Last modified: 2012-08-04 20:49:01 UTC
There is this user account "User:Anonymous" in the list of users after installation? Which functionality does this user account have? Both renaming the user's name and viewing settings were not possible. I would not like to have an account there that is a sort of backdoor.

Steps to reproduce:
* Showing all users, the user:Anonymous appears.
* Visiting the user's page there is no link for user contributions.
* Renaming this user says: Der Benutzername „“ ist ungültig.
* Changing rights is not possible because it is said the user did not exist.
* Creating a new account with this name causes an "Error: Warning: pg_query() [function.pg-query]: Query failed: ERROR: duplicate key violates unique constraint "mwuser_user_name_key" in /var/www/www.gfi.cx/wiki-gfi/includes/db/DatabasePostgres.php on line 552"

Please see detailed debugging information below. Thanks in advance. Cheers

Server:
MediaWiki 1.13.2
PHP 5.2.0-8+etch13 (apache2handler)
PostgreSQL PostgreSQL 8.1.13 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.1.2 20061115 (Debian 4.1.1-21)

Plugins: EditUser (Version 1.5.1), Renameuser (Version r41963)

Error Message:
A database error has occurred
Query: INSERT INTO mwuser (user_id,user_name,user_password,user_newpassword,user_newpass_time,user_email, user_email_authenticated,user_real_name,user_options, user_token,user_registration,user_editcount) VALUES ('9','Anonymous',,,'2008-11-28 13:08:53 GMT',,NULL,,'quickbar=1 underline=2 cols=80 rows=25 searchlimit=20 contextlines=5 contextchars=50 disablesuggest=0 ajaxsearch=0 skin= math=1 usenewrc=0 rcdays=7 rclimit=50 wllimit=250 hideminor=0 highlightbroken=1 stubthreshold=0 previewontop=1 previewonfirst=0 editsection=1 editsectiononrightclick=0 editondblclick=0 editwidth=0 showtoc=1 showtoolbar=1 minordefault=0 date=default imagesize=2 thumbsize=2 rememberpassword=0 enotifwatchlistpages=0 enotifusertalkpages=1 enotifminoredits=0 enotifrevealaddr=0 shownumberswatching=1 fancysig=0 externaleditor=0 externaldiff=0 showjumplinks=1 numberheadings=0 uselivepreview=0 watchlistdays=3 extendwatchlist=0 watchlisthideminor=0 watchlisthidebots=0 watchlisthideown=0 watchcreations=0 watchdefault=0 watchmoves=0 watchdeletion=0 variant=de language=de searchNs0=1','b1821d58eed30ceb814a1cdfbaf13ecc','2008-11-28 13:08:53 GMT','0')
Function: User::addToDatabase
Error: 1 ERROR: duplicate key violates unique constraint "mwuser_user_name_key"

Backtrace:
#0 /var/www/wiki/includes/db/Database.php(561): DatabasePostgres->reportQueryError('ERROR: duplica...', 1, 'INSERT INTO mwu...', 'User::addToData...', )
#1 /var/www/wiki/includes/db/DatabasePostgres.php(817): Database->query('INSERT INTO mwu...', 'User::addToData...', )
#2 /var/www/wiki/includes/User.php(2271): DatabasePostgres->insert('user', Array, 'User::addToData...')
#3 /var/www/wiki/includes/specials/SpecialUserlogin.php(339): User->addToDatabase()
#4 /var/www/wiki/includes/specials/SpecialUserlogin.php(324): LoginForm->initUser(Object(User), false)
#5 /var/www/wiki/includes/specials/SpecialUserlogin.php(153): LoginForm->addNewAccountInternal()
#6 /var/www/wiki/includes/specials/SpecialUserlogin.php(96): LoginForm->addNewAccount()
#7 /var/www/wiki/includes/specials/SpecialUserlogin.php(17): LoginForm->execute()
#8 [internal function]: wfSpecialUserlogin(NULL, Object(SpecialPage))
#9 /var/www/wiki/includes/SpecialPage.php(748): call_user_func('wfSpecialUserlo...', NULL, Object(SpecialPage))
#10 /var/www/wiki/includes/SpecialPage.php(534): SpecialPage->execute(NULL)
#11 /var/www/www.gfi.cx/wiki-gfi/includes/Wiki.php(224): SpecialPage::executePath(Object(Title))
#12 /var/www/www.gfi.cx/wiki-gfi/includes/Wiki.php(55): MediaWiki->initializeSpecialCases(Object(Title), Object(OutputPage), Object(WebRequest))
#13 /var/www/www.gfi.cx/wiki-gfi/index.php(93): MediaWiki->initialize(Object(Title), NULL, Object(OutputPage), Object(User), Object(WebRequest))
#14 {main}
Please note: Path to wiki is always the same, I just failed at renaming the path in this bug report.
In other words: I cannot delete the user because he does not exist. I cannot create the user because he exists. And he is shown in the user list. So, what is wrong? Is it a bug in this Version?
It's a nasty hack implemented in order to make foreign key constraints work in a schema that wasn't designed for them.

    -- Create a dummy user to satisfy fk constraints especially with revisions
    INSERT INTO mwuser VALUES (DEFAULT,'Anonymous','',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,now(),now());

I would suggest removing the foreign key constraints from the PG schema, which are more trouble than they're worth.
Hello, I would like to propose that we hide the User:Anonymous user from the user list.
Created attachment 6098
Patch that hides User:Anonymous on the user list.

I have created a patch that hides User:Anonymous from the user list. I'm not sure if this would be the best way to resolve this bug.
Are there any backdoors that could result from the Anonymous user being in the database? I think if they are able to do something to the anonymous user in the database through a backdoor, then it will probably just affect all users rather than just one.
Review of the patch: it doesn't take into account that there are different DB backends, most of which don't create that dummy account. Therefore, someone could register a stealth account 'Anonymous' that will be hard to track. And using a hardcoded value for checks is also extremely problematic.
(In reply to comment #7)
> Review of the patch: it doesn't take into account that there are different DB
> backends, most of which don't create that dummy account. Therefore, someone
> could register a stealth account 'Anonymous' that will be hard to track. And
> using a hardcoded value for checks is also extremely problematic.

Would checking the database be suitable, so if postgresql is used then the anonymous account is hidden from the user list?
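Added example, not part of the thread or of MediaWiki's code: a small model of the concern raised in comment #7 and of the backend check asked about in the reply. The table is a constructed three-column stand-in for mwuser held in SQLite, the backend labels and function names are hypothetical, and treating an empty user_password as the mark of the placeholder row is an assumption taken from the INSERT quoted earlier in the thread.

```python
import sqlite3

# Constructed stand-in for mwuser: only the columns this example needs.
SCHEMA = ("CREATE TABLE mwuser (user_id INTEGER PRIMARY KEY, "
          "user_name TEXT UNIQUE, user_password TEXT)")

def make_wiki(backend):
    """Fresh install: only the 'postgres' schema seeds the dummy row."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    if backend == "postgres":
        # Mirrors the quoted schema line: name 'Anonymous', empty password.
        db.execute("INSERT INTO mwuser (user_name, user_password) "
                   "VALUES ('Anonymous', '')")
    return db

def register(db, name, password_hash):
    """Normal account creation; the UNIQUE constraint rejects duplicates."""
    db.execute("INSERT INTO mwuser (user_name, user_password) VALUES (?, ?)",
               (name, password_hash))

def list_users_hardcoded(db):
    """User list that hides by hardcoded name, on every backend."""
    sql = ("SELECT user_name FROM mwuser "
           "WHERE user_name <> 'Anonymous' ORDER BY user_id")
    return [row[0] for row in db.execute(sql)]

def list_users_backend_aware(db, backend):
    """Hide only the seeded placeholder, and only where the schema seeds it."""
    sql = "SELECT user_name FROM mwuser"
    if backend == "postgres":
        sql += " WHERE NOT (user_name = 'Anonymous' AND user_password = '')"
    return [row[0] for row in db.execute(sql + " ORDER BY user_id")]

def hidden_with_password(db):
    """Audit: rows the hardcoded filter hides that have a password set."""
    sql = ("SELECT user_name FROM mwuser "
           "WHERE user_name = 'Anonymous' AND user_password <> ''")
    return [row[0] for row in db.execute(sql)]

if __name__ == "__main__":
    wiki = make_wiki("mysql")                       # no dummy row seeded
    register(wiki, "Alice", "constructed-hash-1")
    register(wiki, "Anonymous", "constructed-hash-2")
    print(list_users_hardcoded(wiki))               # real account is hidden
    print(list_users_backend_aware(wiki, "mysql"))  # real account is listed
    print(hidden_with_password(wiki))               # audit flags it
```
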
Fixed on r65405