Page MenuHomePhabricator
Create Task
Maniphest T18037

Captcha is displayed when user transcludes a template that has an external link
Open, LowestPublicFeature
Actions

Description

If the user adds for example {{IMDb|124|Foo}} or {{IPcheck|127.0.0.1}} in the English Wikipedia, he has to solve a Captcha, because the templates link to imdb.com, dnsstuff.com and so on.
This is both annoying and confusing, because the user does not add an external link, the template does.

The obvious solution would be not to display a Captcha if the url is provided by the template, not the user. However, clever spammers could do the following:

  1. Create template "evilLink" with external link. Solve a Captcha to do so.
  2. Transclude template "evilLink" into 1000 pages without having to solve a Captcha.
  3. ???
  4. Profit!

The alternative would be, to use MediaWiki:Captcha-addurl-whitelist, however few sysops even notice, that there are Captchas (Admins don't have to solve them, so they are not aware of the problem).
But perhaps, there is another way. If FlaggedRevs are active on a wiki, it would be possible to allow only external links of flagged templates without a Captcha. If FlaggedRevs are missing, it would be possible to allow external links that have been in a template for a while (this would slow down spammers).

Version: unspecified
Severity: enhancement

Details

Reference
bz16037

Event Timeline

bzimport raised the priority of this task from to Lowest.Nov 21 2014, 10:21 PM
bzimport added a project: ConfirmEdit (CAPTCHA extension).
bzimport set Reference to bz16037.
bzimport added a subscriber: Unknown Object (MLST).
Tobias created this task.Oct 19 2008, 9:08 AM
brooke added a comment.Nov 24 2008, 8:30 PM

I don't think there's really a good way to do this at present -- there's no good way to tell "where" the URL came from. In the examples you give, the URL "comes from" both places -- it's formed from a combination of something in the template and something in the template parameters.

bzimport added a comment.Nov 24 2008, 8:34 PM

mike.lifeguard+bugs wrote:

(In reply to comment #0)

If the user adds for example {{IMDb|124|Foo}} or {{IPcheck|127.0.0.1}} in the
English Wikipedia, he has to solve a Captcha, because the templates link to
imdb.com, dnsstuff.com and so on.
This is both annoying and confusing, because the user does not add an external
link, the template does.

That counts as adding a link. I'm unclear why we would want to change this behaviour.

The obvious solution would be not to display a Captcha if the url is provided
by the template, not the user. However, clever spammers could do the following:

  1. Create template "evilLink" with external link. Solve a Captcha to do so.
  2. Transclude template "evilLink" into 1000 pages without having to solve a

Captcha.

  1. ???
  2. Profit!

That situation is exactly why it works this way. It's not outlandish at all.

The alternative would be, to use MediaWiki:Captcha-addurl-whitelist, however
few sysops even notice, that there are Captchas (Admins don't have to solve
them, so they are not aware of the problem).

Of course, the whitelist should be used - that's what it's for! I imagine the same team who handle the spam black/whitelist would also handle requests for additions to that whitelist.

Recommend WONTFIX.

Tobias added a comment.Nov 25 2008, 12:07 PM

From the developers point of view, it might be difficult or even impossible to fix with the current design. However, from the users point of view, this is totally confusing. I recommend to at least change the system message to something that explains the problem.

Aklapper added a comment.Dec 12 2012, 1:39 PM

[Removing RESOLVED LATER as discussed in
http://lists.wikimedia.org/pipermail/wikitech-l/2012-November/064240.html .
Reopening and setting priority to "Lowest".
For future reference, please use either RESOLVED WONTFIX (for issues that will
not be fixed), or simply set lowest priority. Thanks a lot!]

RobH unsubscribed.Mar 3 2020, 6:22 PM
Restricted Application added a subscriber: Liuxinyu970226. · View Herald TranscriptMar 3 2020, 6:22 PM
Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 4 2022, 11:02 AM
Aklapper removed a subscriber: wikibugs-l-list.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL