Extension:ProtocolAccess

ProtocolAccess is an extension for MediaWiki that adds a very simplistic regexp-based access control for links of specific protocols.

Installation

 * 1) Download ProtocolAccess.php and ProtocolAccess.i18n.php, and save them in extensions/ProtocolAccess directory on your wiki.
 * 2) Insert this line in the LocalSettings.php file:
 * 3) Add an entry for each protocoll to be handled, with a list of each action to take:
 * 4) Create rules in the message-namespace

Usage
By adding rules for each protocol it is possible to do a very simplistic regexp-based access control. This makes it possible to limit access to such protocols as the file protocol.

Typical use include allowing the protocol as such, then adding the protocol specific rules. Those rules will be one or more explicit access rules and one implicit. If the first explicit access rule is whitelist, then it will be an implicit rule to block all accesses that isn't whitelisted. Imagine this as punching holes in a wall. In addition URLs can be blacklisted in a second step, covering up parts of the previous holes in the wall.

If access rules should be defined for a file protocol, that is the following is set in    then messages must be defined for MediaWiki&#58;Protocol-access-file-whitelist and MediaWiki&#58;Protocol-access-file-blaclist. These pages could be defined as shown in the following

This is examples, and because there are no active rues that will whitelist anything every file-link will fail. Explicitly allow each server and share
 * MediaWiki&#58;Protocol-access-file-whitelist
 * 1) [\\/]{2,}server1[\\/]share1[\\/]
 * 2) [\\/]{2,}server1[\\/]share2[\\/]
 * 3) [\\/]{2,}server2[\\/]share1[\\/]
 * 4) [\\/]{2,}server2[\\/]share2[\\/]

This will block the most obvious errors, like links to personal computer and links with credentials. Block local file paths. [\\/]\w: ^\w:
 * MediaWiki&#58;Protocol-access-file-blaclist

Block hidden files, usually only on mounted file systems [\\/:]\.[^\\/.]+ ^\.[^\\/.]+

Block relative file paths [\\/:]\.\.[\\/] [\\/:]\.\.$ ^\.\.[\\/] ^\.\.$

Block external URLs, we only allow intranets [\\/]{2,}[^\\/.]+\.[^\\/.]+\.[^\\/.]+[\\/:]

Block attempts on automatic log in [\\/]{2,}[^\\/.:@]+:[^\\/.:@]+@[^\\/.]+

Don't allow IP-addresses, its a common attack vector [\\/]{2,}(\d+\.){3}\d+

Don't allow comments, line terminators, wildcards, parenthesis (|#|/\*|\*/|\?|\(|\)|\{|\}|\[|\])

Lines must be indented to be used as rules, in addition rules can be commented out by prepending them with a hash mark.

Security
Note that this extension is for use on intranets and only block some foolish links. It does not give sufficient secutity and should not be used without due consiederation of the risks. Note also that various systems and browsers has their own access rules, and the extension does not override those rules.

In particular, you should turn off simple file sharing on all PCs connected to the net that is not used as servers, and remove or disable all anonymous users or null users.

Todo

 * The extension isn't tested together with Memcached
 * Default rules on most common protocols

Feedback
Use the discussion page for feedback, questions, feature requests and bug reports.