* @file
* @ingroup Upload
*/
+use MediaWiki\MediaWikiServices;
/**
* @defgroup Upload Upload related
/**
* Create a form of UploadBase depending on wpSourceType and initializes it
*
- * @param WebRequest $request
+ * @param WebRequest &$request
* @param string|null $type
* @return null|UploadBase
*/
/**
* Initialize from a WebRequest. Override this in a subclass.
*
- * @param WebRequest $request
+ * @param WebRequest &$request
*/
abstract public function initializeFromRequest( &$request );
/**
* @param string $tempPath File system path to temporary file containing the upload
- * @param integer $fileSize
+ * @param int $fileSize
*/
protected function setTempFile( $tempPath, $fileSize = null ) {
$this->mTempPath = $tempPath;
* @param string $srcPath The source path
* @return string|bool The real path if it was a virtual URL Returns false on failure
*/
- function getRealPath( $srcPath ) {
+ public function getRealPath( $srcPath ) {
$repo = RepoGroup::singleton()->getLocalRepo();
if ( $repo->isVirtualUrl( $srcPath ) ) {
/** @todo Just make uploads work with storage paths UploadFromStash
* @return mixed Const self::OK or else an array with error information
*/
public function verifyUpload() {
-
/**
* If there was no filename or a zero size given, give up quick.
*/
$chunk = fread( $fp, 256 );
fclose( $fp );
- $magic = MimeMagic::singleton();
+ $magic = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer();
$extMime = $magic->guessTypesForExtension( $this->mFinalExtension );
$ieTypes = $magic->getIEMimeTypes( $this->mTempPath, $chunk, $extMime );
foreach ( $ieTypes as $ieType ) {
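Review bot: The analyzer is fetched as `MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer()` here even though this commit adds `use MediaWiki\MediaWikiServices;` at the top of the file, and getSessionStatus()/setSessionStatus() already use the short name. Writing `$magic = MediaWikiServices::getInstance()->getMimeAnalyzer();` keeps the file consistent and shortens the lines. The same applies to the two `new MWFileProps( … )` constructions and to the lookups in getTitle() and verifyExtension(). The enclosing function starts and ends outside this hunk.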
return $status;
}
- $mwProps = new MWFileProps( MimeMagic::singleton() );
+ $mwProps = new MWFileProps( MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer() );
$this->mFileProps = $mwProps->getPropsFromPath( $this->mTempPath, $this->mFinalExtension );
$mime = $this->mFileProps['mime'];
# getTitle() sets some internal parameters like $this->mFinalExtension
$this->getTitle();
- $mwProps = new MWFileProps( MimeMagic::singleton() );
+ $mwProps = new MWFileProps( MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer() );
$this->mFileProps = $mwProps->getPropsFromPath( $this->mTempPath, $this->mFinalExtension );
# check MIME type, if desired
*
* @param array $entry
*/
- function zipEntryCallback( $entry ) {
+ public function zipEntryCallback( $entry ) {
$names = [ $entry['name'] ];
// If there is a null character, cut off the name at it, because JDK's
*
* This should not assume that mTempPath is set.
*
- * @return array Array of warnings
+ * @return mixed[] Array of warnings
*/
public function checkWarnings() {
- global $wgLang;
-
$warnings = [];
$localFile = $this->getLocalFile();
$localFile->load( File::READ_LATEST );
$filename = $localFile->getName();
+ $hash = $this->getTempFileSha1Base36();
- /**
- * Check whether the resulting filename is different from the desired one,
- * but ignore things like ucfirst() and spaces/underscore things
- */
- $comparableName = str_replace( ' ', '_', $this->mDesiredDestName );
+ $badFileName = $this->checkBadFileName( $filename, $this->mDesiredDestName );
+ if ( $badFileName !== null ) {
+ $warnings['badfilename'] = $badFileName;
+ }
+
+ $unwantedFileExtensionDetails = $this->checkUnwantedFileExtensions( $this->mFinalExtension );
+ if ( $unwantedFileExtensionDetails !== null ) {
+ $warnings['filetype-unwanted-type'] = $unwantedFileExtensionDetails;
+ }
+
+ $fileSizeWarnings = $this->checkFileSize( $this->mFileSize );
+ if ( $fileSizeWarnings ) {
+ $warnings = array_merge( $warnings, $fileSizeWarnings );
+ }
+
+ $localFileExistsWarnings = $this->checkLocalFileExists( $localFile, $hash );
+ if ( $localFileExistsWarnings ) {
+ $warnings = array_merge( $warnings, $localFileExistsWarnings );
+ }
+
+ if ( $this->checkLocalFileWasDeleted( $localFile ) ) {
+ $warnings['was-deleted'] = $filename;
+ }
+
+ // If a file with the same name exists locally then the local file has already been tested
+ // for duplication of content
+ $ignoreLocalDupes = isset( $warnings[ 'exists '] );
+ $dupes = $this->checkAgainstExistingDupes( $hash, $ignoreLocalDupes );
+ if ( $dupes ) {
+ $warnings['duplicate'] = $dupes;
+ }
+
+ $archivedDupes = $this->checkAgainstArchiveDupes( $hash );
+ if ( $archivedDupes !== null ) {
+ $warnings['duplicate-archive'] = $archivedDupes;
+ }
+
+ return $warnings;
+ }
+
+ /**
+ * Check whether the resulting filename is different from the desired one,
+ * but ignore things like ucfirst() and spaces/underscore things
+ *
+ * @param string $filename
+ * @param string $desiredFileName
+ *
+ * @return string|null String that was determined to be bad or null if the filename is okay
+ */
+ private function checkBadFileName( $filename, $desiredFileName ) {
+ $comparableName = str_replace( ' ', '_', $desiredFileName );
$comparableName = Title::capitalize( $comparableName, NS_FILE );
- if ( $this->mDesiredDestName != $filename && $comparableName != $filename ) {
- $warnings['badfilename'] = $filename;
+ if ( $desiredFileName != $filename && $comparableName != $filename ) {
+ return $filename;
}
- // Check whether the file extension is on the unwanted list
- global $wgCheckFileExtensions, $wgFileExtensions;
+ return null;
+ }
+
+ /**
+ * @param string $fileExtension The file extension to check
+ *
+ * @return array|null array with the following keys:
+ * 0 => string The final extension being used
+ * 1 => string[] The extensions that are allowed
+ * 2 => int The number of extensions that are allowed.
+ */
+ private function checkUnwantedFileExtensions( $fileExtension ) {
+ global $wgCheckFileExtensions, $wgFileExtensions, $wgLang;
+
if ( $wgCheckFileExtensions ) {
$extensions = array_unique( $wgFileExtensions );
- if ( !$this->checkFileExtension( $this->mFinalExtension, $extensions ) ) {
- $warnings['filetype-unwanted-type'] = [ $this->mFinalExtension,
- $wgLang->commaList( $extensions ), count( $extensions ) ];
+ if ( !$this->checkFileExtension( $fileExtension, $extensions ) ) {
+ return [
+ $fileExtension,
+ $wgLang->commaList( $extensions ),
+ count( $extensions )
+ ];
}
}
+ return null;
+ }
+
+ /**
+ * @param int $fileSize
+ *
+ * @return array warnings
+ */
+ private function checkFileSize( $fileSize ) {
global $wgUploadSizeWarning;
- if ( $wgUploadSizeWarning && ( $this->mFileSize > $wgUploadSizeWarning ) ) {
- $warnings['large-file'] = [ $wgUploadSizeWarning, $this->mFileSize ];
+
+ $warnings = [];
+
+ if ( $wgUploadSizeWarning && ( $fileSize > $wgUploadSizeWarning ) ) {
+ $warnings['large-file'] = [ $wgUploadSizeWarning, $fileSize ];
}
- if ( $this->mFileSize == 0 ) {
+ if ( $fileSize == 0 ) {
$warnings['empty-file'] = true;
}
- $hash = $this->getTempFileSha1Base36();
+ return $warnings;
+ }
+
+ /**
+ * @param LocalFile $localFile
+ * @param string $hash sha1 hash of the file to check
+ *
+ * @return array warnings
+ */
+ private function checkLocalFileExists( LocalFile $localFile, $hash ) {
+ $warnings = [];
+
$exists = self::getExistsWarning( $localFile );
if ( $exists !== false ) {
$warnings['exists'] = $exists;
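Review bot: In checkWarnings(), `isset( $warnings[ 'exists '] )` tests a key with a trailing space, while checkLocalFileExists() stores its result under `'exists'`, so `$ignoreLocalDupes` is always false. checkAgainstExistingDupes() only drops a same-title local match when that flag is true, so, as far as the visible code shows, re-uploading identical content over an existing file would also report the file as a duplicate of itself. The line should read `$ignoreLocalDupes = isset( $warnings['exists'] );`. The body of checkLocalFileExists() continues past the end of this hunk.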
}
}
- if ( $localFile->wasDeleted() && !$localFile->exists() ) {
- $warnings['was-deleted'] = $filename;
- }
+ return $warnings;
+ }
- // Check dupes against existing files
+ private function checkLocalFileWasDeleted( LocalFile $localFile ) {
+ return $localFile->wasDeleted() && !$localFile->exists();
+ }
+
+ /**
+ * @param string $hash sha1 hash of the file to check
+ * @param bool $ignoreLocalDupes True to ignore local duplicates
+ *
+ * @return File[] Duplicate files, if found.
+ */
+ private function checkAgainstExistingDupes( $hash, $ignoreLocalDupes ) {
$dupes = RepoGroup::singleton()->findBySha1( $hash );
$title = $this->getTitle();
- // Remove all matches against self
foreach ( $dupes as $key => $dupe ) {
- if ( $title->equals( $dupe->getTitle() ) ) {
+ if (
+ ( $dupe instanceof LocalFile ) &&
+ $ignoreLocalDupes &&
+ $title->equals( $dupe->getTitle() )
+ ) {
unset( $dupes[$key] );
}
}
- if ( $dupes ) {
- $warnings['duplicate'] = $dupes;
- }
- // Check dupes against archives
+ return $dupes;
+ }
+
+ /**
+ * @param string $hash sha1 hash of the file to check
+ *
+ * @return string|null Name of the dupe or empty string if discovered (depending on visibility)
+ * null if the check discovered no dupes.
+ */
+ private function checkAgainstArchiveDupes( $hash ) {
$archivedFile = new ArchivedFile( null, 0, '', $hash );
if ( $archivedFile->getID() > 0 ) {
if ( $archivedFile->userCan( File::DELETED_FILE ) ) {
- $warnings['duplicate-archive'] = $archivedFile->getName();
+ return $archivedFile->getName();
} else {
- $warnings['duplicate-archive'] = '';
+ return '';
}
}
- return $warnings;
+ return null;
}
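Review bot: checkLocalFileWasDeleted() is the only new helper without a docblock, and the old `// Remove all matches against self` comment was dropped from the loop in checkAgainstExistingDupes() although the condition became harder to read. I would add a docblock with `@param LocalFile $localFile` and `@return bool True if the file was deleted and does not currently exist`. I would also add a loop comment such as `// Drop matches on the upload's own title, but only local files and only when the caller asked for it`. This hunk opens inside checkLocalFileExists(), whose start is outside it.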
/**
* Returns the title of the file to be uploaded. Sets mTitleError in case
* the name was illegal.
*
- * @return Title The title of the file or null in case the name was illegal
+ * @return Title|null The title of the file or null in case the name was illegal
*/
public function getTitle() {
if ( $this->mTitle !== false ) {
$this->mFinalExtension = '';
# No extension, try guessing one
- $magic = MimeMagic::singleton();
+ $magic = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer();
$mime = $magic->guessMimeType( $this->mTempPath );
if ( $mime !== 'unknown/unknown' ) {
# Get a space separated list of extensions
return $this->mTitle;
}
- // Windows may be broken with special characters, see bug 1780
+ // Windows may be broken with special characters, see T3780
if ( !preg_match( '/^[\x0-\x7f]*$/', $nt->getText() )
&& !RepoGroup::singleton()->getLocalRepo()->backendSupportsUnicodePaths()
) {
* @return bool
*/
public static function verifyExtension( $mime, $extension ) {
- $magic = MimeMagic::singleton();
+ $magic = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer();
if ( !$mime || $mime == 'unknown' || $mime == 'unknown/unknown' ) {
if ( !$magic->isRecognizableExtension( $extension ) ) {
}
// Some browsers will interpret obscure xml encodings as UTF-8, while
- // PHP/expat will interpret the given encoding in the xml declaration (bug 47304)
+ // PHP/expat will interpret the given encoding in the xml declaration (T49304)
if ( $extension == 'svg' || strpos( $mime, 'image/svg' ) === 0 ) {
if ( self::checkXMLEncodingMissmatch( $file ) ) {
return true;
$filename,
[ $this, 'checkSvgScriptCallback' ],
true,
- [ 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback' ]
+ [
+ 'processing_instruction_handler' => 'UploadBase::checkSvgPICallback',
+ 'external_dtd_handler' => 'UploadBase::checkSvgExternalDTD',
+ ]
);
if ( $check->wellFormed !== true ) {
- // Invalid xml (bug 58553)
- // But only when non-partial (bug 65724)
+ // Invalid xml (T60553)
+ // But only when non-partial (T67724)
return $partial ? false : [ 'uploadinvalidxml' ];
} elseif ( $check->filterMatch ) {
if ( $this->mSVGNSError ) {
* @return bool (true if the filter identified something bad)
*/
public static function checkSvgPICallback( $target, $data ) {
- // Don't allow external stylesheets (bug 57550)
+ // Don't allow external stylesheets (T59550)
if ( preg_match( '/xml-stylesheet/i', $target ) ) {
return [ 'upload-scripted-pi-callback' ];
}
return false;
}
+ /**
+ * Verify that DTD urls referenced are only the standard dtds
+ *
+ * Browsers seem to ignore external dtds. However just to be on the
+ * safe side, only allow dtds from the svg standard.
+ *
+ * @param string $type PUBLIC or SYSTEM
+ * @param string $publicId The well-known public identifier for the dtd
+ * @param string $systemId The url for the external dtd
+ * @return bool|array
+ */
+ public static function checkSvgExternalDTD( $type, $publicId, $systemId ) {
+ // This doesn't include the XHTML+MathML+SVG doctype since we don't
+ // allow XHTML anyways.
+ $allowedDTDs = [
+ 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd',
+ 'http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd',
+ 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd',
+ 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-tiny.dtd',
+ // https://phabricator.wikimedia.org/T168856
+ 'http://www.w3.org/TR/2001/PR-SVG-20010719/DTD/svg10.dtd',
+ ];
+ if ( $type !== 'PUBLIC'
+ || !in_array( $systemId, $allowedDTDs )
+ || strpos( $publicId, "-//W3C//" ) !== 0
+ ) {
+ return [ 'upload-scripted-dtd' ];
+ }
+ return false;
+ }
+
/**
* @todo Replace this with a whitelist filter!
* @param string $element
* @param array $attribs
+ * @param array $data
* @return bool
*/
public function checkSvgScriptCallback( $element, $attribs, $data = null ) {
-
list( $namespace, $strippedElement ) = $this->splitXmlNamespace( $element );
// We specifically don't include:
- // http://www.w3.org/1999/xhtml (bug 60771)
+ // http://www.w3.org/1999/xhtml (T62771)
static $validNamespaces = [
'',
'adobe:ns:meta/',
'http://www.w3.org/1999/02/22-rdf-syntax-ns#',
'http://www.w3.org/2000/svg',
'http://www.w3.org/tr/rec-rdf-syntax/',
+ 'http://www.w3.org/2000/01/rdf-schema#',
];
// Inkscape mangles namespace definitions created by Adobe Illustrator.
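Review bot: checkSvgExternalDTD() matches the system identifier taken from the uploaded file against the allowlist with a loose `in_array( $systemId, $allowedDTDs )`; pass the strict flag, `!in_array( $systemId, $allowedDTDs, true )`, so the match is an exact string comparison whatever the parser hands in. No bypass is visible with these URL literals, but an allowlist applied to uploader-controlled input should not depend on PHP's loose comparison rules. The `@return bool|array` line would also benefit from stating that `false` means the DTD is accepted and the array carries the rejection message key. checkSvgScriptCallback() continues outside this hunk.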
* @return bool true if the CSS contains an illegal string, false if otherwise
*/
private static function checkCssFragment( $value ) {
-
# Forbid external stylesheets, for both reliability and to protect viewer's privacy
if ( stripos( $value, '@import' ) !== false ) {
return true;
* @return Status[]|bool
*/
public static function getSessionStatus( User $user, $statusKey ) {
- $key = wfMemcKey( 'uploadstatus', $user->getId() ?: md5( $user->getName() ), $statusKey );
+ $cache = MediaWikiServices::getInstance()->getMainObjectStash();
+ $key = $cache->makeKey( 'uploadstatus', $user->getId() ?: md5( $user->getName() ), $statusKey );
- return ObjectCache::getMainStashInstance()->get( $key );
+ return $cache->get( $key );
}
/**
* @return void
*/
public static function setSessionStatus( User $user, $statusKey, $value ) {
- $key = wfMemcKey( 'uploadstatus', $user->getId() ?: md5( $user->getName() ), $statusKey );
+ $cache = MediaWikiServices::getInstance()->getMainObjectStash();
+ $key = $cache->makeKey( 'uploadstatus', $user->getId() ?: md5( $user->getName() ), $statusKey );
- $cache = ObjectCache::getMainStashInstance();
if ( $value === false ) {
$cache->delete( $key );
} else {