X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=includes%2FHttpFunctions.php;h=3f42038242ebf7c8eeca86df5d5bf9e4597738b2;hp=697391b6d020b27c52ca490d24257b8d25561292;hb=e3bd13db0c285f312e31bb1b7271af4628cca80c;hpb=6ae9367cddf8565c948f4d9458b07bb688f2ddc2

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 697391b6d0..3f42038242 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -60,7 +60,7 @@ class Http {
 	 * @param string $caller The method making this request, for profiling
 	 * @return string|bool (bool)false on failure or a string on success
 	 */
-	public static function request( $method, $url, $options = array(), $caller = __METHOD__ ) {
+	public static function request( $method, $url, $options = [], $caller = __METHOD__ ) {
 		wfDebug( "HTTP: $method: $url\n" );
 
 		$options['method'] = strtoupper( $method );
@@ -80,7 +80,8 @@ class Http {
 		} else {
 			$errors = $status->getErrorsByType( 'error' );
 			$logger = LoggerFactory::getInstance( 'http' );
-			$logger->warning( $status->getWikiText(), array( 'caller' => $caller ) );
+			$logger->warning( $status->getWikiText( null, null, 'en' ),
+				[ 'error' => $errors, 'caller' => $caller, 'content' => $req->getContent() ] );
 			return false;
 		}
 	}
@@ -94,16 +95,16 @@ class Http {
 	 * @param string $url
 	 * @param array $options
 	 * @param string $caller The method making this request, for profiling
-	 * @return string
+	 * @return string|bool false on error
 	 */
-	public static function get( $url, $options = array(), $caller = __METHOD__ ) {
+	public static function get( $url, $options = [], $caller = __METHOD__ ) {
 		$args = func_get_args();
 		if ( isset( $args[1] ) && ( is_string( $args[1] ) || is_numeric( $args[1] ) ) ) {
 			// Second was used to be the timeout
 			// And third parameter used to be $options
 			wfWarn( "Second parameter should not be a timeout.", 2 );
 			$options = isset( $args[2] ) && is_array( $args[2] ) ?
-				$args[2] : array();
+				$args[2] : [];
 			$options['timeout'] = $args[1];
 			$caller = __METHOD__;
 		}
@@ -117,9 +118,9 @@ class Http {
 	 * @param string $url
 	 * @param array $options
 	 * @param string $caller The method making this request, for profiling
-	 * @return string
+	 * @return string|bool false on error
 	 */
-	public static function post( $url, $options = array(), $caller = __METHOD__ ) {
+	public static function post( $url, $options = [], $caller = __METHOD__ ) {
 		return Http::request( 'POST', $url, $options, $caller );
 	}
 
@@ -130,14 +131,14 @@ class Http {
 	 * @return bool
 	 */
 	public static function isLocalURL( $url ) {
-		global $wgCommandLineMode, $wgLocalVirtualHosts, $wgConf;
+		global $wgCommandLineMode, $wgLocalVirtualHosts;
 
 		if ( $wgCommandLineMode ) {
 			return false;
 		}
 
 		// Extract host part
-		$matches = array();
+		$matches = [];
 		if ( preg_match( '!^http://([\w.-]+)[/:].*$!', $url, $matches ) ) {
 			$host = $matches[1];
 			// Split up dotwise
@@ -155,9 +156,7 @@ class Http {
 					$domain = $domainPart . '.' . $domain;
 				}
 
-				if ( in_array( $domain, $wgLocalVirtualHosts )
-					|| $wgConf->isLocalVHost( $domain )
-				) {
+				if ( in_array( $domain, $wgLocalVirtualHosts ) ) {
 					return true;
 				}
 			}
@@ -235,7 +234,7 @@ class MWHttpRequest {
 	protected $sslVerifyCert = true;
 	protected $caInfo = null;
 	protected $method = "GET";
-	protected $reqHeaders = array();
+	protected $reqHeaders = [];
 	protected $url;
 	protected $parsedUrl;
 	protected $callback;
@@ -247,10 +246,10 @@ class MWHttpRequest {
 	 */
 	protected $cookieJar;
 
-	protected $headerList = array();
+	protected $headerList = [];
 	protected $respVersion = "0.9";
 	protected $respStatus = "200 Ok";
-	protected $respHeaders = array();
+	protected $respHeaders = [];
 
 	public $status;
 
@@ -271,7 +270,7 @@ class MWHttpRequest {
 	 * @param Profiler $profiler An instance of the profiler for profiling, or null
 	 */
 	protected function __construct(
-		$url, $options = array(), $caller = __METHOD__, $profiler = null
+		$url, $options = [], $caller = __METHOD__, $profiler = null
 	) {
 		global $wgHTTPTimeout, $wgHTTPConnectTimeout;
 
@@ -298,8 +297,8 @@ class MWHttpRequest {
 			$this->setUserAgent( $options['userAgent'] );
 		}
 
-		$members = array( "postData", "proxy", "noProxy", "sslVerifyHost", "caInfo",
-				"method", "followRedirects", "maxRedirects", "sslVerifyCert", "callback" );
+		$members = [ "postData", "proxy", "noProxy", "sslVerifyHost", "caInfo",
+				"method", "followRedirects", "maxRedirects", "sslVerifyCert", "callback" ];
 
 		foreach ( $members as $o ) {
 			if ( isset( $options[$o] ) ) {
@@ -426,7 +425,7 @@ class MWHttpRequest {
 	 * @return array
 	 */
 	public function getHeaderList() {
-		$list = array();
+		$list = [];
 
 		if ( $this->cookieJar ) {
 			$this->reqHeaders['Cookie'] =
@@ -497,7 +496,7 @@ class MWHttpRequest {
 		$this->proxySetup(); // set up any proxy as needed
 
 		if ( !$this->callback ) {
-			$this->setCallback( array( $this, 'read' ) );
+			$this->setCallback( [ $this, 'read' ] );
 		}
 
 		if ( !isset( $this->reqHeaders['User-Agent'] ) ) {
@@ -748,7 +747,7 @@ class MWHttpRequest {
 class CurlHttpRequest extends MWHttpRequest {
 	const SUPPORTS_FILE_POSTS = true;
 
-	protected $curlOptions = array();
+	protected $curlOptions = [];
 	protected $headerText = "";
 
 	/**
@@ -779,7 +778,7 @@ class CurlHttpRequest extends MWHttpRequest {
 
 		$this->curlOptions[CURLOPT_HTTP_VERSION] = CURL_HTTP_VERSION_1_0;
 		$this->curlOptions[CURLOPT_WRITEFUNCTION] = $this->callback;
-		$this->curlOptions[CURLOPT_HEADERFUNCTION] = array( $this, "readHeader" );
+		$this->curlOptions[CURLOPT_HEADERFUNCTION] = [ $this, "readHeader" ];
 		$this->curlOptions[CURLOPT_MAXREDIRS] = $this->maxRedirects;
 		$this->curlOptions[CURLOPT_ENCODING] = ""; # Enable compression
 
@@ -797,7 +796,22 @@ class CurlHttpRequest extends MWHttpRequest {
 			$this->curlOptions[CURLOPT_HEADER] = true;
 		} elseif ( $this->method == 'POST' ) {
 			$this->curlOptions[CURLOPT_POST] = true;
-			$this->curlOptions[CURLOPT_POSTFIELDS] = $this->postData;
+			$postData = $this->postData;
+			// Don't interpret POST parameters starting with '@' as file uploads, because this
+			// makes it impossible to POST plain values starting with '@' (and causes security
+			// issues potentially exposing the contents of local files).
+			// The PHP manual says this option was introduced in PHP 5.5 defaults to true in PHP 5.6,
+			// but we support lower versions, and the option doesn't exist in HHVM 5.6.99.
+			if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
+				$this->curlOptions[CURLOPT_SAFE_UPLOAD] = true;
+			} elseif ( is_array( $postData ) ) {
+				// In PHP 5.2 and later, '@' is interpreted as a file upload if POSTFIELDS
+				// is an array, but not if it's a string. So convert $req['body'] to a string
+				// for safety.
+				$postData = wfArrayToCgi( $postData );
+			}
+			$this->curlOptions[CURLOPT_POSTFIELDS] = $postData;
+
 			// Suppress 'Expect: 100-continue' header, as some servers
 			// will reject it with a 417 and Curl won't auto retry
 			// with HTTP 1.0 fallback
@@ -818,7 +832,7 @@ class CurlHttpRequest extends MWHttpRequest {
 			MediaWiki\suppressWarnings();
 			if ( !curl_setopt( $curlHandle, CURLOPT_FOLLOWLOCATION, true ) ) {
 				wfDebug( __METHOD__ . ": Couldn't set CURLOPT_FOLLOWLOCATION. " .
-					"Probably safe_mode or open_basedir is set.\n" );
+					"Probably open_basedir is set.\n" );
 				// Continue the processing. If it were in curl_setopt_array,
 				// processing would have halted on its entry
 			}
@@ -863,8 +877,8 @@ class CurlHttpRequest extends MWHttpRequest {
 		}
 
 		if ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
-			if ( strval( ini_get( 'open_basedir' ) ) !== '' || wfIniGetBool( 'safe_mode' ) ) {
-				wfDebug( "Cannot follow redirects in safe mode\n" );
+			if ( strval( ini_get( 'open_basedir' ) ) !== '' ) {
+				wfDebug( "Cannot follow redirects when open_basedir is set\n" );
 				return false;
 			}
 		}
@@ -875,7 +889,7 @@ class CurlHttpRequest extends MWHttpRequest {
 
 class PhpHttpRequest extends MWHttpRequest {
 
-	private $fopenErrors = array();
+	private $fopenErrors = [];
 
 	/**
 	 * @param string $url
@@ -897,10 +911,10 @@ class PhpHttpRequest extends MWHttpRequest {
 	 * @throws DomainException
 	 */
 	protected function getCertOptions() {
-		$certOptions = array();
-		$certLocations = array();
+		$certOptions = [];
+		$certLocations = [];
 		if ( $this->caInfo ) {
-			$certLocations = array( 'manual' => $this->caInfo );
+			$certLocations = [ 'manual' => $this->caInfo ];
 		} elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
 			// @codingStandardsIgnoreStart Generic.Files.LineLength
 			// Default locations, based on
@@ -909,7 +923,7 @@ class PhpHttpRequest extends MWHttpRequest {
 			// PHP 5.6+ gets the CA location from OpenSSL as long as it is not set manually,
 			// so we should leave capath/cafile empty there.
 			// @codingStandardsIgnoreEnd
-			$certLocations = array_filter( array(
+			$certLocations = array_filter( [
 				getenv( 'SSL_CERT_DIR' ),
 				getenv( 'SSL_CERT_PATH' ),
 				'/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al
@@ -917,7 +931,7 @@ class PhpHttpRequest extends MWHttpRequest {
 				'/etc/pki/tls/certs/ca-bundle.trust.crt',
 				'/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
 				'/System/Library/OpenSSL', # OSX
-			) );
+			] );
 		}
 
 		foreach ( $certLocations as $key => $cert ) {
@@ -945,7 +959,7 @@ class PhpHttpRequest extends MWHttpRequest {
 	 */
 	public function errorHandler( $errno, $errstr ) {
 		$n = count( $this->fopenErrors ) + 1;
-		$this->fopenErrors += array( "errno$n" => $errno, "errstr$n" => $errstr );
+		$this->fopenErrors += [ "errno$n" => $errno, "errstr$n" => $errstr ];
 	}
 
 	public function execute() {
@@ -972,8 +986,8 @@ class PhpHttpRequest extends MWHttpRequest {
 		}
 
 		// Set up PHP stream context
-		$options = array(
-			'http' => array(
+		$options = [
+			'http' => [
 				'method' => $this->method,
 				'header' => implode( "\r\n", $this->getHeaderList() ),
 				'protocol_version' => '1.1',
@@ -983,17 +997,17 @@ class PhpHttpRequest extends MWHttpRequest {
 				// Curl options in case curlwrappers are installed
 				'curl_verify_ssl_host' => $this->sslVerifyHost ? 2 : 0,
 				'curl_verify_ssl_peer' => $this->sslVerifyCert,
-			),
-			'ssl' => array(
+			],
+			'ssl' => [
 				'verify_peer' => $this->sslVerifyCert,
 				'SNI_enabled' => true,
 				'ciphers' => 'HIGH:!SSLv2:!SSLv3:-ADH:-kDH:-kECDH:-DSS',
 				'disable_compression' => true,
-			),
-		);
+			],
+		];
 
 		if ( $this->proxy ) {
-			$options['http']['proxy'] = $this->urlToTCP( $this->proxy );
+			$options['http']['proxy'] = $this->urlToTcp( $this->proxy );
 			$options['http']['request_fulluri'] = true;
 		}
 
@@ -1015,11 +1029,11 @@ class PhpHttpRequest extends MWHttpRequest {
 
 		$context = stream_context_create( $options );
 
-		$this->headerList = array();
+		$this->headerList = [];
 		$reqCount = 0;
 		$url = $this->url;
 
-		$result = array();
+		$result = [];
 
 		if ( $this->profiler ) {
 			$profileSection = $this->profiler->scopedProfileIn(
@@ -1028,8 +1042,8 @@ class PhpHttpRequest extends MWHttpRequest {
 		}
 		do {
 			$reqCount++;
-			$this->fopenErrors = array();
-			set_error_handler( array( $this, 'errorHandler' ) );
+			$this->fopenErrors = [];
+			set_error_handler( [ $this, 'errorHandler' ] );
 			$fh = fopen( $url, "r", false, $context );
 			restore_error_handler();