Page MenuHomePhabricator

API list=blocks reveals private data
Closed, ResolvedPublic

Description

The current implementation of the IP block list reveals the IP address(es) of users who are autoblocked in breach of [[wikimedia:Privacy policy]]. See http://en.wikipedia.org/w/api.php?action=query&list=blocks&bklimit=500 for an example query where this problem occurs.

Expected behaviour: list the autoblock id only in the user attribute as in [[Special:Ipblocklist]] (#xxxxxx) for the entries that deal with autoblocks. Example: user="#123".

Actual behaviour: the IP of the autoblocked users is shown in the user attribute instead.


Version: 1.12.x
Severity: blocker
URL: http://en.wikipedia.org/w/api.php?action=query&list=blocks

Details

Reference
bz12321

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:55 PM
bzimport set Reference to bz12321.
bzimport added a subscriber: Unknown Object (MLST).

Disabled list=blocks on Wikimedia pending a fix.