In T9061#183507, @Reception123 wrote:
- It is yes, this can be seen via LS.php
- Is set to true by default and unmodified for MH
- Yes, 'mhglobal' is the global blocking DB
- Those are the only two settings we have different than the defaults.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed Advanced Search
Advanced Search
Advanced Search
Apr 12 2022
Apr 12 2022
In T9061#183509, @Reception123 wrote:The issue will have to be tested on a test wiki by applying a global block to an IP and identifying potential extensions and them being disabled/enabled until we can conclude which one is causing it.
Apr 11 2022
Apr 11 2022
Not seen since backups disabled
In T9061#183509, @Reception123 wrote:The issue will have to be tested on a test wiki by applying a global block to an IP and identifying potential extensions and them being disabled/enabled until we can conclude which one is causing it.
In T9061#183454, @Universal_Omega wrote:I thought this could've happened if the globalblock-whitelist right was given, but according to Special:ListGroupRights, * does not have that. So that doesn't seem to be the case, and I'm personally not certain how this was done, unless I'm missing something here.
That's already been tried before and mitigated against.
Status?
The issue will have to be tested on a test wiki by applying a global block to an IP and identifying potential extensions and them being disabled/enabled until we can conclude which one is causing it.
- It is yes, this can be seen via LS.php
- Is set to true by default and unmodified for MH
- Yes, 'mhglobal' is the global blocking DB
- Those are the only two settings we have different than the defaults.
This may or may not be of interest to @Owen, but adding him nonetheless in his Trust and Safety and Board capacities, so he can at least view the task, for a question I've asked him in our #trust-safety channel on Discord
Unknown Object (User) edited projects for T9061: CreateRedirect has weak (no?) permissions checks, added: MediaWiki; removed Extensions.
If this turns out to be an actual issue, something to check is if ApiEditPage actually checks for global blocks. Which means this may potentially be a core vulnerability, if it is one.
In T9061#183454, @Universal_Omega wrote:I thought this could've happened if the globalblock-whitelist right was given, but according to Special:ListGroupRights, * does not have that. So that doesn't seem to be the case, and I'm personally not certain how this was done, unless I'm missing something here.
Unknown Object (User) added a comment to T9061: CreateRedirect has weak (no?) permissions checks.
Also why would bypasstoscheck have absolutely anything to do with GlobalBlocking? I don't see how, and it seems extremely unlikely it would, since that is for sign up pages, and this issue is an anonymous user.
Unknown Object (User) moved T9061: CreateRedirect has weak (no?) permissions checks from Actions Needed (Review) to Deployed Extension Bugs on the Extensions board.
Unknown Object (User) added a comment to T9061: CreateRedirect has weak (no?) permissions checks.
I thought this could've happened if the globalblock-whitelist right was given, but according to Special:ListGroupRights, * does not have that. So that doesn't seem to be the case, and I'm personally not certain how this was done, unless I'm missing something here.
Dmehus moved T9061: CreateRedirect has weak (no?) permissions checks from Backlog to In Progress on the Configuration board.
Dmehus moved T9061: CreateRedirect has weak (no?) permissions checks from Backlog to Actions Needed (Review) on the Extensions board.
Dmehus moved T9061: CreateRedirect has weak (no?) permissions checks from Backlog to Short Term on the MediaWiki (SRE) board.
Dmehus moved T9061: CreateRedirect has weak (no?) permissions checks from Backlog to External on the Trust & Safety board.
Dmehus renamed T9061: CreateRedirect has weak (no?) permissions checks from Investigate why global block for 148.74.235.89 not effective on `wikiweewiki` to Investigate why global block for 148.74.235.89 not effective on wikiweewiki.
Adding @Raidarr this way since I can't added him via the "Change subscribers" field
Apr 9 2022
Apr 9 2022
Unknown Object (User) added a comment to T9049: PHP-FPM issues.
test101 having the issues also seemed very strange to me seeing as how it currently didn't even work, as it is down right now.
In T9049#183324, @RhinosF1 wrote:In T9049#183296, @MacFan4000 wrote:There is a bit of a pattern with these outages, both times test101 was also affected, and both times it was at the same time of day. (roughly 8:00 PM EST/0:00 UTC)
I'm not sure how related test101's issues are.
This was an observation made by @Universal_Omega
In T9049#183296, @MacFan4000 wrote:There is a bit of a pattern with these outages, both times test101 was also affected, and both times it was at the same time of day. (roughly 8:00 PM EST/0:00 UTC)
It's very strange to happen exact same time.
I've had a quick glance through traffic patterns and there's no spike in actual requests. It must be something being accessed but no hint as to what.
Unknown Object (User) added a comment to T9049: PHP-FPM issues.
In T9049#183315, @RhinosF1 wrote:This is a DOS
Unknown Object (User) updated subscribers of T9049: PHP-FPM issues.
https://grafana.miraheze.org/d/dsHv5-4nz/mediawiki?orgId=1&from=1649366728843&to=1649489031546 shows a ten-fold jump in connections active at the same time
This is a DOS
Apr 8 2022
Apr 8 2022
Unknown Object (User) claimed T8949: Name field needs to be blanked out with RemovePII extension.
Apr 3 2022
Apr 3 2022
John closed T8810: QuizGame: Administrative API module lets unauthenticated requests through as Resolved.
John changed the visibility for T8448: Private wiki pages can leak via Special:Preferences signature preview.
John changed the visibility for T8147: Possible GDPR compliance issue with the way in which MediaWiki adds edit summaries for file uploads.
Apr 2 2022
Apr 2 2022
Dmehus added a comment to T9018: POST request does not check registered status for RequestWiki comments.
In T9018#182556, @RhinosF1 wrote:No
RhinosF1 added a comment to T9018: POST request does not check registered status for RequestWiki comments.
No
Dmehus added a comment to T9018: POST request does not check registered status for RequestWiki comments.
In T9018#182554, @RhinosF1 wrote:Still waiting for GitHub to issue the CVE
RhinosF1 added a comment to T9018: POST request does not check registered status for RequestWiki comments.
Still waiting for GitHub to issue the CVE
Dmehus added a comment to T9018: POST request does not check registered status for RequestWiki comments.
In T9018#182551, @RhinosF1 wrote:
RhinosF1 renamed T9018: POST request does not check registered status for RequestWiki comments from Locked user reopened wiki request to POST request does not check registered status for RequestWiki comments.
John closed T9018: POST request does not check registered status for RequestWiki comments as Resolved.
Mar 29 2022
Mar 29 2022
Silicona updated the task description for T9006: Miraheze error 012-1004 "SSL connection failed" on Nintendo 3DS models..
Mar 28 2022
Mar 28 2022
I'm proposing that since no one figured this out until now, a solution that wouldn't require extension changes (which I feel aren't necessary since there's been no occurrences of abuse) is to use wgRevokePermissions. As to not give anything away before being merged, I will merge the PR immediately after CI checks.
In T8990#182067, @Zppix wrote:In T8990#181927, @Reception123 wrote:Lowering priority since this has been the case since 2018 apparently with no issue so I don't see why 4 years later it would be high.
When you create the task it gets assigned that for some reason.
Mar 27 2022
Mar 27 2022
In T8990#181927, @Reception123 wrote:Lowering priority since this has been the case since 2018 apparently with no issue so I don't see why 4 years later it would be high.
Mar 26 2022
Mar 26 2022
Spoke with @Paladox and no further action is needed on this task.
@RhinosF1 Do we still need this task open since the incident has passed?
Reception123 lowered the priority of T8990: Requesting wikis ignores if user is blocked. from High to Normal.
Lowering priority since this has been the case since 2018 apparently with no issue so I don't see why 4 years later it would be high.
Mar 25 2022
Mar 25 2022
Slightly different issue (I'd raise it elsewhere but I have a meeting I need to get to), but it appears that restricting view access to require "delete" permissions does not work, only restricting access to "createwiki" (I have not checked os).
I'm far less worried about that. It's never caused an issue and it's fairly easy to lock an account. We block 1000s of proxies and can easily block more to reduce the risk of people being able to just change IP.
Unknown Object (User) added a comment to T8990: Requesting wikis ignores if user is blocked..
In T8990#181906, @RhinosF1 wrote:In T8990#181905, @Universal_Omega wrote:In T8990#181904, @John wrote:In T8990#181902, @RhinosF1 wrote:@John, @Universal_Omega: is this intended or?
It was removed in early 2018 with a rewrite as we didn’t want meta blocks to influence someone’s ability to request wikis or engage in wiki requests.
I think we should have it check for global blocks only, not local meta blocks I guess, if it doesn't?
If you are globally blocked (from your IP), you can't create an account. If you don't have an account, you can't request a wiki.
In T8990#181905, @Universal_Omega wrote:In T8990#181904, @John wrote:In T8990#181902, @RhinosF1 wrote:@John, @Universal_Omega: is this intended or?
It was removed in early 2018 with a rewrite as we didn’t want meta blocks to influence someone’s ability to request wikis or engage in wiki requests.
I think we should have it check for global blocks only, not local meta blocks I guess, if it doesn't?
Unknown Object (User) added a comment to T8990: Requesting wikis ignores if user is blocked..
In T8990#181904, @John wrote:In T8990#181902, @RhinosF1 wrote:@John, @Universal_Omega: is this intended or?
It was removed in early 2018 with a rewrite as we didn’t want meta blocks to influence someone’s ability to request wikis or engage in wiki requests.
In T8990#181902, @RhinosF1 wrote:@John, @Universal_Omega: is this intended or?
It doesn't seem to have any check for blocks.
In T8990#181900, @Reception123 wrote:@Zppix you mean comment on requests or also create new ones?
It seems interact in general.
@Zppix you mean comment on requests or also create new ones?
Mar 23 2022
Mar 23 2022
NCSC are aware
blocked at firewall level globally, let's keep an eye.
Mar 19 2022
Mar 19 2022
Mar 18 2022
Mar 18 2022
Unknown Object (User) added a comment to T8949: Name field needs to be blanked out with RemovePII extension.
Mar 17 2022
Mar 17 2022
Reception123 shifted T8949: Name field needs to be blanked out with RemovePII extension from the Restricted Space space to the S1 Public space.
Reception123 changed the visibility for T8949: Name field needs to be blanked out with RemovePII extension.
Reception123 changed the visibility for T8949: Name field needs to be blanked out with RemovePII extension.
Reception123 shifted T8949: Name field needs to be blanked out with RemovePII extension from the S1 Public space to the Restricted Space space.
Dmehus added a project to T8949: Name field needs to be blanked out with RemovePII extension: Security.
Reception123 added a comment to T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments.
Has anyone actually reported this upstream? If not I will do so and then proceed to close the task per John's comments
Mar 13 2022
Mar 13 2022
Dmehus lowered the priority of T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments from High to Normal.
Lowering priority on this, given that users cannot view the suppression log.
John added a comment to T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments.
In T8928#180522, @Dmehus wrote:In T8928#180521, @John wrote:In T8928#180519, @Dmehus wrote:In T8928#180516, @Agent_Isai wrote:This is something not fixable by us so assigning upstream tag
That's fair. Thanks. No objection to changing the status to stalled on upstream fix, but I would oppose declining or closing as invalid.
It is actually convention to close upstream tasks that we have no influence over as invalid unless the implementation would require direct action by us in one form or another
That's fair. There's far more invalid tasks, than stalled ones. Any objections to using the stalled reason in this case, on a non-precedent setting basis?
Dmehus added a comment to T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments.
In T8928#180521, @John wrote:In T8928#180519, @Dmehus wrote:In T8928#180516, @Agent_Isai wrote:This is something not fixable by us so assigning upstream tag
That's fair. Thanks. No objection to changing the status to stalled on upstream fix, but I would oppose declining or closing as invalid.
It is actually convention to close upstream tasks that we have no influence over as invalid unless the implementation would require direct action by us in one form or another
John added a comment to T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments.
In T8928#180519, @Dmehus wrote:In T8928#180516, @Agent_Isai wrote:This is something not fixable by us so assigning upstream tag
That's fair. Thanks. No objection to changing the status to stalled on upstream fix, but I would oppose declining or closing as invalid.
Dmehus added a comment to T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments.
In T8928#180516, @Agent_Isai wrote:This is something not fixable by us so assigning upstream tag
Agent_Isai added a project to T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments: Upstream.
This is something not fixable by us so assigning upstream tag
Dmehus added a comment to T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments.
In T8928#180510, @RhinosF1 wrote:This isn't a security issue. Comments aren't meant to be restored. Personally, having a private log is probably better than permanent deletion.
Whether this is hacky or appropriate and what's a good UI/X is a debate for upstream.
RhinosF1 closed T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments as Invalid.
This isn't a security issue. Comments aren't meant to be restored. Personally, having a private log is probably better than permanent deletion.
RhinosF1 changed the visibility for T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments.
RhinosF1 added a comment to T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments.
As far as I can tell, there is only 1 level of deletion for comments. I'd assume they are never meant to be restored which is why suppression is used.
RhinosF1 added a comment to T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments.
Can you please place in a private paste exactly what was in the log
RhinosF1 added a comment to T8928: CommentStreams extension provides normal administrators and/or users the ability to suppress comments.
Exactly how?