From 1d2c770a9e0a427085e52e7e535eadc032ee1faf Mon Sep 17 00:00:00 2001
From: Kevin Israel
Date: Fri, 4 Jul 2014 14:36:00 -0400
Subject: [PATCH] Special:Search: Remove token from URL when saving settings

When JS is enabled, use POST/Redirect/GET to make unintentional setting changes less likely. (Otherwise, we have to use GET to avoid breaking things such as Firefox's "Add a Keyword for this Search", though we can still redirect.) Also use the checkbox field for the token so the token is only sent when saving settings (and not shown otherwise).

Bug: 68827
Change-Id: I869e554d2a207ff06e2f8d9667752111e2fa2ea1
---
 includes/specials/SpecialSearch.php | 33 +++++++++++--------
 .../mediawiki.special.search.js | 5 +++
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index 7a870c0f59..fb1f64b409 100644
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -95,6 +95,16 @@ class SpecialSearch extends SpecialPage {
 $search = str_replace( "\n", " ", $request->getText( 'search', $titleParam ) );
 $this->load();
+ if ( !is_null( $request->getVal( 'nsRemember' ) ) ) {
+ $this->saveNamespaces();
+ // Remove the token from the URL to prevent the user from inadvertently
+ // exposing it (e.g. by pasting it into a public wiki page) or undoing
+ // later settings changes (e.g. by reloading the page).
+ $query = $request->getValues();
+ unset( $query['title'], $query['nsRemember'] );
+ $out->redirect( $this->getPageTitle()->getFullURL( $query ) );
+ return;
+ }
 $this->searchEngineType = $request->getVal( 'srbackend' );
@@ -209,7 +219,6 @@ class SpecialSearch extends SpecialPage {
 $search = $this->getSearchEngine();
 $search->setLimitOffset( $this->limit, $this->offset );
 $search->setNamespaces( $this->namespaces );
- $this->saveNamespaces();
 $search->prefix = $this->mPrefix;
 $term = $search->transformSearchTerm( $term );
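Review bot: The new `$out->redirect( ... )` in execute() is issued regardless of whether saveNamespaces() persisted anything: per the hunk at @@ -510 that method only saves when the user is logged in and matchEditToken() accepts the nsRemember value, and it appears to fall through silently otherwise (its tail is outside that hunk), so a stale or mismatched token (e.g. after a session reset) leaves the user with a clean URL and no indication that the settings were not saved. Consider having saveNamespaces() return a bool and, when it is `false`, skipping the redirect and re-rendering the form with an error message, or at minimum documenting the silent path with `// saveNamespaces() ignores a missing/invalid token; we redirect either way` above the call. Minor style point: `$request->getCheck( 'nsRemember' )` expresses "parameter present" more directly than `!is_null( $request->getVal( 'nsRemember' ) )`. execute() starts before and continues after the hunk.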
@@ -510,9 +519,8 @@ class SpecialSearch extends SpecialPage {
 $request = $this->getRequest();
 if ( $user->isLoggedIn() &&
- !is_null( $request->getVal( 'nsRemember' ) ) &&
 $user->matchEditToken(
- $request->getVal( 'nsToken' ),
+ $request->getVal( 'nsRemember' ),
 'searchnamespace',
 $request
 )
@@ -522,7 +530,7 @@ class SpecialSearch extends SpecialPage {
 foreach ( MWNamespace::getValidNamespaces() as $n ) {
 $user->setOption( 'searchNs' . $n, false );
 }
- // The request parameters include all the namespaces we just searched.
+ // The request parameters include all the namespaces to be searched.
 // Even if they're the same as an existing profile, they're not eaten.
 foreach ( $this->namespaces as $n ) {
 $user->setOption( 'searchNs' . $n, true );
@@ -937,18 +945,17 @@ class SpecialSearch extends SpecialPage {
 $remember = '';
 $user = $this->getUser();
 if ( $user->isLoggedIn() ) {
- $remember .= Html::hidden(
- 'nsToken',
- $user->getEditToken(
- 'searchnamespace',
- $this->getRequest()
- )
- ) .
- Xml::checkLabel(
+ $remember .= Xml::checkLabel(
 wfMessage( 'powersearch-remember' )->text(),
 'nsRemember',
 'mw-search-powersearch-remember',
- false
+ false,
+ // The token goes here rather than in a hidden field so it
+ // is only sent when necessary (not every form submission).
+ array( 'value' => $user->getEditToken(
+ 'searchnamespace',
+ $this->getRequest()
+ ) )
 );
 }
diff --git a/resources/src/mediawiki.special/mediawiki.special.search.js b/resources/src/mediawiki.special/mediawiki.special.search.js
index 60cf46a491..a4128f9e97 100644
--- a/resources/src/mediawiki.special/mediawiki.special.search.js
+++ b/resources/src/mediawiki.special/mediawiki.special.search.js
@@ -48,6 +48,11 @@
 } );
 } ).trigger( 'change' );
+ // When saving settings, use the proper request method (POST instead of GET).
+ $( '#mw-search-powersearch-remember' ).change( function () {
+ this.form.method = this.checked ? 'post' : 'get';
+ } ).trigger( 'change' );
+
 } );
 }( mediaWiki, jQuery ) );
--
2.20.1
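Review bot: The new comment above the `array( 'value' => $user->getEditToken( ... ) )` argument in the @@ -937 hunk explains why the token sits in the checkbox instead of a hidden field, but not the trade-off the commit message itself describes: without JS the form still submits via GET, so the token travels in the request URL (and typically into server access logs and browser history) once before execute() redirects to strip it. Suggest extending the comment with `// Without JS the form is submitted via GET, so the token is briefly in the URL; execute() redirects to remove it.` so a later maintainer does not drop the redirect as redundant. Hoisting the token into a local `$token` before the checkLabel() call would also keep the attribute array on one line. The enclosing method starts before and ends after the hunk.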