From 718044add9fa0fcd20fcc73686f1ffb83ef1ff2f Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy
Date: Mon, 23 Sep 2019 14:30:45 +0200
Subject: [PATCH] SECURITY: Use autoblocks in case of account creation

To avoid disclosing the IP address of the creator.

Bug: T152394
Change-Id: I06ce96ff1b90443e71dc9f1cfb98220501679841
---
 i18n/en.json | 1 +
 i18n/qqq.json | 3 ++-
 includes/AbuseFilterRunner.php | 27 +++++++++++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/i18n/en.json b/i18n/en.json
index a6ae3549..16a0be11 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -17,6 +17,7 @@
 "abusefilter-autopromote-blocked": "This action has been automatically identified as harmful, and it has been disallowed.\nIn addition, as a security measure, some privileges routinely granted to established accounts have been temporarily revoked from your account.\nA brief description of the abuse rule which your action matched is: $1",
 "abusefilter-blocker": "Abuse filter",
 "abusefilter-blockreason": "Automatically blocked by abuse filter.\nDescription of matched rule: $1",
+ "abusefilter-autoblockreason": "Autoblock issued by the abuse filter on account creation.\nDescription of matched rule: $1",
 "abusefilter-degroupreason": "Rights automatically stripped by abuse filter.\nRule description: $1",
 "abusefilter-blockautopromotereason": "Autopromotion automatically delayed by abuse filter.\nRule description: $1",
 "abusefilter-accountreserved": "This account name is reserved for use by the abuse filter.",
diff --git a/i18n/qqq.json b/i18n/qqq.json
index b029c94d..7be7f8e0 100644
--- a/i18n/qqq.json
+++ b/i18n/qqq.json
@@ -50,7 +50,8 @@
 "abusefilter-degrouped": "Message given to user because of a triggered filter. Parameters:\n* $1 is a filter description\n* $2 is the filter id",
 "abusefilter-autopromote-blocked": "Message given to user because of a triggered filter. Parameters:\n* $1 is a filter description\n* $2 is the filter id",
 "abusefilter-blocker": "Username of reserved user for abuse filter actions.",
- "abusefilter-blockreason": "Message given to user because of a triggered filter. Parameters:\n* $1 is a filter description\n* $2 is the filter id",
+ "abusefilter-blockreason": "Reason used in log entries when blocking a user. Parameters:\n* $1 filter description",
+ "abusefilter-autoblockreason": "Reason used in log entries when autoblocking an IP. Parameters:\n* $1 filter description",
 "abusefilter-degroupreason": "Used as log entry when removal of the user from all privileged groups performed by Abuse filter. Parameters:\n* $1 is the filter description (reason)\n* $2 is the filter id",
 "abusefilter-blockautopromotereason": "Used as log entry when delaying the autopromotion of a user. Parameters:\n* $1 is the filter description (reason)\n* $2 is the filter id",
 "abusefilter-accountreserved": "Message given when trying to register a reserved account name for AbuseFilter actions.",
diff --git a/includes/AbuseFilterRunner.php b/includes/AbuseFilterRunner.php
index 95a39007..5426447e 100644
--- a/includes/AbuseFilterRunner.php
+++ b/includes/AbuseFilterRunner.php
@@ -1055,6 +1055,7 @@ class AbuseFilterRunner {
 * @param string $expiry
 * @param bool $isAutoBlock
 * @param bool $preventEditOwnUserTalk
+ * @fixme Beutify this method as soon as you can publicly see this comment
 */
 private function doAbuseFilterBlock(
 array $rule,
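Review bot: The added `@fixme` line misspells "Beautify" and, being the only docblock change in this commit, leaves the new account-creation behaviour of doAbuseFilterBlock undocumented for callers. Since the docblock already lists `$expiry`, `$isAutoBlock` and `$preventEditOwnUserTalk`, add one line describing the special case, e.g. `@note On account creation by an anonymous user the block targets the new account name and the creator's IP receives an autoblock instead (T152394)`, and fix the typo: `@fixme Beautify this method as soon as you can publicly see this comment`. The method's parameter list and body continue outside the hunk.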
@@ -1068,7 +1069,15 @@ class AbuseFilterRunner {
 'abusefilter-blockreason',
 $rule['desc'], $rule['number']
 )->inContentLanguage()->text();
+ $action = $this->vars->getVar( 'action' )->toString();
+ $isAccountCreation = strpos( $action, 'createaccount' ) !== false;
+ $autoBlockTarget = null;
+ if ( $this->user->isAnon() && $isAccountCreation ) {
+ // T152394
+ $autoBlockTarget = $target;
+ $target = $this->vars->getVar( 'accountname' )->toString();
+ }
 $block = new DatabaseBlock();
 $block->setTarget( $target );
 $block->setBlocker( $filterUser );
@@ -1081,6 +1090,24 @@ class AbuseFilterRunner {
 $success = $block->insert();
+ if ( $success && $autoBlockTarget !== null ) {
+ $abReason = wfMessage(
+ 'abusefilter-autoblockreason',
+ $rule['desc'], $rule['number']
+ )->inContentLanguage()->text();
+
+ $autoblock = new DatabaseBlock();
+ $autoblock->setTarget( $autoBlockTarget );
+ $autoblock->setBlocker( $filterUser );
+ $autoblock->setReason( $abReason );
+ $autoblock->mExpiry = SpecialBlock::parseExpiryInput( $expiry );
+ $autoblock->mAuto = true;
+ $autoblock->isCreateAccountBlocked( true );
+ $autoblock->isUsertalkEditAllowed( !$preventEditOwnUserTalk );
+ $autoblock->mParentBlockId = $success['id'];
+ $autoblock->insert();
+ }
+
 if ( $success ) {
 // Log it only if the block was successful
 $logParams = [];
-- 
2.22.0.windows.1
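Review bot: The `// T152394` comment on the `if ( $this->user->isAnon() && $isAccountCreation )` branch gives only a ticket number, while the reason for swapping `$target` is exactly the kind of thing the next maintainer must not undo; state it in code, e.g. `// On account creation by an anonymous user, block the new account name and autoblock the creator's IP instead, so the public log entry does not disclose the IP (T152394)`. `strpos( $action, 'createaccount' ) !== false` is a substring match: if it is meant to also cover other action names containing that string, say so in a comment, otherwise compare the action with `===` so an unrelated future action name cannot trigger the swap. If the `accountname` variable resolves to an empty string, `$target` becomes `''`, the block insert presumably fails, and the autoblock in the next hunk is skipped as well, leaving the creator's IP unblocked while the original code would have blocked it directly; a guard that falls back to the original target when the account name is empty seems worth adding. doAbuseFilterBlock starts and ends outside this hunk.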
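Review bot: The IP autoblock copies the parent block's full expiry (`$autoblock->mExpiry = SpecialBlock::parseExpiryInput( $expiry );`), so an indefinite block on the new account produces an indefinite, hidden block on the creator's IP, whereas core autoblocks are capped by `$wgAutoblockExpiry`; the same cap should apply here, for instance via `DatabaseBlock::getAutoblockExpiry()` if the targeted core version provides it. The return value of `$autoblock->insert()` is discarded, so if the autoblock cannot be inserted the account block is logged but the IP stays unblocked with no trace; check the result and at least log the failure, since blocking the IP is the purpose of this branch. `isCreateAccountBlocked( true )` is hard-coded on the autoblock while the parent block's setting is configured outside the hunk; either mirror the parent's value or add a comment explaining why it is always set. The method continues past the end of this hunk.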