Version 1.3.0

WikiMANNia · web-flow · commit 925f1458bf24 · 2026-03-20T18:28:39.000+01:00
Version 1.3.0 (Oct 11, 2025)
* Add oldid parameter blocking to special pages and comprehensive tests
diff --git a/README.md b/README.md
@@ -34,3 +34,7 @@ intensive.
 1.2.0 (Aug 13, 2025)
 
 * Fix 403 handling and add login links to prevent nginx 404 fallthrough
+
+1.3.0 (Oct 11, 2025)
+
+* Add oldid parameter blocking to special pages and comprehensive tests
diff --git a/extension.json b/extension.json
@@ -1,7 +1,7 @@
 {
 	"name": "CrawlerProtection",
 	"author": "MyWikis LLC",
-	"version": "1.2.0",
+	"version": "1.3.0",
 	"description": "Suite of protective measures to protect wikis from crawlers.",
 	"type": "hook",
 	"requires": {
diff --git a/includes/Hooks.php b/includes/Hooks.php
@@ -95,6 +95,7 @@ public function onMediaWikiPerformAction(
 
 	/**
 	 * Block Special:RecentChangesLinked, Special:WhatLinksHere, and Special:MobileDiff for anonymous users.
+	 * Also blocks any special page access with ?oldid parameter.
 	 *
 	 * @param SpecialPage $special
 	 * @param string|null $subPage
@@ -129,6 +130,18 @@ public function onSpecialPageBeforeExecute( $special, $subPage ) {
 			return false;
 		}
 
+		// Also block if oldid parameter is present
+		$request = $special->getContext()->getRequest();
+		$oldId = (int)$request->getVal( 'oldid' );
+		if ( $oldId > 0 ) {
+			if ( $denyFast ) {
+				$this->denyAccessWith418();
+			}
+			$out = $special->getContext()->getOutput();
+			$this->denyAccess( $out );
+			return false;
+		}
+
 		return true;
 	}
 
diff --git a/tests/phpunit/unit/HooksTest.php b/tests/phpunit/unit/HooksTest.php
@@ -30,6 +30,9 @@ class HooksTest extends TestCase {
 	/** @var string */
 	private static string $specialPageClassName;
 
+	/** @var string */
+	private static string $contextClassName;
+
 	public static function setUpBeforeClass(): void {
 		parent::setUpBeforeClass();
 
@@ -60,6 +63,10 @@ public static function setUpBeforeClass(): void {
 		self::$webRequestClassName = class_exists( '\MediaWiki\Request\WebRequest' )
 			? '\MediaWiki\Request\WebRequest'
 			: '\WebRequest';
+
+		self::$contextClassName = class_exists( '\MediaWiki\Context\RequestContext' )
+			? '\MediaWiki\Context\RequestContext'
+			: '\RequestContext';
 	}
 
 	/**
@@ -368,4 +375,150 @@ public function provideBlockedSpecialPages() {
 			'MobileDiff mixed case' => [ 'MoBiLeDiFf' ],
 		];
 	}
+
+	/**
+	 * @covers ::onMediaWikiPerformAction
+	 */
+	public function testOldIdBlocksAnonymous() {
+		$output = $this->createMock( self::$outputPageClassName );
+
+		$request = $this->createMock( self::$webRequestClassName );
+		$request->method( 'getVal' )->willReturnMap( [
+			[ 'oldid', null, '1234' ],
+		] );
+
+		$user = $this->createMock( self::$userClassName );
+		$user->method( 'isRegistered' )->willReturn( false );
+
+		$article = $this->createMock( self::$articleClassName );
+		$title = $this->createMock( self::$titleClassName );
+		$wiki = $this->createMock( self::$actionEntryPointClassName );
+
+		$runner = $this->getMockBuilder( Hooks::class )
+			->onlyMethods( [ 'denyAccess' ] )
+			->getMock();
+		$runner->expects( $this->once() )->method( 'denyAccess' );
+
+		$result = $runner->onMediaWikiPerformAction( $output, $article, $title, $user, $request, $wiki );
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * @covers ::onMediaWikiPerformAction
+	 */
+	public function testOldIdAllowsLoggedIn() {
+		$output = $this->createMock( self::$outputPageClassName );
+
+		$request = $this->createMock( self::$webRequestClassName );
+		$request->method( 'getVal' )->willReturnMap( [
+			[ 'oldid', null, '1234' ],
+		] );
+
+		$user = $this->createMock( self::$userClassName );
+		$user->method( 'isRegistered' )->willReturn( true );
+
+		$article = $this->createMock( self::$articleClassName );
+		$title = $this->createMock( self::$titleClassName );
+		$wiki = $this->createMock( self::$actionEntryPointClassName );
+
+		$runner = $this->getMockBuilder( Hooks::class )
+			->onlyMethods( [ 'denyAccess' ] )
+			->getMock();
+		$runner->expects( $this->never() )->method( 'denyAccess' );
+
+		$result = $runner->onMediaWikiPerformAction( $output, $article, $title, $user, $request, $wiki );
+		$this->assertTrue( $result );
+	}
+
+	/**
+	 * @covers ::onSpecialPageBeforeExecute
+	 */
+	public function testSpecialPageWithOldIdBlocksAnonymous() {
+		$output = $this->createMock( self::$outputPageClassName );
+
+		$request = $this->createMock( self::$webRequestClassName );
+		$request->method( 'getVal' )->willReturnMap( [
+			[ 'oldid', null, '4463' ],
+		] );
+
+		$user = $this->createMock( self::$userClassName );
+		$user->method( 'isRegistered' )->willReturn( false );
+
+		$context = $this->createMock( self::$contextClassName );
+		$context->method( 'getUser' )->willReturn( $user );
+		$context->method( 'getOutput' )->willReturn( $output );
+		$context->method( 'getRequest' )->willReturn( $request );
+
+		$special = $this->createMock( self::$specialPageClassName );
+		$special->method( 'getContext' )->willReturn( $context );
+		$special->method( 'getName' )->willReturn( 'Login' );
+
+		$runner = $this->getMockBuilder( Hooks::class )
+			->onlyMethods( [ 'denyAccess' ] )
+			->getMock();
+		$runner->expects( $this->once() )->method( 'denyAccess' );
+
+		$result = $runner->onSpecialPageBeforeExecute( $special, null );
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * @covers ::onSpecialPageBeforeExecute
+	 */
+	public function testSpecialPageWithOldIdAllowsLoggedIn() {
+		$output = $this->createMock( self::$outputPageClassName );
+
+		$request = $this->createMock( self::$webRequestClassName );
+		$request->method( 'getVal' )->willReturnMap( [
+			[ 'oldid', null, '4463' ],
+		] );
+
+		$user = $this->createMock( self::$userClassName );
+		$user->method( 'isRegistered' )->willReturn( true );
+
+		$context = $this->createMock( self::$contextClassName );
+		$context->method( 'getUser' )->willReturn( $user );
+		$context->method( 'getRequest' )->willReturn( $request );
+
+		$special = $this->createMock( self::$specialPageClassName );
+		$special->method( 'getContext' )->willReturn( $context );
+		$special->method( 'getName' )->willReturn( 'Login' );
+
+		$runner = $this->getMockBuilder( Hooks::class )
+			->onlyMethods( [ 'denyAccess' ] )
+			->getMock();
+		$runner->expects( $this->never() )->method( 'denyAccess' );
+
+		$result = $runner->onSpecialPageBeforeExecute( $special, null );
+		$this->assertTrue( $result );
+	}
+
+	/**
+	 * @covers ::onSpecialPageBeforeExecute
+	 */
+	public function testSpecialPageWithoutOldIdAllowsAnonymous() {
+		$request = $this->createMock( self::$webRequestClassName );
+		$request->method( 'getVal' )->willReturnMap( [
+			[ 'oldid', null, null ],
+		] );
+
+		$user = $this->createMock( self::$userClassName );
+		$user->method( 'isRegistered' )->willReturn( false );
+
+		$context = $this->createMock( self::$contextClassName );
+		$context->method( 'getUser' )->willReturn( $user );
+		$context->method( 'getRequest' )->willReturn( $request );
+
+		$special = $this->createMock( self::$specialPageClassName );
+		$special->method( 'getContext' )->willReturn( $context );
+		$special->method( 'getName' )->willReturn( 'Login' );
+
+		$runner = $this->getMockBuilder( Hooks::class )
+			->onlyMethods( [ 'denyAccess' ] )
+			->getMock();
+		$runner->expects( $this->never() )->method( 'denyAccess' );
+
+		$result = $runner->onSpecialPageBeforeExecute( $special, null );
+		$this->assertTrue( $result );
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "CrawlerProtection",`
`3`	`3`	`"author": "MyWikis LLC",`
`4`		`- "version": "1.2.0",`
	`4`	`+ "version": "1.3.0",`
`5`	`5`	`"description": "Suite of protective measures to protect wikis from crawlers.",`
`6`	`6`	`"type": "hook",`
`7`	`7`	`"requires": {`