X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=api.php;h=77dc52a4fb2faf679de93be55f80e3e247fdbc00;hb=ef5b93b1e21e69472e8ca0fc539ff153350ae4a2;hp=fd56db4ff3ba0af78bec422c9369eec0019ef093;hpb=c01eb06e5ef995c4163e6dacb9a596226db5d57e;p=lhc%2Fweb%2Fwiklou.git diff --git a/api.php b/api.php index fd56db4ff3..77dc52a4fb 100644 --- a/api.php +++ b/api.php @@ -1,10 +1,9 @@ +* Copyright (C) 2006 Yuri Astrakhan @gmail.com * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -22,95 +21,68 @@ * http://www.gnu.org/copyleft/gpl.html */ -$wgApiStartTime = microtime(true); - -/** - * When no format parameter is given, this format will be used - */ -define('API_DEFAULT_FORMAT', 'xmlfm'); - -/** - * Location of all api-related files (must end with a slash '/') - */ -define('API_DIR', 'includes/api/'); - -/** - * List of classes and containing files. +/** + * This file is the entry point for all API queries. It begins by checking + * whether the API is enabled on this wiki; if not, it informs the user that + * s/he should set $wgEnableAPI to true and exits. Otherwise, it constructs + * a new ApiMain using the parameter passed to it as an argument in the URL + * ('?action=') and with write-enabled set to the value of $wgEnableWriteAPI + * as specified in LocalSettings.php. It then invokes "execute()" on the + * ApiMain object instance, which produces output in the format sepecified + * in the URL. */ -$wgApiAutoloadClasses = array ( - - 'ApiMain' => API_DIR . 'ApiMain.php', - - // Utility classes - 'ApiBase' => API_DIR . 'ApiBase.php', - 'ApiQueryBase' => API_DIR . 'ApiQueryBase.php', - 'ApiResult' => API_DIR . 'ApiResult.php', - 'ApiPageSet' => API_DIR . 'ApiPageSet.php', - - // Formats - 'ApiFormatBase' => API_DIR . 'ApiFormatBase.php', - 'ApiFormatYaml' => API_DIR . 'ApiFormatYaml.php', - 'ApiFormatXml' => API_DIR . 'ApiFormatXml.php', - 'ApiFormatJson' => API_DIR . 'ApiFormatJson.php', - - // Modules (action=...) - should match the $apiModules list - 'ApiHelp' => API_DIR . 'ApiHelp.php', - 'ApiLogin' => API_DIR . 'ApiLogin.php', - 'ApiQuery' => API_DIR . 'ApiQuery.php', - - // Query items (meta/prop/list=...) - 'ApiQuerySiteinfo' => API_DIR . 'ApiQuerySiteinfo.php', - 'ApiQueryInfo' => API_DIR . 'ApiQueryInfo.php', - 'ApiQueryRevisions' => API_DIR . 'ApiQueryRevisions.php', - 'ApiQueryAllpages' => API_DIR . 'ApiQueryAllpages.php' -); - -/** - * List of available modules: action name => module class - * The class must also be listed in the $wgApiAutoloadClasses array. - */ -$wgApiModules = array ( - 'help' => 'ApiHelp', - 'login' => 'ApiLogin', - 'query' => 'ApiQuery' -); - -/** - * List of available formats: format name => format class - * The class must also be listed in the $wgApiAutoloadClasses array. - */ -$wgApiFormats = array ( - 'json' => 'ApiFormatJson', - 'jsonfm' => 'ApiFormatJson', - 'xml' => 'ApiFormatXml', - 'xmlfm' => 'ApiFormatXml', - 'yaml' => 'ApiFormatYaml', - 'yamlfm' => 'ApiFormatYaml' -); // Initialise common code require (dirname(__FILE__) . '/includes/WebStart.php'); + wfProfileIn('api.php'); +// URL safety checks +// +// See RawPage.php for details; summary is that MSIE can override the +// Content-Type if it sees a recognized extension on the URL, such as +// might be appended via PATH_INFO after 'api.php'. +// +// Some data formats can end up containing unfiltered user-provided data +// which will end up triggering HTML detection and execution, hence +// XSS injection and all that entails. +// +// Ensure that all access is through the canonical entry point... +// +if( isset( $_SERVER['SCRIPT_URL'] ) ) { + $url = $_SERVER['SCRIPT_URL']; +} else { + $url = $_SERVER['PHP_SELF']; +} +if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) { + wfHttpError( 403, 'Forbidden', + 'API must be accessed through the primary script entry point.' ); + return; +} + // Verify that the API has not been disabled -// The next line should be -// if (isset ($wgEnableAPI) && !$wgEnableAPI) { -// but will be in a safe mode until api is stabler -if (!isset ($wgEnableAPI) || !$wgEnableAPI) { +if (!$wgEnableAPI) { echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php'; echo '
$wgEnableAPI=true;
'; die(-1); } -$wgAutoloadClasses = array_merge($wgAutoloadClasses, $wgApiAutoloadClasses); +/* Construct an ApiMain with the arguments passed via the URL. What we get back + * is some form of an ApiMain, possibly even one that produces an error message, + * but we don't care here, as that is handled by the ctor. + */ +$processor = new ApiMain($wgRequest, $wgEnableWriteAPI); -if (!isset($wgEnableWriteAPI)) - $wgEnableWriteAPI = false; // This should be 'true' later, once the api is stable. - -$processor = new ApiMain($wgApiStartTime, $wgApiModules, $wgApiFormats, $wgEnableWriteAPI); +// Process data & print results $processor->execute(); +// Execute any deferred updates +wfDoUpdates(); + +// Log what the user did, for book-keeping purposes. wfProfileOut('api.php'); wfLogProfilingData(); -exit; // Done! -?> + +// Shut down the database +wfGetLBFactory()->shutdown(); +