From c3643b485526998df51469c67fdefed6cc0508e8 Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy <daimona.wiki@gmail.com>
Date: Mon, 8 Feb 2021 18:14:11 +0100
Subject: [PATCH] SECURITY: Don't leak IPs when blocking anon account creations

The block log entry will be automatically suppressed, until we can
implement a better solution.

Bug: T152394
Change-Id: I8bae477ad7e4d0190335363ac2decf28e4313da1
---
 .../Consequence/BlockingConsequence.php             | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/includes/Consequences/Consequence/BlockingConsequence.php b/includes/Consequences/Consequence/BlockingConsequence.php
index 0bb88c9d..dd7bb114 100644
--- a/includes/Consequences/Consequence/BlockingConsequence.php
+++ b/includes/Consequences/Consequence/BlockingConsequence.php
@@ -2,12 +2,14 @@
 
 namespace MediaWiki\Extension\AbuseFilter\Consequences\Consequence;
 
+use LogPage;
 use MediaWiki\Block\BlockUserFactory;
 use MediaWiki\Extension\AbuseFilter\Consequences\Parameters;
 use MediaWiki\Extension\AbuseFilter\FilterUser;
 use MessageLocalizer;
 use Status;
 use User;
+use Wikimedia\IPUtils;
 
 /**
  * Base class for consequences that block a user
@@ -70,7 +72,7 @@ abstract class BlockingConsequence extends Consequence implements HookAborterCon
 			$ruleNumber
 		)->inContentLanguage()->text();
 
-		return $this->blockUserFactory->newBlockUser(
+		$blockUser = $this->blockUserFactory->newBlockUser(
 			$target,
 			// TODO: Avoid User here (T266409)
 			User::newFromIdentity( $this->filterUser->getUser() ),
@@ -82,6 +84,13 @@ abstract class BlockingConsequence extends Consequence implements HookAborterCon
 				'isCreateAccountBlocked' => true,
 				'isUserTalkEditBlocked' => $preventEditOwnUserTalk
 			]
-		)->placeBlockUnsafe();
+		);
+		if (
+			strpos( $this->parameters->getAction(), 'createaccount' ) !== false &&
+			IPUtils::isIPAddress( $target )
+		) {
+			$blockUser->setLogDeletionFlags( LogPage::SUPPRESSED_ACTION );
+		}
+		return $blockUser->placeBlockUnsafe();
 	}
 }
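Review bot: The new `if` ahead of `placeBlockUnsafe()` has no comment saying why the log entry is suppressed or why the action is matched by substring, so a later cleanup could narrow the condition and bring the leak back. I would add `// Suppress the log entry so the IP behind an anonymous account-creation attempt is not published (T152394)` above it, and state that the `strpos` match is deliberate if it is meant to cover every action whose name contains 'createaccount' (presumably autocreateaccount as well). `LogPage::SUPPRESSED_ACTION` hides only the entry's action and target, not its comment or performer, and the hunk does not show whether the block stays visible elsewhere, for example in the public block list, so that is worth confirming. The method starts outside this hunk, so the type of `$target` passed to `IPUtils::isIPAddress()` cannot be checked from here.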
