Jump to content

Topic on Project:Support desk

Restricted Access to all ftp links

10
Volodymyr~mediawikiwiki (talkcontribs)

MediaWiki 1.22.4, MySQL 5.5.35, PHP 5

MediaWiki application – documents database.

Wiki pages may include links for downloading documents (doc, pdf, xls) from external ftp server.

These links should only be accessible for administrators, so simple users cannot access these links.

How to make that?

Users/passwords at our ftp server are made same as at our wiki engine to access ftp server automatically without the need to login manually.

What we already did:

 Example of links [ftp://user:password@IP address:port/folder/file.pdf DOCUMENT NAME]

‘user:password@IP address:port’ should not be at source code at all!

Please, help, who has any ideas, appropriate extensions or advise who knows …

Thanks

This post was posted by Volodymyr~mediawikiwiki, but signed as Volodymyr.

88.130.74.194 (talkcontribs)

Hi!

I could imagine the following:

Maybe you could use JavaScript (jQuery?) to modify FTP/SFTP links the way you like. However, that means you would have to have the user's password available in JavaScript in cleartext. My gut feeling is that this is no good idea.

Another possibility: Use a hook, which allows you to modify links while MediaWiki creates them. Manual:Hooks/LinkerMakeExternalLink might be a choice. In this hook, check $url to see, if it's a FTP/SFTP link and if so, use $wgUser to change $url so that it contains the current user's username/password the way you showed above.

However, note that this will have the drawback that you MUST deactivate caching - otherwise MediaWiki will serve users pages with the links, which have been created for other users. Not only that they would then be allowed to access the files although they should not, even worth: They will also be able to see the other users' passwords.

Volodymyr~mediawikiwiki (talkcontribs)

Please, can you give more direct advises for editing Linker.php and codes for using hooks in wikitext?

You can try at my installed wiki http://testpool.orgfree.com (all passwords at main page)

I guaranty free sightseeing around Kiev and Maidan and stand treat in local pub)))

This post was posted by Volodymyr~mediawikiwiki, but signed as Volodymyr.

88.130.123.198 (talkcontribs)

Hi!

There is no need to edit Linker.php; just put something like this in your LocalSettings.php file:

$wgHooks['LinkerMakeExternalLink'][] = 'modifyFTPLinks';

function modifyFTPLinks( &$url, &$text, &$link, &$attribs ) {
  global $wgUser;

  if(substr( $url, 0, 6 ) === "ftp://") {
    $username = $wgUser->whoIs();
    // Not sure if that works...
    $password = $wgUser->mPassword;

    $urlWithoutProtocol = substr($url, 6);
    $url = "ftp://" . $username . ":" . $password . "@" . $urlWithoutProtocol;
  }

 return TRUE;
}

The code is untested, but I think you see what I mean.

Fereal (talkcontribs)
$wgHooks['LinkerMakeExternalLink'][] = 'modifyFTPLinks';
 
function modifyFTPLinks( &$url, &$text, &$link, &$attribs ) {
  global $wgUser; 
  if(substr( $url, 0, 6 ) === "ftp://") {
    $username    = $wgUser->mName;
    $password    = $wgUser->mPassword;
    $ipAddress   = "Insert address here";
    $port        = "Insert port here";
	
    $urlWithoutProtocol = substr($url, 6);
    $url = "ftp://$username:$password@$ipAddress:$port/$urlWithoutProtocol";
  }
  return true;
}
Bawolff (talkcontribs)

This is a silly thing to hide. Users can get passwords by hitting view source in their browsers. You cannot tell the web browser what the password is, without telling the user, as the web browser is controlled by the user.

Fereal (talkcontribs)

The code is not meant to hide anything. As OP stated, the FTP's username and password are tied to MediaWiki, and the user's credentials are the one that will be used. The code dynamically redirects based on the user logged in.

In other words, the wiki source will look like

[ftp://folder/file.pdf DOCUMENT NAME]

And it would be redirected to ftp://mediawikiusername:mediawikipassword@ipaddress:port/folder/file.pdf. It would be up to the FTP server to allow or deny the access.

Yes, the user can see the hashed password, but it's his own password.

88.130.101.135 (talkcontribs)

> the user can see the hashed password, but it's his own password.

...as long as caching really is deactivated! When MediaWiki only caches one such page and there is a way to get that page from cache again, you have a major security problem as this can basically leak all your users' passwords! You must make really, really sure that caching definitely is deactivated completely. This again will have negative impact on performance.

Fereal (talkcontribs)
Bawolff (talkcontribs)

My apologies, I obviously didn't read closely enough.

Note, for this to work you need to disable both parser cache ($parser->disableCache()) and client cache.

Reply to "Restricted Access to all ftp links"