Your explanations make sense, thank you! I agree with Martin here that
we should not completely remove the allowlist as long as the feature is
available to "normal" users (as in non-sysops).
Based on that I'm inclined to go ahead and write a patch that lets
sysops manage the allowlist via a system message and filed
https://phabricator.wikimedia.org/T300407 to track it. I don't think
there is an issue with trusting Commons sysops to manage the list.
-- Taavi
PS. Looking at this brought me some memories! Writing tests for
UploadFromUrl::isAllowedHost was my very first contribution to the core,
back in January 2020 during GCI 2019. :-)
On 1/28/22 17:28, Martin Urbanec wrote:
Like James, I'd be fine with having the allowlist
on wiki.
I don't think it's a good idea to /remove/ the allowlist though. If you
remove it, the upload-by-url feature might become a vector for an
amplification DoS attack. As of today, upload_by_url can be used by any
and all Commons users. With no allowlist, it'd be much easier to
instruct our servers to request an excessive amount of data from a
target server of your choice. This will (likely? didn't check) be
restricted by our own rate limits on uploading, but the upload rate
limits are virtually nonexistent for autopatrollers and above (which is
a role reasonably easy to get; much easier than +sysop, for example).
I'm not sure if this kind of abuse is likely to happen.
However, I recall it given as an explanation when I wondered why the
allowlist exists a few years ago. What do you think, Taavi?
Martin Urbanec
On Fri, 28 Jan 2022 at 16:12, James Forrester
<jforrester(a)wikimedia.org> wrote:
On Fri, 28 Jan 2022 at 06:42, Taavi Väänänen <hi(a)taavi.wtf> wrote:
Hi sitereq-l,
I'm looking for context regarding our upload-by-url allowlist in the
hopes of reducing workload for the site request process. Does anyone know
* Why do we even have an allowlist for upload-by-url? I presume this is
to make it harder to upload a large amount of non-free files, but I'm
curious if there are any other reasons that I'm not aware of.
* If there aren't other reasons for having the allowlist, are there any
reasons other than "someone needs to work on it" that would not let us
move the allowlist to a system message that Commons administrators
can edit?
Yeah, I filed T140040 <https://phabricator.wikimedia.org/T140040> a
few years ago to scrap the allowlist and just trust +sysop users
(and let the community de-sysop them if they misuse or abuse it).
Any change of this kind would need to be discussed in advance with
the Commons community of course.
Switching the allowlist to an on-wiki page seems fine from my POV,
though it might be worth exploring just setting it to * first before
doing the extra work of migrating it?
J.
--
*James D. Forrester* (he/him <http://pronoun.is/he> or they/themself
<http://pronoun.is/they/.../themself>)
Wikimedia Foundation <https://wikimediafoundation.org/>
_______________________________________________
Sitereq-l mailing list -- sitereq-l(a)lists.wikimedia.org
List information:
https://lists.wikimedia.org/postorius/lists/sitereq-l.lists.wikimedia.org/
--
Taavi Väänänen
https://taavi.wtf
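
An added illustration of the on-wiki allowlist idea discussed in this thread; it is not part of any message above and is not MediaWiki's code. The message format (one host pattern per line, `#` comments, a leading `*.` for subdomains), the function names and the sample hosts are all assumptions made for this example.

```php
<?php
// Added example (requires PHP 8 for str_starts_with / str_ends_with).
// Hypothetical format: one host pattern per line, '#' starts a comment,
// '*.example.org' covers subdomains of example.org but not example.org itself.

function parseAllowlist(string $messageText): array {
    $patterns = [];
    foreach (preg_split('/\R/', $messageText) as $line) {
        $line = strtolower(trim(preg_replace('/#.*$/', '', $line)));
        // Keep only "host" or "*.host". Anything else is skipped, including a
        // bare "*", so a single edit cannot open fetching to every host
        // (a design choice of this example).
        if (preg_match('/^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$/', $line)) {
            $patterns[] = $line;
        }
    }
    return $patterns;
}

function isHostAllowed(string $url, array $patterns): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Compare the parsed host only, never the raw URL string.
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($patterns as $p) {
        if (str_starts_with($p, '*.')) {
            // Keep the leading dot so "notexample.org" cannot match.
            if (str_ends_with($host, substr($p, 1))) {
                return true;
            }
        } elseif ($host === $p) {
            return true;
        }
    }
    return false;
}

// Constructed sample message text and URLs (reserved example domains).
$list = parseAllowlist("# media partners\nimages.example.org\n*.archive.example\n*\n");
foreach (['https://images.example.org/a.jpg', 'https://cdn.archive.example/b.png',
          'https://images.example.org.other.test/a.jpg',
          'https://images.example.org@other.test/a.jpg', 'ftp://images.example.org/a.jpg'] as $u) {
    echo $u, ' => ', var_export(isHostAllowed($u, $list), true), "\n";
}
```

The same check has to run again on every redirect target, since an allowlisted host can answer with a redirect to a host that is not on the list.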