dépôts / lhc / web / wiklou.git / blob
? search:


9f6d277f8dad157acfc23951b09ac53eb46c00a8
[lhc/web/wiklou.git] / includes / WebRequest.php
1 <?php
2 /**
3 * Deal with importing all those nasssty globals and things
4 *
5 * Copyright © 2003 Brion Vibber <brion@pobox.com>
6 * http://www.mediawiki.org/
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
21 * http://www.gnu.org/copyleft/gpl.html
22 *
23 * @file
24 */
25
26 /**
27 * The WebRequest class encapsulates getting at data passed in the
28 * URL or via a POSTed form, handling remove of "magic quotes" slashes,
29 * stripping illegal input characters and normalizing Unicode sequences.
30 *
31 * Usually this is used via a global singleton, $wgRequest. You should
32 * not create a second WebRequest object; make a FauxRequest object if
33 * you want to pass arbitrary data to some function in place of the web
34 * input.
35 *
36 * @ingroup HTTP
37 */
38 class WebRequest {
39 protected $data, $headers = array();
40
41 /**
42 * Lazy-init response object
43 * @var WebResponse
44 */
45 private $response;
46
47 /**
48 * Cached client IP address
49 * @var String
50 */
51 private $ip;
52
53 public function __construct() {
54 /// @todo FIXME: This preemptive de-quoting can interfere with other web libraries
55 /// and increases our memory footprint. It would be cleaner to do on
56 /// demand; but currently we have no wrapper for $_SERVER etc.
57 $this->checkMagicQuotes();
58
59 // POST overrides GET data
60 // We don't use $_REQUEST here to avoid interference from cookies...
61 $this->data = $_POST + $_GET;
62 }
63
64 /**
65 * Extract the PATH_INFO variable even when it isn't a reasonable
66 * value. On some large webhosts, PATH_INFO includes the script
67 * path as well as everything after it.
68 *
69 * @param $want string: If this is not 'all', then the function
70 * will return an empty array if it determines that the URL is
71 * inside a rewrite path.
72 *
73 * @return Array: 'title' key is the title of the article.
74 */
75 static public function getPathInfo( $want = 'all' ) {
76 // PATH_INFO is mangled due to http://bugs.php.net/bug.php?id=31892
77 // And also by Apache 2.x, double slashes are converted to single slashes.
78 // So we will use REQUEST_URI if possible.
79 $matches = array();
80 if ( !empty( $_SERVER['REQUEST_URI'] ) ) {
81 // Slurp out the path portion to examine...
82 $url = $_SERVER['REQUEST_URI'];
83 if ( !preg_match( '!^https?://!', $url ) ) {
84 $url = 'http://unused' . $url;
85 }
86 $a = parse_url( $url );
87 if( $a ) {
88 $path = isset( $a['path'] ) ? $a['path'] : '';
89
90 global $wgScript;
91 if( $path == $wgScript && $want !== 'all' ) {
92 // Script inside a rewrite path?
93 // Abort to keep from breaking...
94 return $matches;
95 }
96 // Raw PATH_INFO style
97 $matches = self::extractTitle( $path, "$wgScript/$1" );
98
99 if( !$matches
100 && isset( $_SERVER['SCRIPT_NAME'] )
101 && preg_match( '/\.php5?/', $_SERVER['SCRIPT_NAME'] ) )
102 {
103 # Check for SCRIPT_NAME, we handle index.php explicitly
104 # But we do have some other .php files such as img_auth.php
105 # Don't let root article paths clober the parsing for them
106 $matches = self::extractTitle( $path, $_SERVER['SCRIPT_NAME'] . "/$1" );
107 }
108
109 global $wgArticlePath;
110 if( !$matches && $wgArticlePath ) {
111 $matches = self::extractTitle( $path, $wgArticlePath );
112 }
113
114 global $wgActionPaths;
115 if( !$matches && $wgActionPaths ) {
116 $matches = self::extractTitle( $path, $wgActionPaths, 'action' );
117 }
118
119 global $wgVariantArticlePath, $wgContLang;
120 if( !$matches && $wgVariantArticlePath ) {
121 $variantPaths = array();
122 foreach( $wgContLang->getVariants() as $variant ) {
123 $variantPaths[$variant] =
124 str_replace( '$2', $variant, $wgVariantArticlePath );
125 }
126 $matches = self::extractTitle( $path, $variantPaths, 'variant' );
127 }
128
129 wfRunHooks( 'WebRequestGetPathInfoRequestURI', array( $path, &$matches ) );
130 }
131 } elseif ( isset( $_SERVER['ORIG_PATH_INFO'] ) && $_SERVER['ORIG_PATH_INFO'] != '' ) {
132 // Mangled PATH_INFO
133 // http://bugs.php.net/bug.php?id=31892
134 // Also reported when ini_get('cgi.fix_pathinfo')==false
135 $matches['title'] = substr( $_SERVER['ORIG_PATH_INFO'], 1 );
136
137 } elseif ( isset( $_SERVER['PATH_INFO'] ) && ($_SERVER['PATH_INFO'] != '') ) {
138 // Regular old PATH_INFO yay
139 $matches['title'] = substr( $_SERVER['PATH_INFO'], 1 );
140 }
141
142 return $matches;
143 }
144
145 /**
146 * Work out an appropriate URL prefix containing scheme and host, based on
147 * information detected from $_SERVER
148 *
149 * @return string
150 */
151 public static function detectServer() {
152 list( $proto, $stdPort ) = self::detectProtocolAndStdPort();
153
154 $varNames = array( 'HTTP_HOST', 'SERVER_NAME', 'HOSTNAME', 'SERVER_ADDR' );
155 $host = 'localhost';
156 $port = $stdPort;
157 foreach ( $varNames as $varName ) {
158 if ( !isset( $_SERVER[$varName] ) ) {
159 continue;
160 }
161 $parts = IP::splitHostAndPort( $_SERVER[$varName] );
162 if ( !$parts ) {
163 // Invalid, do not use
164 continue;
165 }
166 $host = $parts[0];
167 if ( $parts[1] === false ) {
168 if ( isset( $_SERVER['SERVER_PORT'] ) ) {
169 $port = $_SERVER['SERVER_PORT'];
170 } // else leave it as $stdPort
171 } else {
172 $port = $parts[1];
173 }
174 break;
175 }
176
177 return $proto . '://' . IP::combineHostAndPort( $host, $port, $stdPort );
178 }
179
180 /**
181 * @return array
182 */
183 public static function detectProtocolAndStdPort() {
184 return ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] == 'on' ) ? array( 'https', 443 ) : array( 'http', 80 );
185 }
186
187 /**
188 * @return string
189 */
190 public static function detectProtocol() {
191 list( $proto, $stdPort ) = self::detectProtocolAndStdPort();
192 return $proto;
193 }
194
195 /**
196 * Check for title, action, and/or variant data in the URL
197 * and interpolate it into the GET variables.
198 * This should only be run after $wgContLang is available,
199 * as we may need the list of language variants to determine
200 * available variant URLs.
201 */
202 public function interpolateTitle() {
203 global $wgUsePathInfo;
204
205 // bug 16019: title interpolation on API queries is useless and sometimes harmful
206 if ( defined( 'MW_API' ) ) {
207 return;
208 }
209
210 if ( $wgUsePathInfo ) {
211 $matches = self::getPathInfo( 'title' );
212 foreach( $matches as $key => $val) {
213 $this->data[$key] = $_GET[$key] = $_REQUEST[$key] = $val;
214 }
215 }
216 }
217
218 /**
219 * URL rewriting function; tries to extract page title and,
220 * optionally, one other fixed parameter value from a URL path.
221 *
222 * @param $path string: the URL path given from the client
223 * @param $bases array: one or more URLs, optionally with $1 at the end
224 * @param $key string: if provided, the matching key in $bases will be
225 * passed on as the value of this URL parameter
226 * @return array of URL variables to interpolate; empty if no match
227 */
228 static function extractTitle( $path, $bases, $key = false ) {
229 foreach( (array)$bases as $keyValue => $base ) {
230 // Find the part after $wgArticlePath
231 $base = str_replace( '$1', '', $base );
232 $baseLen = strlen( $base );
233 if( substr( $path, 0, $baseLen ) == $base ) {
234 $raw = substr( $path, $baseLen );
235 if( $raw !== '' ) {
236 $matches = array( 'title' => rawurldecode( $raw ) );
237 if( $key ) {
238 $matches[$key] = $keyValue;
239 }
240 return $matches;
241 }
242 }
243 }
244 return array();
245 }
246
247 /**
248 * Recursively strips slashes from the given array;
249 * used for undoing the evil that is magic_quotes_gpc.
250 *
251 * @param $arr array: will be modified
252 * @param $topLevel bool Specifies if the array passed is from the top
253 * level of the source. In PHP5 magic_quotes only escapes the first level
254 * of keys that belong to an array.
255 * @return array the original array
256 * @see http://www.php.net/manual/en/function.get-magic-quotes-gpc.php#49612
257 */
258 private function &fix_magic_quotes( &$arr, $topLevel = true ) {
259 $clean = array();
260 foreach( $arr as $key => $val ) {
261 if( is_array( $val ) ) {
262 $cleanKey = $topLevel ? stripslashes( $key ) : $key;
263 $clean[$cleanKey] = $this->fix_magic_quotes( $arr[$key], false );
264 } else {
265 $cleanKey = stripslashes( $key );
266 $clean[$cleanKey] = stripslashes( $val );
267 }
268 }
269 $arr = $clean;
270 return $arr;
271 }
272
273 /**
274 * If magic_quotes_gpc option is on, run the global arrays
275 * through fix_magic_quotes to strip out the stupid slashes.
276 * WARNING: This should only be done once! Running a second
277 * time could damage the values.
278 */
279 private function checkMagicQuotes() {
280 $mustFixQuotes = function_exists( 'get_magic_quotes_gpc' )
281 && get_magic_quotes_gpc();
282 if( $mustFixQuotes ) {
283 $this->fix_magic_quotes( $_COOKIE );
284 $this->fix_magic_quotes( $_ENV );
285 $this->fix_magic_quotes( $_GET );
286 $this->fix_magic_quotes( $_POST );
287 $this->fix_magic_quotes( $_REQUEST );
288 $this->fix_magic_quotes( $_SERVER );
289 }
290 }
291
292 /**
293 * Recursively normalizes UTF-8 strings in the given array.
294 *
295 * @param $data string or array
296 * @return cleaned-up version of the given
297 * @private
298 */
299 function normalizeUnicode( $data ) {
300 if( is_array( $data ) ) {
301 foreach( $data as $key => $val ) {
302 $data[$key] = $this->normalizeUnicode( $val );
303 }
304 } else {
305 global $wgContLang;
306 $data = isset( $wgContLang ) ? $wgContLang->normalize( $data ) : UtfNormal::cleanUp( $data );
307 }
308 return $data;
309 }
310
311 /**
312 * Fetch a value from the given array or return $default if it's not set.
313 *
314 * @param $arr Array
315 * @param $name String
316 * @param $default Mixed
317 * @return mixed
318 */
319 private function getGPCVal( $arr, $name, $default ) {
320 # PHP is so nice to not touch input data, except sometimes:
321 # http://us2.php.net/variables.external#language.variables.external.dot-in-names
322 # Work around PHP *feature* to avoid *bugs* elsewhere.
323 $name = strtr( $name, '.', '_' );
324 if( isset( $arr[$name] ) ) {
325 global $wgContLang;
326 $data = $arr[$name];
327 if( isset( $_GET[$name] ) && !is_array( $data ) ) {
328 # Check for alternate/legacy character encoding.
329 if( isset( $wgContLang ) ) {
330 $data = $wgContLang->checkTitleEncoding( $data );
331 }
332 }
333 $data = $this->normalizeUnicode( $data );
334 return $data;
335 } else {
336 taint( $default );
337 return $default;
338 }
339 }
340
341 /**
342 * Fetch a scalar from the input or return $default if it's not set.
343 * Returns a string. Arrays are discarded. Useful for
344 * non-freeform text inputs (e.g. predefined internal text keys
345 * selected by a drop-down menu). For freeform input, see getText().
346 *
347 * @param $name String
348 * @param $default String: optional default (or NULL)
349 * @return String
350 */
351 public function getVal( $name, $default = null ) {
352 $val = $this->getGPCVal( $this->data, $name, $default );
353 if( is_array( $val ) ) {
354 $val = $default;
355 }
356 if( is_null( $val ) ) {
357 return $val;
358 } else {
359 return (string)$val;
360 }
361 }
362
363 /**
364 * Set an arbitrary value into our get/post data.
365 *
366 * @param $key String: key name to use
367 * @param $value Mixed: value to set
368 * @return Mixed: old value if one was present, null otherwise
369 */
370 public function setVal( $key, $value ) {
371 $ret = isset( $this->data[$key] ) ? $this->data[$key] : null;
372 $this->data[$key] = $value;
373 return $ret;
374 }
375
376 /**
377 * Fetch an array from the input or return $default if it's not set.
378 * If source was scalar, will return an array with a single element.
379 * If no source and no default, returns NULL.
380 *
381 * @param $name String
382 * @param $default Array: optional default (or NULL)
383 * @return Array
384 */
385 public function getArray( $name, $default = null ) {
386 $val = $this->getGPCVal( $this->data, $name, $default );
387 if( is_null( $val ) ) {
388 return null;
389 } else {
390 return (array)$val;
391 }
392 }
393
394 /**
395 * Fetch an array of integers, or return $default if it's not set.
396 * If source was scalar, will return an array with a single element.
397 * If no source and no default, returns NULL.
398 * If an array is returned, contents are guaranteed to be integers.
399 *
400 * @param $name String
401 * @param $default Array: option default (or NULL)
402 * @return Array of ints
403 */
404 public function getIntArray( $name, $default = null ) {
405 $val = $this->getArray( $name, $default );
406 if( is_array( $val ) ) {
407 $val = array_map( 'intval', $val );
408 }
409 return $val;
410 }
411
412 /**
413 * Fetch an integer value from the input or return $default if not set.
414 * Guaranteed to return an integer; non-numeric input will typically
415 * return 0.
416 *
417 * @param $name String
418 * @param $default Integer
419 * @return Integer
420 */
421 public function getInt( $name, $default = 0 ) {
422 return intval( $this->getVal( $name, $default ) );
423 }
424
425 /**
426 * Fetch an integer value from the input or return null if empty.
427 * Guaranteed to return an integer or null; non-numeric input will
428 * typically return null.
429 *
430 * @param $name String
431 * @return Integer
432 */
433 public function getIntOrNull( $name ) {
434 $val = $this->getVal( $name );
435 return is_numeric( $val )
436 ? intval( $val )
437 : null;
438 }
439
440 /**
441 * Fetch a boolean value from the input or return $default if not set.
442 * Guaranteed to return true or false, with normal PHP semantics for
443 * boolean interpretation of strings.
444 *
445 * @param $name String
446 * @param $default Boolean
447 * @return Boolean
448 */
449 public function getBool( $name, $default = false ) {
450 return (bool)$this->getVal( $name, $default );
451 }
452
453 /**
454 * Fetch a boolean value from the input or return $default if not set.
455 * Unlike getBool, the string "false" will result in boolean false, which is
456 * useful when interpreting information sent from JavaScript.
457 *
458 * @param $name String
459 * @param $default Boolean
460 * @return Boolean
461 */
462 public function getFuzzyBool( $name, $default = false ) {
463 return $this->getBool( $name, $default ) && strcasecmp( $this->getVal( $name ), 'false' ) !== 0;
464 }
465
466 /**
467 * Return true if the named value is set in the input, whatever that
468 * value is (even "0"). Return false if the named value is not set.
469 * Example use is checking for the presence of check boxes in forms.
470 *
471 * @param $name String
472 * @return Boolean
473 */
474 public function getCheck( $name ) {
475 # Checkboxes and buttons are only present when clicked
476 # Presence connotes truth, abscense false
477 $val = $this->getVal( $name, null );
478 return isset( $val );
479 }
480
481 /**
482 * Fetch a text string from the given array or return $default if it's not
483 * set. Carriage returns are stripped from the text, and with some language
484 * modules there is an input transliteration applied. This should generally
485 * be used for form <textarea> and <input> fields. Used for user-supplied
486 * freeform text input (for which input transformations may be required - e.g.
487 * Esperanto x-coding).
488 *
489 * @param $name String
490 * @param $default String: optional
491 * @return String
492 */
493 public function getText( $name, $default = '' ) {
494 global $wgContLang;
495 $val = $this->getVal( $name, $default );
496 return str_replace( "\r\n", "\n",
497 $wgContLang->recodeInput( $val ) );
498 }
499
500 /**
501 * Extracts the given named values into an array.
502 * If no arguments are given, returns all input values.
503 * No transformation is performed on the values.
504 *
505 * @return array
506 */
507 public function getValues() {
508 $names = func_get_args();
509 if ( count( $names ) == 0 ) {
510 $names = array_keys( $this->data );
511 }
512
513 $retVal = array();
514 foreach ( $names as $name ) {
515 $value = $this->getVal( $name );
516 if ( !is_null( $value ) ) {
517 $retVal[$name] = $value;
518 }
519 }
520 return $retVal;
521 }
522
523 /**
524 * Returns the names of all input values excluding those in $exclude.
525 *
526 * @param $exclude Array
527 * @return array
528 */
529 public function getValueNames( $exclude = array() ) {
530 return array_diff( array_keys( $this->getValues() ), $exclude );
531 }
532
533 /**
534 * Get the values passed in the query string.
535 * No transformation is performed on the values.
536 *
537 * @return Array
538 */
539 public function getQueryValues() {
540 return $_GET;
541 }
542
543 /**
544 * Returns true if the present request was reached by a POST operation,
545 * false otherwise (GET, HEAD, or command-line).
546 *
547 * Note that values retrieved by the object may come from the
548 * GET URL etc even on a POST request.
549 *
550 * @return Boolean
551 */
552 public function wasPosted() {
553 return isset( $_SERVER['REQUEST_METHOD'] ) && $_SERVER['REQUEST_METHOD'] == 'POST';
554 }
555
556 /**
557 * Returns true if there is a session cookie set.
558 * This does not necessarily mean that the user is logged in!
559 *
560 * If you want to check for an open session, use session_id()
561 * instead; that will also tell you if the session was opened
562 * during the current request (in which case the cookie will
563 * be sent back to the client at the end of the script run).
564 *
565 * @return Boolean
566 */
567 public function checkSessionCookie() {
568 return isset( $_COOKIE[ session_name() ] );
569 }
570
571 /**
572 * Get a cookie from the $_COOKIE jar
573 *
574 * @param $key String: the name of the cookie
575 * @param $prefix String: a prefix to use for the cookie name, if not $wgCookiePrefix
576 * @param $default Mixed: what to return if the value isn't found
577 * @return Mixed: cookie value or $default if the cookie not set
578 */
579 public function getCookie( $key, $prefix = null, $default = null ) {
580 if( $prefix === null ) {
581 global $wgCookiePrefix;
582 $prefix = $wgCookiePrefix;
583 }
584 return $this->getGPCVal( $_COOKIE, $prefix . $key , $default );
585 }
586
587 /**
588 * Return the path and query string portion of the request URI.
589 * This will be suitable for use as a relative link in HTML output.
590 *
591 * @return String
592 */
593 public function getRequestURL() {
594 if( isset( $_SERVER['REQUEST_URI'] ) && strlen( $_SERVER['REQUEST_URI'] ) ) {
595 $base = $_SERVER['REQUEST_URI'];
596 } elseif ( isset( $_SERVER['HTTP_X_ORIGINAL_URL'] ) && strlen( $_SERVER['HTTP_X_ORIGINAL_URL'] ) ) {
597 // Probably IIS; doesn't set REQUEST_URI
598 $base = $_SERVER['HTTP_X_ORIGINAL_URL'];
599 } elseif( isset( $_SERVER['SCRIPT_NAME'] ) ) {
600 $base = $_SERVER['SCRIPT_NAME'];
601 if( isset( $_SERVER['QUERY_STRING'] ) && $_SERVER['QUERY_STRING'] != '' ) {
602 $base .= '?' . $_SERVER['QUERY_STRING'];
603 }
604 } else {
605 // This shouldn't happen!
606 throw new MWException( "Web server doesn't provide either " .
607 "REQUEST_URI, HTTP_X_ORIGINAL_URL or SCRIPT_NAME. Report details " .
608 "of your web server configuration to http://bugzilla.wikimedia.org/" );
609 }
610 // User-agents should not send a fragment with the URI, but
611 // if they do, and the web server passes it on to us, we
612 // need to strip it or we get false-positive redirect loops
613 // or weird output URLs
614 $hash = strpos( $base, '#' );
615 if( $hash !== false ) {
616 $base = substr( $base, 0, $hash );
617 }
618 if( $base[0] == '/' ) {
619 return $base;
620 } else {
621 // We may get paths with a host prepended; strip it.
622 return preg_replace( '!^[^:]+://[^/]+/!', '/', $base );
623 }
624 }
625
626 /**
627 * Return the request URI with the canonical service and hostname, path,
628 * and query string. This will be suitable for use as an absolute link
629 * in HTML or other output.
630 *
631 * If $wgServer is protocol-relative, this will return a fully
632 * qualified URL with the protocol that was used for this request.
633 *
634 * @return String
635 */
636 public function getFullRequestURL() {
637 return wfExpandUrl( $this->getRequestURL(), PROTO_CURRENT );
638 }
639
640 /**
641 * Take an arbitrary query and rewrite the present URL to include it
642 * @param $query String: query string fragment; do not include initial '?'
643 *
644 * @return String
645 */
646 public function appendQuery( $query ) {
647 return $this->appendQueryArray( wfCgiToArray( $query ) );
648 }
649
650 /**
651 * HTML-safe version of appendQuery().
652 *
653 * @param $query String: query string fragment; do not include initial '?'
654 * @return String
655 */
656 public function escapeAppendQuery( $query ) {
657 return htmlspecialchars( $this->appendQuery( $query ) );
658 }
659
660 /**
661 * @param $key
662 * @param $value
663 * @param $onlyquery bool
664 * @return String
665 */
666 public function appendQueryValue( $key, $value, $onlyquery = false ) {
667 return $this->appendQueryArray( array( $key => $value ), $onlyquery );
668 }
669
670 /**
671 * Appends or replaces value of query variables.
672 *
673 * @param $array Array of values to replace/add to query
674 * @param $onlyquery Bool: whether to only return the query string and not
675 * the complete URL
676 * @return String
677 */
678 public function appendQueryArray( $array, $onlyquery = false ) {
679 global $wgTitle;
680 $newquery = $this->getQueryValues();
681 unset( $newquery['title'] );
682 $newquery = array_merge( $newquery, $array );
683 $query = wfArrayToCGI( $newquery );
684 return $onlyquery ? $query : $wgTitle->getLocalURL( $query );
685 }
686
687 /**
688 * Check for limit and offset parameters on the input, and return sensible
689 * defaults if not given. The limit must be positive and is capped at 5000.
690 * Offset must be positive but is not capped.
691 *
692 * @param $deflimit Integer: limit to use if no input and the user hasn't set the option.
693 * @param $optionname String: to specify an option other than rclimit to pull from.
694 * @return array first element is limit, second is offset
695 */
696 public function getLimitOffset( $deflimit = 50, $optionname = 'rclimit' ) {
697 global $wgUser;
698
699 $limit = $this->getInt( 'limit', 0 );
700 if( $limit < 0 ) {
701 $limit = 0;
702 }
703 if( ( $limit == 0 ) && ( $optionname != '' ) ) {
704 $limit = (int)$wgUser->getOption( $optionname );
705 }
706 if( $limit <= 0 ) {
707 $limit = $deflimit;
708 }
709 if( $limit > 5000 ) {
710 $limit = 5000; # We have *some* limits...
711 }
712
713 $offset = $this->getInt( 'offset', 0 );
714 if( $offset < 0 ) {
715 $offset = 0;
716 }
717
718 return array( $limit, $offset );
719 }
720
721 /**
722 * Return the path to the temporary file where PHP has stored the upload.
723 *
724 * @param $key String:
725 * @return string or NULL if no such file.
726 */
727 public function getFileTempname( $key ) {
728 $file = new WebRequestUpload( $this, $key );
729 return $file->getTempName();
730 }
731
732 /**
733 * Return the size of the upload, or 0.
734 *
735 * @deprecated since 1.17
736 * @param $key String:
737 * @return integer
738 */
739 public function getFileSize( $key ) {
740 $file = new WebRequestUpload( $this, $key );
741 return $file->getSize();
742 }
743
744 /**
745 * Return the upload error or 0
746 *
747 * @param $key String:
748 * @return integer
749 */
750 public function getUploadError( $key ) {
751 $file = new WebRequestUpload( $this, $key );
752 return $file->getError();
753 }
754
755 /**
756 * Return the original filename of the uploaded file, as reported by
757 * the submitting user agent. HTML-style character entities are
758 * interpreted and normalized to Unicode normalization form C, in part
759 * to deal with weird input from Safari with non-ASCII filenames.
760 *
761 * Other than this the name is not verified for being a safe filename.
762 *
763 * @param $key String:
764 * @return string or NULL if no such file.
765 */
766 public function getFileName( $key ) {
767 $file = new WebRequestUpload( $this, $key );
768 return $file->getName();
769 }
770
771 /**
772 * Return a WebRequestUpload object corresponding to the key
773 *
774 * @param $key string
775 * @return WebRequestUpload
776 */
777 public function getUpload( $key ) {
778 return new WebRequestUpload( $this, $key );
779 }
780
781 /**
782 * Return a handle to WebResponse style object, for setting cookies,
783 * headers and other stuff, for Request being worked on.
784 *
785 * @return WebResponse
786 */
787 public function response() {
788 /* Lazy initialization of response object for this request */
789 if ( !is_object( $this->response ) ) {
790 $class = ( $this instanceof FauxRequest ) ? 'FauxResponse' : 'WebResponse';
791 $this->response = new $class();
792 }
793 return $this->response;
794 }
795
796 /**
797 * Initialise the header list
798 */
799 private function initHeaders() {
800 if ( count( $this->headers ) ) {
801 return;
802 }
803
804 if ( function_exists( 'apache_request_headers' ) ) {
805 foreach ( apache_request_headers() as $tempName => $tempValue ) {
806 $this->headers[ strtoupper( $tempName ) ] = $tempValue;
807 }
808 } else {
809 foreach ( $_SERVER as $name => $value ) {
810 if ( substr( $name, 0, 5 ) === 'HTTP_' ) {
811 $name = str_replace( '_', '-', substr( $name, 5 ) );
812 $this->headers[$name] = $value;
813 } elseif ( $name === 'CONTENT_LENGTH' ) {
814 $this->headers['CONTENT-LENGTH'] = $value;
815 }
816 }
817 }
818 }
819
820 /**
821 * Get an array containing all request headers
822 *
823 * @return Array mapping header name to its value
824 */
825 public function getAllHeaders() {
826 $this->initHeaders();
827 return $this->headers;
828 }
829
830 /**
831 * Get a request header, or false if it isn't set
832 * @param $name String: case-insensitive header name
833 *
834 * @return string|false
835 */
836 public function getHeader( $name ) {
837 $this->initHeaders();
838 $name = strtoupper( $name );
839 if ( isset( $this->headers[$name] ) ) {
840 return $this->headers[$name];
841 } else {
842 return false;
843 }
844 }
845
846 /**
847 * Get data from $_SESSION
848 *
849 * @param $key String: name of key in $_SESSION
850 * @return Mixed
851 */
852 public function getSessionData( $key ) {
853 if( !isset( $_SESSION[$key] ) ) {
854 return null;
855 }
856 return $_SESSION[$key];
857 }
858
859 /**
860 * Set session data
861 *
862 * @param $key String: name of key in $_SESSION
863 * @param $data Mixed
864 */
865 public function setSessionData( $key, $data ) {
866 $_SESSION[$key] = $data;
867 }
868
869 /**
870 * Check if Internet Explorer will detect an incorrect cache extension in
871 * PATH_INFO or QUERY_STRING. If the request can't be allowed, show an error
872 * message or redirect to a safer URL. Returns true if the URL is OK, and
873 * false if an error message has been shown and the request should be aborted.
874 *
875 * @param $extWhitelist array
876 * @return bool
877 */
878 public function checkUrlExtension( $extWhitelist = array() ) {
879 global $wgScriptExtension;
880 $extWhitelist[] = ltrim( $wgScriptExtension, '.' );
881 if ( IEUrlExtension::areServerVarsBad( $_SERVER, $extWhitelist ) ) {
882 if ( !$this->wasPosted() ) {
883 $newUrl = IEUrlExtension::fixUrlForIE6(
884 $this->getFullRequestURL(), $extWhitelist );
885 if ( $newUrl !== false ) {
886 $this->doSecurityRedirect( $newUrl );
887 return false;
888 }
889 }
890 throw new HttpError( 403,
891 'Invalid file extension found in the path info or query string.' );
892 }
893 return true;
894 }
895
896 /**
897 * Attempt to redirect to a URL with a QUERY_STRING that's not dangerous in
898 * IE 6. Returns true if it was successful, false otherwise.
899 *
900 * @param $url string
901 * @return bool
902 */
903 protected function doSecurityRedirect( $url ) {
904 header( 'Location: ' . $url );
905 header( 'Content-Type: text/html' );
906 $encUrl = htmlspecialchars( $url );
907 echo <<<HTML
908 <html>
909 <head>
910 <title>Security redirect</title>
911 </head>
912 <body>
913 <h1>Security redirect</h1>
914 <p>
915 We can't serve non-HTML content from the URL you have requested, because
916 Internet Explorer would interpret it as an incorrect and potentially dangerous
917 content type.</p>
918 <p>Instead, please use <a href="$encUrl">this URL</a>, which is the same as the URL you have requested, except that
919 "&amp;*" is appended. This prevents Internet Explorer from seeing a bogus file
920 extension.
921 </p>
922 </body>
923 </html>
924 HTML;
925 echo "\n";
926 return true;
927 }
928
929 /**
930 * Returns true if the PATH_INFO ends with an extension other than a script
931 * extension. This could confuse IE for scripts that send arbitrary data which
932 * is not HTML but may be detected as such.
933 *
934 * Various past attempts to use the URL to make this check have generally
935 * run up against the fact that CGI does not provide a standard method to
936 * determine the URL. PATH_INFO may be mangled (e.g. if cgi.fix_pathinfo=0),
937 * but only by prefixing it with the script name and maybe some other stuff,
938 * the extension is not mangled. So this should be a reasonably portable
939 * way to perform this security check.
940 *
941 * Also checks for anything that looks like a file extension at the end of
942 * QUERY_STRING, since IE 6 and earlier will use this to get the file type
943 * if there was no dot before the question mark (bug 28235).
944 *
945 * @deprecated Use checkUrlExtension().
946 *
947 * @param $extWhitelist array
948 *
949 * @return bool
950 */
951 public function isPathInfoBad( $extWhitelist = array() ) {
952 global $wgScriptExtension;
953 $extWhitelist[] = ltrim( $wgScriptExtension, '.' );
954 return IEUrlExtension::areServerVarsBad( $_SERVER, $extWhitelist );
955 }
956
957 /**
958 * Parse the Accept-Language header sent by the client into an array
959 * @return array array( languageCode => q-value ) sorted by q-value in descending order
960 * May contain the "language" '*', which applies to languages other than those explicitly listed.
961 * This is aligned with rfc2616 section 14.4
962 */
963 public function getAcceptLang() {
964 // Modified version of code found at http://www.thefutureoftheweb.com/blog/use-accept-language-header
965 $acceptLang = $this->getHeader( 'Accept-Language' );
966 if ( !$acceptLang ) {
967 return array();
968 }
969
970 // Return the language codes in lower case
971 $acceptLang = strtolower( $acceptLang );
972
973 // Break up string into pieces (languages and q factors)
974 $lang_parse = null;
975 preg_match_all( '/([a-z]{1,8}(-[a-z]{1,8})*|\*)\s*(;\s*q\s*=\s*(1(\.0{0,3})?|0(\.[0-9]{0,3})?)?)?/',
976 $acceptLang, $lang_parse );
977
978 if ( !count( $lang_parse[1] ) ) {
979 return array();
980 }
981
982 // Create a list like "en" => 0.8
983 $langs = array_combine( $lang_parse[1], $lang_parse[4] );
984 // Set default q factor to 1
985 foreach ( $langs as $lang => $val ) {
986 if ( $val === '' ) {
987 $langs[$lang] = 1;
988 } elseif ( $val == 0 ) {
989 unset($langs[$lang]);
990 }
991 }
992
993 // Sort list
994 arsort( $langs, SORT_NUMERIC );
995 return $langs;
996 }
997
998 /**
999 * Fetch the raw IP from the request
1000 *
1001 * @return String
1002 */
1003 protected function getRawIP() {
1004 if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
1005 return IP::canonicalize( $_SERVER['REMOTE_ADDR'] );
1006 } else {
1007 return null;
1008 }
1009 }
1010
1011 /**
1012 * Work out the IP address based on various globals
1013 * For trusted proxies, use the XFF client IP (first of the chain)
1014 * @return string
1015 */
1016 public function getIP() {
1017 global $wgUsePrivateIPs;
1018
1019 # Return cached result
1020 if ( $this->ip !== null ) {
1021 return $this->ip;
1022 }
1023
1024 # collect the originating ips
1025 $ip = $this->getRawIP();
1026
1027 # Append XFF
1028 $forwardedFor = $this->getHeader( 'X-Forwarded-For' );
1029 if ( $forwardedFor !== false ) {
1030 $ipchain = array_map( 'trim', explode( ',', $forwardedFor ) );
1031 $ipchain = array_reverse( $ipchain );
1032 if ( $ip ) {
1033 array_unshift( $ipchain, $ip );
1034 }
1035
1036 # Step through XFF list and find the last address in the list which is a trusted server
1037 # Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private)
1038 foreach ( $ipchain as $i => $curIP ) {
1039 $curIP = IP::canonicalize( $curIP );
1040 if ( wfIsTrustedProxy( $curIP ) ) {
1041 if ( isset( $ipchain[$i + 1] ) ) {
1042 if ( $wgUsePrivateIPs || IP::isPublic( $ipchain[$i + 1 ] ) ) {
1043 $ip = $ipchain[$i + 1];
1044 }
1045 }
1046 } else {
1047 break;
1048 }
1049 }
1050 }
1051
1052 # Allow extensions to improve our guess
1053 wfRunHooks( 'GetIP', array( &$ip ) );
1054
1055 if ( !$ip ) {
1056 throw new MWException( "Unable to determine IP" );
1057 }
1058
1059 wfDebug( "IP: $ip\n" );
1060 $this->ip = $ip;
1061 return $ip;
1062 }
1063 }
1064
1065 /**
1066 * Object to access the $_FILES array
1067 */
1068 class WebRequestUpload {
1069 protected $request;
1070 protected $doesExist;
1071 protected $fileInfo;
1072
1073 /**
1074 * Constructor. Should only be called by WebRequest
1075 *
1076 * @param $request WebRequest The associated request
1077 * @param $key string Key in $_FILES array (name of form field)
1078 */
1079 public function __construct( $request, $key ) {
1080 $this->request = $request;
1081 $this->doesExist = isset( $_FILES[$key] );
1082 if ( $this->doesExist ) {
1083 $this->fileInfo = $_FILES[$key];
1084 }
1085 }
1086
1087 /**
1088 * Return whether a file with this name was uploaded.
1089 *
1090 * @return bool
1091 */
1092 public function exists() {
1093 return $this->doesExist;
1094 }
1095
1096 /**
1097 * Return the original filename of the uploaded file
1098 *
1099 * @return mixed Filename or null if non-existent
1100 */
1101 public function getName() {
1102 if ( !$this->exists() ) {
1103 return null;
1104 }
1105
1106 global $wgContLang;
1107 $name = $this->fileInfo['name'];
1108
1109 # Safari sends filenames in HTML-encoded Unicode form D...
1110 # Horrid and evil! Let's try to make some kind of sense of it.
1111 $name = Sanitizer::decodeCharReferences( $name );
1112 $name = $wgContLang->normalize( $name );
1113 wfDebug( __METHOD__ . ": {$this->fileInfo['name']} normalized to '$name'\n" );
1114 return $name;
1115 }
1116
1117 /**
1118 * Return the file size of the uploaded file
1119 *
1120 * @return int File size or zero if non-existent
1121 */
1122 public function getSize() {
1123 if ( !$this->exists() ) {
1124 return 0;
1125 }
1126
1127 return $this->fileInfo['size'];
1128 }
1129
1130 /**
1131 * Return the path to the temporary file
1132 *
1133 * @return mixed Path or null if non-existent
1134 */
1135 public function getTempName() {
1136 if ( !$this->exists() ) {
1137 return null;
1138 }
1139
1140 return $this->fileInfo['tmp_name'];
1141 }
1142
1143 /**
1144 * Return the upload error. See link for explanation
1145 * http://www.php.net/manual/en/features.file-upload.errors.php
1146 *
1147 * @return int One of the UPLOAD_ constants, 0 if non-existent
1148 */
1149 public function getError() {
1150 if ( !$this->exists() ) {
1151 return 0; # UPLOAD_ERR_OK
1152 }
1153
1154 return $this->fileInfo['error'];
1155 }
1156
1157 /**
1158 * Returns whether this upload failed because of overflow of a maximum set
1159 * in php.ini
1160 *
1161 * @return bool
1162 */
1163 public function isIniSizeOverflow() {
1164 if ( $this->getError() == UPLOAD_ERR_INI_SIZE ) {
1165 # PHP indicated that upload_max_filesize is exceeded
1166 return true;
1167 }
1168
1169 $contentLength = $this->request->getHeader( 'CONTENT_LENGTH' );
1170 if ( $contentLength > wfShorthandToInteger( ini_get( 'post_max_size' ) ) ) {
1171 # post_max_size is exceeded
1172 return true;
1173 }
1174
1175 return false;
1176 }
1177 }
1178
1179 /**
1180 * WebRequest clone which takes values from a provided array.
1181 *
1182 * @ingroup HTTP
1183 */
1184 class FauxRequest extends WebRequest {
1185 private $wasPosted = false;
1186 private $session = array();
1187
1188 /**
1189 * @param $data Array of *non*-urlencoded key => value pairs, the
1190 * fake GET/POST values
1191 * @param $wasPosted Bool: whether to treat the data as POST
1192 * @param $session Mixed: session array or null
1193 */
1194 public function __construct( $data, $wasPosted = false, $session = null ) {
1195 if( is_array( $data ) ) {
1196 $this->data = $data;
1197 } else {
1198 throw new MWException( "FauxRequest() got bogus data" );
1199 }
1200 $this->wasPosted = $wasPosted;
1201 if( $session )
1202 $this->session = $session;
1203 }
1204
1205 /**
1206 * @param $method string
1207 * @throws MWException
1208 */
1209 private function notImplemented( $method ) {
1210 throw new MWException( "{$method}() not implemented" );
1211 }
1212
1213 /**
1214 * @param $name string
1215 * @param $default string
1216 * @return string
1217 */
1218 public function getText( $name, $default = '' ) {
1219 # Override; don't recode since we're using internal data
1220 return (string)$this->getVal( $name, $default );
1221 }
1222
1223 /**
1224 * @return Array
1225 */
1226 public function getValues() {
1227 return $this->data;
1228 }
1229
1230 /**
1231 * @return array
1232 */
1233 public function getQueryValues() {
1234 if ( $this->wasPosted ) {
1235 return array();
1236 } else {
1237 return $this->data;
1238 }
1239 }
1240
1241 /**
1242 * @return bool
1243 */
1244 public function wasPosted() {
1245 return $this->wasPosted;
1246 }
1247
1248 public function checkSessionCookie() {
1249 return false;
1250 }
1251
1252 public function getRequestURL() {
1253 $this->notImplemented( __METHOD__ );
1254 }
1255
1256 /**
1257 * @param $name
1258 * @return bool|string
1259 */
1260 public function getHeader( $name ) {
1261 return isset( $this->headers[$name] ) ? $this->headers[$name] : false;
1262 }
1263
1264 /**
1265 * @param $name string
1266 * @param $val string
1267 */
1268 public function setHeader( $name, $val ) {
1269 $this->headers[$name] = $val;
1270 }
1271
1272 /**
1273 * @param $key
1274 * @return mixed
1275 */
1276 public function getSessionData( $key ) {
1277 if( isset( $this->session[$key] ) )
1278 return $this->session[$key];
1279 }
1280
1281 /**
1282 * @param $key
1283 * @param $data
1284 */
1285 public function setSessionData( $key, $data ) {
1286 $this->session[$key] = $data;
1287 }
1288
1289 /**
1290 * @return array|Mixed|null
1291 */
1292 public function getSessionArray() {
1293 return $this->session;
1294 }
1295
1296 /**
1297 * @param array $extWhitelist
1298 * @return bool
1299 */
1300 public function isPathInfoBad( $extWhitelist = array() ) {
1301 return false;
1302 }
1303
1304 /**
1305 * @param array $extWhitelist
1306 * @return bool
1307 */
1308 public function checkUrlExtension( $extWhitelist = array() ) {
1309 return true;
1310 }
1311
1312 /**
1313 * @return string
1314 */
1315 protected function getRawIP() {
1316 return '127.0.0.1';
1317 }
1318 }
1319
1320 /**
1321 * Similar to FauxRequest, but only fakes URL parameters and method
1322 * (POST or GET) and use the base request for the remaining stuff
1323 * (cookies, session and headers).
1324 *
1325 * @ingroup HTTP
1326 */
1327 class DerivativeRequest extends FauxRequest {
1328 private $base;
1329
1330 public function __construct( WebRequest $base, $data, $wasPosted = false ) {
1331 $this->base = $base;
1332 parent::__construct( $data, $wasPosted );
1333 }
1334
1335 public function getCookie( $key, $prefix = null, $default = null ) {
1336 return $this->base->getCookie( $key, $prefix, $default );
1337 }
1338
1339 public function checkSessionCookie() {
1340 return $this->base->checkSessionCookie();
1341 }
1342
1343 public function getHeader( $name ) {
1344 return $this->base->getHeader( $name );
1345 }
1346
1347 public function getAllHeaders() {
1348 return $this->base->getAllHeaders();
1349 }
1350
1351 public function getSessionData( $key ) {
1352 return $this->base->getSessionData( $key );
1353 }
1354
1355 public function setSessionData( $key, $data ) {
1356 return $this->base->setSessionData( $key, $data );
1357 }
1358
1359 public function getAcceptLang() {
1360 return $this->base->getAcceptLang();
1361 }
1362
1363 public function getIP() {
1364 return $this->base->getIP();
1365 }
1366 }
Wiklou, le Wiki du Wiklou