API: Warn about POST without Content-Type

HHVM sniffs the content type and so probably correctly guesses
application/x-www-form-urlencoded and fills in $_POST, while PHP 7 does
not sniff and so doesn't fill in $_POST.

Since there are clients that have been expecting the HHVM behavior, give
a warning both to let them know and so we can have some idea of how many
such clients there are.

This also adds any warnings and errors as an HTML comment at the top of
the auto-generated help page, to hopefully make it easier for people
getting that unexpectedly to find out why.

Bug: T230735
Change-Id: I017b7afe808844d74d376f6436894a5a2f525a9f

diff --git a/includes/api/ApiHelp.php b/includes/api/ApiHelp.php
index 988957b..2627715 100644 (file)
--- a/includes/api/ApiHelp.php
+++ b/includes/api/ApiHelp.php
@@ -66,6 +66,23 @@ class ApiHelp extends ApiBase {
                        ApiResult::setSubelementsList( $data, 'help' );
                        $result->addValue( null, $this->getModuleName(), $data );
                } else {
+                       // Show any errors at the top of the HTML
+                       $transform = [
+                               'Types' => [ 'AssocAsObject' => true ],
+                               'Strip' => 'all',
+                       ];
+                       $errors = array_filter( [
+                               'errors' => $this->getResult()->getResultData( [ 'errors' ], $transform ),
+                               'warnings' => $this->getResult()->getResultData( [ 'warnings' ], $transform ),
+                       ] );
+                       if ( $errors ) {
+                               $json = FormatJson::encode( $errors, true, FormatJson::UTF8_OK );
+                               // Escape any "--", some parsers might interpret that as end-of-comment.
+                               // The above already escaped any "<" and ">".
+                               $json = str_replace( '--', '-\u002D', $json );
+                               $html = "<!-- API warnings and errors:\n$json\n-->\n$html";
+                       }
+
                        $result->reset();
                        $result->addValue( null, 'text', $html, ApiResult::NO_SIZE_CHECK );
                        $result->addValue( null, 'mime', 'text/html', ApiResult::NO_SIZE_CHECK );

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 554ab6a..428024a 100644 (file)
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -1539,6 +1539,12 @@ class ApiMain extends ApiBase {
                        $this->dieWithErrorOrDebug( [ 'apierror-mustbeposted', $this->mAction ] );
                }
 
+               if ( $request->wasPosted() && !$request->getHeader( 'Content-Type' ) ) {
+                       $this->addDeprecation(
+                               'apiwarn-deprecation-post-without-content-type', 'post-without-content-type'
+                       );
+               }
+
                // See if custom printer is used
                $this->mPrinter = $module->getCustomPrinter();
                if ( is_null( $this->mPrinter ) ) {

diff --git a/includes/api/i18n/en.json b/includes/api/i18n/en.json
index 6625863..8b42a07 100644 (file)
--- a/includes/api/i18n/en.json
+++ b/includes/api/i18n/en.json
@@ -1908,6 +1908,7 @@
        "apiwarn-deprecation-missingparam": "Because <var>$1</var> was not specified, a legacy format has been used for the output. This format is deprecated, and in the future the new format will always be used.",
        "apiwarn-deprecation-parameter": "The parameter <var>$1</var> has been deprecated.",
        "apiwarn-deprecation-parse-headitems": "<kbd>prop=headitems</kbd> is deprecated since MediaWiki 1.28. Use <kbd>prop=headhtml</kbd> when creating new HTML documents, or <kbd>prop=modules|jsconfigvars</kbd> when updating a document client-side.",
+       "apiwarn-deprecation-post-without-content-type": "A POST request was made without a <code>Content-Type</code> header. This does not work reliably.",
        "apiwarn-deprecation-purge-get": "Use of <kbd>action=purge</kbd> via GET is deprecated. Use POST instead.",
        "apiwarn-deprecation-withreplacement": "<kbd>$1</kbd> has been deprecated. Please use <kbd>$2</kbd> instead.",
        "apiwarn-difftohidden": "Couldn't diff to r$1: content is hidden.",

diff --git a/includes/api/i18n/qqq.json b/includes/api/i18n/qqq.json
index d5de23f..87f056b 100644 (file)
--- a/includes/api/i18n/qqq.json
+++ b/includes/api/i18n/qqq.json
@@ -1795,6 +1795,7 @@
        "apiwarn-deprecation-missingparam": "{{doc-apierror}}\n\nParameters:\n* $1 - Parameter name.",
        "apiwarn-deprecation-parameter": "{{doc-apierror}}\n\nParameters:\n* $1 - Parameter name.",
        "apiwarn-deprecation-parse-headitems": "{{doc-apierror}}",
+       "apiwarn-deprecation-post-without-content-type": "{{doc-apierror}}",
        "apiwarn-deprecation-purge-get": "{{doc-apierror}}",
        "apiwarn-deprecation-withreplacement": "{{doc-apierror}}\n\nParameters:\n* $1 - Query string fragment that is deprecated, e.g. \"action=tokens\".\n* $2 - Query string fragment to use instead, e.g. \"action=tokens\".",
        "apiwarn-difftohidden": "{{doc-apierror}}\n\nParameters:\n* $1 - Revision ID number.\n\n\"r\" is short for \"revision\". You may translate it.",