dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge "Fix changes list misaligned arrow"
[lhc/web/wiklou.git] / includes / http / PhpHttpRequest.php
1 <?php
2 /**
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License along
14 * with this program; if not, write to the Free Software Foundation, Inc.,
15 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 * http://www.gnu.org/copyleft/gpl.html
17 *
18 * @file
19 */
20
21 class PhpHttpRequest extends MWHttpRequest {
22
23 private $fopenErrors = [];
24
25 /**
26 * @param string $url
27 * @return string
28 */
29 protected function urlToTcp( $url ) {
30 $parsedUrl = parse_url( $url );
31
32 return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port'];
33 }
34
35 /**
36 * Returns an array with a 'capath' or 'cafile' key
37 * that is suitable to be merged into the 'ssl' sub-array of
38 * a stream context options array.
39 * Uses the 'caInfo' option of the class if it is provided, otherwise uses the system
40 * default CA bundle if PHP supports that, or searches a few standard locations.
41 * @return array
42 * @throws DomainException
43 */
44 protected function getCertOptions() {
45 $certOptions = [];
46 $certLocations = [];
47 if ( $this->caInfo ) {
48 $certLocations = [ 'manual' => $this->caInfo ];
49 } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
50 // Default locations, based on
51 // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
52 // PHP 5.5 and older doesn't have any defaults, so we try to guess ourselves.
53 // PHP 5.6+ gets the CA location from OpenSSL as long as it is not set manually,
54 // so we should leave capath/cafile empty there.
55 $certLocations = array_filter( [
56 getenv( 'SSL_CERT_DIR' ),
57 getenv( 'SSL_CERT_PATH' ),
58 '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al
59 '/etc/ssl/certs', # Debian et al
60 '/etc/pki/tls/certs/ca-bundle.trust.crt',
61 '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
62 '/System/Library/OpenSSL', # OSX
63 ] );
64 }
65
66 foreach ( $certLocations as $key => $cert ) {
67 if ( is_dir( $cert ) ) {
68 $certOptions['capath'] = $cert;
69 break;
70 } elseif ( is_file( $cert ) ) {
71 $certOptions['cafile'] = $cert;
72 break;
73 } elseif ( $key === 'manual' ) {
74 // fail more loudly if a cert path was manually configured and it is not valid
75 throw new DomainException( "Invalid CA info passed: $cert" );
76 }
77 }
78
79 return $certOptions;
80 }
81
82 /**
83 * Custom error handler for dealing with fopen() errors.
84 * fopen() tends to fire multiple errors in succession, and the last one
85 * is completely useless (something like "fopen: failed to open stream")
86 * so normal methods of handling errors programmatically
87 * like get_last_error() don't work.
88 * @internal
89 * @param int $errno
90 * @param string $errstr
91 */
92 public function errorHandler( $errno, $errstr ) {
93 $n = count( $this->fopenErrors ) + 1;
94 $this->fopenErrors += [ "errno$n" => $errno, "errstr$n" => $errstr ];
95 }
96
97 /**
98 * @see MWHttpRequest::execute
99 *
100 * @return Status
101 */
102 public function execute() {
103 $this->prepare();
104
105 if ( is_array( $this->postData ) ) {
106 $this->postData = wfArrayToCgi( $this->postData );
107 }
108
109 if ( $this->parsedUrl['scheme'] != 'http'
110 && $this->parsedUrl['scheme'] != 'https' ) {
111 $this->status->fatal( 'http-invalid-scheme', $this->parsedUrl['scheme'] );
112 }
113
114 $this->reqHeaders['Accept'] = "*/*";
115 $this->reqHeaders['Connection'] = 'Close';
116 if ( $this->method == 'POST' ) {
117 // Required for HTTP 1.0 POSTs
118 $this->reqHeaders['Content-Length'] = strlen( $this->postData );
119 if ( !isset( $this->reqHeaders['Content-Type'] ) ) {
120 $this->reqHeaders['Content-Type'] = "application/x-www-form-urlencoded";
121 }
122 }
123
124 // Set up PHP stream context
125 $options = [
126 'http' => [
127 'method' => $this->method,
128 'header' => implode( "\r\n", $this->getHeaderList() ),
129 'protocol_version' => '1.1',
130 'max_redirects' => $this->followRedirects ? $this->maxRedirects : 0,
131 'ignore_errors' => true,
132 'timeout' => $this->timeout,
133 // Curl options in case curlwrappers are installed
134 'curl_verify_ssl_host' => $this->sslVerifyHost ? 2 : 0,
135 'curl_verify_ssl_peer' => $this->sslVerifyCert,
136 ],
137 'ssl' => [
138 'verify_peer' => $this->sslVerifyCert,
139 'SNI_enabled' => true,
140 'ciphers' => 'HIGH:!SSLv2:!SSLv3:-ADH:-kDH:-kECDH:-DSS',
141 'disable_compression' => true,
142 ],
143 ];
144
145 if ( $this->proxy ) {
146 $options['http']['proxy'] = $this->urlToTcp( $this->proxy );
147 $options['http']['request_fulluri'] = true;
148 }
149
150 if ( $this->postData ) {
151 $options['http']['content'] = $this->postData;
152 }
153
154 if ( $this->sslVerifyHost ) {
155 // PHP 5.6.0 deprecates CN_match, in favour of peer_name which
156 // actually checks SubjectAltName properly.
157 if ( version_compare( PHP_VERSION, '5.6.0', '>=' ) ) {
158 $options['ssl']['peer_name'] = $this->parsedUrl['host'];
159 } else {
160 $options['ssl']['CN_match'] = $this->parsedUrl['host'];
161 }
162 }
163
164 $options['ssl'] += $this->getCertOptions();
165
166 $context = stream_context_create( $options );
167
168 $this->headerList = [];
169 $reqCount = 0;
170 $url = $this->url;
171
172 $result = [];
173
174 if ( $this->profiler ) {
175 $profileSection = $this->profiler->scopedProfileIn(
176 __METHOD__ . '-' . $this->profileName
177 );
178 }
179 do {
180 $reqCount++;
181 $this->fopenErrors = [];
182 set_error_handler( [ $this, 'errorHandler' ] );
183 $fh = fopen( $url, "r", false, $context );
184 restore_error_handler();
185
186 if ( !$fh ) {
187 // HACK for instant commons.
188 // If we are contacting (commons|upload).wikimedia.org
189 // try again with CN_match for en.wikipedia.org
190 // as php does not handle SubjectAltName properly
191 // prior to "peer_name" option in php 5.6
192 if ( isset( $options['ssl']['CN_match'] )
193 && ( $options['ssl']['CN_match'] === 'commons.wikimedia.org'
194 || $options['ssl']['CN_match'] === 'upload.wikimedia.org' )
195 ) {
196 $options['ssl']['CN_match'] = 'en.wikipedia.org';
197 $context = stream_context_create( $options );
198 continue;
199 }
200 break;
201 }
202
203 $result = stream_get_meta_data( $fh );
204 $this->headerList = $result['wrapper_data'];
205 $this->parseHeader();
206
207 if ( !$this->followRedirects ) {
208 break;
209 }
210
211 # Handle manual redirection
212 if ( !$this->isRedirect() || $reqCount > $this->maxRedirects ) {
213 break;
214 }
215 # Check security of URL
216 $url = $this->getResponseHeader( "Location" );
217
218 if ( !Http::isValidURI( $url ) ) {
219 $this->logger->debug( __METHOD__ . ": insecure redirection\n" );
220 break;
221 }
222 } while ( true );
223 if ( $this->profiler ) {
224 $this->profiler->scopedProfileOut( $profileSection );
225 }
226
227 $this->setStatus();
228
229 if ( $fh === false ) {
230 if ( $this->fopenErrors ) {
231 $this->logger->warning( __CLASS__
232 . ': error opening connection: {errstr1}', $this->fopenErrors );
233 }
234 $this->status->fatal( 'http-request-error' );
235 return Status::wrap( $this->status ); // TODO B/C; move this to callers
236 }
237
238 if ( $result['timed_out'] ) {
239 $this->status->fatal( 'http-timed-out', $this->url );
240 return Status::wrap( $this->status ); // TODO B/C; move this to callers
241 }
242
243 // If everything went OK, or we received some error code
244 // get the response body content.
245 if ( $this->status->isOK() || (int)$this->respStatus >= 300 ) {
246 while ( !feof( $fh ) ) {
247 $buf = fread( $fh, 8192 );
248
249 if ( $buf === false ) {
250 $this->status->fatal( 'http-read-error' );
251 break;
252 }
253
254 if ( strlen( $buf ) ) {
255 call_user_func( $this->callback, $fh, $buf );
256 }
257 }
258 }
259 fclose( $fh );
260
261 return Status::wrap( $this->status ); // TODO B/C; move this to callers
262 }
263 }
Wiklou, le Wiki du Wiklou