Really, I'm not sure about the usefulness of exploding with a MWException anytime we can't do an external request, but at least we can stop the installer from exploding :)
Tested fix with PHPUnit Tests that aren't currently executed by
CruiseControl b/c they're marked “broken” till someone comes up with
some reasonable unit tests that will work for everyone.
r65152 switched upload-by-URL ($wgAllowCopyUploads) to use Http / MwHttpRequest class instead of CURL directly.
While this is mostly nice, it switched from saving large files directly to a temp file to buffering them in memory, causing large files to fail when they hit the PHP memory limit.
Fix uses MwHttpRequest's callback capability to override the read handler; now appending it to the temporary file as we go, and can confirm that largish files work again; was able to upload a 64mb .ogv that previously didn't work for me: http://prototype.wikimedia.org/tmh/images/b/b2/File-Arborophila_brunneopectus_pair_feeding_-_Kaeng_Krachan.ogv
Also expanded the documentation on MwHttpRequest::setCallback to clarify the function parameters and return value for the callback (which currently matches the low-level CURL handler's callback directly).
Note that the non-CURL implementation doesn't abort the read if the callback doesn't return the expected number of bytes, but this is an immediate fatal end of request on the Curl backend. May want further cleanup.
regex, but also accepts ftps because both cURL and php support it. It no longer accepts thing like 'foo http://bar bax'
which was my main concern
Note the previous regex kind of looks more restrictive, but is not since saying "anything not containing a space
optionally followed by anything not containing a bunch of characters including a space" is the same as saying anything
with no spaces. See also r83296. This obviously doesn't catch all cases, but I personally think its sufficient.
At the very least it is a very significant improvement over the previous version that caught almost nothing.
* Do not follow redirects by default. This breaks on safe_mode, and may potentially open security vulnerabilities in callers which blacklist domain names. Instead, send followRedirects=true option in the HttpTest caller that needs it.
* Added a check for the cURL security vulnerability CVE-2009-0037, which allowed redirects to file:/// and scp://. Refuse to follow redirects if a vulnerable client library is present.
* Factored out the redirect compatibility test into public function canFollowRedirects() so that callers can provide this information to users.
* In PhpHttpRequest, only follow redirects to HTTP URLs, do not fopen() arbitrary locations. This is not quite as bad as it sounds, since the lack of response headers prevents file:/// content from being returned to the caller.
* Fixed vertical alignment in Http::request(), per style guide.
* 304, 305 and 306 responses are not really redirects and cannot contain a Location header.
