jenkins-bot has submitted this change and it was merged.

Change subject: Issue 301 redirects for Special:Search/searchterm
......................................................................


Issue 301 redirects for Special:Search/searchterm

Including the search term, which is PII, in the page title allows for
leaking this information through page view dumps. Instead of happily
handling these issue a 301 redirect to tell clients they should not
be issuing these requests, and should instead use the search query
parameter. Dumps at wikimedia remove 30[123] response codes from the
dump output so this will also stop leaking the PII.

Change-Id: Icce7cc4585e90742a8dd3513e7c9f7276e479cd7
---
M includes/specials/SpecialSearch.php
A tests/phpunit/specials/SpecialSearchTest.php
2 files changed, 42 insertions(+), 9 deletions(-)

Approvals:
  Smalyshev: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/specials/SpecialSearch.php 
b/includes/specials/SpecialSearch.php
index 9690d45..26b86f9 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -100,6 +100,25 @@
         * @param string $par
         */
        public function execute( $par ) {
+               $request = $this->getRequest();
+
+               // Fetch the search term
+               $search = str_replace( "\n", " ", $request->getText( 'search' ) 
);
+
+               // Historically search terms have been accepted not only in the 
search query
+               // parameter, but also as part of the primary url. This can 
have PII implications
+               // in releasing page view data. As such issue a 301 redirect to 
the correct
+               // URL.
+               if ( strlen( $par ) && !strlen( $search ) ) {
+                       $query = $request->getValues();
+                       unset( $query['title'] );
+                       // Strip underscores from title parameter; most of the 
time we'll want
+                       // text form here. But don't strip underscores from 
actual text params!
+                       $query['search'] = str_replace( '_', ' ', $par );
+                       $this->getOutput()->redirect( 
$this->getPageTitle()->getFullURL( $query ), 301 );
+                       return;
+               }
+
                $this->setHeaders();
                $this->outputHeader();
                $out = $this->getOutput();
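Review bot: The redirect condition on line 50 fires only when the `search` parameter is empty, so a request that carries both a subpage term and a `?search=` value still renders with the subpage term in the page title, which is exactly the path the commit message says should stop being served. Consider redirecting whenever `$par` is non-empty and only falling back to the subpage term when no `search` value was supplied: `if ( strlen( $par ) ) {` … `if ( !strlen( $search ) ) { $query['search'] = str_replace( '_', ' ', $par ); }`, since `$query` already carries the caller's `search` from `getValues()`. Note also that `$par` is presumably null when no subpage is given; `strlen( null )` evaluates to 0 here, but `$par !== null && $par !== ''` states the intent explicitly. execute() continues past the end of the hunk.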
@@ -109,15 +128,6 @@
                        'mediawiki.ui.input', 
'mediawiki.widgets.SearchInputWidget.styles',
                ] );
                $this->addHelpLink( 'Help:Searching' );
-
-               // Strip underscores from title parameter; most of the time 
we'll want
-               // text form here. But don't strip underscores from actual text 
params!
-               $titleParam = str_replace( '_', ' ', $par );
-
-               $request = $this->getRequest();
-
-               // Fetch the search term
-               $search = str_replace( "\n", " ", $request->getText( 'search', 
$titleParam ) );
 
                $this->load();
                if ( !is_null( $request->getVal( 'nsRemember' ) ) ) {
diff --git a/tests/phpunit/specials/SpecialSearchTest.php 
b/tests/phpunit/specials/SpecialSearchTest.php
new file mode 100644
index 0000000..20e88f5
--- /dev/null
+++ b/tests/phpunit/specials/SpecialSearchTest.php
@@ -0,0 +1,23 @@
+<?php
+
+class SpecialSearchText extends \PHPUnit_Framework_TestCase {
+       public function testSubPageRedirect() {
+               $ctx = new RequestContext;
+
+               SpecialPageFactory::executePath(
+                       Title::newFromText( 'Special:Search/foo_bar' ),
+                       $ctx
+               );
+               $url = $ctx->getOutput()->getRedirect();
+               // some older versions of hhvm have a bug that doesn't parse 
relative
+               // urls with a port, so help it out a little bit.
+               // https://github.com/facebook/hhvm/issues/7136
+               $url = wfExpandUrl( $url, PROTO_CURRENT );
+
+               $parts = parse_url( $url );
+               $this->assertEquals( '/w/index.php', $parts['path'] );
+               parse_str( $parts['query'], $query );
+               $this->assertEquals( 'Special:Search', $query['title'] );
+               $this->assertEquals( 'foo bar', $query['search'] );
+       }
+}
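Review bot: The class on line 95 is named `SpecialSearchText` while the file is `SpecialSearchTest.php`; the mismatch defeats class-name-based autoloading and reads as a typo, so it should be `class SpecialSearchTest extends \PHPUnit_Framework_TestCase {`. The test also checks only the redirect target, not that the response code is 301, and it does not exercise a request that passes both a subpage and a `search` parameter, which is the branch the new condition in SpecialSearch.php leaves unredirected. The `'/w/index.php'` expectation presumably depends on the test wiki's script path configuration; deriving it from the configured script path, or dropping the path assertion in favour of the query checks, would keep the test from breaking under a different setup.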

-- 
To view, visit https://gerrit.wikimedia.org/r/305315

Gerrit-MessageType: merged
Gerrit-Change-Id: Icce7cc4585e90742a8dd3513e7c9f7276e479cd7
Gerrit-PatchSet: 4
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: EBernhardson <ebernhard...@wikimedia.org>
Gerrit-Reviewer: DCausse <dcau...@wikimedia.org>
Gerrit-Reviewer: EBernhardson <ebernhard...@wikimedia.org>
Gerrit-Reviewer: Florianschmidtwelzow <florian.schmidt.stargatewis...@gmail.com>
Gerrit-Reviewer: Smalyshev <smalys...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
