EBernhardson has uploaded a new change for review.
https://gerrit.wikimedia.org/r/305315
Change subject: Issue 301 redirects for Special:Search/searchterm
......................................................................
Issue 301 redirects for Special:Search/searchterm
Including the search term, which is PII, in the page title allows for
leaking this information through page view dumps. Instead of happily
handling these, issue a 301 redirect to tell clients they should not
be issuing these requests, and should instead use the search query
parameter. Dumps at wikimedia remove 30[123] response codes from the
dump output so this will also stop leaking the PII.
Change-Id: Icce7cc4585e90742a8dd3513e7c9f7276e479cd7
---
M includes/specials/SpecialSearch.php
1 file changed, 19 insertions(+), 8 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/15/305315/1
diff --git a/includes/specials/SpecialSearch.php
b/includes/specials/SpecialSearch.php
index 9690d45..eaf7953 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -100,6 +100,25 @@
* @param string $par
*/
public function execute( $par ) {
+ $request = $this->getRequest();
+
+ // Fetch the search term
+ $search = str_replace( "\n", " ", $request->getText( 'search' )
);
+
+ // Historically search terms have been accepted not only in the
search query
+ // parameter, but also as part of the primary url. This can
have PII implications
+ // in releasing page view data. As such issue a 301 redirect to
the correct
+ // URL.
+ if ( strlen( $par ) && !strlen( $search ) ) {
+ $query = $request->getValues();
+ unset( $query['title'] );
+ // Strip underscores from title parameter; most of the
time we'll want
+ // text form here. But don't strip underscores from
actual text params!
+ $query['search'] = str_replace( '_', ' ', $par );
+ $this->getOutput()->redirect(
$this->getPageTitle()->getFullURL( $query ), 301 );
+ return;
+ }
+
$this->setHeaders();
$this->outputHeader();
$out = $this->getOutput();
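Review bot: The redirect query is built from `$request->getValues()`, which (as far as I recall of WebRequest) merges POST data with the query string, so a form that POSTs to Special:Search/term with no `search` field would have its body fields copied into the redirect Location and re-sent as a GET, which puts them into URL-keyed logs the commit is trying to keep PII out of. Restricting the copy to what was already in the URL keeps the redirect faithful to its purpose: `$query = $request->getQueryValues();` in place of the `getValues()` call (the `unset( $query['title'] )` still applies). It may also be worth stating in the block comment that the 301 only removes the term from page-view dumps, not from the access log of the initial request, so readers do not assume the path form is now harmless. The body of execute() continues past the end of this hunk.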
@@ -110,14 +129,6 @@
] );
$this->addHelpLink( 'Help:Searching' );
- // Strip underscores from title parameter; most of the time
we'll want
- // text form here. But don't strip underscores from actual text
params!
- $titleParam = str_replace( '_', ' ', $par );
-
- $request = $this->getRequest();
-
- // Fetch the search term
- $search = str_replace( "\n", " ", $request->getText( 'search',
$titleParam ) );
$this->load();
if ( !is_null( $request->getVal( 'nsRemember' ) ) ) {
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: Icce7cc4585e90742a8dd3513e7c9f7276e479cd7
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: EBernhardson <[email protected]>