Last modified: 2006-10-21 16:32:51 UTC

Bug 6427 - Block password reset requests from blocked IP addresses
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: unspecified
Hardware: All All
Importance: Low enhancement with 3 votes
Assigned To: Nobody
URL: http://editthis.info/freak/crapflood
Duplicates: 7639

Reported: 2006-06-24 18:32 UTC by freakofnurture
Modified: 2006-10-21 16:32 UTC

Description freakofnurture 2006-06-24 18:32:38 UTC
A user whose IP address is blocked from editing (either directly by number or
range, or due to an autoblock from a blocked account attempting to edit) should
also be denied the ability to initiate bloody fuck obnoxious "password reset"
requests, (usually delivered in bulk to the sysop that blocked him the IP).

Anyway I have filtered incoming e-mail from wiki@wikimedia.org directly to
"Trash can". I hope nothing important originates from that address. If it does,
it should be separated accordingly.
Comment 1 Platonides 2006-06-25 18:03:49 UTC
But if the IP is blocked and the user *does* have a Wikipedia account, he may want a password
reset to get his password, log in and edit his user talk.
Comment 2 freakofnurture 2006-06-26 14:23:31 UTC
If an innocent user experiences both collateral damage and amnesia at the same
time, he could move to another computer to make that request, provided he
doesn't get struck by lightning and eaten by a shark along the way.
Comment 3 Rob Church 2006-07-04 23:46:36 UTC
Another option might be to throw up a captcha...
Comment 4 freakofnurture 2006-07-05 15:36:57 UTC
or a throttle limit...
Comment 5 freakofnurture 2006-07-07 21:06:50 UTC
or both...
Comment 6 Deon 2006-10-07 01:21:57 UTC
We shouldn't block _all_ blocked IPs from requesting passwords, but there should be some way the devs can block certain IPs.
Not all IPs abuse the Password Reset. Only some like en:69.50.208.4, also see
http://en.wikipedia.org/wiki/WP:AN/I#Email
Comment 7 windyaso-wp 2006-10-07 04:42:51 UTC
It's as simple as limiting password requests to five an hour or 
something...this would certainly cut down on the worst of the abuse.
Comment 8 freakofnurture 2006-10-07 07:18:04 UTC
(In reply to comment #6)
> We shouldn't block _all_ blocked IPs from requesting passwords, but there should be
> some way the devs can block certain IPs.
> Not all IPs abuse the Password Reset. Only some like en:69.50.208.4, also see
> http://en.wikipedia.org/wiki/WP:AN/I#Email

Perhaps this would be best as an extra checkbox on the [[Special:Blockip]] form, 
then. --user:freakofnurture
Comment 9 Deon 2006-10-15 22:58:35 UTC
(In reply to comment #8)
>> We shouldn't block _all_ blocked IPs from requesting passwords, but there should be
>> some way the devs can block certain IPs.
>> Not all IPs abuse the Password Reset. Only some like en:69.50.208.4, also see
>> http://en.wikipedia.org/wiki/WP:AN/I#Email
>
> Perhaps this would be best as an extra checkbox on the [[Special:Blockip]] form,
> then. --user:freakofnurture

Definitely.
-D
[[User:Deon555]]
Comment 10 Jorge 2006-10-20 04:58:03 UTC
Well, I lost my password for good after placing the request password email to my
autodelete spam filter after getting over 500 of those in one day, almost 1,000
for the week, by en:69.50.208.4. This bug should be fixed, and fast, before it
happens to anyone else.

jorge,

en:Jaranda
Comment 11 Karen Lofstrom 2006-10-20 10:48:05 UTC
Same IP mailbombed me. Please fix this. -- Zora
Comment 12 Tristan Miller 2006-10-21 00:02:40 UTC
See also Bug 7078, which proposes a throttle on password requests.  This would
be easiest to implement as the code is already there; the throttle value just
needs to be set for Wikipedia.
Comment 13 Brion Vibber 2006-10-21 16:23:32 UTC
*** Bug 7639 has been marked as a duplicate of this bug. ***
Comment 14 Brion Vibber 2006-10-21 16:32:51 UTC
Fixed in r17147.
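
The mitigations proposed in comments 7, 8 and 12, combined as an added example that is not part of the bug report and is not the r17147 change: a per-block flag that denies password resets, plus a throttle of five reset mails per hour per IP. `ResetGate`, its methods and the sample addresses (documentation ranges, constructed) are assumptions for illustration, not MediaWiki code.

```python
import ipaddress
import time
from collections import defaultdict, deque

MAX_REQUESTS = 5        # "five an hour", as suggested in comment 7
WINDOW_SECONDS = 3600


class ResetGate:
    """Decides whether a password-reset e-mail may be sent for a client IP."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so the demo can advance time
        self.blocks = []                    # (network, deny_reset) pairs
        self.history = defaultdict(deque)   # address -> timestamps of allowed requests

    def block(self, cidr, deny_reset=False):
        # deny_reset models the extra checkbox proposed for the block form:
        # only blocks that set it also cut off password-reset requests.
        net = ipaddress.ip_network(cidr, strict=False)
        self.blocks.append((net, deny_reset))

    def check(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(deny and addr in net for net, deny in self.blocks):
            return "denied: blocked"
        now = self.clock()
        sent = self.history[addr]
        while sent and now - sent[0] >= WINDOW_SECONDS:
            sent.popleft()                  # forget requests outside the window
        if len(sent) >= MAX_REQUESTS:
            return "denied: throttled"      # no mail goes out, nothing recorded
        sent.append(now)
        return "allowed"


def demo():
    t = [0.0]
    gate = ResetGate(clock=lambda: t[0])
    gate.block("192.0.2.0/24", deny_reset=True)   # constructed abusive range
    gate.block("198.51.100.7")                    # ordinary block, resets still work
    results = [gate.check("192.0.2.44")]
    results += [gate.check("198.51.100.7") for _ in range(6)]
    t[0] = 3600.0                                 # one hour later
    results.append(gate.check("198.51.100.7"))
    return results


if __name__ == "__main__":
    print(demo())
```

A blocked user with a forgotten password (the case raised in comment 1) can still request a reset unless the block sets the flag, and the throttle caps how many mails any single address can trigger.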
