Page MenuHomePhabricator
Create Task
Maniphest T342134

Limit the ability for other users after the fact storing client hints data using the REST API
Closed, ResolvedPublic
Actions

Description

When an anon user edits and either uses a browser that does not support client hints or blocks the REST API URL manually, the client hints data is never stored. This means that any other user connecting through this IP address could store arbitrary client hints data for this action, by sending a request to the API.

While this is unlikely to happen, it should be guarded against where possible. This should be done by limiting the time that a user who is allowed to make the API request can have to submit the data. In all cases where the submission is caused by an edit, this will be made moments after. However, in the case of manual experimentation, this could be done hours later.

The cut-off should account for users on slow internet connections and therefore should be set to give enough time to make the request.

Thanks to @dom_walden for spotting this.

Acceptance critera
  • Limit the time period that another user could submit client hints data if the user making the edit blocks the client hints API url.

Details

SubjectRepoBranchLines +/-
Prevent saving Client Hints using REST API when action is too oldmediawiki/extensions/CheckUsermaster+84 -7
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.Jul 18 2023, 3:38 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 18 2023, 3:38 PM
Dreamy_Jazz updated the task description. (Show Details)Jul 18 2023, 3:53 PM
Dreamy_Jazz added a subscriber: dom_walden.
Dreamy_Jazz moved this task from Untriaged to CheckUser on the Anti-Harassment board.Jul 22 2023, 5:46 PM
Dreamy_Jazz edited projects, added http-client-hints, CheckUser, Anti-Harassment (AHaT Sprint 32 - Baseball Cap); removed Anti-Harassment.Jul 26 2023, 11:35 AM
Dreamy_Jazz moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.
Dreamy_Jazz updated the task description. (Show Details)Jul 26 2023, 12:04 PM
Dreamy_Jazz mentioned this in T258105: Implement storage for User-Agent Client Hints header data.Jul 26 2023, 1:08 PM
gerritbot added a comment.Jul 26 2023, 1:56 PM

Change 941936 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Prevent saving Client Hints using REST API when action is too old

https://gerrit.wikimedia.org/r/941936

gerritbot added a project: Patch-For-Review.Jul 26 2023, 1:56 PM
Dreamy_Jazz moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.Jul 26 2023, 2:11 PM
Tchanders moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.Jul 27 2023, 3:10 PM
gerritbot added a comment.Jul 27 2023, 3:26 PM

Change 941936 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Prevent saving Client Hints using REST API when action is too old

https://gerrit.wikimedia.org/r/941936

Maintenance_bot removed a project: Patch-For-Review.Jul 27 2023, 3:31 PM
ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.20; 2023-08-01).Jul 27 2023, 4:00 PM
GMikesell-WMF subscribed.Jul 27 2023, 7:30 PM

@Dreamy_Jazz During this time period, it is able to collect client hint data. After the time period is over, it's saying the revision is too old to record client hint data. Is that what it's supposed to look like when the time period is over?

Before PatchAfter Patch
T342134_CheckUser_ClientHintTimePeriod_BP.png (182×2 px, 52 KB)
T342134_CheckUser_ClientHintTimePeriod_AP.png (233×2 px, 95 KB)
GMikesell-WMF added a comment.Jul 27 2023, 10:11 PM

@Dreamy_Jazz Thanks for validating and I will move this to Done. Thanks again for your work!

GMikesell-WMF moved this task from QA/Testing 🐞 to Done Q1 2023-2024 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.Jul 27 2023, 10:12 PM
Dreamy_Jazz updated the task description. (Show Details)Aug 7 2023, 11:49 AM
Dreamy_Jazz mentioned this in T342790: Allow storage of client hints for deleted revisions and revisions with revision deleted performer.
Tchanders closed this task as Resolved.Aug 14 2023, 10:22 AM
kostajh added a comment.Aug 22 2023, 7:00 AM

Noting that there are three instances of "The revision {id} is too old to allow recording client hints data" in Logstash, on three different wikis. We can keep an eye on this when we start collecting data on group2 wikis.

Dreamy_Jazz added a comment.Aug 22 2023, 7:43 AM
In T342134#9108381, @kostajh wrote:

Noting that there are three instances of "The revision {id} is too old to allow recording client hints data" in Logstash, on three different wikis. We can keep an eye on this when we start collecting data on group2 wikis.

Thanks for noting this.

dom_walden mentioned this in T345165: Move the time limit check before the permissions check.Aug 29 2023, 2:07 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits