Special:Search: Remove token from URL when saving settings

When JS is enabled, use POST/Redirect/GET to make unintentional
setting changes less likely. (Otherwise, we have to use GET to avoid
breaking things such as Firefox's "Add a Keyword for this Search",
though we can still redirect.)

Also use the checkbox field for the token so the token is only sent
when saving settings (and not shown otherwise).

Bug: 68827
Change-Id: I869e554d2a207ff06e2f8d9667752111e2fa2ea1

diff --git a/includes/specials/SpecialSearch.php b/includes/specials/SpecialSearch.php
index 7a870c0..fb1f64b 100644 (file)
--- a/includes/specials/SpecialSearch.php
+++ b/includes/specials/SpecialSearch.php
@@ -95,6 +95,16 @@ class SpecialSearch extends SpecialPage {
                $search = str_replace( "\n", " ", $request->getText( 'search', $titleParam ) );
 
                $this->load();
+               if ( !is_null( $request->getVal( 'nsRemember' ) ) ) {
+                       $this->saveNamespaces();
+                       // Remove the token from the URL to prevent the user from inadvertently
+                       // exposing it (e.g. by pasting it into a public wiki page) or undoing
+                       // later settings changes (e.g. by reloading the page).
+                       $query = $request->getValues();
+                       unset( $query['title'], $query['nsRemember'] );
+                       $out->redirect( $this->getPageTitle()->getFullURL( $query ) );
+                       return;
+               }
 
                $this->searchEngineType = $request->getVal( 'srbackend' );
 
@@ -209,7 +219,6 @@ class SpecialSearch extends SpecialPage {
                $search = $this->getSearchEngine();
                $search->setLimitOffset( $this->limit, $this->offset );
                $search->setNamespaces( $this->namespaces );
-               $this->saveNamespaces();
                $search->prefix = $this->mPrefix;
                $term = $search->transformSearchTerm( $term );
 
@@ -510,9 +519,8 @@ class SpecialSearch extends SpecialPage {
                $request = $this->getRequest();
 
                if ( $user->isLoggedIn() &&
-                       !is_null( $request->getVal( 'nsRemember' ) ) &&
                        $user->matchEditToken(
-                               $request->getVal( 'nsToken' ),
+                               $request->getVal( 'nsRemember' ),
                                'searchnamespace',
                                $request
                        )
@@ -522,7 +530,7 @@ class SpecialSearch extends SpecialPage {
                        foreach ( MWNamespace::getValidNamespaces() as $n ) {
                                $user->setOption( 'searchNs' . $n, false );
                        }
-                       // The request parameters include all the namespaces we just searched.
+                       // The request parameters include all the namespaces to be searched.
                        // Even if they're the same as an existing profile, they're not eaten.
                        foreach ( $this->namespaces as $n ) {
                                $user->setOption( 'searchNs' . $n, true );
@@ -937,18 +945,17 @@ class SpecialSearch extends SpecialPage {
                $remember = '';
                $user = $this->getUser();
                if ( $user->isLoggedIn() ) {
-                       $remember .= Html::hidden(
-                               'nsToken',
-                               $user->getEditToken(
-                                       'searchnamespace',
-                                       $this->getRequest()
-                               )
-                       ) .
-                       Xml::checkLabel(
+                       $remember .= Xml::checkLabel(
                                wfMessage( 'powersearch-remember' )->text(),
                                'nsRemember',
                                'mw-search-powersearch-remember',
-                               false
+                               false,
+                               // The token goes here rather than in a hidden field so it
+                               // is only sent when necessary (not every form submission).
+                               array( 'value' => $user->getEditToken(
+                                       'searchnamespace',
+                                       $this->getRequest()
+                               ) )
                        );
                }
 

diff --git a/resources/src/mediawiki.special/mediawiki.special.search.js b/resources/src/mediawiki.special/mediawiki.special.search.js
index 60cf46a..a4128f9 100644 (file)
--- a/resources/src/mediawiki.special/mediawiki.special.search.js
+++ b/resources/src/mediawiki.special/mediawiki.special.search.js
@@ -48,6 +48,11 @@
                        } );
                } ).trigger( 'change' );
 
+               // When saving settings, use the proper request method (POST instead of GET).
+               $( '#mw-search-powersearch-remember' ).change( function () {
+                       this.form.method = this.checked ? 'post' : 'get';
+               } ).trigger( 'change' );
+
        } );
 
 }( mediaWiki, jQuery ) );