All callers have been updated to provide their own getLocalUrl() calls as
appropriate, so deprecate calling appendQueryValue() and appendQueryArray()
with $onlyquery = false.
appendQuery() is now unused and deprecated as it always assumed $onlyquery = false
Change-Id: I142195c39f278165118a52143031008d9c68e01a
When $_SERVER['HTTP_X_FORWARDED_PROTO'] is set, keep the detected
protocol default port rather than using the local server port when
creating a canonical URL.
Bug: 70021
Change-Id: I2b37da5872929e1c461ff20cccf3dfe11f182a2f
- Swap "$variable type" to "type $variable"
- Added missing types
- Fixed spacing inside docs
- Makes beginning of @param/@return/@var/@throws in capital
- Changed some types to match the more common spelling
Change-Id: I783e4dbfe5f6f98b32b9a03ccf6439e13e132bcc
This "feature" of PHP has been disabled by default for quite some
time, deprecated in 5.3 and removed entirely in 5.4.
See <http://www.php.net/manual/en/security.magicquotes.php> for
information on why this practice is bad and how to disable it.
For MediaWiki, the removed todo comment says it all. Doing this
messes with all of the super globals and makes embedding MediaWiki
inside another application problematic. It also increases our
memory footprint for every single request even when the data might
not be used.
Finally, it makes it possible to instantiate new WebRequest objects
pretty much whenever you want, so there's no reason for $wgRequest
to exist anymore.
Bug: 11558
Change-Id: I4bc0392276f454ceb966547c7fbd7c8190ebbc7c
This function was deprecated in 1.20 and slated for removal in 1.22;
there were supposed to be warnings given in 1.21 but there does
not seem to be any use of this function otherwise in core.
Change-Id: If70a4e2c1509bf3527d5f8960c14115ce4ab713e
* Throw an error if there is no immediate server IP, otherwise the
XFF logic is wonky.
* Refactored the loop to be a bit easier to read.
* Better handle "unknown" entries in the XFF chain.
Change-Id: I9541afa408d895c3fd337a883ecfe4ce0ba57090
This adds a new generic library class IPSet, which precomputes
a reasonably-efficient data structure from the input list of
addresses and CIDR net/mask specs for fast runtime matching,
and then uses it to check trusted XFF-setters.
See also: 32b4f19f173fc5cff1029eedee63a39a2d72dd3a
Bug: 57021
Change-Id: Ia3b12fb90c3e7e492374a128943b014481cc2730
Swapped some "$var type" to "type $var" or added missing types
before the $var. Changed some other types to match the more common
spelling. Makes beginning of some text in captial.
Change-Id: I4ca5231119f33039d91da3b57a41cd40719a576b
* 5000 search results in a single page is too many to be useful and
just results in a slow page load. If you need that many results use
the API.
* Adds new parameter to WebRequest::getLimitOffset() to allow making
the 5000 limit configurable by callers
Change-Id: I7c12e4b0526db6453aaba5d589ee1c01a54b72d4
The Line continuation Coding conventions prefers the closing parenthesis
on the same line than the beginning curly braces. This is done for ifs
and functions.
Also move some boolean operator from the end of a line to the beginning
and changed some indentation to make the condition hopefully better
readable.
Change-Id: Id0437b06bde86eb5a75bc59eefa19e7edb624426
The use of static server detection outside of its intended use case
(i.e. at the start of DefaultSettings.php), for example in r93258, was
an architectural error. Every other bit of information about the web
request in non-setup code comes from non-static methods of WebRequest,
which allows the request object to be meaningfully replaced or
subclassed. The situation became increasingly ridiculous as more
callers of WebRequest::detectProtocol() were introduced. Two of the
callers were calling it non-statically! I suppose they had the right
idea, in a way.
Using a non-static call allows caching, which is a nice additional
benefit.
WebRequest::detectProtocolAndStdPort() was introduced in r93258 as part of
the introduction of WebRequest::detectProtocol(). It was basically
useless. Grep indicates there was only one caller in core and WMF
deployed extensions, and it is patched here.
Change-Id: Ia0a61e98fbff7a46ceaeebcb02236e5eac3df0e1
PHP documentation says this can theoretically return false on failure.
HHVM actually returns null when running from the command line, so
this does protect against that.
Change-Id: I0d75b8ed209128a9667ce1e7189597ae9ebc8af6
Make it possible to get the raw parameters given to the request, with
no escaping. This is needed for features like OAuth, where a signature
is calculated over the parameters to verify their integrity and source.
FauxRequest is extended so the original request doesn't pollute the
fake one. This could be extended so "raw" values could be set and used,
but there isn't a use case for that yet, so it's not done here.
Change-Id: I8710844f21d21cbbf28517b0cc25b0713b506bee
HTTP headers are case insensitive per spec, and WebRequest
treats them like that, so FauxRequest should too.
Change-Id: I4257af7a8de2792ac556c670dcc7f28e4af4cb44
* Always treat the first XFF IP from cache proxies as sane
even if it is a private IP (useful for things like labs wmf).
* Make sure IP::canonicalize() gets called if the IP is selected
from the XFF chain (this matches getRawIP()).
* Altered and expanded unit tests.
bug: 48919
Change-Id: I350aca72c7a96ba3ec727324800612fc84e0e7a4
Venema's taint feature was apparently never publicised beyond the
php-dev mailing list, and now there is a PECL taint extension which is
incompatible with the interface assumed here.
Grep confirms that wfArrayMap() is not used in any extensions.
Change-Id: I17d8d302947443262474c608829c7c7504bef589
* Only match consecutive slashes at the beginning of the URL, where
they are actually a problem.
* Fix bug 46607 in cases where the server provides an absolute URL.
Change-Id: Ibe00a6b8722786170d09b846c1c4054b73da3d9e
Multiple slashes at the start of the request url will look like a
protocol-relative url, so strip the extra slashes.
Bug: 46607
Change-Id: I34c3fc9d8f9467e83cd201cb099c2d26f3a39b36
* Removed spaces around array index
* Removed double spaces or added spaces to begin or end of function
calls, method signature, conditions or foreachs
* Added braces to one-line ifs
* Changed multi line conditions to one line conditions
* Realigned some arrays
Change-Id: Ia04d2a99d663b07101013c2d53b3b2e872fd9cc3
* Renamed WebRequest::exportUserSession -> RequestContext::exportSession.
Updated the only callers of this new function.
* Init the user with User::newFromId() instead of relying on the session
(which breaks when things like CentralAuth are enabled).
* Made RequestContext::exportSession() include the user ID.
* Removed now-redundant user ID checks in upload jobs.
* Added unit tests for the session import function.
Change-Id: I543e6766f7a8a828ea5d270328c3bc7738c6fe94
* Ran spell-checker over code comments in /includes/
* A few spellchecking fixes for wfDebug() calls
Found one very strange (NOOP?) line in Linker.php - see "TODO: BUG?"
Change-Id: Ibb86b51073b980eda9ecce2cf0b8dd33f058adbf
Doxygen expects parameter types to come before the
parameter name in @param tags. Used a quick regex
to switch everything around where possible. This
only fixes cases where a primitve variable (or a
primitive followed by other types) is the variable
type. Other cases will need to be fixed manually.
Change-Id: Ic59fd20856eb0489d70f3469a56ebce0efb3db13
* (bug 44080) Also carry-over the IP and HTTP header info.
* This adds a RequestContext::importScopedSession() function.
Change-Id: Ie9c0a4d78fb719569c8149b9cc8a5430f0ac5673
Added/removed spaces after opening/before closing parentheses
Added a space after a comma
Removed unneeded parentheses in condition
Change-Id: I306091347ccaaf11dee0cdfda3019cb0c12be51b
