Last modified: 2014-11-19 07:23:30 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T23206, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 21206 - Log of title blacklist hits
Log of title blacklist hits
Status: PATCH_TO_REVIEW
Product: MediaWiki extensions
Classification: Unclassified
TitleBlacklist (Other open bugs)
unspecified
All All
: Normal enhancement with 2 votes (vote)
: ---
Assigned To: Nobody - You can work on this!
: easy
: 41263 63086 (view as bug list)
Depends on:
Blocks: SWMT 66450
  Show dependency treegraph
 
Reported: 2009-10-20 19:17 UTC by Mike.lifeguard
Modified: 2014-11-19 07:23 UTC (History)
13 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Mike.lifeguard 2009-10-20 19:17:26 UTC 
Per bug 1542 comment 4, please provide a log of hits against the title blacklist.
Comment 1 Bugmeister Bot 2011-08-19 19:13:00 UTC 
Unassigning default assignments. http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/54734
Comment 2 Alex Monk 2012-10-22 00:38:26 UTC 
*** Bug 41263 has been marked as a duplicate of this bug. ***
Comment 3 MZMcBride 2012-10-22 01:02:24 UTC 
Marking this as easy.
Comment 4 This, that and the other (TTO) 2013-11-19 05:09:14 UTC 
This bug doesn't make sense. What does it mean to "hit the title blacklist"? 

If a title is blacklisted, the user simply does not see a "Create" tab when visiting that title. I don't see any point to just log hits to blacklisted pages...
Comment 5 This, that and the other (TTO) 2013-11-19 05:42:35 UTC 
(In reply to comment #4)
> If a title is blacklisted, the user simply does not see a "Create" tab when
> visiting that title.

This is wrong, apparently. But my point stands: it seems silly to log accesses to title=Bad_title&action=edit.
Comment 6 seth 2013-11-23 17:03:00 UTC 
The information could be used to see, whether an entry is still needed or maybe removed.
Comment 7 Liangent 2014-04-01 18:00:47 UTC 
*** Bug 63086 has been marked as a duplicate of this bug. ***
Comment 8 Liangent 2014-04-01 18:03:05 UTC 
(In reply to This, that and the other from comment #5)
> This is wrong, apparently. But my point stands: it seems silly to log
> accesses to title=Bad_title&action=edit.

and if it's done so it could be easy to get that log spammed (and it looks like some kind of CSRF).
Comment 9 Ajraddatz 2014-04-01 18:05:30 UTC 
There is already a spam blacklist log which does not get spammed, making this point a possibility which doesn't happen. It would also be just as easy to spam edits to pages as spam actions to the proposed TBL log.

Like the SBL log, it should be admin-only, so that people don't get the idea that spamming it is possible.
Comment 10 Ajraddatz 2014-04-01 18:06:47 UTC 
Liangent, you've also merged a bug that was monitored by people who are actually active with this bug and not included them in the CC list. Is there any way to update that?
Comment 11 Liangent 2014-04-01 18:31:11 UTC 
(In reply to Ajraddatz from comment #9)
> There is already a spam blacklist log which does not get spammed, making
> this point a possibility which doesn't happen. It would also be just as easy
> to spam edits to pages as spam actions to the proposed TBL log.

The point is that, the method to spam this list is GET, and without a token, while the spamblacklist one is POST with a token. I could embed [img=1,1]http://en.wikipedia.org/w/index.php?title=Bad_title&action=edit[/img] in my forum signature to have that URL accessed by hundreds of people.
Comment 12 Andre Klapper 2014-04-01 21:48:29 UTC 
(In reply to Ajraddatz from comment #10)
> you've also merged a bug that was monitored by people who are
> actually active with this bug and not included them in the CC list. Is there
> any way to update that?

Add them to the CC list.
Comment 13 Ajraddatz 2014-04-01 21:50:38 UTC 
(In reply to Liangent from comment #11)
> (In reply to Ajraddatz from comment #9)
> > There is already a spam blacklist log which does not get spammed, making
> > this point a possibility which doesn't happen. It would also be just as easy
> > to spam edits to pages as spam actions to the proposed TBL log.
> 
> The point is that, the method to spam this list is GET, and without a token,
> while the spamblacklist one is POST with a token. I could embed
> [img=1,1]http://en.wikipedia.org/w/index.php?title=Bad_title&action=edit[/
> img] in my forum signature to have that URL accessed by hundreds of people.

That's very true, thanks for clarifying. Hopefully by keeping the log private people wouldn't think to do that.
Comment 14 Gerrit Notification Bot 2014-04-01 23:28:44 UTC 
Change 123128 had a related patch set uploaded by Gerrit Patch Uploader:
[WIP] Add log for TB hits

https://gerrit.wikimedia.org/r/123128
Comment 15 Gerrit Notification Bot 2014-04-02 00:45:20 UTC 
Change 123150 had a related patch set uploaded by Gerrit Patch Uploader:
[WIP] Add TitleBlacklist hit log

https://gerrit.wikimedia.org/r/123150
Comment 16 Gerrit Notification Bot 2014-04-02 00:50:24 UTC 
Change 123150 abandoned by Brian Wolff:
[WIP] Add TitleBlacklist hit log

Reason:
accidental commit

https://gerrit.wikimedia.org/r/123150
Comment 17 PiRSquared17 2014-04-02 16:37:20 UTC 
legoktm recommended to just log account creations/page moves, avoiding the problem described above.
Comment 18 Ajraddatz 2014-04-02 16:39:55 UTC 
That's there the most useful part of the log would be anyhow, so that works.
Comment 19 Gerrit Notification Bot 2014-06-10 20:37:41 UTC 
Change 123128 merged by jenkins-bot:
Add log for TitleBlacklist hits

https://gerrit.wikimedia.org/r/123128
Comment 20 Kunal Mehta (Legoktm) 2014-06-10 20:42:17 UTC 
Created bug 66450 to update the WMF configuration.
Comment 21 Gerrit Notification Bot 2014-06-10 22:43:43 UTC 
Change 138745 had a related patch set uploaded by Gerrit Patch Uploader:
Fixes regarding title blacklist log

https://gerrit.wikimedia.org/r/138745
Comment 22 Nemo 2014-06-11 06:23:40 UTC 
> Make logging of IPs for account creations optional, default disabled
> 
> https://gerrit.wikimedia.org/r/138745

That's sensible. Once merged, extension page needs to be updated.

Actually, after bug 66450 is fixed, we should think of making the log enabled by default, because it's an extension we bundle with core. Separate bug for that?
Comment 23 Cenarium 2014-11-16 03:19:08 UTC 
(In reply to Liangent from comment #8)
> (In reply to This, that and the other from comment #5)
> > This is wrong, apparently. But my point stands: it seems silly to log
> > accesses to title=Bad_title&action=edit.
> 
> and if it's done so it could be easy to get that log spammed (and it looks
> like some kind of CSRF).

Couldn't this be solved for edit and move by only logging recently active registered users ?

It would be helpful to have a bot report those hitting it multiple times, cause they often find ways to elude it after enough tries.
Comment 24 Nemo 2014-11-19 07:23:30 UTC 
Jackmcbarn said on "Make logging of IPs for account creations optional, default disabled" <https://gerrit.wikimedia.org/r/#/c/138745/4>:
> I doubt that many non-WMF wikis would want this off.

I disagree. I think non-WMF wikis are even more likely to want IPs hidden: many of them don't even install CheckUser because the marginal gain in antispam features is overcome by the burden of being forced to manage a privacy policy. We should ship a default MediaWiki which gives as little maintenance and legal burden as possible by default.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links