Extension talk:NamespaceReadRestrict

From mediawiki.org
Latest comment: 8 years ago by Evilninja in topic Performance drop

Security concerns about use of isset

If I recall correctly, the use of isset is an XSS vulnerability.--Jasper Deng (talk) 01:44, 12 September 2012 (UTC)

I did a cursory Google search and checked security for developers. I see nothing along those lines; let me know if you come up with anything. Leucosticte (talk) 02:26, 12 September 2012 (UTC)
See Security for developers#Register globals and Template:Page security extension disclaimer.--Jasper Deng (talk) 02:38, 12 September 2012 (UTC)
OK, I got rid of isset. I don't quite see what you're getting at with the latter link. Is the recently-added TitleReadWhitelist a secure means of accomplishing per-page restriction? If so, what is the issue you are concerned about? Leucosticte (talk) 13:39, 12 September 2012 (UTC)
The use of isset allows XSS via register_globals. I'm not a proficient developer so you'd have to ask another developer exactly why this is a problem. However, your extension looks good now so I'm upgrading it. When it has been tested enough it can be given stable status. Jasper Deng (talk) 17:33, 12 September 2012 (UTC)
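
The register_globals concern discussed in this thread, shown as an added example; it is not code from NamespaceReadRestrict or from any participant. The `$wgExample*` setting names and the request values are hypothetical and constructed, and register_globals is simulated because PHP removed it in 5.4.

```php
<?php
// Added illustration; not code from NamespaceReadRestrict.
// register_globals was removed in PHP 5.4, so its effect is simulated here.
// All $wgExample* names are hypothetical.

/** Simulate register_globals: request parameters become global variables. */
function simulateRegisterGlobals( array $request ) {
	foreach ( $request as $name => $value ) {
		// Skip names that already exist (superglobals, earlier assignments).
		if ( !array_key_exists( $name, $GLOBALS ) ) {
			$GLOBALS[$name] = $value;
		}
	}
}

/** Weak: treats "is set" as "was set by the site admin" and echoes it raw. */
function renderNoticeWeak() {
	global $wgExampleNotice;
	if ( isset( $wgExampleNotice ) ) {
		return "<div class=\"notice\">$wgExampleNotice</div>";
	}
	return '<div class="notice">Restricted namespace</div>';
}

/** Hardened: relies on a default assigned at setup time and escapes output. */
function renderNoticeHardened() {
	global $wgExampleNoticeSafe;
	return '<div class="notice">'
		. htmlspecialchars( $wgExampleNoticeSafe, ENT_QUOTES ) . '</div>';
}

// Constructed request parameters, as ?wgExampleNotice=...&wgExampleNoticeSafe=...
$constructedRequest = array(
	'wgExampleNotice'     => '<b>markup from the query string</b>',
	'wgExampleNoticeSafe' => '<b>markup from the query string</b>',
);
simulateRegisterGlobals( $constructedRequest );

// Hardened setup: unconditional assignment overwrites any request-seeded value.
$wgExampleNoticeSafe = 'Restricted namespace';

echo renderNoticeWeak(), "\n";     // request-controlled markup reaches the page
echo renderNoticeHardened(), "\n"; // the default, HTML-escaped
```

The weak function has no way to tell an administrator's setting from a request parameter; assigning every setting a default before it is read removes that ambiguity, and escaping on output covers any value that still arrives from elsewhere.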

Future development

Per-page read restriction and a couple maintenance scripts, publicizeall.php and privatizeall.php, to determine what the default is (i.e. public or private). Also, publicizecategory.php and privatizecategory.php, to change the settings for everything in a category. Or maybe an API feature to publicize or privatize, and then people can just use bots to do the rest. The beginning of an effort to implement some of this is at User:Leucosticte/ReadRestrict2. (I changed the name to indicate the expanded scope of the extension project.) Leucosticte (talk) 21:53, 13 September 2012 (UTC)

Performance drop

I see a huge drop in performance when I use Extension:NamespaceReadRestrict. When activated, browsing the wiki becomes more and more sluggish, the PHP processes on the server (using php-fpm) are crunching CPU cycles and eventually the page loads, but it's just so much slower. I ran ab against the "Main Page" a few times and while ab is not the best benchmark around, the results were consistent:

$  diff ab.out ab_with-NamespaceReadRestrict.out
[...]
17c17
< Time taken for tests:   234.531 seconds
---
> Time taken for tests:   774.067 seconds
22,27c22,27
< Requests per second:    4.26 [#/sec] (mean)
< Time per request:       2345.306 [ms] (mean)
< Time per request:       234.531 [ms] (mean, across all concurrent requests)
< Transfer rate:          81.64 [Kbytes/sec] received
---
> Requests per second:    1.29 [#/sec] (mean)
> Time per request:       7740.672 [ms] (mean)
> Time per request:       774.067 [ms] (mean, across all concurrent requests)
> Transfer rate:          24.73 [Kbytes/sec] received

The config:

$wgGroupPermissions['*']['read']                = false;
# require_once("extensions/NamespaceReadRestrict/NamespaceReadRestrict.php");
$wgWhitelistRead = array(
        "Main Page",
        "MediaWiki:Common.css",
        "MediaWiki:Common.js"
);
# $wgPrivateNamespaces          = array (NS_PRIVATE, NS_PRIVATE_TALK);
# $wgAllowedReadNamespaces      = array (NS_MAIN, NS_CATEGORY, NS_PROJECT);
# $wgNonincludableNamespaces    = array_merge($wgNonincludableNamespaces, $wgPrivateNamespaces);

Any ideas what may cause this? -- Evilninja (talk) 22:10, 14 May 2015 (UTC)