Extension:ProtocolAccess

From MediaWiki.org
MediaWiki extensions manual
ProtocolAccess
Release status: unmaintained
Implementation: Special page
Description: Access control for links of specific protocols
Author(s): John Erling Blad
Latest version: 0.1 (2009-11-23)
License: GPL
Download: ProtocolAccess.php, ProtocolAccess.i18n.php

ProtocolAccess is an extension for MediaWiki that adds very simple, regular-expression-based access control for links of specific protocols (for example file:// links).

Installation

  1. Download ProtocolAccess.php and ProtocolAccess.i18n.php and save them in the extensions/ProtocolAccess directory of your wiki.
  2. Insert this line in LocalSettings.php:
    include_once('extensions/ProtocolAccess/ProtocolAccess.php');
    
  3. Add an entry for each protocol to be handled, listing the steps to apply in the order they should run:
    $wgProtocolAccess['file://'] = array('whitelist', 'blacklist');
    
  4. Create the rule pages in the MediaWiki namespace (see Usage below).

Usage

By adding rules for each protocol it is possible to apply very simple regexp-based access control, for example to limit which file:// links may be used.

Typical use is to enable the protocol as such and then add the protocol-specific rules. Those rules consist of one or more explicit steps plus one implicit rule. If the first explicit step is whitelist, the implicit rule is to block every link that is not matched by a whitelist pattern. Think of this as punching holes in a wall. In a second step, links can be blacklisted, covering up parts of the holes punched in the first step: a link must match some whitelist pattern and must match no blacklist pattern to be allowed.

If access rules are to be defined for the file protocol, that is, if the following is set in LocalSettings.php

$wgProtocolAccess['file://'] = array('whitelist', 'blacklist');

then the messages MediaWiki:Protocol-access-file-whitelist and MediaWiki:Protocol-access-file-blacklist must be defined. These pages could be written as shown in the following.

MediaWiki:Protocol-access-file-whitelist

This is an example. Because every rule below is commented out, nothing is whitelisted and every file link will be denied; uncomment the servers and shares that should be reachable.

Explicitly allow each server and share

#[\\/]{2,}server1[\\/]share1[\\/]
#[\\/]{2,}server1[\\/]share2[\\/]
#[\\/]{2,}server2[\\/]share1[\\/]
#[\\/]{2,}server2[\\/]share2[\\/]
MediaWiki:Protocol-access-file-blacklist

This blocks the most obvious mistakes, such as links to personal computers and links that embed credentials. Note that these rules only apply to links that have already passed the whitelist.

Block local file paths.

[\\/]\w:
^\w:

Block hidden files, usually only on mounted file systems

[\\/:]\.[^\\/.]+
^\.[^\\/.]+

Block relative file paths

[\\/:]\.\.[\\/]
[\\/:]\.\.$
^\.\.[\\/]
^\.\.$

Block external URLs, we only allow intranets

[\\/]{2,}[^\\/.]+\.[^\\/.]+\.[^\\/.]+[\\/:]

Block attempts on automatic log in

[\\/]{2,}[^\\/.:@]+:[^\\/.:@]+@[^\\/.]+

Don't allow IP addresses; they are a common attack vector

[\\/]{2,}(\d+\.){3}\d+

Don't allow comments, line terminators, wildcards, parentheses or brackets

(;|#|/\*|\*/|\?|\(|\)|\{|\}|\[|\])

Only indented lines are used as rules; unindented lines are treated as commentary. A rule can be commented out by prepending a hash mark (#) to it.
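The whitelist-then-blacklist evaluation described above, as an added example in Python. It is not the extension's own code (which is PHP) and only models how the two rule pages combine. Assumptions not stated on this page: the patterns are matched against the link with its scheme prefix (file:) removed, so that the ^ rules see the //host/share/... part; only indented lines count as rules and a hash mark after the indent comments one out; and links of a protocol without a $wgProtocolAccess entry are left alone. The two rule pages below are constructed copies of the message pages shown above, with the first whitelist rule uncommented so that one share is reachable.

```python
import re

# Constructed stand-ins for MediaWiki:Protocol-access-file-whitelist and
# MediaWiki:Protocol-access-file-blacklist, copied from the examples above.
# The first whitelist rule is uncommented so that one share is reachable.
WHITELIST_PAGE = r"""
Explicitly allow each server and share (only the first rule is active)
    [\\/]{2,}server1[\\/]share1[\\/]
    #[\\/]{2,}server1[\\/]share2[\\/]
    #[\\/]{2,}server2[\\/]share1[\\/]
    #[\\/]{2,}server2[\\/]share2[\\/]
"""

BLACKLIST_PAGE = r"""
Block local file paths.
    [\\/]\w:
    ^\w:
Block hidden files, usually only on mounted file systems
    [\\/:]\.[^\\/.]+
    ^\.[^\\/.]+
Block relative file paths
    [\\/:]\.\.[\\/]
    [\\/:]\.\.$
    ^\.\.[\\/]
    ^\.\.$
Block external URLs, we only allow intranets
    [\\/]{2,}[^\\/.]+\.[^\\/.]+\.[^\\/.]+[\\/:]
Block attempts on automatic log in
    [\\/]{2,}[^\\/.:@]+:[^\\/.:@]+@[^\\/.]+
Don't allow IP addresses
    [\\/]{2,}(\d+\.){3}\d+
Don't allow comments, line terminators, wildcards, parentheses
    (;|#|/\*|\*/|\?|\(|\)|\{|\}|\[|\])
"""

# Mirrors the LocalSettings.php entry on this page; the list order is the
# order in which the steps are applied.
PROTOCOL_ACCESS = {"file://": ["whitelist", "blacklist"]}

# (protocol, step) -> rule page text; in MediaWiki these would be looked up
# as MediaWiki:Protocol-access-<protocol>-<step>.
RULE_PAGES = {
    ("file://", "whitelist"): WHITELIST_PAGE,
    ("file://", "blacklist"): BLACKLIST_PAGE,
}


def parse_rules(page_text):
    """Compile the active rules of a message page.

    Only indented lines are rules; unindented lines are commentary.  A hash
    mark after the indentation comments a rule out (assumed here to be how
    the extension treats it)."""
    rules = []
    for line in page_text.splitlines():
        if not line[:1].isspace():
            continue                      # commentary, not a rule
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue                      # blank or commented-out rule
        rules.append(re.compile(rule))
    return rules


def check_link(url, protocol_access=PROTOCOL_ACCESS, rule_pages=RULE_PAGES):
    """Return (allowed, reason) for one link.

    A whitelist step allows only links matching at least one of its rules
    (the implicit 'deny everything else').  A later blacklist step denies any
    link matching one of its rules, narrowing the holes punched by the
    whitelist.  Protocols without an entry are left alone (an assumption of
    this model, not something the page states)."""
    for prefix, steps in protocol_access.items():
        if not url.startswith(prefix):
            continue
        # Assumption: rules see the link without its scheme, e.g.
        # 'file://server1/share1/x' is matched as '//server1/share1/x'.
        subject = url[len(prefix.rstrip("/")):]
        for step in steps:
            rules = parse_rules(rule_pages[(prefix, step)])
            hit = next((r for r in rules if r.search(subject)), None)
            if step == "whitelist" and hit is None:
                return False, "whitelist: no active rule matched"
            if step == "blacklist" and hit is not None:
                return False, "blacklist: " + hit.pattern
        return True, "allowed"
    return True, "protocol not configured"


if __name__ == "__main__":
    for link in [
        "file://server1/share1/doc.txt",            # whitelisted, clean
        "file://server1/share2/doc.txt",            # share2 rule is commented out
        "file://server1/share1/../share2/doc.txt",  # traversal out of the share
        "file://server1/share1/.htpasswd",          # hidden file
        "file://user:pw@server1/share1/doc.txt",    # credentials in the link
    ]:
        print(link, "->", check_link(link))
```

check_link reports which step, and for the blacklist which pattern, produced a refusal, which helps when a link you expected to work is denied. Note that the credentialed link is refused by the whitelist step (no //server1/share1/ after the user:pw@ part), so the blacklist rule written for that case is never reached; the steps run strictly in the configured order.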

Security

Note that this extension is intended for intranets and only blocks some foolish links. It does not provide sufficient security on its own and should not be used without due consideration of the risks: a blacklist of patterns only catches the forms of a link its author anticipated. Note also that operating systems and browsers apply their own access rules to such links, and the extension does not override those rules.

In particular, you should turn off simple file sharing on all PCs connected to the network that are not used as servers, and remove or disable all anonymous or null users.

Todo

  • The extension has not been tested together with Memcached
  • Default rules for the most common protocols
  • Register the message pages so that pages using the links are refreshed after the rules are updated

Feedback

Use the discussion page for feedback, questions, feature requests and bug reports.