All callers have been updated to provide their own getLocalUrl() calls as
appropriate, so deprecate calling appendQueryValue() and appendQueryArray()
with $onlyquery = false.
appendQuery() is now unused and deprecated as it always assumed $onlyquery = false
Change-Id: I142195c39f278165118a52143031008d9c68e01a
When $_SERVER['HTTP_X_FORWARDED_PROTO'] is set, keep the detected
protocol default port rather than using the local server port when
creating a canonical URL.
Bug: 70021
Change-Id: I2b37da5872929e1c461ff20cccf3dfe11f182a2f
WebRequest is no longer required to be a singleton for $wgRequest,
thanks to https://gerrit.wikimedia.org/r/144996
Change-Id: Ica629fd28d96f8ee77ee548b0a284abf24b1e780
- Swap "$variable type" to "type $variable"
- Added missing types
- Fixed spacing inside docs
- Makes beginning of @param/@return/@var/@throws in capital
- Changed some types to match the more common spelling
Change-Id: I783e4dbfe5f6f98b32b9a03ccf6439e13e132bcc
This "feature" of PHP has been disabled by default for quite some
time, deprecated in 5.3 and removed entirely in 5.4.
See <http://www.php.net/manual/en/security.magicquotes.php> for
information on why this practice is bad and how to disable it.
For MediaWiki, the removed todo comment says it all. Doing this
messes with all of the super globals and makes embedding MediaWiki
inside another application problematic. It also increases our
memory footprint for every single request even when the data might
not be used.
Finally, it makes it possible to instantiate new WebRequest objects
pretty much whenever you want, so there's no reason for $wgRequest
to exist anymore.
Bug: 11558
Change-Id: I4bc0392276f454ceb966547c7fbd7c8190ebbc7c
This function was deprecated in 1.20 and slated for removal in 1.22;
there were supposed to be warnings given in 1.21 but there does
not seem to be any use of this function otherwise in core.
Change-Id: If70a4e2c1509bf3527d5f8960c14115ce4ab713e
* Throw an error if there is no immediate server IP, otherwise the
XFF logic is wonky.
* Refactored the loop to be a bit easier to read.
* Better handle "unknown" entries in the XFF chain.
Change-Id: I9541afa408d895c3fd337a883ecfe4ce0ba57090
This adds a new generic library class IPSet, which precomputes
a reasonably-efficient data structure from the input list of
addresses and CIDR net/mask specs for fast runtime matching,
and then uses it to check trusted XFF-setters.
See also: 32b4f19f173fc5cff1029eedee63a39a2d72dd3a
Bug: 57021
Change-Id: Ia3b12fb90c3e7e492374a128943b014481cc2730
Swapped some "$var type" to "type $var" or added missing types
before the $var. Changed some other types to match the more common
spelling. Makes beginning of some text in capital.
Change-Id: I4ca5231119f33039d91da3b57a41cd40719a576b
* 5000 search results in a single page is too many to be useful and
just results in a slow page load. If you need that many results use
the API.
* Adds new parameter to WebRequest::getLimitOffset() to allow making
the 5000 limit configurable by callers
Change-Id: I7c12e4b0526db6453aaba5d589ee1c01a54b72d4
The Line continuation Coding conventions prefer the closing parenthesis
on the same line as the beginning curly braces. This is done for ifs
and functions.
Also move some boolean operators from the end of a line to the beginning
and changed some indentation to make the condition hopefully better
readable.
Change-Id: Id0437b06bde86eb5a75bc59eefa19e7edb624426
The use of static server detection outside of its intended use case
(i.e. at the start of DefaultSettings.php), for example in r93258, was
an architectural error. Every other bit of information about the web
request in non-setup code comes from non-static methods of WebRequest,
which allows the request object to be meaningfully replaced or
subclassed. The situation became increasingly ridiculous as more
callers of WebRequest::detectProtocol() were introduced. Two of the
callers were calling it non-statically! I suppose they had the right
idea, in a way.
Using a non-static call allows caching, which is a nice additional
benefit.
WebRequest::detectProtocolAndStdPort() was introduced in r93258 as part of
the introduction of WebRequest::detectProtocol(). It was basically
useless. Grep indicates there was only one caller in core and WMF
deployed extensions, and it is patched here.
Change-Id: Ia0a61e98fbff7a46ceaeebcb02236e5eac3df0e1
PHP documentation says this can theoretically return false on failure.
HHVM actually returns null when running from the command line, so
this does protect against that.
Change-Id: I0d75b8ed209128a9667ce1e7189597ae9ebc8af6
Make it possible to get the raw parameters given to the request, with
no escaping. This is needed for features like OAuth, where a signature
is calculated over the parameters to verify their integrity and source.
FauxRequest is extended so the original request doesn't pollute the
fake one. This could be extended so "raw" values could be set and used,
but there isn't a use case for that yet, so it's not done here.
Change-Id: I8710844f21d21cbbf28517b0cc25b0713b506bee
HTTP headers are case insensitive per spec, and WebRequest
treats them like that, so FauxRequest should too.
Change-Id: I4257af7a8de2792ac556c670dcc7f28e4af4cb44
* Always treat the first XFF IP from cache proxies as sane
even if it is a private IP (useful for things like labs wmf).
* Make sure IP::canonicalize() gets called if the IP is selected
from the XFF chain (this matches getRawIP()).
* Altered and expanded unit tests.
bug: 48919
Change-Id: I350aca72c7a96ba3ec727324800612fc84e0e7a4
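The trust walk that this commit and the XFF refactoring commit further up describe, as an added example that is not MediaWiki's implementation: `resolveClientIp()`, `ipInCidr()` and every address are assumptions made for illustration. Trusted proxies are matched with a linear CIDR scan, and the public/private distinction mentioned above is not modelled.

```php
<?php
// Added illustration, not MediaWiki code; all names and addresses are hypothetical.
/** True if $ip is inside $cidr ("10.0.0.0/8", "2001:db8::/32") or equals a bare address. */
function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared against IPv6
    }
    $max = strlen($ipBin) * 8;
    if ($bits !== null && (!ctype_digit($bits) || (int)$bits > $max)) {
        return false; // reject malformed prefix lengths instead of guessing
    }
    $bits = $bits === null ? $max : (int)$bits;
    $bytes = intdiv($bits, 8);
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // 0 when the prefix ends on a byte boundary
    return substr($ipBin, 0, $bytes) === substr($netBin, 0, $bytes)
        && ($mask === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask));
}

/** Walk X-Forwarded-For from the nearest hop outward, believing only trusted proxies. */
function resolveClientIp(?string $remoteAddr, ?string $xff, array $trusted): string {
    // No single valid peer address: fail instead of falling back to header data.
    if ($remoteAddr === null || filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException('Unable to determine the immediate peer IP');
    }
    $ip = $remoteAddr;
    // The rightmost XFF entry was appended by the direct peer, so read right to left.
    $chain = $xff === null ? [] : array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($chain as $next) {
        $ipTrusted = false;
        foreach ($trusted as $cidr) {
            $ipTrusted = $ipTrusted || ipInCidr($ip, $cidr);
        }
        // Stop at the first hop that is not ours, or at "unknown"/malformed entries.
        if (!$ipTrusted || filter_var($next, FILTER_VALIDATE_IP) === false) {
            break;
        }
        $ip = $next;
    }
    return $ip;
}

// Constructed sample: 10.0.0.5 is our cache proxy and 203.0.113.7 the peer it saw;
// the leading 198.51.100.9 was supplied by the client itself.
$trusted = ['10.0.0.0/8'];
echo resolveClientIp('10.0.0.5', '198.51.100.9, 203.0.113.7', $trusted), "\n";
echo resolveClientIp('10.0.0.5', 'unknown', $trusted), "\n";
```

Because the walk stops at the first address that is not a trusted proxy, entries a client prepends to the header are never adopted as the client IP.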
Venema's taint feature was apparently never publicised beyond the
php-dev mailing list, and now there is a PECL taint extension which is
incompatible with the interface assumed here.
Grep confirms that wfArrayMap() is not used in any extensions.
Change-Id: I17d8d302947443262474c608829c7c7504bef589
* Only match consecutive slashes at the beginning of the URL, where
they are actually a problem.
* Fix bug 46607 in cases where the server provides an absolute URL.
Change-Id: Ibe00a6b8722786170d09b846c1c4054b73da3d9e
Multiple slashes at the start of the request url will look like a
protocol-relative url, so strip the extra slashes.
Bug: 46607
Change-Id: I34c3fc9d8f9467e83cd201cb099c2d26f3a39b36
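The ambiguity these two slash-handling commits address, as an added example that is not MediaWiki's code: `localRequestTarget()` and `hostSeenByParser()` are hypothetical names, and `example.org` and `wiki.test` are constructed hosts. It shows how PHP's `parse_url()` attributes a host to a target that begins with `//`, and that collapsing only the leading run of slashes removes that reading.

```php
<?php
// Added illustration, not MediaWiki code; function names are hypothetical.

/** Reduce a request target to a local path-and-query that cannot be read as "//host/...". */
function localRequestTarget(string $target): string {
    if ($target !== '' && $target[0] === '/') {
        // Origin-form: only the leading run of slashes is ambiguous; a later "//" is kept.
        return preg_replace('!^/+!', '/', $target);
    }
    // Absolute-form ("http://host//path"): drop scheme and host, then apply the same rule.
    return preg_replace('!^[^:/]+://[^/]*/+!', '/', $target);
}

/** Host that parse_url() would attribute to the target, or null for a plain path. */
function hostSeenByParser(string $target): ?string {
    $parts = parse_url($target);
    return is_array($parts) ? ($parts['host'] ?? null) : null;
}

// Constructed inputs; example.org stands in for a host unrelated to the wiki.
$samples = ['//example.org/wiki/Foo', 'http://wiki.test//example.org/wiki/Foo', '/wiki/A//B'];
foreach ($samples as $raw) {
    $fixed = localRequestTarget($raw);
    printf("%-40s host=%-14s -> %-24s host=%s\n",
        $raw, var_export(hostSeenByParser($raw), true),
        $fixed, var_export(hostSeenByParser($fixed), true));
}
```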
* Removed spaces around array index
* Removed double spaces or added spaces to begin or end of function
calls, method signature, conditions or foreachs
* Added braces to one-line ifs
* Changed multi line conditions to one line conditions
* Realigned some arrays
Change-Id: Ia04d2a99d663b07101013c2d53b3b2e872fd9cc3
* Renamed WebRequest::exportUserSession -> RequestContext::exportSession.
Updated the only callers of this new function.
* Init the user with User::newFromId() instead of relying on the session
(which breaks when things like CentralAuth are enabled).
* Made RequestContext::exportSession() include the user ID.
* Removed now-redundant user ID checks in upload jobs.
* Added unit tests for the session import function.
Change-Id: I543e6766f7a8a828ea5d270328c3bc7738c6fe94
* Ran spell-checker over code comments in /includes/
* A few spellchecking fixes for wfDebug() calls
Found one very strange (NOOP?) line in Linker.php - see "TODO: BUG?"
Change-Id: Ibb86b51073b980eda9ecce2cf0b8dd33f058adbf
Doxygen expects parameter types to come before the
parameter name in @param tags. Used a quick regex
to switch everything around where possible. This
only fixes cases where a primitive variable (or a
primitive followed by other types) is the variable
type. Other cases will need to be fixed manually.
Change-Id: Ic59fd20856eb0489d70f3469a56ebce0efb3db13
* (bug 44080) Also carry-over the IP and HTTP header info.
* This adds a RequestContext::importScopedSession() function.
Change-Id: Ie9c0a4d78fb719569c8149b9cc8a5430f0ac5673
Added/removed spaces after opening/before closing parentheses
Added a space after a comma
Removed unneeded parentheses in condition
Change-Id: I306091347ccaaf11dee0cdfda3019cb0c12be51b
Changed WebRequest::getRawIP to check for values of
$_SERVER['REMOTE_ADDR'] that are either an array
or a comma separated list of IP addresses, and throw
an exception.
Original patch by Ilmari Karonen. Adapted from original
patch to work with newer MediaWiki version.
Change-Id: I4b3c56adf46b336c5032db3f2a1e621c873f0d83
From the docs:
On seriously malformed URLs, parse_url may return false and emit a E_WARNING
We're already checking for false, but we can get spammed with E_WARNING..
Change-Id: I44a9ef2b163e64113bd2a30b081c1256ffeada1e
When inserting XML elements inline <such as this one>, doxygen chokes
about it not being known. Simply enclosing the tag in double quotes
prevents doxygen from emitting a warning.
Also enclosed a few invalid function calls such as \. and double quoted
the HTML entities such as &foobar;
Change-Id: I4019637145e683c2bec3d17b2fd98b0c50a932f1
Now in Accept-Language handling (in the language converter),
languages appearing earlier in the list are treated as more
preferred languages (variants).
Change-Id: Ic50d01f52dce1ae1f4f4e747d5f8b8399ca03b0b
It is an ugly piece of UI-related code in an infrastructure class.
Its only user, MobileFrontend, is currently in process of getting rid of it.
Patchset 2: Fixed commit message
Change-Id: I62f9f707532a95be01c1ecdcb1fbfbd0c4117be6
- $wgUsePathInfo is now only used on servers not passing REQUEST_URI to determine if PATH_INFO should be used
- WebRequest now extracts information from REQUEST_URI even when $wgUsePathInfo is false
- HTMLForm bases its decision on whether or not to include a hidden 'title' input on whether $wgArticlePath uses a query instead of assuming that $wgUsePathInfo was used to set the article path
Change-Id: I1b461fef88b26d045f4edd7553b59255c5e595d8
- Update our woefully out of date doc comment for WebRequest::getPathInfo (we haven't simply been extracting a PATH_INFO for ages)
- Make PathRouter::makeWeight protected
- Add more comments to the PathRouter code
- Add two more edge case tests to the PathRouter tests.
Also update img_auth.php so its abuse of $wg variables is done in a way that doesn't let "/*" action paths clobber its handling.
This should theoretically fix bug 32486.
- Allow extensions to hook into WebRequest::getPathInfo and add to or alter the way titles are extracted from paths
- Add a $variant argument to the GetLocalURL hook; It's always had $query, but never had $variant. As a result extensions using GetLocalURL never knew if getLocalURL and have the possibility of trying to change the url in cases where they shouldn't and as a result breaking links on wiki with language variants.
- Add GetLocalURL::Internal hook for non-interwiki links. These kinds of links internally use a ugly hack for action=render and an extension using GetLocalURL can be buggy in render mode if they don't re-implement the same ugly hack that MW does. This ::Internal hook runs before the hack does so extension authors don't need to be exposed to our ugly hacky code.
- Add GetLocalURL::Article hook specifically for url tweaks to pretty urls (ie: Only when we would apply $wgArticlePath); This hook avoids the need for extensions that only want to tweak pretty url output. This hook avoids the need to make a bunch of tests for things like !$title->isExternal(), $query == '', and $variant === false which getLocalURL does and could potentially change in the future making wider GetLocalURL hooks change in function requiring extension updates.
* Fix a bug in rNNNNN where URLs like '/wiki/Foo' weren't expanded completely if $wgServer was protocol-relative. This caused bug NNNNN.
* Add an optional second parameter to wfExpandUrl(), which takes one of the PROT_* constants. This allows the caller to determine which protocol should be used if the given URL is protocol-relative, or the given URL is domain-relative but $wgServer is protocol-relative. The options are PROT_HTTP (use http), PROT_HTTPS (use https), PROT_RELATIVE (keep the URL as protocol-relative), and PROT_CURRENT (use http if the current request is http, or https if the current request is https; this is the default).
* Factor the protocol/port detection part of WebRequest::detectServer() out into detectProtocolAndStdPort(), and add detectProtocol() as a wrapper. The latter is used by wfExpandUrl() in PROT_CURRENT mode.
* Rewrite the test suite to test all possible combinations of $wgServer, $defaultProto, $url and HTTP/HTTPS mode. This means the test suite now has 120 test cases rather than 4.
* Actually removed $wgProto.
* Per Aryeh's suggestions on the future of $wgServer: made $wgServer detection in DefaultSettings.php more permanent by merging it with the new code from r90105. This means that bug 14977 is properly fixed now.
* Require entry points to set up the autoloader before including DefaultSettings.php. Comments on bug 14977 indicate that at some point in the past, this may have broken something. Anything that breaks now should just be fixed, we need the autoloader. Tested the most common entry points.
* Since the detection code has moved from Installer to WebRequest, I also moved the relevant test file and updated the test. The function under test is now public static, so r90154 is superseded.
* Moved most of the bug 28235 code out to a separate library class, since I was running out of distinct function names.
* Merged the QUERY_STRING and PATH_INFO security checks, since they are dealing with the exact same problem. Removed WebRequest::isQueryStringBad().
* Deal with img_auth.php by having it specify what extension it expects to be streaming out. This extension can then be compared with the extension that IE might detect.
* Fixed a logic error in WebRequest::isPathInfoBad() from r88883, which caused dangerous PATH_INFO strings to be allowed as long as QUERY_STRING was set.
* Refactored the query string checks in WebRequest and img_auth.php into a single new function: isQueryStringBad().
* Modified WebRequest::findIE6Extension() to fix the performance issue and the hash parsing issue I noted on CR
* In FindIE6ExtensionTest, fixed all the assertEquals() calls, I had the expected and actual around the wrong way
* Added a couple of extra tests for cases that seemed important during the rewrite.
* Replace the overly paranoid regex with a function that simulates IE6's behavior
* Remove the UA check in isPathInfoBad(), was causing more problems than it was worth
* Revert r87711, going back to using dots for dots in ResourceLoader URLs, instead of exclamation marks
* Append &* to ResourceLoader URLs. * is an illegal character in extensions, and putting it at the end of the URL ensures that both IE6 and our detection function will deem the URL to have no extension (unless something like .html? appears in the query string, but in that case we're screwed no matter what)
Added option request parameter to User::editToken() and User::matchEditToken() and use them where possible from the api.
Also removed $_SESSION usage since it's no longer needed
* Made appendQuery() use appendQueryArray() by using wfCgiToArray()
* Introduced getQueryValues() to get values passed in the query string; FauxRequest will return an empty array when faking a POST request
PHP Notice: Undefined variable: matches in /home/ci/cruisecontrol-bin-2.8.3/projects/mw/source/includes/WebRequest.php on line 109
Explicitly define $matches at top of function, allowing it to always be defined for all paths