Last modified: 2008-02-05 02:34:26 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T14660, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 12660 - Users who request accounts are sent an administrator's IP address by e-mail


Summary:	Users who request accounts are sent an administrator's IP address by e-mail

Status:	RESOLVED FIXED

Product:	MediaWiki
Classification:	Unclassified
Component:	User login and signup (Other open bugs)
Version:	unspecified
Hardware:	All All

Importance:	Normal major (vote)
Target Milestone:	---
Assigned To:	Nobody - You can work on this!

URL:
Whiteboard:
Keywords:	patch, patch-need-review

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2008-01-17 08:46 UTC by Gurch
Modified:	2008-02-05 02:34 UTC (History)
CC List:	5 users (show)

See Also:
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
If logged-in user is creating an account by e-mail, put their username in the confirmation email instead of their IP address. (620 bytes, patch) 2008-01-17 08:59 UTC, Fran Rogers	Details
Add an attachment (proposed patch, testcase, etc.)

Description Gurch 2008-01-17 08:46:11 UTC

On the English Wikipedia, anonymous users who want accounts but can't create them themselves (because the name is too similar or account creation is disabled from their IP address) can request them at http://en.wikipedia.org/wiki/WP:ACC whereupon a trusted user will create the account via the "by e-mail" button on the account creation form.

Once they have done so, the user requesting the account recieves an automated e-mail, which looks like this:

  The account "[name]" has been created on Wikipedia for you.

  You have been given a temporary password "[password]". Please log in with these credentials where you will be prompted to change your password.

  This account was created by someone at [IP address]. You may ignore this message if it was created in error.

That IP address is the IP address of whoever *created the account* -- an administrator or other trusted user. Since the username of whoever handled the request can be found in the page history, the two can be connected. Thus anyone who handles an account creation request is sending their IP address to the requestee.

Can this be avoided somehow?

Comment 1 Fran Rogers 2008-01-17 08:59:19 UTC

Created attachment 4553 [details]
If logged-in user is creating an account by e-mail, put their username in the confirmation email instead of their IP address.

Comment 2 Gurch 2008-01-17 09:03:23 UTC

Should also change the text of the e-mail (wherever that's stored) so it makes sense with a username there instead of an IP address (remove the "someone at").

Comment 3 Carl Fürstenberg 2008-02-05 00:29:24 UTC

bumping severity, as it's a safty issue

Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-02-05 02:19:22 UTC

Fixed in r30562.

Comment 5 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-02-05 02:34:26 UTC

Oh, I didn't spot the existing patch.  Maybe that would be a better idea, but I can't effectively test it (doubt I have working e-mail on localhost), so what I committed will do for now.

Note You need to log in before you can comment on or make changes to this bug.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links