From 06ca92eb8cfa8d24f74a8ab04b94a2178bb1c346 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Sat, 19 May 2018 14:41:41 -0700 Subject: [PATCH] Re-enable MediaWiki.Usage.SuperGlobalsUsage.SuperGlobals sniff Disable it in specific files and places where there are legitimate uses to access $_GET and $_POST directly. For EditPage, which wants to output $_POST for debugging information, introduce WebRequest::getPostValues() as a wrapper, matching the existing ::getQueryValues(). Change-Id: I2cb0a7012fb7ed29dcd720056b42f56508ddc5fa --- .phpcs.xml | 1 - includes/AjaxDispatcher.php | 3 +++ includes/EditPage.php | 2 +- includes/GlobalFunctions.php | 3 ++- includes/WebRequest.php | 15 +++++++++++++++ includes/libs/rdbms/lbfactory/LBFactory.php | 1 + tests/qunit/data/load.mock.php | 4 ++++ tests/qunit/data/styleTest.css.php | 4 ++++ thumb.php | 2 +- 9 files changed, 31 insertions(+), 4 deletions(-) diff --git a/.phpcs.xml b/.phpcs.xml index b0fb6f5107..2175ca7f7a 100644 --- a/.phpcs.xml +++ b/.phpcs.xml @@ -17,7 +17,6 @@ - diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php index 75fcff3654..35b556df7b 100644 --- a/includes/AjaxDispatcher.php +++ b/includes/AjaxDispatcher.php @@ -23,6 +23,9 @@ use MediaWiki\MediaWikiServices; +// Use superglobals, but since it's deprecated, it's not worth fixing +// phpcs:disable MediaWiki.Usage.SuperGlobalsUsage.SuperGlobals + /** * @defgroup Ajax Ajax */ diff --git a/includes/EditPage.php b/includes/EditPage.php index 6d39e3a03d..67ce1f3c11 100644 --- a/includes/EditPage.php +++ b/includes/EditPage.php @@ -938,7 +938,7 @@ class EditPage { if ( $this->incompleteForm ) { # If the form is incomplete, force to preview. wfDebug( __METHOD__ . ": Form data appears to be incomplete\n" ); - wfDebug( "POST DATA: " . var_export( $_POST, true ) . "\n" ); + wfDebug( "POST DATA: " . var_export( $request->getPostValues(), true ) . "\n" ); $this->preview = true; } else { $this->preview = $request->getCheck( 'wpPreview' ); 
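Review bot: The new comment `// Use superglobals, but since it's deprecated, it's not worth fixing` in AjaxDispatcher.php is ambiguous about what is deprecated — read literally it says superglobal access is deprecated, whereas the intent appears to be that the dispatcher itself is deprecated and not worth migrating to WebRequest. Suggest `// This class is deprecated, so its direct superglobal access is not worth migrating to WebRequest`. Because the `phpcs:disable` has no matching `phpcs:enable`, it covers the rest of the file, which is acceptable for a file-wide exemption but means any later superglobal access added to this file will also go unflagged.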
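Review bot: The switch to `$request->getPostValues()` in EditPage.php still dumps the entire POST body into the debug log through `wfDebug`, so the edit token (`wpEditToken`) and any other fields submitted with an incomplete form keep landing in log files; the wrapper only silences the sniff, it does not change what is logged. Diagnosing an incomplete form usually needs only the field names, so consider `wfDebug( "POST DATA keys: " . var_export( array_keys( $request->getPostValues() ), true ) . "\n" );`, or redact token-like keys before the `var_export` if the values are genuinely needed. The enclosing method continues outside the hunk.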
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php index c11a9bd4a9..659ac9d268 100644 --- a/includes/GlobalFunctions.php +++ b/includes/GlobalFunctions.php @@ -1089,7 +1089,8 @@ function wfIsDebugRawPage() { if ( $cache !== null ) { return $cache; } - # Check for raw action using $_GET not $wgRequest, since the latter might not be initialised yet + // Check for raw action using $_GET not $wgRequest, since the latter might not be initialised yet + // phpcs:ignore MediaWiki.Usage.SuperGlobalsUsage.SuperGlobals if ( ( isset( $_GET['action'] ) && $_GET['action'] == 'raw' ) || ( isset( $_SERVER['SCRIPT_NAME'] ) diff --git a/includes/WebRequest.php b/includes/WebRequest.php index c6ddf81697..e0b8de7076 100644 --- a/includes/WebRequest.php +++ b/includes/WebRequest.php @@ -28,6 +28,9 @@ use MediaWiki\Session\Session; use MediaWiki\Session\SessionId; use MediaWiki\Session\SessionManager; +// The point of this class is to be a wrapper around super globals +// phpcs:disable MediaWiki.Usage.SuperGlobalsUsage.SuperGlobals + /** * The WebRequest class encapsulates getting at data passed in the * URL or via a POSTed form stripping illegal input characters and @@ -654,6 +657,18 @@ class WebRequest { return $_GET; } + /** + * Get the values passed via POST. + * No transformation is performed on the values. + * + * @since 1.32 + * @codeCoverageIgnore + * @return array + */ + public function getPostValues() { + return $_POST; + } + /** * Return the contents of the Query with no decoding. Use when you need to * know exactly what was sent, e.g. for an OAuth signature over the elements. diff --git a/includes/libs/rdbms/lbfactory/LBFactory.php b/includes/libs/rdbms/lbfactory/LBFactory.php index 7a1b061b98..7f5990d32b 100644 --- a/includes/libs/rdbms/lbfactory/LBFactory.php +++ b/includes/libs/rdbms/lbfactory/LBFactory.php 
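Review bot: `getPostValues()` in WebRequest.php returns the raw `$_POST` superglobal, so unlike `getVal()`/`getCheck()` it bypasses the character stripping and normalization the class docblock in this hunk's context describes, and a subclass that substitutes its own request data (FauxRequest overrides `getQueryValues()` for that purpose, if I recall the class correctly) would need a matching `getPostValues()` override or this method will silently read the live request instead. The docblock's "No transformation is performed on the values." should spell out both consequences, e.g. `Returns the raw $_POST superglobal: values are not normalized, and subclasses that supply fake request data must override this method.` Callers should treat the returned array as untrusted in the same way as `getQueryValues()`.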
@@ -139,6 +139,7 @@ abstract class LBFactory implements ILBFactory { 'IPAddress' => isset( $_SERVER[ 'REMOTE_ADDR' ] ) ? $_SERVER[ 'REMOTE_ADDR' ] : '', 'UserAgent' => isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '', 'ChronologyProtection' => 'true', + // phpcs:ignore MediaWiki.Usage.SuperGlobalsUsage.SuperGlobals -- library can't use $wgRequest 'ChronologyPositionIndex' => isset( $_GET['cpPosIndex'] ) ? $_GET['cpPosIndex'] : null ]; diff --git a/tests/qunit/data/load.mock.php b/tests/qunit/data/load.mock.php index 2300949860..3b710c4a50 100644 --- a/tests/qunit/data/load.mock.php +++ b/tests/qunit/data/load.mock.php @@ -22,6 +22,10 @@ * @author Lupo * @since 1.20 */ + +// This file doesn't run as part of MediaWiki +// phpcs:disable MediaWiki.Usage.SuperGlobalsUsage.SuperGlobals + header( 'Content-Type: text/javascript; charset=utf-8' ); $moduleImplementations = [ diff --git a/tests/qunit/data/styleTest.css.php b/tests/qunit/data/styleTest.css.php index 0e84581124..e37f67d49f 100644 --- a/tests/qunit/data/styleTest.css.php +++ b/tests/qunit/data/styleTest.css.php @@ -22,6 +22,10 @@ * @author Timo Tijhof * @since 1.20 */ + +// This file doesn't run as part of MediaWiki +// phpcs:disable MediaWiki.Usage.SuperGlobalsUsage.SuperGlobals + header( 'Content-Type: text/css; charset=utf-8' ); /** diff --git a/thumb.php b/thumb.php index 3b714135bc..a3c9d84452 100644 --- a/thumb.php +++ b/thumb.php @@ -35,7 +35,7 @@ if ( defined( 'THUMB_HANDLER' ) ) { wfThumbHandle404(); } else { // Called directly, use $_GET params - wfStreamThumb( $_GET ); + wfStreamThumb( $wgRequest->getQueryValues() ); } $mediawiki = new MediaWiki(); -- 2.20.1
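Review bot: The comment `// Called directly, use $_GET params` above the changed line in thumb.php is now slightly stale, since the code goes through `$wgRequest`; suggest `// Called directly, pass the raw query parameters through the request wrapper`. Behaviour is unchanged only because `getQueryValues()` returns `$_GET` verbatim, so `wfStreamThumb` still receives unnormalized input and must validate it itself; if `$wgRequest` is ever a FauxRequest or another subclass here, it would receive that object's data instead. This also relies on `$wgRequest` being in scope at this point, which holds if the code runs at file level after the bootstrap rather than inside a function; the surrounding `if`/`else` starts outside the hunk.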