
Copilot AI commented Oct 11, 2025

Problem

Anonymous users were able to access Special pages with the oldid query parameter, bypassing crawler protection. While regular pages correctly blocked this parameter, Special pages were not being checked.

Example from server logs showing the issue:

"GET /index.php?oldid=4463&title=Spécial%3AConnexion HTTP/1.1" 200 20620

This request to Special:Connexion (Login) with oldid=4463 returned 200 OK instead of being blocked with 403 Forbidden.

Root Cause

The extension uses two hooks to protect pages:

  1. onMediaWikiPerformAction - Handles regular page views and correctly checks for the oldid parameter
  2. onSpecialPageBeforeExecute - Handles Special page views but only checked for specific page names (recentchangeslinked, whatlinkshere) without checking for the oldid parameter

When a Special page was accessed with an oldid parameter, it went through the second hook which didn't have the oldid check, allowing the request to proceed.

Solution

Added oldid parameter checking to the onSpecialPageBeforeExecute method to ensure consistent blocking across all page types:

// Also block if oldid parameter is present
$request = $special->getContext()->getRequest();
$oldId = (int)$request->getVal( 'oldid' );
if ( $oldId > 0 ) {
    $out = $special->getContext()->getOutput();
    $this->denyAccess( $out );
    return false;
}

Testing

Added comprehensive test coverage including:

  • Verification that oldid blocks anonymous users on regular pages
  • Verification that oldid blocks anonymous users on Special pages (fixes the bug)
  • Verification that logged-in users can still access pages with oldid
  • Verification that Special pages without oldid remain accessible to anonymous users

Impact

  • ✅ Anonymous users accessing ANY page (regular or Special) with the oldid parameter now consistently receive 403 Forbidden
  • ✅ Logged-in users are unaffected and can still access revision history
  • ✅ Normal Special page access (without oldid) remains functional for anonymous users
  • ✅ All existing functionality is preserved

Fixes issue where crawlers could access revision history through Special page URLs.

Original prompt

This section details the original issue you should resolve

<issue_title>oldid not not blocked</issue_title>
<issue_description>Thanks for this extension!

For oldid, the request is not blocked

xxx:443 186.194.xx.xx - - [11/Oct/2025:15:12:34 +0200] "GET /index.php?diff=cur&oldid=1214&title=Fabrication_de_Kephir HTTP/1.1" 403 19460 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
xxx:443 194.32.xx.xx - - [11/Oct/2025:15:12:42 +0200] "GET /index.php?oldid=4463&title=Sp%C3%A9cial%3AConnexion HTTP/1.1" 200 20620 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36"
</issue_description>

<agent_instructions>Ensure whenever oldid is in the query parameters, the page access is denied for anonymous users just like for the other conditions.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Fixes #8



Co-authored-by: jeffw16 <11380894+jeffw16@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix access issue for oldid in query parameters" to "Fix oldid parameter not blocked on Special pages for anonymous users" Oct 11, 2025
Copilot AI requested a review from jeffw16 October 11, 2025 13:56
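
An added example, not part of the pull request or the extension's code: a Python check that scans access-log lines in the format quoted in the issue and lists requests that carried a positive oldid yet were not answered with 403. The sample lines, host name, addresses and function names are constructed for illustration; the access log does not record login state, so each hit is a candidate to compare against authenticated sessions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines, in the vhost-prefixed combined format from the issue.
SAMPLE_LOG = """\
wiki.example:443 198.51.100.7 - - [11/Oct/2025:15:12:34 +0200] "GET /index.php?diff=cur&oldid=1214&title=Fabrication_de_Kephir HTTP/1.1" 403 19460 "-" "UA-1"
wiki.example:443 203.0.113.9 - - [11/Oct/2025:15:12:42 +0200] "GET /index.php?oldid=4463&title=Sp%C3%A9cial%3AConnexion HTTP/1.1" 200 20620 "-" "UA-2"
wiki.example:443 203.0.113.9 - - [11/Oct/2025:15:13:01 +0200] "GET /index.php?title=Sp%C3%A9cial%3AConnexion HTTP/1.1" 200 20111 "-" "UA-2"
wiki.example:443 192.0.2.44 - - [11/Oct/2025:15:13:05 +0200] "GET /index.php?oldid=abc&title=Accueil HTTP/1.1" 200 18000 "-" "UA-3"
"""

# Request line and status code of one access-log entry.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')


def oldid_value(query):
    """Approximate the fix's (int) cast: leading digits count, anything else is 0."""
    values = query.get("oldid")
    if not values:
        return 0
    match = re.match(r"\s*\+?(\d+)", values[-1])  # a repeated key: last value wins
    return int(match.group(1)) if match else 0


def unblocked_oldid_requests(log_text):
    """Return (status, title, oldid) for oldid requests not answered with 403."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue  # not an access-log entry
        query = parse_qs(urlsplit(m.group("target")).query)
        oldid = oldid_value(query)
        status = int(m.group("status"))
        # The same test the fix applies in both hooks: oldid > 0 must be denied.
        if oldid > 0 and status != 403:
            title = query.get("title", ["?"])[-1]  # percent-decoded page title
            hits.append((status, title, oldid))
    return hits


if __name__ == "__main__":
    for hit in unblocked_oldid_requests(SAMPLE_LOG):
        print(hit)
```

Because the check keys on the oldid parameter and the status code rather than on the page name, it covers localized Special namespace titles such as Spécial:Connexion.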