Hiding Referers
Hiding Referers is a hack that prevents the logging of the refering URL. This is important when wiki software is used within a private corporate intranet. The referer URL typically contains the page name which might have confidential information such as partner identification or project code names and status.
The standard HTTP_REFERER header sent to a website anytime you link to it allows any of the site to view the originating URL. In the case of Wikis, the URL usually contains the page title and thus might contain confidential information such as project code names. See headers output test page for an example of what an externally linked server can see from you.
This addition (built on the 1.7.1 version) creates external links as:
http://yoursite.com/HideReferer.php?hr_url=http://externalsite.com
which hides the true refering page.
UPDATED to handle URLs with & in them—that data doesn't appear to exist in $_GET...
HideReferer.php edit
Copy the following script and save it to HideReferer.php somewhere in the web-browseable path of your wiki. Note that a simple header("Location:url") doesn't work—the HTTP_REFERER isn't changed.
<?php
if (isset($_GET['hr_url'])) {
die("<html><body onLoad='location.href=\"" .
str_replace("'","%27",
str_replace('"','%22',
substr($_SERVER['argv'][0],7))) . "\"'></body></html>");
}
function HideReferer($url) {
global $wg_hr_Referer;
$newurl = $wg_hr_Referer . "?hr_url=" . $url;
return $newurl;
}
?>
LocalSettings.php edit
$wg_hr_Referer = "http://yoursite.com/HideReferer.php";
include("/var/www/ilab/HideReferer.php");
includes/Parser.php edit
In two places, add the call to the HideReferer function: function replaceExternalLinks() and function replaceFreeExternalLinks()
# Normalize any HTML entities in input.... etc... $url = HideReferer($url); $url = Sanitizer::decodeCharReferences( $url );
It's the same in both functions, slightly different comments leading up to it.