dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security fix for API blocks query -- ipb_anon field wasn't being loaded when querying...
[lhc/web/wiklou.git] / includes / api / ApiQueryBlocks.php
1 <?php
2
3 /*
4 * Created on Sep 10, 2007
5 *
6 * API for MediaWiki 1.8+
7 *
8 * Copyright (C) 2007 Roan Kattouw <Firstname>.<Lastname>@home.nl
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23 * http://www.gnu.org/copyleft/gpl.html
24 */
25
26 if (!defined('MEDIAWIKI')) {
27 // Eclipse helper - will be ignored in production
28 require_once ('ApiQueryBase.php');
29 }
30
31 /**
32 * Query module to enumerate all available pages.
33 *
34 * @ingroup API
35 */
36 class ApiQueryBlocks extends ApiQueryBase {
37
38 var $users;
39
40 public function __construct($query, $moduleName) {
41 parent :: __construct($query, $moduleName, 'bk');
42 }
43
44 public function execute() {
45 $this->run();
46 }
47
48 private function run() {
49 global $wgUser;
50
51 $params = $this->extractRequestParams();
52 if(isset($params['users']) && isset($params['ip']))
53 $this->dieUsage('bkusers and bkip cannot be used together', 'usersandip');
54
55 $prop = array_flip($params['prop']);
56 $fld_id = isset($prop['id']);
57 $fld_user = isset($prop['user']);
58 $fld_by = isset($prop['by']);
59 $fld_timestamp = isset($prop['timestamp']);
60 $fld_expiry = isset($prop['expiry']);
61 $fld_reason = isset($prop['reason']);
62 $fld_range = isset($prop['range']);
63 $fld_flags = isset($prop['flags']);
64
65 $result = $this->getResult();
66 $pageSet = $this->getPageSet();
67 $titles = $pageSet->getTitles();
68 $data = array();
69
70 $this->addTables('ipblocks');
71 if($fld_id)
72 $this->addFields('ipb_id');
73 if($fld_user)
74 $this->addFields(array('ipb_address', 'ipb_user'));
75 if($fld_user || $fld_flags)
76 $this->addFields('ipb_auto');
77 if($fld_by)
78 {
79 $this->addTables('user');
80 $this->addFields(array('ipb_by', 'user_name'));
81 $this->addWhere('user_id = ipb_by');
82 }
83 if($fld_timestamp)
84 $this->addFields('ipb_timestamp');
85 if($fld_expiry)
86 $this->addFields('ipb_expiry');
87 if($fld_reason)
88 $this->addFields('ipb_reason');
89 if($fld_range)
90 $this->addFields(array('ipb_range_start', 'ipb_range_end'));
91 if($fld_flags)
92 $this->addFields(array('ipb_anon_only', 'ipb_create_account', 'ipb_enable_autoblock', 'ipb_block_email', 'ipb_deleted'));
93
94 $this->addOption('LIMIT', $params['limit'] + 1);
95 $this->addWhereRange('ipb_timestamp', $params['dir'], $params['start'], $params['end']);
96 if(isset($params['ids']))
97 $this->addWhere(array('ipb_id' => $params['ids']));
98 if(isset($params['users']))
99 {
100 foreach((array)$params['users'] as $u)
101 $this->prepareUsername($u);
102 $this->addWhere(array('ipb_address' => $this->usernames));
103 }
104 if(isset($params['ip']))
105 {
106 list($ip, $range) = IP::parseCIDR($params['ip']);
107 if($ip && $range)
108 {
109 # We got a CIDR range
110 if($range < 16)
111 $this->dieUsage('CIDR ranges broader than /16 are not accepted', 'cidrtoobroad');
112 $lower = wfBaseConvert($ip, 10, 16, 8, false);
113 $upper = wfBaseConvert($ip + pow(2, 32 - $range) - 1, 10, 16, 8, false);
114 }
115 else
116 $lower = $upper = IP::toHex($params['ip']);
117 $prefix = substr($lower, 0, 4);
118 $this->addWhere(array(
119 "ipb_range_start LIKE '$prefix%'",
120 "ipb_range_start <= '$lower'",
121 "ipb_range_end >= '$upper'"
122 ));
123 }
124 if(!$wgUser->isAllowed('suppress'))
125 $this->addWhere(array('ipb_deleted' => 0));
126
127 // Purge expired entries on one in every 10 queries
128 if(!mt_rand(0, 10))
129 Block::purgeExpired();
130
131 $res = $this->select(__METHOD__);
132 $db = wfGetDB();
133
134 $count = 0;
135 while($row = $db->fetchObject($res))
136 {
137 if($count++ == $params['limit'])
138 {
139 // We've had enough
140 $this->setContinueEnumParameter('start', wfTimestamp(TS_ISO_8601, $row->ipb_timestamp));
141 break;
142 }
143 $block = array();
144 if($fld_id)
145 $block['id'] = $row->ipb_id;
146 if($fld_user && !$row->ipb_auto)
147 {
148 $block['user'] = $row->ipb_address;
149 }
150 if($fld_by)
151 {
152 $block['by'] = $row->user_name;
153 }
154 if($fld_timestamp)
155 $block['timestamp'] = wfTimestamp(TS_ISO_8601, $row->ipb_timestamp);
156 if($fld_expiry)
157 $block['expiry'] = Block::decodeExpiry($row->ipb_expiry, TS_ISO_8601);
158 if($fld_reason)
159 $block['reason'] = $row->ipb_reason;
160 if($fld_range)
161 {
162 $block['rangestart'] = $this->convertHexIP($row->ipb_range_start);
163 $block['rangeend'] = $this->convertHexIP($row->ipb_range_end);
164 }
165 if($fld_flags)
166 {
167 // For clarity, these flags use the same names as their action=block counterparts
168 if($row->ipb_auto)
169 $block['automatic'] = '';
170 if($row->ipb_anon_only)
171 $block['anononly'] = '';
172 if($row->ipb_create_account)
173 $block['nocreate'] = '';
174 if($row->ipb_enable_autoblock)
175 $block['autoblock'] = '';
176 if($row->ipb_block_email)
177 $block['noemail'] = '';
178 if($row->ipb_deleted)
179 $block['hidden'] = '';
180 }
181 $data[] = $block;
182 }
183 $result->setIndexedTagName($data, 'block');
184 $result->addValue('query', $this->getModuleName(), $data);
185 }
186
187 protected function prepareUsername($user)
188 {
189 if(!$user)
190 $this->dieUsage('User parameter may not be empty', 'param_user');
191 $name = User::isIP($user)
192 ? $user
193 : User::getCanonicalName($user, 'valid');
194 if($name === false)
195 $this->dieUsage("User name {$user} is not valid", 'param_user');
196 $this->usernames[] = $name;
197 }
198
199 protected function convertHexIP($ip)
200 {
201 // Converts a hexadecimal IP to nnn.nnn.nnn.nnn format
202 $dec = wfBaseConvert($ip, 16, 10);
203 $parts[0] = (int)($dec / (256*256*256));
204 $dec %= 256*256*256;
205 $parts[1] = (int)($dec / (256*256));
206 $dec %= 256*256;
207 $parts[2] = (int)($dec / 256);
208 $parts[3] = $dec % 256;
209 return implode('.', $parts);
210 }
211
212 public function getAllowedParams() {
213 return array (
214 'start' => array(
215 ApiBase :: PARAM_TYPE => 'timestamp'
216 ),
217 'end' => array(
218 ApiBase :: PARAM_TYPE => 'timestamp',
219 ),
220 'dir' => array(
221 ApiBase :: PARAM_TYPE => array(
222 'newer',
223 'older'
224 ),
225 ApiBase :: PARAM_DFLT => 'older'
226 ),
227 'ids' => array(
228 ApiBase :: PARAM_TYPE => 'integer',
229 ApiBase :: PARAM_ISMULTI => true
230 ),
231 'users' => array(
232 ApiBase :: PARAM_ISMULTI => true
233 ),
234 'ip' => null,
235 'limit' => array(
236 ApiBase :: PARAM_DFLT => 10,
237 ApiBase :: PARAM_TYPE => 'limit',
238 ApiBase :: PARAM_MIN => 1,
239 ApiBase :: PARAM_MAX => ApiBase :: LIMIT_BIG1,
240 ApiBase :: PARAM_MAX2 => ApiBase :: LIMIT_BIG2
241 ),
242 'prop' => array(
243 ApiBase :: PARAM_DFLT => 'id|user|by|timestamp|expiry|reason|flags',
244 ApiBase :: PARAM_TYPE => array(
245 'id',
246 'user',
247 'by',
248 'timestamp',
249 'expiry',
250 'reason',
251 'range',
252 'flags'
253 ),
254 ApiBase :: PARAM_ISMULTI => true
255 )
256 );
257 }
258
259 public function getParamDescription() {
260 return array (
261 'start' => 'The timestamp to start enumerating from',
262 'end' => 'The timestamp to stop enumerating at',
263 'dir' => 'The direction in which to enumerate',
264 'ids' => 'Pipe-separated list of block IDs to list (optional)',
265 'users' => 'Pipe-separated list of users to search for (optional)',
266 'ip' => array( 'Get all blocks applying to this IP or CIDR range, including range blocks.',
267 'Cannot be used together with bkusers. CIDR ranges broader than /16 are not accepted.'),
268 'limit' => 'The maximum amount of blocks to list',
269 'prop' => 'Which properties to get',
270 );
271 }
272
273 public function getDescription() {
274 return 'List all blocked users and IP addresses.';
275 }
276
277 protected function getExamples() {
278 return array ( 'api.php?action=query&list=blocks',
279 'api.php?action=query&list=blocks&bkusers=Alice|Bob'
280 );
281 }
282
283 public function getVersion() {
284 return __CLASS__ . ': $Id$';
285 }
286 }
Wiklou, le Wiki du Wiklou