Actually override initHeaders to avoid init of the header, if no header
was set.
The tests was taken from I4c06369968e.
Follows-up 578a0c082f.
Change-Id: I86b2a9bae2f5938374fd9e5e46997c3fdfe87e39
For testing, it can be useful for a FauxRequest to actually contain
cookies. And for convenience, it's useful to allow setting headers by
passing an array rather than by making multiple calls to ->setHeader().
Change-Id: I3b84246e954aae594490927d2b0a57336af2e3a5
See https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/
Ignoring SVN stuff because svn.wikimedia.org's SSL certificate has expired, and
ignoring wgSharedUploadPath because T25122 wants to get rid of it.
Also a couple of BZ -> phab changes
Change-Id: I02fd23ac6c30a4a4c718e57d4dedbc693dd653c0
wfSuppressWarnings() and wfRestoreWarnings() were split out into a
separate library. All usages in core were replaced with the new
functions, and the wf* global functions are marked as deprecated.
Additionally, some uses of @ were replaced due to composer's autoloader
being loaded even earlier.
Ie1234f8c12693408de9b94bf6f84480a90bd4f8e adds the library to
mediawiki/vendor.
Bug: T100923
Change-Id: I5c35079a0a656180852be0ae6b1262d40f6534c4
* Add a stub FauxRequest::initHeaders method. This allows FauxRequest to
use WebRequest's getHeader implemention, leading to less code duplication.
* Add an optional $flags parameter to WebRequest::getHeader. When the flag
WebRequest::GETHEADER_LIST is set, treat the header as a comma-separated
list of values (per RFC 2616 § 4.2) and return an array.
(Initial use-case: Ibb292d241's treatment of If-None-Match header.)
* Add test.
See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html>.
Change-Id: I2760f57adfa7b886c84044a6e9348a47ac307229
* Deprecate $wgRequestTime in favor of $_SERVER['REQUEST_TIME_FLOAT'], which is
more accurate. Because $_SERVER['REQUEST_TIME_FLOAT'] is only set for PHP
5.4+, set it to microtime( true ) in WebStart.php for back-compatibility.
* Add a 'requestTime' property to WebRequest objects, set to
$_SERVER['REQUEST_TIME_FLOAT'] for WebRequest or the instance creation time
for FauxRequest instances.
* Use that to provide WebRequest::getElapsedTime(), which gets the time since
the request was initiated.
* In wfLogProfilingData(), get the user and request objects from the context
object rather than from global scope.
Opportunistic clean-up: move the magic quotes check to WebStart.php and make
the error message more helpful.
Change-Id: I7e07e22eaf16b5141b80ad9f843285c542a127b7
This drops support for the custom utf8 normal PHP extension in favor
of the intl extension.
Bug: T90825
Change-Id: Ifbaeb2ef684217cf6187ccc4fb4d303f89608300
According to PHP documentation:
http://www.php.net/manual/en/reserved.variables.server.php
The $_SERVER['HTTPS'] is set to a non-empty value if the script was queried
through the HTTPS protocol. There is also note that for ISAPI with IIS, the
value is set to 'off' if the request was not made through the HTTPS protocol.
To follow the PHP documentation the $_SERVER['HTTPS'] == 'on' doesn't seem
to be the correct way how to detect the HTTPS protocol (there maybe e.g. '1'
instead of 'on').
Bug: 46511
Change-Id: I5675fed9b7d54711b96b25702181112ef3692f3c
All callers have been updated to provide their own getLocalUrl() calls as
appropriate, so deprecate calling appendQueryValue() and appendQueryArray()
with $onlyquery = false.
appendQuery() is now unused and deprecated as it always assumed $onlyquery = false
Change-Id: I142195c39f278165118a52143031008d9c68e01a
When $_SERVER['HTTP_X_FORWARDED_PROTO'] is set, keep the detected
protocol default port rather than using the local server port when
creating a canonical URL.
Bug: 70021
Change-Id: I2b37da5872929e1c461ff20cccf3dfe11f182a2f
WebRequest is no longer required to be a singleton for $wgRequest,
thanks to https://gerrit.wikimedia.org/r/144996
Change-Id: Ica629fd28d96f8ee77ee548b0a284abf24b1e780
- Swap "$variable type" to "type $variable"
- Added missing types
- Fixed spacing inside docs
- Makes beginning of @param/@return/@var/@throws in capital
- Changed some types to match the more common spelling
Change-Id: I783e4dbfe5f6f98b32b9a03ccf6439e13e132bcc
This "feature" of PHP has been disabled by default for quite some
time, deprecated in 5.3 and removed entirely in 5.4.
See <http://www.php.net/manual/en/security.magicquotes.php> for
information on why this practice is bad and how to disable it.
For MediaWiki, the removed todo comment says it all. Doing this
messes with all of the super globals and makes embedding MediaWiki
inside another application problematic. It also increases our
memory footprint for every single request even when the data might
not be used.
Finally, it makes it possible to instantiate new WebRequest objects
pretty much whenever you want, so there's no reason for $wgRequest
to exist anymore.
Bug: 11558
Change-Id: I4bc0392276f454ceb966547c7fbd7c8190ebbc7c
This function was deprecated in 1.20 and slated for removal in 1.22;
there were supposed to be warnings given in 1.21 but there does
not seem to be any use of this function otherwise in core.
Change-Id: If70a4e2c1509bf3527d5f8960c14115ce4ab713e
* Throw an error if there is no immediate server IP, otherwise the
XFF logic is wonky.
* Refactored the loop to be a bit easier to read.
* Better handle "unknown" entries in the XFF chain.
Change-Id: I9541afa408d895c3fd337a883ecfe4ce0ba57090
This adds a new generic library class IPSet, which precomputes
a reasonably-efficient data structure from the input list of
addresses and CIDR net/mask specs for fast runtime matching,
and then uses it to check trusted XFF-setters.
See also: 32b4f19f173fc5cff1029eedee63a39a2d72dd3a
Bug: 57021
Change-Id: Ia3b12fb90c3e7e492374a128943b014481cc2730
Swapped some "$var type" to "type $var" or added missing types
before the $var. Changed some other types to match the more common
spelling. Makes beginning of some text in captial.
Change-Id: I4ca5231119f33039d91da3b57a41cd40719a576b
* 5000 search results in a single page is too many to be useful and
just results in a slow page load. If you need that many results use
the API.
* Adds new parameter to WebRequest::getLimitOffset() to allow making
the 5000 limit configurable by callers
Change-Id: I7c12e4b0526db6453aaba5d589ee1c01a54b72d4
The Line continuation Coding conventions prefers the closing parenthesis
on the same line than the beginning curly braces. This is done for ifs
and functions.
Also move some boolean operator from the end of a line to the beginning
and changed some indentation to make the condition hopefully better
readable.
Change-Id: Id0437b06bde86eb5a75bc59eefa19e7edb624426
The use of static server detection outside of its intended use case
(i.e. at the start of DefaultSettings.php), for example in r93258, was
an architectural error. Every other bit of information about the web
request in non-setup code comes from non-static methods of WebRequest,
which allows the request object to be meaningfully replaced or
subclassed. The situation became increasingly ridiculous as more
callers of WebRequest::detectProtocol() were introduced. Two of the
callers were calling it non-statically! I suppose they had the right
idea, in a way.
Using a non-static call allows caching, which is a nice additional
benefit.
WebRequest::detectProtocolAndStdPort() was introduced in r93258 as part of
the introduction of WebRequest::detectProtocol(). It was basically
useless. Grep indicates there was only one caller in core and WMF
deployed extensions, and it is patched here.
Change-Id: Ia0a61e98fbff7a46ceaeebcb02236e5eac3df0e1
PHP documentation says this can theoretically return false on failure.
HHVM actually returns null when running from the command line, so
this does protect against that.
Change-Id: I0d75b8ed209128a9667ce1e7189597ae9ebc8af6
Make it possible to get the raw parameters given to the request, with
no escaping. This is needed for features like OAuth, where a signature
is calculated over the parameters to verify their integrity and source.
FauxRequest is extended so the original request doesn't pollute the
fake one. This could be extended so "raw" values could be set and used,
but there isn't a use case for that yet, so it's not done here.
Change-Id: I8710844f21d21cbbf28517b0cc25b0713b506bee
HTTP headers are case insensitive per spec, and WebRequest
treats them like that, so FauxRequest should too.
Change-Id: I4257af7a8de2792ac556c670dcc7f28e4af4cb44
* Always treat the first XFF IP from cache proxies as sane
even if it is a private IP (useful for things like labs wmf).
* Make sure IP::canonicalize() gets called if the IP is selected
from the XFF chain (this matches getRawIP()).
* Altered and expanded unit tests.
bug: 48919
Change-Id: I350aca72c7a96ba3ec727324800612fc84e0e7a4
Venema's taint feature was apparently never publicised beyond the
php-dev mailing list, and now there is a PECL taint extension which is
incompatible with the interface assumed here.
Grep confirms that wfArrayMap() is not used in any extensions.
Change-Id: I17d8d302947443262474c608829c7c7504bef589
* Only match consecutive slashes at the beginning of the URL, where
they are actually a problem.
* Fix bug 46607 in cases where the server provides an absolute URL.
Change-Id: Ibe00a6b8722786170d09b846c1c4054b73da3d9e
Multiple slashes at the start of the request url will look like a
protocol-relative url, so strip the extra slashes.
Bug: 46607
Change-Id: I34c3fc9d8f9467e83cd201cb099c2d26f3a39b36
* Removed spaces around array index
* Removed double spaces or added spaces to begin or end of function
calls, method signature, conditions or foreachs
* Added braces to one-line ifs
* Changed multi line conditions to one line conditions
* Realigned some arrays
Change-Id: Ia04d2a99d663b07101013c2d53b3b2e872fd9cc3
* Renamed WebRequest::exportUserSession -> RequestContext::exportSession.
Updated the only callers of this new function.
* Init the user with User::newFromId() instead of relying on the session
(which breaks when things like CentralAuth are enabled).
* Made RequestContext::exportSession() include the user ID.
* Removed now-redundant user ID checks in upload jobs.
* Added unit tests for the session import function.
Change-Id: I543e6766f7a8a828ea5d270328c3bc7738c6fe94
* Ran spell-checker over code comments in /includes/
* A few spellchecking fixes for wfDebug() calls
Found one very strange (NOOP?) line in Linker.php - see "TODO: BUG?"
Change-Id: Ibb86b51073b980eda9ecce2cf0b8dd33f058adbf
Doxygen expects parameter types to come before the
parameter name in @param tags. Used a quick regex
to switch everything around where possible. This
only fixes cases where a primitve variable (or a
primitive followed by other types) is the variable
type. Other cases will need to be fixed manually.
Change-Id: Ic59fd20856eb0489d70f3469a56ebce0efb3db13
* (bug 44080) Also carry-over the IP and HTTP header info.
* This adds a RequestContext::importScopedSession() function.
Change-Id: Ie9c0a4d78fb719569c8149b9cc8a5430f0ac5673
Added/removed spaces after opening/before closing parentheses
Added a space after a comma
Removed unneeded parentheses in condition
Change-Id: I306091347ccaaf11dee0cdfda3019cb0c12be51b
Changed WebRequest::getRawIP to check for values of
$_SERVER['REMOTE_ADDR'] that are either an array
or a comma separated list of IP addresses, and throw
an exception.
Original patch by Ilmari Karonen. Adapted from original
patch to work with newer MediaWiki version.
Change-Id: I4b3c56adf46b336c5032db3f2a1e621c873f0d83
From the docs:
On seriously malformed URLs, parse_url may return false and emit a E_WARNING
We're already checking for false, but we can get spammed with E_WARNING..
Change-Id: I44a9ef2b163e64113bd2a30b081c1256ffeada1e
When inserting XML elements inline <such as this one>, doxygen chokes
about it not being known. Simply enclosing the tag in double quotes
prevents doxygen from emitting a warning.
Also enclosed a few invalid functions calls such as \. and double quoted
the HTML entities such as &foobar;
Change-Id: I4019637145e683c2bec3d17b2fd98b0c50a932f1
Now in Accept-Language handling (in the language converter),
languages appearing earlier in the list are treated as more
preferred languages (variants).
Change-Id: Ic50d01f52dce1ae1f4f4e747d5f8b8399ca03b0b
It is an ugly piece of UI-related code in an infrastructure class.
Its only user, MobileFrontend, is currently in process of getting rid of it.
Patchset 2: Fixed commit message
Change-Id: I62f9f707532a95be01c1ecdcb1fbfbd0c4117be6
- $wgUsePathInfo is now only used on servers not passing REQUEST_URI to determine if PATH_INFO should be used
- WebRequest now extracts information from REQUEST_URI even when $wgUsePathInfo is false
- HTMLForm bases it's decision on whether or not to include a hidden 'title' input on whether $wgArticlePath uses a query instead of assuming that $wgUsePathInfo was used to set the article path
Change-Id: I1b461fef88b26d045f4edd7553b59255c5e595d8
- Update our woefully out of date doc comment for WebRequest::getPathInfo (we haven't simply been extracting a PATH_INFO for ages)
- Make PathRouter::makeWeight protected
- Add more comments to the PathRouter code
- Add two more edge case tests to the PathRouter tests.
