[MediaWiki-l] Source protection

Drium Yrvak
Hi all!

I'm helping set up a MediaWiki for a site. Unfortunately, it's in a fairly
drama-filled environment, where plagiarism is so common as to make us feel
that we'd like to protect how we did certain things. Our wiki uses a lot of
SQL integration and took a while to set up, and other wikis in the hobby
don't use SQL a lot. To make a long story short, we want to prevent those
competing sites from just copypasting our SQL code and reverse-engineering
how we did things from that. If they want to figure it out on their own
they certainly can, but we don't want people to just take our code.

Luckily, by virtue of how the site is handled, the wiki doesn't allow
anyone but the administrators to make or edit pages. That means we disabled
account creation, and to protect certain pages (like history and view
source) using the Lockdown extension, we simply restricted their access to
the Users group.

Sadly, it's still possible to catch the wiki code of our pages using the
Diff parameter, and no doubt a few other pages. We disabled Special:Export
and Special:Compare, for example. But using any page that lists edits, like
Recent Changes, people can just compare two old versions of a page and see
the raw wiki code.

How would one go about preventing access to the Diff parameter unless
they're a User? Are there other ways to grab the raw wiki source code we
should know about?

I know this is against MediaWiki's usual open source policy. I apologize!
But if you could still help it'd be greatly appreciated.
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Re: Source protection

Brian Wolff
Honestly, at that point, you'd probably be better setting up some sort
of proxy thing, where non-logged in users view some sort of proxy that
only proxies the page view (not allowing any url parameters through or
viewing any special pages), and logged in users actually deal with MW.

The biggest thing you missed is probably ?action=raw .
Special:Expandtemplates is also another vector (via {{msgnw:page name
here}}). I assume you've also disabled the api.

There's probably a lot of others. MediaWiki is not designed to hide
the wikitext source of pages.

--
Brian

On Wed, Jan 10, 2018 at 7:01 AM, Drium Yrvak <[hidden email]> wrote:

> Hi all!
>
> I'm helping set up a MediaWiki for a site. Unfortunately, it's in a fairly
> drama-filled environment, where plagiarism is so common as to make us feel
> that we'd like to protect how we did certain things. Our wiki uses a lot of
> SQL integration and took a while to set up, and other wikis in the hobby
> don't use SQL a lot. To make a long story short, we want to prevent those
> competing sites from just copypasting our SQL code and reverse-engineering
> how we did things from that. If they want to figure it out on their own
> they certainly can, but we don't want people to just take our code.
>
> Luckily, by virtue of how the site is handled, the wiki doesn't allow
> anyone but the administrators to make or edit pages. That means we disabled
> account creation, and to protect certain pages (like history and view
> source) using the Lockdown extension, we simply restricted their access to
> the Users group.
>
> Sadly, it's still possible to catch the wiki code of our pages using the
> Diff parameter, and no doubt a few other pages. We disabled Special:Export
> and Special:Compare, for example. But using any page that lists edits, like
> Recent Changes, people can just compare two old versions of a page and see
> the raw wiki code.
>
> How would one go about preventing access to the Diff parameter unless
> they're a User? Are there other ways to grab the raw wiki source code we
> should know about?
>
> I know this is against MediaWiki's usual open source policy. I apologize!
> But if you could still help it'd be greatly appreciated.
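
The proxy filter Brian Wolff describes above, as an added example (not code from the thread or from MediaWiki): a decision function a front-end proxy could apply to requests from users who are not logged in. The `/wiki/` article path, the namespace allowlist and the function name are assumptions; it goes slightly beyond the message by failing closed on any unrecognised namespace prefix instead of matching only `Special:`.

```python
from urllib.parse import urlsplit, unquote

ARTICLE_PREFIX = "/wiki/"                   # assumption: $wgArticlePath is "/wiki/$1"
ALLOWED_NAMESPACES = {"help", "category"}   # constructed; titles without a prefix are main namespace


def anonymous_view_allowed(method: str, request_target: str) -> bool:
    """Return True only for a plain, parameterless page view (hypothetical helper)."""
    if method.upper() not in ("GET", "HEAD"):
        return False
    # No URL parameters at all: this drops ?diff=, ?oldid=, ?action=raw and
    # every other query-driven view, including a bare trailing "?".
    if "?" in request_target:
        return False
    parts = urlsplit(request_target)
    # Only the article path is proxied, so /index.php and /api.php never pass.
    if parts.scheme or parts.netloc or not parts.path.startswith(ARTICLE_PREFIX):
        return False
    # Decode once, as the backend will. Anything still carrying an escape or a
    # control character is refused (this also refuses legitimate titles that
    # contain a literal "%", which is the price of failing closed).
    title = unquote(parts.path[len(ARTICLE_PREFIX):])
    if not title or "%" in title or any(ord(c) < 32 for c in title):
        return False
    if any(segment in (".", "..") for segment in title.split("/")):
        return False
    # Underscores are treated as spaces and leading colons are dropped before
    # the namespace is read, so ":Special:Export" is still seen as Special.
    title = title.replace("_", " ").strip().lstrip(": ")
    if not title:
        return False
    if ":" in title:
        namespace = title.split(":", 1)[0].strip().lower()
        # Unknown prefix (Special, a localized alias, a look-alike): refuse.
        if namespace not in ALLOWED_NAMESPACES:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    for target in ("/wiki/Main_Page", "/wiki/Main_Page?diff=2&oldid=1",
                   "/wiki/%53pecial:RecentChanges", "/wiki/Help:Contents"):
        print(anonymous_view_allowed("GET", target), target)
```

Main-namespace titles that contain a colon are refused by this allowlist unless their prefix is added to `ALLOWED_NAMESPACES`.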

Re: Source protection

Drium Yrvak
We did indeed disable all non-view actions for people who aren't Users, so
that includes raw.

We didn't disable Special:Expandtemplates, so thanks for pointing that out!
The API is indeed disabled.

I thought about doing the proxy thing but that was starting to be a lot of
trouble. We might have to tear open whatever file the parameters are in and
hack apart Diff there, if there's no other way.

On Wed, Jan 10, 2018 at 3:01 AM, Brian Wolff <[hidden email]> wrote:

> Honestly, at that point, you'd probably be better setting up some sort
> of proxy thing, where non-logged in users view some sort of proxy that
> only proxies the page view (not allowing any url parameters through or
> viewing any special pages), and logged in users actually deal with MW.
>
> The biggest thing you missed is probably ?action=raw .
> Special:Expandtemplates is also another vector (via {{msgnw:page name
> here}}). I assume you've also disabled the api.
>
> There's probably a lot of others. MediaWiki is not designed to hide
> the wikitext source of pages.
>
> --
> Brian