmf.26; 2023-09-12), Web-Team-Backlog (Web Team FY2023-24 Q1 Sprint 5), Regression, MobileFrontend
suffusion_of_yellow created T345483: Mobile notifications are nearly invisible.
Sep 1 2023, 11:30 PM · MW-1.41-notes (1.41.0-wmf.26; 2023-09-12), Web-Team-Backlog (Web Team FY2023-24 Q1 Sprint 5), Regression, MobileFrontend

Jul 18 2023

suffusion_of_yellow added a comment to T341961: UnexpectedValueException: MapCacheLRU::has: invalid key; must be string or integer..

If anyone is looking for a quick workaround for their own scripts, adding uselang=en seems to do the trick.

Jul 18 2023, 4:03 AM · MW-1.41-notes (1.41.0-wmf.18; 2023-07-18), MediaWiki-Action-API, MediaWiki-Internationalization, Wikimedia-production-error

Jul 16 2023

suffusion_of_yellow created T341952: UnexpectedValueException: MapCacheLRU::has: invalid key; must be string or integer..
Jul 16 2023, 9:02 PM · MediaWiki-Internationalization, Wikimedia-production-error

Jun 25 2023

suffusion_of_yellow added a comment to T340068: Regular expression "х[ÿý]и" matches "х и" in Abusefilter.

When are y'all upgrading to Debian 11? That has PCRE version 10.36, and I cannot even reproduce this with 10.33.

Jun 25 2023, 9:10 PM · PHP 7.4 support, serviceops, AbuseFilter
suffusion_of_yellow added a comment to T340068: Regular expression "х[ÿý]и" matches "х и" in Abusefilter.
(async () => {
  let r = {};
Jun 25 2023, 7:50 PM · PHP 7.4 support, serviceops, AbuseFilter
suffusion_of_yellow added a comment to T340068: Regular expression "х[ÿý]и" matches "х и" in Abusefilter.

From https://github.com/php/php-src/blob/PHP-7.3.31/ext/pcre/php_pcre.c:

Jun 25 2023, 7:10 PM · PHP 7.4 support, serviceops, AbuseFilter
suffusion_of_yellow added a comment to T340068: Regular expression "х[ÿý]и" matches "х и" in Abusefilter.

But if I prefix the regex with (*NO_JIT) I get the correct result 100% of the time.

Jun 25 2023, 6:27 PM · PHP 7.4 support, serviceops, AbuseFilter
suffusion_of_yellow added a comment to T340068: Regular expression "х[ÿý]и" matches "х и" in Abusefilter.

Still getting this for GET requests, but not POST requests on enwiki, even when I throw in junk to prevent caching:

Jun 25 2023, 6:23 PM · PHP 7.4 support, serviceops, AbuseFilter
suffusion_of_yellow added a comment to T340068: Regular expression "х[ÿý]и" matches "х и" in Abusefilter.
(await (new mw.ForeignApi('https://test.wikipedia.org/w/api.php')).get({action: "abusefilterevalexpression", expression: '"aa" irlike "a[\\x{fd}\\x{ff}]"'})).abusefilterevalexpression.result
true
(await (new mw.ForeignApi('https://test.wikipedia.org/w/api.php')).post({action: "abusefilterevalexpression", expression: '"aa" irlike "a[\\x{fd}\\x{ff}]"'})).abusefilterevalexpression.result
true
(await (new mw.ForeignApi('https://en.wikipedia.org/w/api.php')).get({action: "abusefilterevalexpression", expression: '"aa" irlike "a[\\x{fd}\\x{ff}]"'})).abusefilterevalexpression.result
true
(await (new mw.ForeignApi('https://en.wikipedia.org/w/api.php')).post({action: "abusefilterevalexpression", expression: '"aa" irlike "a[\\x{fd}\\x{ff}]"'})).abusefilterevalexpression.result
false
Jun 25 2023, 5:52 PM · PHP 7.4 support, serviceops, AbuseFilter

Jun 24 2023

suffusion_of_yellow added a comment to T340068: Regular expression "х[ÿý]и" matches "х и" in Abusefilter.

Appears to be a JIT bug in some old versions of PCRE2 (and presumably "classic" PCRE, but I haven't tested):

PCRE2 version 10.32 2018-09-10
/a[\x{fd}\x{ff}]/i,utf,debug,auto_callout,jit=7
------------------------------------------------------------------
  0  63 Bra
  3     Callout 255 0 1
  9  /i a
 11     Callout 255 1 14
 17     [\xdd\xfd\xff\x{178}]
 57     Callout 255 15 0
 63  63 Ket
 66     End
------------------------------------------------------------------
Capturing subpattern count = 0
Options: auto_callout caseless utf
First code unit = 'a' (caseless)
Subject length lower bound = 2
aa
--->aa
 +0 ^      a
 +1 ^^     [\x{fd}\x{ff}]
+15 ^ ^    End of pattern
 0: aa
Jun 24 2023, 7:25 PM · PHP 7.4 support, serviceops, AbuseFilter

Jun 21 2023

suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

Thanks. Will this be a problem for a while on enwiki while the stale data is flushed out? Yes, it would be nice to do away with all those links eventually but they're everywhere...

Jun 21 2023, 5:01 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow reopened T337149: CAPTCHA required to edit any page on testwiki containing a link with no path as "Open".

Still something weird going on with protocol-relative (?) links, see https://test.wikipedia.org/wiki/Special:AbuseLog/99197 where a dummy edit apparently was seen as adding and removing about 30 links.

Jun 21 2023, 4:41 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)

Jun 16 2023

suffusion_of_yellow added a comment to T337431: Rework MediaWiki:SpamBlacklist.

Is this ready to test on testwiki? I tried to add "spamsite.com" there, and got "Save failed".

Jun 16 2023, 12:39 AM · MW-1.41-notes (1.41.0-wmf.22; 2023-08-15), Patch-For-Review, User-notice, Wikimedia-Hackathon-2023, AbuseFilter, SpamBlacklist

Jun 7 2023

suffusion_of_yellow reopened T337149: CAPTCHA required to edit any page on testwiki containing a link with no path as "Open".
Jun 7 2023, 5:19 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

I did a more thorough check at testwiki, including all supported URI schemes. There is still a problem with port numbers, see https://test.wikipedia.org/wiki/Special:AbuseLog/98932.

Jun 7 2023, 5:19 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)

Jun 6 2023

suffusion_of_yellow added a comment to T337431: Rework MediaWiki:SpamBlacklist.

@Ladsgroup: Ooooh. When you siad "interface admins" earlier did you mean users with editinterface rights? No argument there. I thought you meant editsitejs. On enwiki all admins have editinterface rights, but only handful of "interface administrators" have editsitejs rights; hence my confusion.

Jun 6 2023, 11:13 PM · MW-1.41-notes (1.41.0-wmf.22; 2023-08-15), Patch-For-Review, User-notice, Wikimedia-Hackathon-2023, AbuseFilter, SpamBlacklist

Jun 2 2023

suffusion_of_yellow added a comment to T337431: Rework MediaWiki:SpamBlacklist.

It looks like there are over 1000 regexes doing something more complex than matching a single domain:

Jun 2 2023, 11:06 PM · MW-1.41-notes (1.41.0-wmf.22; 2023-08-15), Patch-For-Review, User-notice, Wikimedia-Hackathon-2023, AbuseFilter, SpamBlacklist
suffusion_of_yellow added a comment to T337431: Rework MediaWiki:SpamBlacklist.

Some more questions:

Jun 2 2023, 9:49 PM · MW-1.41-notes (1.41.0-wmf.22; 2023-08-15), Patch-For-Review, User-notice, Wikimedia-Hackathon-2023, AbuseFilter, SpamBlacklist
suffusion_of_yellow added a comment to T337431: Rework MediaWiki:SpamBlacklist.

This is not true (at least on enwiki), for the "disallow" action; a filter set to true will stop 100% of edits, until it is disabled. And this is a good thing, because sometimes when we're being attacked by proxies, the attacker's edits make up a substantial portion of recentchanges.

Please look at AbuseFilterEmergencyDisableThreshold configuration. I don't know where are you getting this but it exists.

Jun 2 2023, 7:42 PM · MW-1.41-notes (1.41.0-wmf.22; 2023-08-15), Patch-For-Review, User-notice, Wikimedia-Hackathon-2023, AbuseFilter, SpamBlacklist
suffusion_of_yellow added a comment to T337431: Rework MediaWiki:SpamBlacklist.

I have notified WP:EFN and WT:SBL of this task.

Jun 2 2023, 7:21 PM · MW-1.41-notes (1.41.0-wmf.22; 2023-08-15), Patch-For-Review, User-notice, Wikimedia-Hackathon-2023, AbuseFilter, SpamBlacklist
suffusion_of_yellow added a comment to T337431: Rework MediaWiki:SpamBlacklist.

You should use abusefilter for that. It has added_links variable for that.

Jun 2 2023, 7:12 PM · MW-1.41-notes (1.41.0-wmf.22; 2023-08-15), Patch-For-Review, User-notice, Wikimedia-Hackathon-2023, AbuseFilter, SpamBlacklist
suffusion_of_yellow added a comment to T337431: Rework MediaWiki:SpamBlacklist.

Q1: How will this work when it's not a simple block of a single domain? For example, the global blacklist blocks any occurrence of "sexcam", "online-casino", and many other words anywhere in the domain.

Jun 2 2023, 6:31 PM · MW-1.41-notes (1.41.0-wmf.22; 2023-08-15), Patch-For-Review, User-notice, Wikimedia-Hackathon-2023, AbuseFilter, SpamBlacklist

May 31 2023

suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

No problems on test2wiki.

May 31 2023, 7:58 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)

May 30 2023

suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

When does test2wiki update to wmf11? I want to be sure these changes cause anything unexpected at READ_OLD wikis, or we'll be dealing with issues at enwiki on Thursday.

May 30 2023, 8:49 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

Wait. Also mailto: links, see the reversed URL in https://test.wikipedia.org/wiki/Special:AbuseLog/98828

May 30 2023, 8:46 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

FWIW IPv6 links are fairly common on enwiki, as they're built into various "user info" templates, see https://en.wikipedia.org/w/index.php?title=Wikipedia:Administrator_intervention_against_vandalism/TB2&oldid=1157765051 for example. I have no idea how common port numbers are.

May 30 2023, 8:42 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

@Ladsgroup: Thanks. Tested this again, and most of the listed problems have been fixed. But I still trip AbuseFilter, SpamBlacklist and ConfirmEdit when I edit a page containing a link with a port number, see https://test.wikipedia.org/wiki/Special:AbuseLog/98826. I also discovered a new problem with IPv6 links; see https://test.wikipedia.org/wiki/Special:AbuseLog/98822.

May 30 2023, 7:16 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)

May 27 2023

suffusion_of_yellow added a comment to T337071: VisualEdtor and 2017 text editor should make "editingold" notice more visible.

(By the way, just look at all this text in the screenshots… ain't nobody reading all that. I had to resize the browser just to show the two messages I am describing. The notice about old revisions is not the only problem here. As long as there is just so much useless text, people will not read it, and will miss the important messages, even if – especially if! – we make them even bigger.)

May 27 2023, 7:32 PM · MediaWiki-Editnotice, Verified, MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), Editing-team (Kanban Board), VisualEditor-MediaWiki-2017WikitextEditor, VisualEditor
suffusion_of_yellow updated subscribers of T337633: Empty message 'editnotice-notext' is visible as an edit notice in VisualEditor and mobile apps.

Also reported at enwiki VPT.

May 27 2023, 7:23 PM · Skipped QA, MW-1.41-notes (1.41.0-wmf.11; 2023-05-30), Editing-team (Kanban Board), Regression, VisualEditor

May 23 2023

suffusion_of_yellow updated the task description for T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.
May 23 2023, 8:43 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T312666: Remove duplication in externallinks table.

Please see T337149 before deploying this to any more wikis. SCHEMA_COMPAT_READ_NEW is causing major problems with ConfirmEdit, AbuseFilter, and SpamBlacklist.

May 23 2023, 7:59 PM · MW-1.41-notes (1.41.0-wmf.26; 2023-09-12), Patch-For-Review, MediaWiki-Page-derived-data, DBA
suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

I can confirm that SpamBlacklist is affected by this too. This blacklist hit was triggered by attempting to add https://example.com to a page already containing https://spam.site. Not sure why the tags were removed.

May 23 2023, 7:50 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)

May 21 2023

suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

Yes, AbuseFilter is affected by this, see the incorrect added_links and removed_links in my comment above. Any extension that uses getExternalLinksForPage will need to be updated, if the plan really is to do away with el_to.

May 21 2023, 12:10 AM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)

May 20 2023

suffusion_of_yellow added projects to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path: AbuseFilter, SpamBlacklist.
May 20 2023, 11:54 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

And it gets worse. This also happen with:

May 20 2023, 11:53 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

But that makes it impossible to know if the path was "/" or empty, and the original URL can't be recovered, except from el_to which I gather from T312666 you plan on getting rid of.

May 20 2023, 11:15 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow renamed T337149: CAPTCHA required to edit any page on testwiki containing a link with no path from CAPTCHA required to edit any page containing a link on testwiki to CAPTCHA required to edit any page on testwiki containing a link with no path.
May 20 2023, 10:11 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

Oh here we go:

// T312666
'wgExternalLinksSchemaMigrationStage' => [
        'default' => SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_OLD,
        'testwiki' => SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW,
        'mediawikiwiki' => SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW,
        'fawikiquote' => SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW,
],
May 20 2023, 10:07 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow updated subscribers of T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

Could this have something to do with T326251 and e06f77134defc?

May 20 2023, 9:51 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

This even affects prop=extlinks:

May 20 2023, 9:07 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.

Seems to affect more than just the ConfirmEdit. Check out this abuse log hit:

May 20 2023, 8:38 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow created T337149: CAPTCHA required to edit any page on testwiki containing a link with no path.
May 20 2023, 8:32 PM · MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), DBA, ConfirmEdit (CAPTCHA extension)
suffusion_of_yellow added a comment to T337071: VisualEdtor and 2017 text editor should make "editingold" notice more visible.

That would be better than nothing; and if it's easy enough to do while we are discussing better solutions, go for it. If it can also be given the same styling as with the 2010 interface (seems to come from classes mw-message-box mw-message-box-warning), that would also help. But the main problem is that the alerts disappear when you click anywhere else on the screen.

May 20 2023, 7:37 PM · MediaWiki-Editnotice, Verified, MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), Editing-team (Kanban Board), VisualEditor-MediaWiki-2017WikitextEditor, VisualEditor

May 19 2023

suffusion_of_yellow created T337071: VisualEdtor and 2017 text editor should make "editingold" notice more visible.
May 19 2023, 11:09 PM · MediaWiki-Editnotice, Verified, MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), Editing-team (Kanban Board), VisualEditor-MediaWiki-2017WikitextEditor, VisualEditor

Feb 5 2023

suffusion_of_yellow added a comment to T328875: Incorrect thumbnail being returned by drmrs, eqiad and esams.

This seems to depend on the IP I connect to:

Feb 5 2023, 10:22 PM · serviceops, Thumbor

Jan 18 2023

suffusion_of_yellow added a comment to T285159: CVE-2023-29141: X-Forwarded-For header allows brute-forcing autoblocked IP addresses.

Haven't tested it, but nothing obviously wrong with the latest patch. I don't claim to understand the blocking code all that well though.

Jan 18 2023, 9:24 PM · SRE, Vuln-Misconfiguration, Platform Engineering, SecTeam-Processed, User-jbond, MediaWiki-General, Security, Security-Team

Jan 16 2023

suffusion_of_yellow added a comment to T327122: Web interface and API give different abuse log details when using formatversion=1.

Thanks, that does it. Was it really always this way?

Jan 16 2023, 11:05 PM · Regression, AbuseFilter
suffusion_of_yellow created T327122: Web interface and API give different abuse log details when using formatversion=1.
Jan 16 2023, 10:29 PM · Regression, AbuseFilter

Jan 6 2023

suffusion_of_yellow added a comment to T285159: CVE-2023-29141: X-Forwarded-For header allows brute-forcing autoblocked IP addresses.

Bumping this. It's been 18 months now. If this were being exploited in the wild, would anyone even know?

Jan 6 2023, 8:09 PM · SRE, Vuln-Misconfiguration, Platform Engineering, SecTeam-Processed, User-jbond, MediaWiki-General, Security, Security-Team

Dec 12 2022

suffusion_of_yellow updated subscribers of T325019: Wrong error message when undo fails because of a merge conflict.
Dec 12 2022, 8:35 PM · MW-1.40-notes (1.40.0-wmf.17; 2023-01-02), MediaWiki-General
suffusion_of_yellow created T325019: Wrong error message when undo fails because of a merge conflict.
Dec 12 2022, 8:31 PM · MW-1.40-notes (1.40.0-wmf.17; 2023-01-02), MediaWiki-General

Nov 1 2022

suffusion_of_yellow added a comment to T264104: Verify AbuseFilter code that claims to share and re-use ParserOutput from core.

One year later, now that T288707 is resolved, it seems that we're indeed parsing stuff twice.

Nov 1 2022, 4:57 AM · Wikimedia-Performance-recommendation, MW-1.41-notes (1.41.0-wmf.19; 2023-07-25), Platform Team Workboards (Clinic Duty Team), AbuseFilter

Jul 18 2022

suffusion_of_yellow added a comment to T313163: AbuseFilter API "aflprop=details" should allow querying finer grained variables.

Supporting brotli compression (T137979), at least for API, might also help here.

Jul 18 2022, 7:19 PM · Patch-For-Review, AbuseFilter
suffusion_of_yellow added a comment to T313163: AbuseFilter API "aflprop=details" should allow querying finer grained variables.

So, something like the iiextmetadatafilter parameter for prop=imageinfo? I agree this would be useful. A typical filter hit is around 100 KB, and some filters on enwiki get tens of thousands of hits in a year. It would be nice to find out which parts of the filter are actually matching anything, without downloading gigabytes of data.

Jul 18 2022, 7:18 PM · Patch-For-Review, AbuseFilter
suffusion_of_yellow created T313258: AbuseFilter statistics wildly inaccurate after saving filter.
Jul 18 2022, 6:44 PM · TestMe, AbuseFilter

May 16 2022

suffusion_of_yellow added a comment to T306660: [Goal] Table of contents on narrow screens in vector-2022.

@suffusion_of_yellow , no, that's not true. Narrow screen doesn't mean mobile screen. Vector (intentionally) doesn't define a viewport, so users there will never get a narrow screen. Users on a mobile device will continue to see the desktop site with a desktop viewport zoomed out like so:

May 16 2022, 7:52 PM · Web-Team-Backlog (Kanbanana-2022-23-Q1), Desktop Improvements (Vector 2022)
suffusion_of_yellow added a comment to T306660: [Goal] Table of contents on narrow screens in vector-2022.

Something to remember: People using Vector on "narrow screens" are likely to be mobile users who dislike the (Minerva) mobile site. So a "solution" that makes Vector more like Minerva (e.g. collapsed sections) is exactly the wrong one. That would leave no escape, except logging in from every device, and every private tab, just to read a page.

May 16 2022, 7:05 PM · Web-Team-Backlog (Kanbanana-2022-23-Q1), Desktop Improvements (Vector 2022)

Mar 29 2022

suffusion_of_yellow added a comment to T305011: Simple regular expression fails on 10000 character string.

Original thread was here. I'm trying to find if something occurs inside a table with an "Album" heading:

Mar 29 2022, 11:23 PM · AbuseFilter
suffusion_of_yellow created T305011: Simple regular expression fails on 10000 character string.
Mar 29 2022, 10:12 PM · AbuseFilter

Jan 29 2022

suffusion_of_yellow added a comment to T223195: Invalid IPv6 URL on page causes all non-autoconfirmed edits to trigger CAPTCHA.

And another one: http://Draft:Getscreen.me. I got a CAPTCHA (from a non-AC account) even for a null edit on Wikipedia:Teahouse until I made this change.

Jan 29 2022, 3:45 AM · ConfirmEdit (CAPTCHA extension)

Dec 8 2021

suffusion_of_yellow added a comment to T295429: "You have new messages" alert not showing on testwiki when logged out.

I tried again on testwiki, enwiktionary, and enwikinews, and got an alert every time. Thanks for fixing this! Now where do we talk about disabling LiquidThreads on all WMF wikis?

Dec 8 2021, 10:45 PM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), Web-Team-Backlog (Kanbanana-FY-2021-22), MobileFrontend, Notifications

Nov 23 2021

suffusion_of_yellow updated subscribers of T296349: Session not created on VoteWiki when using desktop site with a mobile user agent.
Nov 23 2021, 10:11 PM · MediaWiki-Platform-Team, MediaWiki-extensions-CentralAuth, Mobile, MediaWiki-extensions-SecurePoll
suffusion_of_yellow created T296349: Session not created on VoteWiki when using desktop site with a mobile user agent.
Nov 23 2021, 10:09 PM · MediaWiki-Platform-Team, MediaWiki-extensions-CentralAuth, Mobile, MediaWiki-extensions-SecurePoll

Nov 20 2021

suffusion_of_yellow added a project to T296137: Blocked users should not be able to view private filters: AbuseFilter.
Nov 20 2021, 8:03 PM · MW-1.40-notes (1.40.0-wmf.7; 2022-10-24), SecTeam-Processed, Vuln-MissingAuthz, AbuseFilter, Security
suffusion_of_yellow created T296137: Blocked users should not be able to view private filters.
Nov 20 2021, 8:02 PM · MW-1.40-notes (1.40.0-wmf.7; 2022-10-24), SecTeam-Processed, Vuln-MissingAuthz, AbuseFilter, Security

Nov 12 2021

suffusion_of_yellow added a comment to T295429: "You have new messages" alert not showing on testwiki when logged out.

It's installed but at Special:Version it's spelled "Liquid Threads" instead of "LiquidThreads". And I get no message bar. You can see the full list at https://noc.wikimedia.org/conf/highlight.php?file=InitialiseSettings.php. EIther wmgUseLiquidThreads or wmgLiquidThreadsFrozen force the extension to load.

Nov 12 2021, 9:00 PM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), Web-Team-Backlog (Kanbanana-FY-2021-22), MobileFrontend, Notifications
suffusion_of_yellow updated subscribers of T295429: "You have new messages" alert not showing on testwiki when logged out.

Maybe some extension/feature only enabled on testwiki is interfering? No idea what that could be.

Nov 12 2021, 8:45 PM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), Web-Team-Backlog (Kanbanana-FY-2021-22), MobileFrontend, Notifications

Nov 11 2021

suffusion_of_yellow updated subscribers of T284642: Add yellow talk page message banner to non-main namespace pages on mobile.

First, @bwang and @ovasileva (and anyone else I've missed) thank you for implementing this! As you might know it's long been a pet peeve of mine.

Nov 11 2021, 8:10 PM · User-notice-archive, Patch-For-Review, MW-1.38-notes (1.38.0-wmf.7; 2021-11-02), MobileFrontend, MinervaNeue, Web-Team-Backlog (Kanbanana-FY-2021-22)
suffusion_of_yellow reopened T295429: "You have new messages" alert not showing on testwiki when logged out as "Open".

(Unless you experience this on an uncached view - you can tell apart cached views from the response headers having X-Cache-Status: hit or something similar vs. miss or pass on uncached views. Please reopen if you see this on an uncached view.)

Nov 11 2021, 7:34 PM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), Web-Team-Backlog (Kanbanana-FY-2021-22), MobileFrontend, Notifications
suffusion_of_yellow reopened T295429: "You have new messages" alert not showing on testwiki when logged out, a subtask of T284642: Add yellow talk page message banner to non-main namespace pages on mobile, as Open.
Nov 11 2021, 7:33 PM · User-notice-archive, Patch-For-Review, MW-1.38-notes (1.38.0-wmf.7; 2021-11-02), MobileFrontend, MinervaNeue, Web-Team-Backlog (Kanbanana-FY-2021-22)
suffusion_of_yellow updated the task description for T295429: "You have new messages" alert not showing on testwiki when logged out.
Nov 11 2021, 7:31 PM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), Web-Team-Backlog (Kanbanana-FY-2021-22), MobileFrontend, Notifications

Nov 10 2021

suffusion_of_yellow created T295429: "You have new messages" alert not showing on testwiki when logged out.
Nov 10 2021, 12:15 AM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), Web-Team-Backlog (Kanbanana-FY-2021-22), MobileFrontend, Notifications

Oct 8 2021

1234qwer1234qwer4 awarded T289385: Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045) a The World Burns token.
Oct 8 2021, 4:25 PM · MW-1.38-notes (1.38.0-wmf.3; 2021-10-05), SecTeam-Processed, MediaWiki-extensions-SecurePoll, Vuln-XSS, Security, Security-Team

Oct 7 2021

AntiCompositeNumber awarded T289385: Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045) a Yellow Medal token.
Oct 7 2021, 9:19 PM · MW-1.38-notes (1.38.0-wmf.3; 2021-10-05), SecTeam-Processed, MediaWiki-extensions-SecurePoll, Vuln-XSS, Security, Security-Team

Oct 2 2021

suffusion_of_yellow added a comment to T291481: Determine approach for notifications for IP Editors on Android.

Thanks @Dbrant for getting to this!

Oct 2 2021, 9:08 PM · Wikipedia-Android-App-Backlog (Android Release - FY2023-24)

Aug 20 2021

Platonides awarded T289385: Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045) a Barnstar token.
Aug 20 2021, 11:08 PM · MW-1.38-notes (1.38.0-wmf.3; 2021-10-05), SecTeam-Processed, MediaWiki-extensions-SecurePoll, Vuln-XSS, Security, Security-Team
suffusion_of_yellow added projects to T289385: Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045): Vuln-XSS, MediaWiki-extensions-SecurePoll.
Aug 20 2021, 10:19 PM · MW-1.38-notes (1.38.0-wmf.3; 2021-10-05), SecTeam-Processed, MediaWiki-extensions-SecurePoll, Vuln-XSS, Security, Security-Team
suffusion_of_yellow created T289385: Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045).
Aug 20 2021, 10:18 PM · MW-1.38-notes (1.38.0-wmf.3; 2021-10-05), SecTeam-Processed, MediaWiki-extensions-SecurePoll, Vuln-XSS, Security, Security-Team

Jul 27 2021

suffusion_of_yellow created T287542: API action=parse&prop=headhtml leaking user tokens and other private info in cross-origin requests (again).
Jul 27 2021, 11:53 PM · SecTeam-Processed, Platform Engineering, Regression, Vuln-Infoleak, Vuln-CSRF, MediaWiki-Action-API, Security, Security-Team

Jul 4 2021

suffusion_of_yellow created T286140: AbuseLog no longer recording revids of saved edits.
Jul 4 2021, 12:09 AM · MW-1.37-notes (1.37.0-wmf.15; 2021-07-19), User-DannyS712, Regression, AbuseFilter

Jun 22 2021

suffusion_of_yellow added a comment to T285159: CVE-2023-29141: X-Forwarded-For header allows brute-forcing autoblocked IP addresses.

Do all the "trusted" proxies strip out existing XFF headers? I thought they usually just append another address.

Jun 22 2021, 7:04 PM · SRE, Vuln-Misconfiguration, Platform Engineering, SecTeam-Processed, User-jbond, MediaWiki-General, Security, Security-Team

Jun 21 2021

suffusion_of_yellow added a comment to T285159: CVE-2023-29141: X-Forwarded-For header allows brute-forcing autoblocked IP addresses.

In my opinion, just ignoring autoblocks for non-trusted headers won't be hugely harmful. If the vandal was using a proxy in the first place, then it's the proxy that will get hit by the autoblock, not the real IP. So the "abuse" scenario is:

Jun 21 2021, 7:21 PM · SRE, Vuln-Misconfiguration, Platform Engineering, SecTeam-Processed, User-jbond, MediaWiki-General, Security, Security-Team

Jun 18 2021

suffusion_of_yellow created T285159: CVE-2023-29141: X-Forwarded-For header allows brute-forcing autoblocked IP addresses.
Jun 18 2021, 9:25 PM · SRE, Vuln-Misconfiguration, Platform Engineering, SecTeam-Processed, User-jbond, MediaWiki-General, Security, Security-Team

Jun 8 2021

suffusion_of_yellow added a comment to T276149: Android application sometimes falsely claims that an user account is blocked.

(All this also applies to T276147. Only responding in one place.)

Jun 8 2021, 11:17 PM · Wikipedia-Android-App-Backlog
suffusion_of_yellow added a comment to T276147: Android application does not show block messages.

See T276149#7144054. (Should these tasks be merged...?) With 2.7.50362-beta-2021-06-04, the block message is there now, but it's not parsed. @Dbrant implied there might a newer version that does parse the message, but I can't find it.

Jun 8 2021, 8:46 PM · Wikipedia-Android-App-Backlog (Android Release FY2020-21)
suffusion_of_yellow added a comment to T276149: Android application sometimes falsely claims that an user account is blocked.

@Dbrant: That link is a 404 but I tested on 2.7.50362beta-2021-06-04, which is the latest on https://releases.wikimedia.org/mobile/android/wikipedia/betas

Jun 8 2021, 8:40 PM · Wikipedia-Android-App-Backlog

May 28 2021

suffusion_of_yellow added a comment to T276149: Android application sometimes falsely claims that an user account is blocked.

! In T276149#7122539, @Dbrant wrote:

May 28 2021, 6:45 PM · Wikipedia-Android-App-Backlog

May 27 2021

suffusion_of_yellow added a comment to T276149: Android application sometimes falsely claims that an user account is blocked.

Tested in 2.7.50359-alpha-2021-05-27 on testwiki

May 27 2021, 11:27 PM · Wikipedia-Android-App-Backlog