
OAuth should be autoblock-exempt / "IP address had been blocked automatically" in croptool
Closed, Duplicate (Public)

Description

On Cloud-Services, we got a report of someone getting

Upload failed! Your IP address has been blocked automatically, because it was used by a blocked user

while using croptool (https://tools.wmflabs.org/croptool/). I could reproduce this at the time of this bug. This suggests the IP of the web server (or some other Tool Labs server) is autoblocked, and thus no one can edit via OAuth.

Croptool is running on tools-webgrid-02, but testing manually with wget

wget "https://commons.wikimedia.org/w/index.php?title=User_talk:Valhallasw&action=edit"

the returned html does not suggest the user is blocked:

http://tools.wmflabs.org/jira-bugimport/editpage.html

I'm not sure if the correct course of action would be to ip-block-exempt all 10.* IPs, or to have OAuth edits be autoblock exempt by default.


Version: master
Severity: normal

Details

Reference
bz66639

Event Timeline

bzimport raised the priority of this task from to High. Nov 22 2014, 3:12 AM
bzimport set Reference to bz66639.
bzimport added a subscriber: Unknown Object (MLST).

I think the community needs tools to block misbehaving OAuth apps. We probably need to keep a list of IP addresses in use by them so autoblocks or accidental IP blocks don't happen. But I think a blanket exemption for OAuth would open us up for abuse.

(In reply to Steinsplitter from comment #3)

OAuth is using the Tool Labs IP by default?

No, it's not.

But just like with a bot, the servers see the request coming from the IP address of the machine the OAuth-using tool is actually running on (e.g. Tool Labs) because that actually *is* the IP address the request is coming from. See bug 70885 for details on why that's not going to change.
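The following is an added example, not code from this task, from croptool or from MediaWiki: a small Python model of the failure the description and the reply above describe. Because every request a Tool Labs tool makes carries the server's own IP, an autoblock spawned by one blocked account that used the tool lands on that shared IP and rejects every other user's OAuth edit from the same host. The model also shows what the two remedies mentioned in the description change. All names and addresses are constructed (10.68.16.40 stands in for the croptool host, "vandal" and "valhallasw" are sample accounts), and the rule set is a simplification of MediaWiki's block checks, not its implementation. In particular, remedy A is modelled as an exempt server range, which is how the report phrases it; in MediaWiki `ipblock-exempt` is actually a per-user right, which the `ipblock_exempt` set models separately.

```python
"""Model of how a MediaWiki autoblock on a shared server IP affects OAuth edits.

Added illustration only; names, addresses and rules are constructed and simplified.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Wiki:
    """Minimal block state for one wiki (simplified, not MediaWiki's real logic)."""
    # blocked accounts; the value says whether the block also autoblocks IPs
    user_blocks: dict = field(default_factory=dict)
    # IPs autoblocked because a blocked account was seen using them
    autoblocked_ips: set = field(default_factory=set)
    # accounts holding the ipblock-exempt right (skip IP-based blocks)
    ipblock_exempt: set = field(default_factory=set)
    # remedy A from the report: server ranges whose requests skip IP-based blocks
    exempt_server_ranges: list = field(default_factory=list)
    # remedy B from the report: edits made through OAuth skip IP-based blocks
    oauth_skips_ip_blocks: bool = False

    def block_user(self, user, autoblock=True):
        self.user_blocks[user] = autoblock

    def record_request(self, user, ip):
        """A blocked account seen on an IP spreads its block to that IP (autoblock)."""
        if self.user_blocks.get(user):
            self.autoblocked_ips.add(ip)

    def _ip_exempt(self, ip):
        return any(ip_address(ip) in net for net in self.exempt_server_ranges)

    def can_edit(self, user, ip, via_oauth=False):
        """Return (allowed, reason) for an edit by `user` arriving from `ip`."""
        # a block on the account itself always applies, whatever the IP
        if user in self.user_blocks:
            return False, "user is blocked"
        # IP-based blocks (here: autoblocks) are skipped for the exempted cases
        if (user in self.ipblock_exempt or self._ip_exempt(ip)
                or (via_oauth and self.oauth_skips_ip_blocks)):
            return True, "ip-based blocks do not apply"
        if ip in self.autoblocked_ips:
            return False, "IP address has been blocked automatically"
        return True, "ok"


TOOL_SERVER_IP = "10.68.16.40"   # constructed: the Tool Labs host croptool runs on


def croptool_scenario(remedy=None):
    """Replay the report: a vandal edits via croptool and gets blocked; the
    autoblock then lands on the shared server IP and rejects an unrelated
    user's OAuth edit. `remedy` is None, "exempt-server-range" or "oauth-exempt"."""
    wiki = Wiki()
    if remedy == "exempt-server-range":
        wiki.exempt_server_ranges.append(ip_network("10.0.0.0/8"))
    elif remedy == "oauth-exempt":
        wiki.oauth_skips_ip_blocks = True
    # 1. the vandal uses the tool; the wiki sees the server's IP, not the vandal's
    assert wiki.can_edit("vandal", TOOL_SERVER_IP, via_oauth=True)[0]
    # 2. an admin blocks the vandal with autoblock enabled
    wiki.block_user("vandal", autoblock=True)
    # 3. the vandal tries again through the tool; the server IP gets autoblocked
    wiki.record_request("vandal", TOOL_SERVER_IP)
    # 4. an unrelated, unblocked user edits through croptool from the same host
    return wiki.can_edit("valhallasw", TOOL_SERVER_IP, via_oauth=True)


if __name__ == "__main__":
    for remedy in (None, "exempt-server-range", "oauth-exempt"):
        print(remedy, croptool_scenario(remedy))
```

Running the scenario without a remedy reproduces the "blocked automatically" message from the report for a user who is not blocked at all; either remedy lets that edit through, while the blocked account itself stays blocked under both, which is the distinction the abuse concern raised earlier in this thread turns on.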

Hm, there must be better ways to block misbehaving OAuth apps than to use IP blocks? Such as removing the authorization.

(In reply to Dan Michael Heggø from comment #5)

Hm, there must be better ways to block misbehaving OAuth apps than to use IP blocks? Such as removing the authorization.

Yes, the app's key can be revoked:

The app can be re-enabled by resetting it to "Approved", so definitely be bold if it looks like the entire app is misbehaving.

(In reply to Chris Steipp from comment #6)

Yes, the app's key can be revoked

I get a permission error when trying to access the cited page. Maybe implement a way so communities can block OAuth Apps they don't like?

(In reply to Rainer Rillke @commons.wikimedia from comment #7)

I get a permission error when trying to access the cited page. Maybe implement a way so communities can block OAuth Apps they don't like?

Stewards have the right, since it blocks the app across all wikis.

It's an interesting idea, being able to block a specific app on a specific wiki. If there's a need for that feature it could probably be done without too much work. Maybe open a separate bug if you think it's a feature that several wikis would like.