StreamFile.php

Go to the documentation of this file.

<?php
 
namespace MediaWiki\Output;
 
use InvalidArgumentException;
use MediaWiki\Context\RequestContext;
use MediaWiki\MainConfigNames;
use MediaWiki\MediaWikiServices;
use MediaWiki\Upload\UploadBase;
use Wikimedia\FileBackend\FileBackend;
use Wikimedia\FileBackend\HTTPFileStreamer;
 
class StreamFile {
 
    private const UNKNOWN_CONTENT_TYPE = 'unknown/unknown';
 
    public static function stream(
        $fname,
        $headers = [],
        $sendErrors = true,
        $optHeaders = [],
        $flags = 0
    ) {
        if ( FileBackend::isStoragePath( $fname ) ) {
            throw new InvalidArgumentException( __FUNCTION__ . " given storage path '$fname'." );
        }
 
        $streamer = new HTTPFileStreamer(
            $fname,
            [
                'obResetFunc' => wfResetOutputBuffers( ... ),
                'streamMimeFunc' => self::contentTypeFromPath( ... ),
                'headerFunc' => static function ( string $header ): void {
                    RequestContext::getMain()->getRequest()->response()->header( $header );
                },
            ]
        );
 
        return $streamer->stream( $headers, $sendErrors, $optHeaders, $flags );
    }
 
    public static function contentTypeFromPath( $filename, $safe = true ) {
        $services = MediaWikiServices::getInstance();
        // NOTE: TrivialMimeDetection is forced by ThumbnailEntryPoint. When this
        // code is moved to a non-static method in a service object, we can no
        // longer rely on that.
        $trivialMimeDetection = $services->getMainConfig()
            ->get( MainConfigNames::TrivialMimeDetection );
 
        $ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
 
        # trivial detection by file extension,
        # used for thumbnails (thumb.php)
        if ( $trivialMimeDetection ) {
            return match ( $ext ) {
                'gif' => 'image/gif',
                'png' => 'image/png',
                'jpg',
                'jpeg' => 'image/jpeg',
                'webp' => 'image/webp',
                default => self::UNKNOWN_CONTENT_TYPE,
            };
        }
 
        // Use the extension only, rather than magic numbers, to avoid opening
        // up vulnerabilities due to uploads of files with allowed extensions
        // but disallowed types.
        $type = $services->getMimeAnalyzer()->getMimeTypeFromExtensionOrNull( $ext );
 
        if ( $safe ) {
            $mainConfig = $services->getMainConfig();
            $prohibitedFileExtensions = $mainConfig->get( MainConfigNames::ProhibitedFileExtensions );
            $checkFileExtensions = $mainConfig->get( MainConfigNames::CheckFileExtensions );
            $strictFileExtensions = $mainConfig->get( MainConfigNames::StrictFileExtensions );
            $fileExtensions = $mainConfig->get( MainConfigNames::FileExtensions );
            $verifyMimeType = $mainConfig->get( MainConfigNames::VerifyMimeType );
            $mimeTypeExclusions = $mainConfig->get( MainConfigNames::MimeTypeExclusions );
            [ , $extList ] = UploadBase::splitExtensions( $filename );
            if ( UploadBase::checkFileExtensionList( $extList, $prohibitedFileExtensions ) ) {
                return self::UNKNOWN_CONTENT_TYPE;
            }
            if (
                $checkFileExtensions &&
                $strictFileExtensions &&
                !UploadBase::checkFileExtensionList( $extList, $fileExtensions )
            ) {
                return self::UNKNOWN_CONTENT_TYPE;
            }
            if ( $verifyMimeType && $type !== null && in_array( strtolower( $type ), $mimeTypeExclusions ) ) {
                return self::UNKNOWN_CONTENT_TYPE;
            }
        }
        return $type;
    }
}
 
class_alias( StreamFile::class, 'StreamFile' );