X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FWebRequest.php;h=a1fa0eb775d00a2f78f708b0139b00bd0bdda029;hb=ecc5f63a84013155656b37c27da917a02328dbfc;hp=a703b6415ebfa79bd8fd793614253f2b4ece7136;hpb=9ec7cb086847a18de33df4931759f3cc4944fc38;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index a703b6415e..a1fa0eb775 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -25,8 +25,8 @@
 
  /**
  * The WebRequest class encapsulates getting at data passed in the
- * URL or via a POSTed form, handling remove of "magic quotes" slashes,
- * stripping illegal input characters and normalizing Unicode sequences.
+ * URL or via a POSTed form stripping illegal input characters and
+ * normalizing Unicode sequences.
  *
  * Usually this is used via a global singleton, $wgRequest. You should
  * not create a second WebRequest object; make a FauxRequest object if
@@ -57,10 +57,9 @@ class WebRequest {
  protected $protocol;
 
  public function __construct() {
- /// @todo FIXME: This preemptive de-quoting can interfere with other web libraries
- /// and increases our memory footprint. It would be cleaner to do on
- /// demand; but currently we have no wrapper for $_SERVER etc.
- $this->checkMagicQuotes();
+ if ( function_exists( 'get_magic_quotes_gpc' ) && get_magic_quotes_gpc() ) {
+ throw new MWException( "MediaWiki does not function when magic quotes are enabled." );
+ }
 
  // POST overrides GET data
  // We don't use $_REQUEST here to avoid interference from cookies...
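Review bot: The new guard in `__construct()` only protects code that runs after a WebRequest has been built. The removed `checkMagicQuotes()` call rewrote `$_COOKIE`, `$_SERVER` and the other superglobals for every later reader, so any entry point that reads them without constructing a WebRequest would now see slash-escaped values when `magic_quotes_gpc` is on; presumably none exist, but that is not visible from this hunk and is worth confirming. Failing closed is the right call, but the constructor has no docblock, so I would add one stating that it `@throws MWException` when `get_magic_quotes_gpc()` reports the setting enabled. The message should also name the directive so an administrator knows what to change, e.g. `throw new MWException( 'MediaWiki does not function when magic_quotes_gpc is enabled.' );`. The constructor body continues past the end of the hunk.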
@@ -271,51 +270,6 @@ class WebRequest {
  return array();
  }
 
- /**
- * Recursively strips slashes from the given array;
- * used for undoing the evil that is magic_quotes_gpc.
- *
- * @param array $arr will be modified
- * @param bool $topLevel Specifies if the array passed is from the top
- * level of the source. In PHP5 magic_quotes only escapes the first level
- * of keys that belong to an array.
- * @return array The original array
- * @see http://www.php.net/manual/en/function.get-magic-quotes-gpc.php#49612
- */
- private function &fix_magic_quotes( &$arr, $topLevel = true ) {
- $clean = array();
- foreach ( $arr as $key => $val ) {
- if ( is_array( $val ) ) {
- $cleanKey = $topLevel ? stripslashes( $key ) : $key;
- $clean[$cleanKey] = $this->fix_magic_quotes( $arr[$key], false );
- } else {
- $cleanKey = stripslashes( $key );
- $clean[$cleanKey] = stripslashes( $val );
- }
- }
- $arr = $clean;
- return $arr;
- }
-
- /**
- * If magic_quotes_gpc option is on, run the global arrays
- * through fix_magic_quotes to strip out the stupid slashes.
- * WARNING: This should only be done once! Running a second
- * time could damage the values.
- */
- private function checkMagicQuotes() {
- $mustFixQuotes = function_exists( 'get_magic_quotes_gpc' )
- && get_magic_quotes_gpc();
- if ( $mustFixQuotes ) {
- $this->fix_magic_quotes( $_COOKIE );
- $this->fix_magic_quotes( $_ENV );
- $this->fix_magic_quotes( $_GET );
- $this->fix_magic_quotes( $_POST );
- $this->fix_magic_quotes( $_REQUEST );
- $this->fix_magic_quotes( $_SERVER );
- }
- }
-
  /**
  * Recursively normalizes UTF-8 strings in the given array.
  *
@@ -746,7 +700,7 @@ class WebRequest {
 
  /**
  * Take an arbitrary query and rewrite the present URL to include it
- * @param string $query query string fragment; do not include initial '?'
+ * @param string $query Query string fragment; do not include initial '?'
  *
  * @return string
  */
@@ -754,17 +708,6 @@ class WebRequest {
  return $this->appendQueryArray( wfCgiToArray( $query ) );
  }
 
- /**
- * HTML-safe version of appendQuery().
- * @deprecated: Deprecated in 1.20, warnings in 1.21, remove in 1.22.
- *
- * @param string $query Query string fragment; do not include initial '?'
- * @return string
- */
- public function escapeAppendQuery( $query ) {
- return htmlspecialchars( $this->appendQuery( $query ) );
- }
-
  /**
  * @param string $key
  * @param string $value
@@ -829,7 +772,7 @@ class WebRequest {
  * Return the path to the temporary file where PHP has stored the upload.
  *
  * @param string $key
- * @return string|null string or null if no such file.
+ * @return string|null String or null if no such file.
  */
  public function getFileTempname( $key ) {
  $file = new WebRequestUpload( $this, $key );
@@ -856,7 +799,7 @@ class WebRequest {
  * Other than this the name is not verified for being a safe filename.
  *
  * @param string $key
- * @return string|null string or null if no such file.
+ * @return string|null String or null if no such file.
  */
  public function getFileName( $key ) {
  $file = new WebRequestUpload( $this, $key );
@@ -925,7 +868,7 @@ class WebRequest {
 
  /**
  * Get a request header, or false if it isn't set
- * @param string $name case-insensitive header name
+ * @param string $name Case-insensitive header name
  *
  * @return string|bool False on failure
  */
@@ -1026,7 +969,7 @@ HTML;
  /**
  * Parse the Accept-Language header sent by the client into an array
  *
- * @return array array( languageCode => q-value ) sorted by q-value in
+ * @return array Array( languageCode => q-value ) sorted by q-value in
  * descending order then appearing time in the header in ascending order.
  * May contain the "language" '*', which applies to languages other than those explicitly listed.
  * This is aligned with rfc2616 section 14.4
@@ -1309,7 +1252,7 @@ class FauxRequest extends WebRequest {
  private $session = array();
 
  /**
- * @param array $data of *non*-urlencoded key => value pairs, the
+ * @param array $data Array of *non*-urlencoded key => value pairs, the
  * fake GET/POST values
  * @param bool $wasPosted Whether to treat the data as POST
  * @param array|null $session Session array or null