From 78422e75600a5d88b515bb1dddb44595384eeb90 Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy <daimona.wiki@gmail.com>
Date: Mon, 30 Sep 2019 13:46:25 +0200
Subject: [PATCH] SECURITY: Use autoblocks in case of account creation

To avoid disclosing the IP address of the creator.

Bug: T152394
Depends-On: Ia334cdc84ac1408ad72ffd8c87c958ae7deebb54
Change-Id: I10d5852d0f3f2e921c9e2078278b0db7898ea51c
---
 i18n/en.json                   |  1 +
 i18n/qqq.json                  |  3 ++-
 includes/AbuseFilterRunner.php | 26 ++++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/i18n/en.json b/i18n/en.json
index a6ae3549..16a0be11 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -17,6 +17,7 @@
 	"abusefilter-autopromote-blocked": "This action has been automatically identified as harmful, and it has been disallowed.\nIn addition, as a security measure, some privileges routinely granted to established accounts have been temporarily revoked from your account.\nA brief description of the abuse rule which your action matched is: $1",
 	"abusefilter-blocker": "Abuse filter",
 	"abusefilter-blockreason": "Automatically blocked by abuse filter.\nDescription of matched rule: $1",
+	"abusefilter-autoblockreason": "Autoblock issued by the abuse filter on account creation.\nDescription of matched rule: $1",
 	"abusefilter-degroupreason": "Rights automatically stripped by abuse filter.\nRule description: $1",
 	"abusefilter-blockautopromotereason": "Autopromotion automatically delayed by abuse filter.\nRule description: $1",
 	"abusefilter-accountreserved": "This account name is reserved for use by the abuse filter.",
diff --git a/i18n/qqq.json b/i18n/qqq.json
index b029c94d..7be7f8e0 100644
--- a/i18n/qqq.json
+++ b/i18n/qqq.json
@@ -50,7 +50,8 @@
 	"abusefilter-degrouped": "Message given to user because of a triggered filter. Parameters:\n* $1 is a filter description\n* $2 is the filter id",
 	"abusefilter-autopromote-blocked": "Message given to user because of a triggered filter. Parameters:\n* $1 is a filter description\n* $2 is the filter id",
 	"abusefilter-blocker": "Username of reserved user for abuse filter actions.",
-	"abusefilter-blockreason": "Message given to user because of a triggered filter. Parameters:\n* $1 is a filter description\n* $2 is the filter id",
+	"abusefilter-blockreason": "Reason used in log entries when blocking a user. Parameters:\n* $1 filter description",
+	"abusefilter-autoblockreason": "Reason used in log entries when autoblocking an IP. Parameters:\n* $1 filter description",
 	"abusefilter-degroupreason": "Used as log entry when removal of the user from all privileged groups performed by Abuse filter. Parameters:\n* $1 is the filter description (reason)\n* $2 is the filter id",
 	"abusefilter-blockautopromotereason": "Used as log entry when delaying the autopromotion of a user. Parameters:\n* $1 is the filter description (reason)\n* $2 is the filter id",
 	"abusefilter-accountreserved": "Message given when trying to register a reserved account name for AbuseFilter actions.",
diff --git a/includes/AbuseFilterRunner.php b/includes/AbuseFilterRunner.php
index e5fe1d24..e60616b3 100644
--- a/includes/AbuseFilterRunner.php
+++ b/includes/AbuseFilterRunner.php
@@ -1084,6 +1084,14 @@ class AbuseFilterRunner {
 			$ruleDesc, $ruleNumber
 		)->inContentLanguage()->text();
 
+		$isAccountCreation = strpos( $this->action, 'createaccount' ) !== false;
+		$autoBlockTarget = null;
+		if ( $this->user->isAnon() && $isAccountCreation ) {
+			// T152394
+			$autoBlockTarget = $target;
+			$target = $this->vars->getVar( 'accountname' )->toString();
+		}
+
 		$block = new DatabaseBlock();
 		$block->setTarget( $target );
 		$block->setBlocker( $filterUser );
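Review bot: At `$target = $this->vars->getVar( 'accountname' )->toString();` the block target is replaced by a filter variable without checking that it is set and non-empty. If `accountname` is missing, the primary block would be attempted against an empty or unusable target, and because the IP kept in `$autoBlockTarget` is only blocked after that insert succeeds, the creator could end up not blocked at all. I would read the name first and only swap when it is usable, e.g. `$accountName = $this->vars->getVar( 'accountname' )->toString();` followed by `if ( $accountName !== '' ) { $autoBlockTarget = $target; $target = $accountName; }`, which falls back to the previous behaviour; whether that fallback is acceptable for T152394 needs deciding, since it would log the IP again. The `strpos( $this->action, 'createaccount' ) !== false` test also matches any action name that merely contains that substring, so an exact comparison against the action names the extension defines would state the intent more safely. The enclosing method starts and ends outside this hunk.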
@@ -1097,6 +1105,24 @@ class AbuseFilterRunner {
 		$success = $block->insert();
 
 		if ( $success ) {
+			if ( $autoBlockTarget !== null ) {
+				$abReason = wfMessage(
+					'abusefilter-autoblockreason',
+					$rule['desc'], $rule['number']
+				)->inContentLanguage()->text();
+
+				$autoblock = new DatabaseBlock();
+				$autoblock->setTarget( $autoBlockTarget );
+				$autoblock->setBlocker( $filterUser );
+				$autoblock->setReason( $abReason );
+				$autoblock->mExpiry = SpecialBlock::parseExpiryInput( $expiry );
+				$autoblock->mAuto = true;
+				$autoblock->isCreateAccountBlocked( true );
+				$autoblock->isUsertalkEditAllowed( !$preventEditOwnUserTalk );
+				$autoblock->mParentBlockId = $success['id'];
+				$autoblock->insert();
+			}
+
 			// Log it only if the block was successful
 			$logParams = [];
 			$logParams['5::duration'] = ( $block->mExpiry === 'infinity' )
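Review bot: The autoblock reason is built from `$rule['desc'], $rule['number']`, while the block reason earlier in the same method uses `$ruleDesc, $ruleNumber`. Unless `$rule` is defined in lines not shown here, the autoblock would be stored with an empty rule description, so this should read `$ruleDesc, $ruleNumber`. The result of `$autoblock->insert()` is also discarded, so a failed IP autoblock leaves only the account-name block in place with no trace; checking it and writing a debug log entry that omits the IP would make that failure visible. `$autoblock->mExpiry` copies the filter's full expiry, which the `'infinity'` check below shows can be indefinite, whereas autoblocks are normally short-lived; consider capping it, since an indefinite block on a possibly shared IP is broad. The method body continues outside the hunk.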
