Prevent contributions attributed to private and WMF IP addresses
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Anomie
	Jan 5 2017, 9:01 PM

Description

Occasionally a misconfiguration results in edits being seen by MediaWiki as coming from 127.0.0.1, as shown by this non-empty contributions log. Further, wikis such as the English Wikipedia had previously blocked Toolserver IPs but have been unable to do the same for Tool Labs thanks to issues such as T66530.

Since the IPs subject to these issues are well-known and typically don't change, we can easily enough add a configuration option to MediaWiki to treat these IPs as blocked "anon. only, talk page access disabled" without running into the XFF issues described in T66530.

Details

	Subject	Repo	Branch	Lines +/-
	Set $wgSoftBlockRanges	operations/mediawiki-config	master	+70 -0

Customize query in gerrit

Related Objects

Mentioned In: T209011: Change routing to ensure that traffic originating from Cloud VPS is seen as non-private IPs by Wikimedia wikis
T208986: WDQS tests can no longer edit test.wikidata.org
T174284: Fix obaid's tool by using pywikibot
T161860: Password reset link missing on mediawiki.org
T153038: mwext-qunit-jessie test fails on unrelated change
T154621: decommission mw2075-2089 to make room for new systems
Mentioned Here: T66530: $wgApplyIpBlocksToXff feature should ignore local IPs from remote proxies

Event Timeline

Anomie created this task.Jan 5 2017, 9:01 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 5 2017, 9:01 PM

Change 324215 had a related patch set uploaded (by Anomie):
Set $wgSoftBlockRanges

https://gerrit.wikimedia.org/r/324215

Change 324214 had a related patch set uploaded (by Anomie):
Add $wgSoftBlockRanges

https://gerrit.wikimedia.org/r/324214

An announcement might be something like this:

Edits and other contributions logged to private IP addresses will be blocked, displaying the reason from [[MediaWiki:softblockrangesreason]]. This should not affect most users, however bots and other tools running on [[mw:Wikimedia Labs|Wikimedia Labs]], including [[wikitech:Portal:Tool Labs|Tool Labs]], will receive a "blocked" error if they attempt to edit without being logged in.

Johan moved this task from To Triage to Announce in next Tech/News on the User-notice board.Jan 6 2017, 1:05 AM

• MZMcBride subscribed.Jan 6 2017, 4:19 AM

RobH mentioned this in T154621: decommission mw2075-2089 to make room for new systems.Jan 6 2017, 4:47 PM

Johan moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Jan 10 2017, 11:13 PM

Liuxinyu970226 subscribed.Jan 12 2017, 5:27 AM

Ricordisamoa subscribed.Jan 17 2017, 1:33 AM

Framawiki subscribed.Jan 17 2017, 6:38 PM

Johan moved this task from In current Tech/News draft to Recently announced in Tech/News on the User-notice board.Jan 19 2017, 11:28 AM

Johan moved this task from Recently announced in Tech/News to Already announced/Archive on the User-notice board.Jan 26 2017, 7:56 AM

Change 324215 had a related patch set uploaded (by Gergő Tisza):
Set $wgSoftBlockRanges

https://gerrit.wikimedia.org/r/324215

This was announced a while ago in Tech News and on labs-l but not actually deployed. Doing that today.

Change 324215 merged by jenkins-bot:
Set $wgSoftBlockRanges

https://gerrit.wikimedia.org/r/324215

Mentioned in SAL (#wikimedia-operations) [2017-02-22T00:33:42Z] <thcipriani@tin> Synchronized wmf-config/InitialiseSettings.php: SWAT: [[gerrit:324215|Set $wgSoftBlockRanges]] T154698 PART I (duration: 00m 40s)

Mentioned in SAL (#wikimedia-operations) [2017-02-22T00:34:53Z] <thcipriani@tin> Synchronized wmf-config: SWAT: [[gerrit:324215|Set $wgSoftBlockRanges]] T154698 PART II (duration: 00m 42s)

The block message seems wrong:

$ curl -s -X POST -d 'action=edit&format=json&title=User%3ATgr_(WMF)%2Ftest&appendtext=--%3D%3D+This+is+a+test+%3D%3D--&token=%2B%5C' https://en.wikipedia.org/w/api.php | jq .
{
  "error": {
    "code": "blocked",
    "info": "You have been blocked automatically by MediaWiki.",
    "blockinfo": {
      "blockid": null,
      "blockedby": "MediaWiki default",
      "blockedbyid": 0,
      "blockreason": "__NOEDITSECTION____NOTOC__\n{| id=\"mw-blocked-text\" style=\"border:2px solid #000; width:100%; margin:0 auto 6px auto;\"\n|\n<div style=\"width:100%; margin:auto; text-align:center;\"><div style=\"font-size:180%; color:#ff0000;\"><br>'''You are currently unable to edit Wikipedia.'''</div>\n'''''You are still able to view pages''', but you are not currently able to edit, move, or create them.''\n</div>\n<div style=\"margin:auto; width:70%;\">\n<div style=\"text-align:justify;\">\nEditing from $7 is disabled as it is a [[private IP]] range. This is probably a result of a problem with your Internet connection.\n\nEven if blocked, you will ''usually'' still be able to edit your [[Special:Mytalk|user talk page]] and email other editors and administrators.\n</div>\n</div>\n|}",
      "blockedtimestamp": "2017-02-22T01:54:06Z",
      "blockexpiry": "infinite",
      "systemblocktype": "wgSoftBlockRanges"
    },
    "*": "See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce&gt; for notice of API deprecations and breaking changes."
  },
  "servedby": "mw1278"
}

I suppose this is a problem with the block API, not this patch? (Also, it wold be quite nice if errorformat applied to the block reason.)

At the API level, "blockreason" is just the string from $block->mReason. We'd have to change Block to supply a Message instead of a bare string for the API to be able to apply errorformat.

The text you're seeing there is thanks to enwiki having already customized MediaWiki:Softblockrangesreason. The default message (e.g. add uselang=someinvalidlanguage) is much cleaner:

{
   "servedby" : "mw1284",
   "error" : {
      "code" : "blocked",
      "blockinfo" : {
         "blockreason" : "Anonymous contributions are not allowed from your IP address (10.68.23.58). Please log in.",
         "blockedtimestamp" : "2017-02-22T16:40:06Z",
         "blockedby" : "MediaWiki default",
         "systemblocktype" : "wgSoftBlockRanges",
         "blockedbyid" : 0,
         "blockexpiry" : "infinite",
         "blockid" : null
      },
      "*" : "See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce&gt; for notice of API deprecations and breaking changes.",
      "info" : "You have been blocked automatically by MediaWiki."
   }
}

Anomie closed this task as Resolved.Feb 22 2017, 4:59 PM

Yeah, I got that, I was just confused about the $7 parameter. It hadn't occured to me it could be just a template error.

Tgr mentioned this in T153038: mwext-qunit-jessie test fails on unrelated change.Feb 22 2017, 7:01 PM

Liuxinyu970226 unsubscribed.Feb 25 2017, 3:33 AM

Tgr mentioned this in T161860: Password reset link missing on mediawiki.org.Mar 30 2017, 9:20 PM

Framawiki mentioned this in T174284: Fix obaid's tool by using pywikibot.Aug 27 2017, 6:31 PM

bd808 mentioned this in T208986: WDQS tests can no longer edit test.wikidata.org.Nov 7 2018, 7:42 PM

bd808 mentioned this in T209011: Change routing to ensure that traffic originating from Cloud VPS is seen as non-private IPs by Wikimedia wikis.Nov 7 2018, 11:46 PM

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM

Ladsgroup edited projects, added User-notice-archive; removed User-notice.Aug 13 2022, 1:53 PM