Topic on Project:Support desk

Restricted Access to all ftp links

Volodymyr~mediawikiwiki (talkcontribs)

MediaWiki 1.22.4, MySQL 5.5.35, PHP 5

MediaWiki application – documents database.

Wiki pages may include links for downloading documents (doc, pdf, xls) from an external FTP server.

These links should only be accessible for administrators, so simple users cannot access these links.

How can we do that?

Users/passwords on our FTP server are made the same as in our wiki engine, so that the FTP server can be accessed automatically without the need to log in manually.

What we already did:

 Example of links [ftp://user:password@IP address:port/folder/file.pdf DOCUMENT NAME]

‘user:password@IP address:port’ should not be in the source code at all!

Please help, whoever has any ideas, knows appropriate extensions or can advise …

Thanks

This post was posted by Volodymyr~mediawikiwiki, but signed as Volodymyr.

88.130.74.194 (talkcontribs)

Hi!

I could imagine the following:

Maybe you could use JavaScript (jQuery?) to modify FTP/SFTP links the way you like. However, that means you would have to have the user's password available in JavaScript in cleartext. My gut feeling is that this is not a good idea.

Another possibility: Use a hook, which allows you to modify links while MediaWiki creates them. Manual:Hooks/LinkerMakeExternalLink might be a choice. In this hook, check $url to see if it's an FTP/SFTP link and, if so, use $wgUser to change $url so that it contains the current user's username/password the way you showed above.

However, note that this will have the drawback that you MUST deactivate caching - otherwise MediaWiki will serve users pages with the links which have been created for other users. Not only would they then be allowed to access the files although they should not; even worse, they would also be able to see the other users' passwords.

Volodymyr~mediawikiwiki (talkcontribs)

Please, can you give more direct advice for editing Linker.php and code for using hooks in wikitext?

You can try at my installed wiki http://testpool.orgfree.com (all passwords at main page)

I guarantee free sightseeing around Kiev and Maidan and will stand a treat in a local pub)))

This post was posted by Volodymyr~mediawikiwiki, but signed as Volodymyr.

88.130.123.198 (talkcontribs)

Hi!

There is no need to edit Linker.php; just put something like this in your LocalSettings.php file:

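$wgHooks['LinkerMakeExternalLink'][] = 'modifyFTPLinks';

// Hook handler: rewrites external ftp:// links while MediaWiki builds them.
function modifyFTPLinks( &$url, &$text, &$link, &$attribs ) {
  global $wgUser;

  // Only touch FTP links; all other external links pass through unchanged.
  if ( substr( $url, 0, 6 ) === "ftp://" ) {
    // Name of the user who is viewing the page.
    $username = $wgUser->getName();
    // Not sure if that works...
    $password = $wgUser->mPassword;

    // Put the credentials in front of the host part of the original URL.
    $urlWithoutProtocol = substr( $url, 6 );
    $url = "ftp://" . $username . ":" . $password . "@" . $urlWithoutProtocol;
  }

  // Returning true lets MediaWiki go on to build the link as usual.
  return true;
}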

The code is untested, but I think you see what I mean.

Fereal (talkcontribs)

$wgHooks['LinkerMakeExternalLink'][] = 'modifyFTPLinks';

// Hook handler: prefixes ftp:// links with the viewer's credentials and the server address.
function modifyFTPLinks( &$url, &$text, &$link, &$attribs ) {
  global $wgUser;
  if ( substr( $url, 0, 6 ) === "ftp://" ) {
    // Name of the user who is viewing the page.
    $username    = $wgUser->getName();
    $password    = $wgUser->mPassword;
    $ipAddress   = "Insert address here";
    $port        = "Insert port here";

    // The wikitext link carries only the path, e.g. ftp://folder/file.pdf
    $urlWithoutProtocol = substr( $url, 6 );
    $url = "ftp://$username:$password@$ipAddress:$port/$urlWithoutProtocol";
  }
  return true;
}

Bawolff (talkcontribs)

This is a silly thing to hide. Users can get passwords by hitting view source in their browsers. You cannot tell the web browser what the password is, without telling the user, as the web browser is controlled by the user.

Fereal (talkcontribs)

The code is not meant to hide anything. As OP stated, the FTP's username and password are tied to MediaWiki, and the user's credentials are the ones that will be used. The code dynamically redirects based on the user logged in.

In other words, the wiki source will look like

[ftp://folder/file.pdf DOCUMENT NAME]

And it would be redirected to ftp://mediawikiusername:mediawikipassword@ipaddress:port/folder/file.pdf. It would be up to the FTP server to allow or deny the access.

Yes, the user can see the hashed password, but it's his own password.

88.130.101.135 (talkcontribs)

> the user can see the hashed password, but it's his own password.

...as long as caching really is deactivated! When MediaWiki only caches one such page and there is a way to get that page from cache again, you have a major security problem as this can basically leak all your users' passwords! You must make really, really sure that caching definitely is deactivated completely. This again will have a negative impact on performance.

Bawolff (talkcontribs)

My apologies, I obviously didn't read closely enough.

Note, for this to work you need to disable both parser cache ($parser->disableCache()) and client cache.
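
The cache problem raised in the last posts can be modelled outside MediaWiki. The following is an added example, not code from the thread or from MediaWiki: it shows a page cache keyed only by title serving the first viewer's credentialed link to the second viewer, and a check that flags such links in rendered HTML. The function names (`render_page`, `cached_view`, `foreign_ftp_users`), the users and the host are constructed, and the plain array stands in for any shared page cache.

```php
<?php
// Added illustration: a stand-alone model, not MediaWiki code.
// All names, users and the host below are constructed sample values.

// Mimics the thread's hook: ftp:// links get the viewer's credentials.
function render_page(string $url, string $label, array $viewer): string {
    if (substr($url, 0, 6) === 'ftp://') {
        $url = 'ftp://' . rawurlencode($viewer['name']) . ':'
             . rawurlencode($viewer['secret']) . '@' . substr($url, 6);
    }
    return '<a class="external" href="' . htmlspecialchars($url) . '">'
         . htmlspecialchars($label) . '</a>';
}

// Cache keyed by page title only, i.e. shared between all viewers.
function cached_view(array &$cache, string $title, callable $render): string {
    if (!isset($cache[$title])) {
        $cache[$title] = $render();
    }
    return $cache[$title];
}

// Lists user names embedded in ftp links that do not belong to the viewer.
function foreign_ftp_users(string $html, string $viewerName): array {
    $found = [];
    preg_match_all('/href="([^"]+)"/i', $html, $m);
    foreach ($m[1] as $href) {
        $parts = parse_url(html_entity_decode($href));
        if (is_array($parts) && ($parts['scheme'] ?? '') === 'ftp'
            && isset($parts['user'])
            && rawurldecode($parts['user']) !== $viewerName) {
            $found[] = rawurldecode($parts['user']);
        }
    }
    return $found;
}

$alice = ['name' => 'Alice', 'secret' => 'alice-secret'];  // constructed
$bob   = ['name' => 'Bob',   'secret' => 'bob-secret'];    // constructed
$link  = 'ftp://files.example.org:2121/folder/file.pdf';   // constructed

$cache = [];
foreach ([$alice, $bob] as $viewer) {
    $shared   = cached_view($cache, 'Docs', fn() => render_page($link, 'DOC', $viewer));
    $uncached = render_page($link, 'DOC', $viewer);
    printf("%s: cached page exposes %s, uncached page exposes %s\n", $viewer['name'],
        json_encode(foreign_ftp_users($shared, $viewer['name'])),
        json_encode(foreign_ftp_users($uncached, $viewer['name'])));
}
```

The same `foreign_ftp_users` check can be run over pages fetched as a test account to confirm that no cache layer is still serving another user's link.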
