Opened 3 weeks ago
Last modified 3 weeks ago
#4126 new defect
"Special contributions" template leaks PII
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | high | |
| Component: | Codex | Keywords: | seo analytics privacy |
| Cc: |
Description
E.g., https://codex.wordpress.org/Special:Contributions/Jany2786@gmail.com
This template should have a meta robots value of 'noindex, follow'.
Change History (5)
#2
@
3 weeks ago
For reference, that isn't the email address, it's the username. Those are old spam accounts that used the same values for email and username.
We no longer allow accounts to have email addresses as their username. Been like that for a few years. Usernames must be lowercase alphanum only.
This ticket was mentioned in Slack in #meta by tellyworth. View the logs.
3 weeks ago
#4
@
3 weeks ago
Can (should) we handle URLs with user=\w+@ in a special way? Force a 404 or 410, redact the address from the page, something like that? Just in case there are any ancient non-spam addresses in there.
#5
@
3 weeks ago
Hmm, we should probably avoid trying to do anything clever with the URLs on request, but, we can definitely control indexing of these (types of) URLs, and, separately, I've plans to keep them out of Google Analytics etc by doing some housekeeping in Google Tag Manager before tracking scripts fire.
Also applies to the "Special: Log" template - see https://codex.wordpress.org/index.php?title=Special:Log&type=&user=Sassyloving25@gmail+com&page=Sassyloving25&year=2018&month=11&hide_tag_log=1