Extension talk:NamespaceReadRestrict

Latest comment: 9 years ago by Evilninja in topic Performance drop

Security concerns about use of isset

edit

If I recall correctly, the use of isset is an XSS vulnerability.--Jasper Deng (talk) 01:44, 12 September 2012 (UTC)Reply

I did a cursory google search and checked security for developers. I see nothing along those lines; let me know if you come up with anything. Leucosticte (talk) 02:26, 12 September 2012 (UTC)Reply
See Security for developers#Register globals and Template:Page security extension disclaimer.--Jasper Deng (talk) 02:38, 12 September 2012 (UTC)Reply
OK, I got rid of isset. I don't quite see what you're getting at with the latter link. Is the recently-added TitleReadWhitelist a secure means of accomplishing per-page restriction? If so, what is the issue you are concerned about? Leucosticte (talk) 13:39, 12 September 2012 (UTC)Reply
The use of isset allows XSS via register_globals. I'm not a proficient developer so you'd have to ask another developer exactly why this is a problem. However, your extension looks good now so I'm upgrading it. When it has been tested enough it can be given stable status.Jasper Deng (talk) 17:33, 12 September 2012 (UTC)Reply

Future development

edit

Per-page read restriction and a couple maintenance scripts, publicizeall.php and privatizeall.php, to determine what the default is (i.e. public or private). Also, publicizecategory.php and privatizecategory.php, to change the settings for everything in a category. Or maybe an API feature to publicize or privatize, and then people can just use bots to do the rest. The beginning of an effort to implement some of this is at User:Leucosticte/ReadRestrict2. (I changed the name to indicate the expanded scope of the extension project.) Leucosticte (talk) 21:53, 13 September 2012 (UTC)Reply

Performance drop

edit

I see a huge drop in performance when I use Extension:NamespaceReadRestrict. When activated, browsing the wiki becomes more and more sluggish, the PHP processes on the server (using php-fpm) are crunching CPU cycles and eventually the page loads, but it's just so much slower. I ran ab against the "Main Page" a few times and while ab is not the best benchmark around, the results were consistent:

$  diff ab.out ab_with-NamespaceReadRestrict.out
[...]
17c17
< Time taken for tests:   234.531 seconds
---
> Time taken for tests:   774.067 seconds
22,27c22,27
< Requests per second:    4.26 [#/sec] (mean)
< Time per request:       2345.306 [ms] (mean)
< Time per request:       234.531 [ms] (mean, across all concurrent requests)
< Transfer rate:          81.64 [Kbytes/sec] received
---
> Requests per second:    1.29 [#/sec] (mean)
> Time per request:       7740.672 [ms] (mean)
> Time per request:       774.067 [ms] (mean, across all concurrent requests)
> Transfer rate:          24.73 [Kbytes/sec] received

The config:

$wgGroupPermissions['*']['read']                = false;
# require_once("extensions/NamespaceReadRestrict/NamespaceReadRestrict.php");
$wgWhitelistRead = array(
        "Main Page",
        "MediaWiki:Common.css",
        "MediaWiki:Common.js"
);
# $wgPrivateNamespaces          = array (NS_PRIVATE, NS_PRIVATE_TALK);
# $wgAllowedReadNamespaces      = array (NS_MAIN, NS_CATEGORY, NS_PROJECT);
# $wgNonincludableNamespaces    = array_merge($wgNonincludableNamespaces, $wgPrivateNamespaces);

Any ideas what may cause this? -- Evilninja (talk) 22:10, 14 May 2015 (UTC)Reply

Return to "NamespaceReadRestrict" page.