Author: mike.lifeguard+bugs
Description:
Per T3542#58010, please provide a log of hits against the title blacklist.
Author: mike.lifeguard+bugs
Description:
Per T3542#58010, please provide a log of hits against the title blacklist.
Status | Subtype | Assigned | Task | ||
---|---|---|---|---|---|
Open | None | T68450 Set $wgTitleBlacklistLogHits = true on WMF wikis | |||
Resolved | PiRSquared17 | T23206 Log of title blacklist hits |
mhershberger wrote:
Unassigning default assignments. http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/54734
This bug doesn't make sense. What does it mean to "hit the title blacklist"?
If a title is blacklisted, the user simply does not see a "Create" tab when visiting that title. I don't see any point to just log hits to blacklisted pages...
(In reply to comment #4)
If a title is blacklisted, the user simply does not see a "Create" tab when
visiting that title.
This is wrong, apparently. But my point stands: it seems silly to log accesses to title=Bad_title&action=edit.
The information could be used to see, whether an entry is still needed or maybe removed.
(In reply to This, that and the other from comment #5)
This is wrong, apparently. But my point stands: it seems silly to log
accesses to title=Bad_title&action=edit.
and if it's done so it could be easy to get that log spammed (and it looks like some kind of CSRF).
There is already a spam blacklist log which does not get spammed, making this point a possibility which doesn't happen. It would also be just as easy to spam edits to pages as spam actions to the proposed TBL log.
Like the SBL log, it should be admin-only, so that people don't get the idea that spamming it is possible.
Liangent, you've also merged a bug that was monitored by people who are actually active with this bug and not included them in the CC list. Is there any way to update that?
(In reply to Ajraddatz from comment #9)
There is already a spam blacklist log which does not get spammed, making
this point a possibility which doesn't happen. It would also be just as easy
to spam edits to pages as spam actions to the proposed TBL log.
The point is that, the method to spam this list is GET, and without a token, while the spamblacklist one is POST with a token. I could embed [img=1,1]http://en.wikipedia.org/w/index.php?title=Bad_title&action=edit[/img] in my forum signature to have that URL accessed by hundreds of people.
(In reply to Ajraddatz from comment #10)
you've also merged a bug that was monitored by people who are
actually active with this bug and not included them in the CC list. Is there
any way to update that?
Add them to the CC list.
(In reply to Liangent from comment #11)
(In reply to Ajraddatz from comment #9)
There is already a spam blacklist log which does not get spammed, making
this point a possibility which doesn't happen. It would also be just as easy
to spam edits to pages as spam actions to the proposed TBL log.The point is that, the method to spam this list is GET, and without a token,
while the spamblacklist one is POST with a token. I could embed
[img=1,1]http://en.wikipedia.org/w/index.php?title=Bad_title&action=edit[/
img] in my forum signature to have that URL accessed by hundreds of people.
That's very true, thanks for clarifying. Hopefully by keeping the log private people wouldn't think to do that.
Change 123128 had a related patch set uploaded by Gerrit Patch Uploader:
[WIP] Add log for TB hits
Change 123150 had a related patch set uploaded by Gerrit Patch Uploader:
[WIP] Add TitleBlacklist hit log
Change 123150 abandoned by Brian Wolff:
[WIP] Add TitleBlacklist hit log
Reason:
accidental commit
legoktm recommended to just log account creations/page moves, avoiding the problem described above.
Change 138745 had a related patch set uploaded by Gerrit Patch Uploader:
Fixes regarding title blacklist log
Make logging of IPs for account creations optional, default disabled
That's sensible. Once merged, extension page needs to be updated.
Actually, after bug 66450 is fixed, we should think of making the log enabled by default, because it's an extension we bundle with core. Separate bug for that?
(In reply to Liangent from comment #8)
(In reply to This, that and the other from comment #5)
This is wrong, apparently. But my point stands: it seems silly to log
accesses to title=Bad_title&action=edit.and if it's done so it could be easy to get that log spammed (and it looks
like some kind of CSRF).
Couldn't this be solved for edit and move by only logging recently active registered users ?
It would be helpful to have a bot report those hitting it multiple times, cause they often find ways to elude it after enough tries.
Jackmcbarn said on "Make logging of IPs for account creations optional, default disabled" https://gerrit.wikimedia.org/r/#/c/138745/4:
I doubt that many non-WMF wikis would want this off.
I disagree. I think non-WMF wikis are even more likely to want IPs hidden: many of them don't even install CheckUser because the marginal gain in antispam features is overcome by the burden of being forced to manage a privacy policy. We should ship a default MediaWiki which gives as little maintenance and legal burden as possible by default.
As far as I can see, there's already a title blacklist log avalaible in Special:Log. No entries on it though.
I think so. This was implemented by
https://gerrit.wikimedia.org/r/#/c/123128/
mentioned on T23206#248973 above.