| Platonides | |
| Jul 29 2009, 7:49 PM |
| F5861: lockdown-implementation2-r53959.patch | |
| Nov 21 2014, 10:42 PM |
mediawiki hooks
Special:Search has longtime been a hole for security extensions wanting to hide page content.
I provide here several new Search hooks to close that, when full namespaces are to be hidden, along the code for lockdown to make use of them.
Version: 1.16.x
Severity: enhancement
Attached:
I'm a bit leery of adding another hook point that would need to be handled and maintained... would it be better to stick with checking page permissions here, so only one point needs to be handled in the lockdown?
SearchGetNearMatchComplete could be handled directly by Special:Search (and SearchGetNearMatchBefore was added for completeness), but it's probably also interesting for extensions wishing to expand the Go options.
OTOH SearchEngineReplacePrefixesComplete and SearchableNamespaces are needed.
SpecialSearch already handles the case of going to show a page which you shouldn't see, by removing the sumamry and leaking just the title (if it removed the entry it would break pagination). Those two hooks adjust the namespaces where search is performed to include just those you are allowed to read.