Diffstat (limited to 'includes/WebRequest.php')
-rw-r--r-- | includes/WebRequest.php | 525 |
1 files changed, 397 insertions, 128 deletions
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 877f7cf6..940b693f 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -1,35 +1,28 @@ <?php /** * Deal with importing all those nasssty globals and things + * + * Copyright © 2003 Brion Vibber <brion@pobox.com> + * http://www.mediawiki.org/ + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * http://www.gnu.org/copyleft/gpl.html + * + * @file */ -# Copyright (C) 2003 Brion Vibber <brion@pobox.com> -# http://www.mediawiki.org/ -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# http://www.gnu.org/copyleft/gpl.html - - -/** - * Some entry points may use this file without first enabling the - * autoloader. - */ -if ( !function_exists( '__autoload' ) ) { - require_once( dirname(__FILE__) . 
'/normal/UtfNormal.php' ); -} - /** * The WebRequest class encapsulates getting at data passed in the * URL or via a POSTed form, handling remove of "magic quotes" slashes, @@ -44,7 +37,12 @@ if ( !function_exists( '__autoload' ) ) { */ class WebRequest { protected $data, $headers = array(); - private $_response; + + /** + * Lazy-init response object + * @var WebResponse + */ + private $response; public function __construct() { /// @todo Fixme: this preemptive de-quoting can interfere with other web libraries @@ -67,6 +65,11 @@ class WebRequest { public function interpolateTitle() { global $wgUsePathInfo; + // bug 16019: title interpolation on API queries is useless and possible harmful + if ( defined( 'MW_API' ) ) { + return; + } + if ( $wgUsePathInfo ) { // PATH_INFO is mangled due to http://bugs.php.net/bug.php?id=31892 // And also by Apache 2.x, double slashes are converted to single slashes. @@ -160,6 +163,7 @@ class WebRequest { /** * Recursively strips slashes from the given array; * used for undoing the evil that is magic_quotes_gpc. + * * @param $arr array: will be modified * @return array the original array */ @@ -195,6 +199,7 @@ class WebRequest { /** * Recursively normalizes UTF-8 strings in the given array. + * * @param $data string or array * @return cleaned-up version of the given * @private @@ -214,9 +219,9 @@ class WebRequest { /** * Fetch a value from the given array or return $default if it's not set. * - * @param $arr array - * @param $name string - * @param $default mixed + * @param $arr Array + * @param $name String + * @param $default Mixed * @return mixed */ private function getGPCVal( $arr, $name, $default ) { 
@@ -247,9 +252,9 @@ class WebRequest { * non-freeform text inputs (e.g. predefined internal text keys * selected by a drop-down menu). For freeform input, see getText(). * - * @param $name string - * @param $default string: optional default (or NULL) - * @return string + * @param $name String + * @param $default String: optional default (or NULL) + * @return String */ public function getVal( $name, $default = null ) { $val = $this->getGPCVal( $this->data, $name, $default ); @@ -265,9 +270,10 @@ class WebRequest { /** * Set an aribtrary value into our get/post data. - * @param $key string Key name to use - * @param $value mixed Value to set - * @return mixed old value if one was present, null otherwise + * + * @param $key String: key name to use + * @param $value Mixed: value to set + * @return Mixed: old value if one was present, null otherwise */ public function setVal( $key, $value ) { $ret = isset( $this->data[$key] ) ? $this->data[$key] : null; @@ -280,9 +286,9 @@ class WebRequest { * If source was scalar, will return an array with a single element. * If no source and no default, returns NULL. * - * @param $name string - * @param $default array: optional default (or NULL) - * @return array + * @param $name String + * @param $default Array: optional default (or NULL) + * @return Array */ public function getArray( $name, $default = null ) { $val = $this->getGPCVal( $this->data, $name, $default ); @@ -299,9 +305,9 @@ class WebRequest { * If no source and no default, returns NULL. * If an array is returned, contents are guaranteed to be integers. * - * @param $name string - * @param $default array: option default (or NULL) - * @return array of ints + * @param $name String + * @param $default Array: option default (or NULL) + * @return Array of ints */ public function getIntArray( $name, $default = null ) { $val = $this->getArray( $name, $default ); 
@@ -315,9 +321,10 @@ class WebRequest { * Fetch an integer value from the input or return $default if not set. * Guaranteed to return an integer; non-numeric input will typically * return 0. - * @param $name string - * @param $default int - * @return int + * + * @param $name String + * @param $default Integer + * @return Integer */ public function getInt( $name, $default = 0 ) { return intval( $this->getVal( $name, $default ) ); @@ -327,8 +334,9 @@ class WebRequest { * Fetch an integer value from the input or return null if empty. * Guaranteed to return an integer or null; non-numeric input will * typically return null. - * @param $name string - * @return int + * + * @param $name String + * @return Integer */ public function getIntOrNull( $name ) { $val = $this->getVal( $name ); 
@@ -341,20 +349,35 @@ class WebRequest { * Fetch a boolean value from the input or return $default if not set. * Guaranteed to return true or false, with normal PHP semantics for * boolean interpretation of strings. - * @param $name string - * @param $default bool - * @return bool + * + * @param $name String + * @param $default Boolean + * @return Boolean */ public function getBool( $name, $default = false ) { - return $this->getVal( $name, $default ) ? true : false; + return (bool)$this->getVal( $name, $default ); + } + + /** + * Fetch a boolean value from the input or return $default if not set. + * Unlike getBool, the string "false" will result in boolean false, which is + * useful when interpreting information sent from JavaScript. + * + * @param $name String + * @param $default Boolean + * @return Boolean + */ + public function getFuzzyBool( $name, $default = false ) { + return $this->getBool( $name, $default ) && strcasecmp( $this->getVal( $name ), 'false' ) !== 0; } /** * Return true if the named value is set in the input, whatever that * value is (even "0"). Return false if the named value is not set. * Example use is checking for the presence of check boxes in forms. - * @param $name string - * @return bool + * + * @param $name String + * @return Boolean */ public function getCheck( $name ) { # Checkboxes and buttons are only present when clicked 
@@ -365,15 +388,15 @@ class WebRequest { /** * Fetch a text string from the given array or return $default if it's not - * set. \r is stripped from the text, and with some language modules there - * is an input transliteration applied. This should generally be used for - * form <textarea> and <input> fields. Used for user-supplied freeform text - * input (for which input transformations may be required - e.g. Esperanto - * x-coding). + * set. Carriage returns are stripped from the text, and with some language + * modules there is an input transliteration applied. This should generally + * be used for form <textarea> and <input> fields. Used for user-supplied + * freeform text input (for which input transformations may be required - e.g. + * Esperanto x-coding). * - * @param $name string - * @param $default string: optional - * @return string + * @param $name String + * @param $default String: optional + * @return String */ public function getText( $name, $default = '' ) { global $wgContLang; @@ -410,7 +433,7 @@ class WebRequest { * Note that values retrieved by the object may come from the * GET URL etc even on a POST request. * - * @return bool + * @return Boolean */ public function wasPosted() { return $_SERVER['REQUEST_METHOD'] == 'POST'; 
@@ -425,15 +448,32 @@ class WebRequest { * during the current request (in which case the cookie will * be sent back to the client at the end of the script run). * - * @return bool + * @return Boolean */ public function checkSessionCookie() { - return isset( $_COOKIE[session_name()] ); + return isset( $_COOKIE[ session_name() ] ); + } + + /** + * Get a cookie from the $_COOKIE jar + * + * @param $key String: the name of the cookie + * @param $prefix String: a prefix to use for the cookie name, if not $wgCookiePrefix + * @param $default Mixed: what to return if the value isn't found + * @return Mixed: cookie value or $default if the cookie not set + */ + public function getCookie( $key, $prefix = null, $default = null ) { + if( $prefix === null ) { + global $wgCookiePrefix; + $prefix = $wgCookiePrefix; + } + return $this->getGPCVal( $_COOKIE, $prefix . $key , $default ); } /** * Return the path portion of the request URI. - * @return string + * + * @return String */ public function getRequestURL() { if( isset( $_SERVER['REQUEST_URI']) && strlen($_SERVER['REQUEST_URI']) ) { @@ -468,7 +508,8 @@ class WebRequest { /** * Return the request URI with the canonical service and hostname. - * @return string + * + * @return String */ public function getFullRequestURL() { global $wgServer; @@ -478,7 +519,8 @@ class WebRequest { /** * Take an arbitrary query and rewrite the present URL to include it * @param $query String: query string fragment; do not include initial '?' - * @return string + * + * @return String */ public function appendQuery( $query ) { global $wgTitle; @@ -502,8 +544,9 @@ class WebRequest { /** * HTML-safe version of appendQuery(). + * * @param $query String: query string fragment; do not include initial '?' - * @return string + * @return String */ public function escapeAppendQuery( $query ) { return htmlspecialchars( $this->appendQuery( $query ) ); 
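Review bot: The `getCookie()` docblock should say what shape the returned value can have, because the cookie is client-controlled and is handed back exactly as `getGPCVal()` produced it. PHP parses a cookie named `name[]` into an array, so a caller that expects a string may receive an array unless `getGPCVal()` (body outside this hunk) already rules that out. I would extend the tag to `@return Mixed: cookie value (a string, or an array if the client sent name[]) or $default if the cookie is not set`, or return `$default` for non-scalar values if no caller needs arrays.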
@@ -515,10 +558,11 @@ class WebRequest { /** * Appends or replaces value of query variables. + * * @param $array Array of values to replace/add to query * @param $onlyquery Bool: whether to only return the query string and not * the complete URL - * @return string + * @return String */ public function appendQueryArray( $array, $onlyquery = false ) { global $wgTitle; 
@@ -542,53 +586,59 @@ class WebRequest { global $wgUser; $limit = $this->getInt( 'limit', 0 ); - if( $limit < 0 ) $limit = 0; + if( $limit < 0 ) { + $limit = 0; + } if( ( $limit == 0 ) && ( $optionname != '' ) ) { $limit = (int)$wgUser->getOption( $optionname ); } - if( $limit <= 0 ) $limit = $deflimit; - if( $limit > 5000 ) $limit = 5000; # We have *some* limits... + if( $limit <= 0 ) { + $limit = $deflimit; + } + if( $limit > 5000 ) { + $limit = 5000; # We have *some* limits... + } $offset = $this->getInt( 'offset', 0 ); - if( $offset < 0 ) $offset = 0; + if( $offset < 0 ) { + $offset = 0; + } return array( $limit, $offset ); } /** * Return the path to the temporary file where PHP has stored the upload. + * * @param $key String: * @return string or NULL if no such file. */ public function getFileTempname( $key ) { - if( !isset( $_FILES[$key] ) ) { - return null; - } - return $_FILES[$key]['tmp_name']; + $file = new WebRequestUpload( $this, $key ); + return $file->getTempName(); } /** * Return the size of the upload, or 0. + * + * @deprecated * @param $key String: * @return integer */ public function getFileSize( $key ) { - if( !isset( $_FILES[$key] ) ) { - return 0; - } - return $_FILES[$key]['size']; + $file = new WebRequestUpload( $this, $key ); + return $file->getSize(); } /** * Return the upload error or 0 + * * @param $key String: * @return integer */ public function getUploadError( $key ) { - if( !isset( $_FILES[$key] ) || !isset( $_FILES[$key]['error'] ) ) { - return 0/*UPLOAD_ERR_OK*/; - } - return $_FILES[$key]['error']; + $file = new WebRequestUpload( $this, $key ); + return $file->getError(); } /** 
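Review bot: The new `@deprecated` tag on `getFileSize()` names no replacement, and the sibling wrappers `getFileTempname()` and `getUploadError()` in this hunk (and `getFileName()` in the next one) delegate to `WebRequestUpload` in the same way without being tagged. If only this one is meant to go, the docblock should say why; otherwise tag them consistently, for example `@deprecated use getUpload( $key )->getSize() instead`. Each wrapper also builds a fresh `WebRequestUpload`, so a docblock line pointing callers that read several fields to `getUpload()` would help.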
@@ -603,31 +653,33 @@ class WebRequest { * @return string or NULL if no such file. */ public function getFileName( $key ) { - global $wgContLang; - if( !isset( $_FILES[$key] ) ) { - return null; - } - $name = $_FILES[$key]['name']; + $file = new WebRequestUpload( $this, $key ); + return $file->getName(); + } - # Safari sends filenames in HTML-encoded Unicode form D... - # Horrid and evil! Let's try to make some kind of sense of it. - $name = Sanitizer::decodeCharReferences( $name ); - $name = $wgContLang->normalize( $name ); - wfDebug( "WebRequest::getFileName() '" . $_FILES[$key]['name'] . "' normalized to '$name'\n" ); - return $name; + /** + * Return a WebRequestUpload object corresponding to the key + * + * @param @key string + * @return WebRequestUpload + */ + public function getUpload( $key ) { + return new WebRequestUpload( $this, $key ); } /** * Return a handle to WebResponse style object, for setting cookies, * headers and other stuff, for Request being worked on. + * + * @return WebResponse */ public function response() { /* Lazy initialization of response object for this request */ - if ( !is_object( $this->_response ) ) { + if ( !is_object( $this->response ) ) { $class = ( $this instanceof FauxRequest ) ? 'FauxResponse' : 'WebResponse'; - $this->_response = new $class(); + $this->response = new $class(); } - return $this->_response; + return $this->response; } /** @@ -649,6 +701,9 @@ class WebRequest { } } else { $name = 'HTTP_' . str_replace( '-', '_', $name ); + if ( $name === 'HTTP_CONTENT_LENGTH' && !isset( $_SERVER[$name] ) ) { + $name = 'CONTENT_LENGTH'; + } if ( isset( $_SERVER[$name] ) ) { return $_SERVER[$name]; } else { 
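Review bot: The docblock added for `getUpload()` has `@param @key string`, which documentation tools will not bind to the parameter; it should read `@param $key String: key in $_FILES (name of the form field)`. The docblock of `getFileName()` starts outside the hunk, so check that it still describes the filename normalization now that the work is done in `WebRequestUpload::getName()`.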
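Review bot: The `CONTENT_LENGTH` fallback added to this branch of `getHeader()` covers only one of the two request headers that CGI-style `$_SERVER` exposes without the `HTTP_` prefix; `Content-Type` arrives as `CONTENT_TYPE` and would still be reported as missing. Consider `if ( ( $name === 'HTTP_CONTENT_LENGTH' || $name === 'HTTP_CONTENT_TYPE' ) && !isset( $_SERVER[$name] ) ) { $name = substr( $name, 5 ); }`. The start of the function, including how `$name` is case-normalized, is outside the hunk, so confirm that the strict comparison sees an upper-cased name.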
@@ -657,27 +712,86 @@ class WebRequest { } } - /* + /** * Get data from $_SESSION - * @param $key String Name of key in $_SESSION - * @return mixed + * + * @param $key String: name of key in $_SESSION + * @return Mixed */ public function getSessionData( $key ) { - if( !isset( $_SESSION[$key] ) ) + if( !isset( $_SESSION[$key] ) ) { return null; + } return $_SESSION[$key]; } /** * Set session data - * @param $key String Name of key in $_SESSION - * @param $data mixed + * + * @param $key String: name of key in $_SESSION + * @param $data Mixed */ public function setSessionData( $key, $data ) { $_SESSION[$key] = $data; } /** + * Check if Internet Explorer will detect an incorrect cache extension in + * PATH_INFO or QUERY_STRING. If the request can't be allowed, show an error + * message or redirect to a safer URL. Returns true if the URL is OK, and + * false if an error message has been shown and the request should be aborted. + */ + public function checkUrlExtension( $extWhitelist = array() ) { + global $wgScriptExtension; + $extWhitelist[] = ltrim( $wgScriptExtension, '.' ); + if ( IEUrlExtension::areServerVarsBad( $_SERVER, $extWhitelist ) ) { + if ( !$this->wasPosted() ) { + $newUrl = IEUrlExtension::fixUrlForIE6( + $this->getFullRequestURL(), $extWhitelist ); + if ( $newUrl !== false ) { + $this->doSecurityRedirect( $newUrl ); + return false; + } + } + wfHttpError( 403, 'Forbidden', + 'Invalid file extension found in the path info or query string.' ); + + return false; + } + return true; + } + + /** + * Attempt to redirect to a URL with a QUERY_STRING that's not dangerous in + * IE 6. Returns true if it was successful, false otherwise. + */ + protected function doSecurityRedirect( $url ) { + header( 'Location: ' . 
$url ); + header( 'Content-Type: text/html' ); + $encUrl = htmlspecialchars( $url ); + echo <<<HTML +<html> +<head> +<title>Security redirect</title> +</head> +<body> +<h1>Security redirect</h1> +<p> +We can't serve non-HTML content from the URL you have requested, because +Internet Explorer would interpret it as an incorrect and potentially dangerous +content type.</p> +<p>Instead, please use <a href="$encUrl">this URL</a>, which is the same as the URL you have requested, except that +"&*" is appended. This prevents Internet Explorer from seeing a bogus file +extension. +</p> +</body> +</html> +HTML; + echo "\n"; + return true; + } + + /** * Returns true if the PATH_INFO ends with an extension other than a script * extension. This could confuse IE for scripts that send arbitrary data which * is not HTML but may be detected as such. 
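Review bot: `doSecurityRedirect()` sends `header( 'Content-Type: text/html' );` with no charset while the body echoes the request-derived URL, so the legacy browsers this page is written for are left to guess the encoding of client-influenced text; send `header( 'Content-Type: text/html; charset=UTF-8' );` instead. The `htmlspecialchars( $url )` call is appropriate for the double-quoted `href`, and an explicit charset keeps that escaping meaningful. The docblock says the method returns false on failure but the body always returns true, so the return description should be corrected. `checkUrlExtension()` has no `@param`/`@return` lines; I would add `@param $extWhitelist Array: file extensions that are allowed in the URL` and `@return Boolean`.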
@@ -695,30 +809,163 @@ class WebRequest { */ public function isPathInfoBad() { global $wgScriptExtension; + $extWhitelist[] = ltrim( $wgScriptExtension, '.' ); + return IEUrlExtension::areServerVarsBad( $_SERVER, $extWhitelist ); + } + + /** + * Parse the Accept-Language header sent by the client into an array + * @return array( languageCode => q-value ) sorted by q-value in descending order + * May contain the "language" '*', which applies to languages other than those explicitly listed. + * This is aligned with rfc2616 section 14.4 + */ + public function getAcceptLang() { + // Modified version of code found at http://www.thefutureoftheweb.com/blog/use-accept-language-header + $acceptLang = $this->getHeader( 'Accept-Language' ); + if ( !$acceptLang ) { + return array(); + } + + // Return the language codes in lower case + $acceptLang = strtolower( $acceptLang ); + + // Break up string into pieces (languages and q factors) + $lang_parse = null; + preg_match_all( '/([a-z]{1,8}(-[a-z]{1,8})?|\*)\s*(;\s*q\s*=\s*(1|0(\.[0-9]+)?)?)?/', + $acceptLang, $lang_parse ); - if ( isset( $_SERVER['QUERY_STRING'] ) - && preg_match( '/\.[^\\/:*?"<>|%]+(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) - { - // Bug 28235 - // Block only Internet Explorer, and requests with missing UA - // headers that could be IE users behind a privacy proxy. 
- if ( !isset( $_SERVER['HTTP_USER_AGENT'] ) - || preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) ) - { - return true; + if ( !count( $lang_parse[1] ) ) { + return array(); + } + + // Create a list like "en" => 0.8 + $langs = array_combine( $lang_parse[1], $lang_parse[4] ); + // Set default q factor to 1 + foreach ( $langs as $lang => $val ) { + if ( $val === '' ) { + $langs[$lang] = 1; + } else if ( $val == 0 ) { + unset($langs[$lang]); } } - if ( !isset( $_SERVER['PATH_INFO'] ) ) { - return false; + // Sort list + arsort( $langs, SORT_NUMERIC ); + return $langs; + } +} + +/** + * Object to access the $_FILES array + */ +class WebRequestUpload { + protected $request; + protected $doesExist; + protected $fileInfo; + + /** + * Constructor. Should only be called by WebRequest + * + * @param $request WebRequest The associated request + * @param $key string Key in $_FILES array (name of form field) + */ + public function __construct( $request, $key ) { + $this->request = $request; + $this->doesExist = isset( $_FILES[$key] ); + if ( $this->doesExist ) { + $this->fileInfo = $_FILES[$key]; } - $pi = $_SERVER['PATH_INFO']; - $dotPos = strrpos( $pi, '.' ); - if ( $dotPos === false ) { - return false; + } + + /** + * Return whether a file with this name was uploaded. + * + * @return bool + */ + public function exists() { + return $this->doesExist; + } + + /** + * Return the original filename of the uploaded file + * + * @return mixed Filename or null if non-existent + */ + public function getName() { + if ( !$this->exists() ) { + return null; + } + + global $wgContLang; + $name = $this->fileInfo['name']; + + # Safari sends filenames in HTML-encoded Unicode form D... + # Horrid and evil! Let's try to make some kind of sense of it. + $name = Sanitizer::decodeCharReferences( $name ); + $name = $wgContLang->normalize( $name ); + wfDebug( __METHOD__ . 
": {$this->fileInfo['name']} normalized to '$name'\n" ); + return $name; + } + + /** + * Return the file size of the uploaded file + * + * @return int File size or zero if non-existent + */ + public function getSize() { + if ( !$this->exists() ) { + return 0; + } + + return $this->fileInfo['size']; + } + + /** + * Return the path to the temporary file + * + * @return mixed Path or null if non-existent + */ + public function getTempName() { + if ( !$this->exists() ) { + return null; + } + + return $this->fileInfo['tmp_name']; + } + + /** + * Return the upload error. See link for explanation + * http://www.php.net/manual/en/features.file-upload.errors.php + * + * @return int One of the UPLOAD_ constants, 0 if non-existent + */ + public function getError() { + if ( !$this->exists() ) { + return 0; # UPLOAD_ERR_OK } - $ext = substr( $pi, $dotPos ); - return !in_array( $ext, array( $wgScriptExtension, '.php', '.php5' ) ); + + return $this->fileInfo['error']; + } + + /** + * Returns whether this upload failed because of overflow of a maximum set + * in php.ini + * + * @return bool + */ + public function isIniSizeOverflow() { + if ( $this->getError() == UPLOAD_ERR_INI_SIZE ) { + # PHP indicated that upload_max_filesize is exceeded + return true; + } + + $contentLength = $this->request->getHeader( 'CONTENT_LENGTH' ); + if ( $contentLength > wfShorthandToInteger( ini_get( 'post_max_size' ) ) ) { + # post_max_size is exceeded + return true; + } + + return false; } } @@ -730,12 +977,12 @@ class WebRequest { class FauxRequest extends WebRequest { private $wasPosted = false; private $session = array(); - private $response; /** * @param $data Array of *non*-urlencoded key => value pairs, the * fake GET/POST values * @param $wasPosted Bool: whether to treat the data as POST + * @param $session Mixed: session array or null */ public function __construct( $data, $wasPosted = false, $session = null ) { if( is_array( $data ) ) { 
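Review bot: `WebRequestUpload::isIniSizeOverflow()` compares the request length with `post_max_size` unconditionally, but PHP treats `post_max_size = 0` as "no limit", so (assuming `wfShorthandToInteger()` returns 0 for it) every request with a body is reported as an overflow; keep the limit in a variable and test `if ( $maxPostSize > 0 && $contentLength > $maxPostSize ) {`. `getError()` also lost the `isset( $_FILES[$key]['error'] )` guard that the old `getUploadError()` body (removed earlier in this diff) had, so it should end with `return isset( $this->fileInfo['error'] ) ? $this->fileInfo['error'] : 0;`. In `getAcceptLang()` the pattern is unanchored and accepts only one hyphenated subtag, so a tag such as `zh-hant-tw;q=0.5` comes out as `zh-hant` with the default q of 1 plus `tw` at 0.5, and any run of letters in a malformed header becomes a key. The header is client-supplied, so the docblock should tell callers to match the returned keys against the configured language codes before using them.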
@@ -774,7 +1021,25 @@ class FauxRequest extends WebRequest { } public function appendQuery( $query ) { - $this->notImplemented( __METHOD__ ); + global $wgTitle; + $basequery = ''; + foreach( $this->data as $var => $val ) { + if ( $var == 'title' ) { + continue; + } + if ( is_array( $val ) ) { + /* This will happen given a request like + * http://en.wikipedia.org/w/index.php?title[]=Special:Userlogin&returnto[]=Main_Page + */ + continue; + } + $basequery .= '&' . urlencode( $var ) . '=' . urlencode( $val ); + } + $basequery .= '&' . $query; + + # Trim the extra & + $basequery = substr( $basequery, 1 ); + return $wgTitle->getLocalURL( $basequery ); } public function getHeader( $name ) { @@ -791,10 +1056,14 @@ class FauxRequest extends WebRequest { } public function setSessionData( $key, $data ) { - $this->notImplemented( __METHOD__ ); + $this->session[$key] = $data; } - public function isPathInfoBad() { + public function isPathInfoBad( $extWhitelist = array() ) { return false; } + + public function checkUrlExtension( $extWhitelist = array() ) { + return true; + } } |
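Review bot: In the new `FauxRequest::appendQuery()` the test `if ( $var == 'title' )` uses loose comparison on array keys, and on PHP versions before 8 an integer key `0` compares equal to `'title'` and would be skipped. `$this->data` is filled from a caller-supplied array (constructor body outside the hunk), so numeric keys are possible; use `if ( $var === 'title' ) {`. The function has no docblock of its own; a one-line note that it mirrors `WebRequest::appendQuery()` for the fake data would help readers.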
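Review bot: `FauxRequest::isPathInfoBad( $extWhitelist = array() )` now declares a parameter that the base `WebRequest::isPathInfoBad()` changed earlier in this diff does not; the base method instead appends to a local `$extWhitelist` that is never initialised, so a whitelist passed by a caller is silently dropped for real requests. Declare it on the base as well, `public function isPathInfoBad( $extWhitelist = array() ) {`, which also makes the `$extWhitelist[] = …` line start from a defined array.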