3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License along
14 * with this program; if not, write to the Free Software Foundation, Inc.,
15 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 * http://www.gnu.org/copyleft/gpl.html
20 use MediaWiki\Logger\LoggerFactory
;
22 class PhpHttpRequest
extends MWHttpRequest
{
24 private $fopenErrors = [];
30 protected function urlToTcp( $url ) {
31 $parsedUrl = parse_url( $url );
33 return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port'];
37 * Returns an array with a 'capath' or 'cafile' key
38 * that is suitable to be merged into the 'ssl' sub-array of
39 * a stream context options array.
40 * Uses the 'caInfo' option of the class if it is provided, otherwise uses the system
41 * default CA bundle if PHP supports that, or searches a few standard locations.
43 * @throws DomainException
45 protected function getCertOptions() {
48 if ( $this->caInfo
) {
49 $certLocations = [ 'manual' => $this->caInfo
];
50 } elseif ( version_compare( PHP_VERSION
, '5.6.0', '<' ) ) {
51 // @codingStandardsIgnoreStart Generic.Files.LineLength
52 // Default locations, based on
53 // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
54 // PHP 5.5 and older doesn't have any defaults, so we try to guess ourselves.
55 // PHP 5.6+ gets the CA location from OpenSSL as long as it is not set manually,
56 // so we should leave capath/cafile empty there.
57 // @codingStandardsIgnoreEnd
58 $certLocations = array_filter( [
59 getenv( 'SSL_CERT_DIR' ),
60 getenv( 'SSL_CERT_PATH' ),
61 '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al
62 '/etc/ssl/certs', # Debian et al
63 '/etc/pki/tls/certs/ca-bundle.trust.crt',
64 '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
65 '/System/Library/OpenSSL', # OSX
69 foreach ( $certLocations as $key => $cert ) {
70 if ( is_dir( $cert ) ) {
71 $certOptions['capath'] = $cert;
73 } elseif ( is_file( $cert ) ) {
74 $certOptions['cafile'] = $cert;
76 } elseif ( $key === 'manual' ) {
77 // fail more loudly if a cert path was manually configured and it is not valid
78 throw new DomainException( "Invalid CA info passed: $cert" );
86 * Custom error handler for dealing with fopen() errors.
87 * fopen() tends to fire multiple errors in succession, and the last one
88 * is completely useless (something like "fopen: failed to open stream")
89 * so normal methods of handling errors programmatically
90 * like get_last_error() don't work.
92 public function errorHandler( $errno, $errstr ) {
93 $n = count( $this->fopenErrors
) +
1;
94 $this->fopenErrors +
= [ "errno$n" => $errno, "errstr$n" => $errstr ];
97 public function execute() {
101 if ( is_array( $this->postData
) ) {
102 $this->postData
= wfArrayToCgi( $this->postData
);
105 if ( $this->parsedUrl
['scheme'] != 'http'
106 && $this->parsedUrl
['scheme'] != 'https' ) {
107 $this->status
->fatal( 'http-invalid-scheme', $this->parsedUrl
['scheme'] );
110 $this->reqHeaders
['Accept'] = "*/*";
111 $this->reqHeaders
['Connection'] = 'Close';
112 if ( $this->method
== 'POST' ) {
113 // Required for HTTP 1.0 POSTs
114 $this->reqHeaders
['Content-Length'] = strlen( $this->postData
);
115 if ( !isset( $this->reqHeaders
['Content-Type'] ) ) {
116 $this->reqHeaders
['Content-Type'] = "application/x-www-form-urlencoded";
120 // Set up PHP stream context
123 'method' => $this->method
,
124 'header' => implode( "\r\n", $this->getHeaderList() ),
125 'protocol_version' => '1.1',
126 'max_redirects' => $this->followRedirects ?
$this->maxRedirects
: 0,
127 'ignore_errors' => true,
128 'timeout' => $this->timeout
,
129 // Curl options in case curlwrappers are installed
130 'curl_verify_ssl_host' => $this->sslVerifyHost ?
2 : 0,
131 'curl_verify_ssl_peer' => $this->sslVerifyCert
,
134 'verify_peer' => $this->sslVerifyCert
,
135 'SNI_enabled' => true,
136 'ciphers' => 'HIGH:!SSLv2:!SSLv3:-ADH:-kDH:-kECDH:-DSS',
137 'disable_compression' => true,
141 if ( $this->proxy
) {
142 $options['http']['proxy'] = $this->urlToTcp( $this->proxy
);
143 $options['http']['request_fulluri'] = true;
146 if ( $this->postData
) {
147 $options['http']['content'] = $this->postData
;
150 if ( $this->sslVerifyHost
) {
151 // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
152 // actually checks SubjectAltName properly.
153 if ( version_compare( PHP_VERSION
, '5.6.0', '>=' ) ) {
154 $options['ssl']['peer_name'] = $this->parsedUrl
['host'];
156 $options['ssl']['CN_match'] = $this->parsedUrl
['host'];
160 $options['ssl'] +
= $this->getCertOptions();
162 $context = stream_context_create( $options );
164 $this->headerList
= [];
170 if ( $this->profiler
) {
171 $profileSection = $this->profiler
->scopedProfileIn(
172 __METHOD__
. '-' . $this->profileName
177 $this->fopenErrors
= [];
178 set_error_handler( [ $this, 'errorHandler' ] );
179 $fh = fopen( $url, "r", false, $context );
180 restore_error_handler();
183 // HACK for instant commons.
184 // If we are contacting (commons|upload).wikimedia.org
185 // try again with CN_match for en.wikipedia.org
186 // as php does not handle SubjectAltName properly
187 // prior to "peer_name" option in php 5.6
188 if ( isset( $options['ssl']['CN_match'] )
189 && ( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
190 ||
$options['ssl']['CN_match'] === 'upload.wikimedia.org' )
192 $options['ssl']['CN_match'] = 'en.wikipedia.org';
193 $context = stream_context_create( $options );
199 $result = stream_get_meta_data( $fh );
200 $this->headerList
= $result['wrapper_data'];
201 $this->parseHeader();
203 if ( !$this->followRedirects
) {
207 # Handle manual redirection
208 if ( !$this->isRedirect() ||
$reqCount > $this->maxRedirects
) {
211 # Check security of URL
212 $url = $this->getResponseHeader( "Location" );
214 if ( !Http
::isValidURI( $url ) ) {
215 wfDebug( __METHOD__
. ": insecure redirection\n" );
219 if ( $this->profiler
) {
220 $this->profiler
->scopedProfileOut( $profileSection );
225 if ( $fh === false ) {
226 if ( $this->fopenErrors
) {
227 LoggerFactory
::getInstance( 'http' )->warning( __CLASS__
228 . ': error opening connection: {errstr1}', $this->fopenErrors
);
230 $this->status
->fatal( 'http-request-error' );
231 return $this->status
;
234 if ( $result['timed_out'] ) {
235 $this->status
->fatal( 'http-timed-out', $this->url
);
236 return $this->status
;
239 // If everything went OK, or we received some error code
240 // get the response body content.
241 if ( $this->status
->isOK() ||
(int)$this->respStatus
>= 300 ) {
242 while ( !feof( $fh ) ) {
243 $buf = fread( $fh, 8192 );
245 if ( $buf === false ) {
246 $this->status
->fatal( 'http-read-error' );
250 if ( strlen( $buf ) ) {
251 call_user_func( $this->callback
, $fh, $buf );
257 return $this->status
;