"Special contributions" template leaks PII

[jonoaldersonwp]

E.g., ​https://codex.wordpress.org/Special:Contributions/Jany2786@gmail.com

This template should have a meta robots value of 'noindex, follow'.

[jonoaldersonwp]

Also applies to the "Special: Log" template - see ​https://codex.wordpress.org/index.php?title=Special:Log&type=&user=Sassyloving25@gmail+com&page=Sassyloving25&year=2018&month=11&hide_tag_log=1

[Otto42]

For reference, that isn't the email address, it's the username. Those are old spam accounts that used the same values for email and username.

We no longer allow accounts to have email addresses as their username. Been like that for a few years. Usernames must be lowercase alphanum only.

[tellyworth]

Can (should) we handle URLs with user=\w+@ in a special way? Force a 404 or 410, redact the address from the page, something like that? Just in case there are any ancient non-spam addresses in there.

[jonoaldersonwp]

Hmm, we should probably avoid trying to do anything clever with the URLs on request, but, we can definitely control indexing of these (types of) URLs, and, separately, I've plans to keep them out of Google Analytics etc by doing some housekeeping in Google Tag Manager before tracking scripts fire.

[jonoaldersonwp]

For clarity, this still needs noindex'ing.

[tellyworth]

What's the solution here? Noindex all Special: pages? Just Contributions and Log? Is it specific to those with @ in the URL?

[jonoaldersonwp]

Let's noindex anything starting with ​https://codex.wordpress.org/Special:Contributions/ - I don't see any useful/valuable (landing) pages in that set.

[dd32]

Having just cleaned out a lot of spam from the codex, taking into account #4127 and #4373 I think we could noindex

• ^/User:*
• ^/User_talk:*
• ^/Special:*
• ^/index.php*

User pages do have useful content on some of them, but it's in the minority.

[jonoaldersonwp]

Nice, that'd be great!

[dd32]

Fixed via r10702-codex pending deploy.