Extension talk:NamespaceReadRestrict
From MediaWiki.org
Security concerns about use of isset
If I recall correctly, the use of isset is an XSS vulnerability.--Jasper Deng (talk) 01:44, 12 September 2012 (UTC)
- I did a cursory Google search and checked security for developers. I see nothing along those lines; let me know if you come up with anything. Leucosticte (talk) 02:26, 12 September 2012 (UTC)
- See Security for developers#Register globals and Template:Page security extension disclaimer.--Jasper Deng (talk) 02:38, 12 September 2012 (UTC)
- OK, I got rid of isset. I don't quite see what you're getting at with the latter link. Is the recently-added TitleReadWhitelist a secure means of accomplishing per-page restriction? If so, what is the issue you are concerned about? Leucosticte (talk) 13:39, 12 September 2012 (UTC)
- The use of isset allows XSS via register_globals. I'm not a proficient developer so you'd have to ask another developer exactly why this is a problem. However, your extension looks good now so I'm upgrading it. When it has been tested enough it can be given stable status. Jasper Deng (talk) 17:33, 12 September 2012 (UTC)
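The register_globals problem referred to in the thread above, shown as an added example. This is not code from Extension:NamespaceReadRestrict; the configuration variable name $wgNamespaceReadRestrictNamespaces and the request are constructed placeholders. With register_globals enabled (a PHP option removed in 5.4), every request parameter became a global variable before any wiki code ran, so an extension that only assigns a default when isset() is false can be handed attacker-chosen "configuration" through the query string. The hardened form assigns the default unconditionally and lets LocalSettings.php override it after the require_once line, which is the order MediaWiki expects anyway.

```php
<?php
// Added example, not the extension's own code. $wgNamespaceReadRestrictNamespaces
// is a hypothetical configuration variable used only for illustration.

// register_globals copied request parameters into global variables before the
// script ran. Simulated here so the effect is visible on a modern PHP.
function simulateRegisterGlobals( array $request ) {
    foreach ( $request as $name => $value ) {
        $GLOBALS[$name] = $value;
    }
}

// Constructed malicious request: ?wgNamespaceReadRestrictNamespaces[]=0
// The attacker supplies a list containing only the main namespace instead of
// whatever private namespaces the administrator configured.
$attackerRequest = array( 'wgNamespaceReadRestrictNamespaces' => array( 0 ) );

// Vulnerable pattern: a guarded default in the extension setup file.
// If register_globals already created the variable from the request, isset()
// is true and the attacker's value is accepted as configuration.
function vulnerableSetup() {
    global $wgNamespaceReadRestrictNamespaces;
    if ( !isset( $wgNamespaceReadRestrictNamespaces ) ) {
        $wgNamespaceReadRestrictNamespaces = array();
    }
    return $wgNamespaceReadRestrictNamespaces;
}

// Hardened pattern: assign the default unconditionally. Anything injected by
// the request is overwritten; LocalSettings.php sets the real value after
// require_once'ing the extension, so the admin's override still wins.
function hardenedSetup() {
    global $wgNamespaceReadRestrictNamespaces;
    $wgNamespaceReadRestrictNamespaces = array();
    return $wgNamespaceReadRestrictNamespaces;
}

simulateRegisterGlobals( $attackerRequest );
echo "vulnerable guard sees: ";
var_dump( vulnerableSetup() );   // the injected list is kept

unset( $wgNamespaceReadRestrictNamespaces );
simulateRegisterGlobals( $attackerRequest );
echo "unconditional default sees: ";
var_dump( hardenedSetup() );     // the injected list is discarded
```

The same reasoning applies to any `if ( !isset( $wgFoo ) )` guard around a security-relevant setting, not just read restrictions: the check only tells you that some code path already set the variable, not that it was a trusted one.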
Future development
Per-page read restriction and a couple of maintenance scripts, publicizeall.php and privatizeall.php, to determine what the default is (i.e. public or private). Also, publicizecategory.php and privatizecategory.php, to change the settings for everything in a category. Or maybe an API feature to publicize or privatize, and then people can just use bots to do the rest. The beginning of an effort to implement some of this is at User:Leucosticte/ReadRestrict2. (I changed the name to indicate the expanded scope of the extension project.) Leucosticte (talk) 21:53, 13 September 2012 (UTC)