56 protected $mTitle =
false;
58 protected $mTitleError = 0;
115 self::EMPTY_FILE =>
'empty-file',
116 self::FILE_TOO_LARGE =>
'file-too-large',
117 self::FILETYPE_MISSING =>
'filetype-missing',
118 self::FILETYPE_BADTYPE =>
'filetype-banned',
119 self::MIN_LENGTH_PARTNAME =>
'filename-tooshort',
120 self::ILLEGAL_FILENAME =>
'illegal-filename',
121 self::OVERWRITE_EXISTING_FILE =>
'overwrite',
122 self::VERIFICATION_ERROR =>
'verification-error',
123 self::HOOK_ABORTED =>
'hookaborted',
124 self::WINDOWS_NONASCII_FILENAME =>
'windows-nonascii-filename',
125 self::FILENAME_TOO_LONG =>
'filename-toolong',
127 return $code_to_status[$error] ??
'unknown-error';
138 return $wgEnableUploads &&
wfIniGetBool(
'file_uploads' );
150 $permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
151 foreach ( [
'upload',
'edit' ] as $permission ) {
152 if ( !$permissionManager->userHasRight( $user, $permission ) ) {
167 return $user->pingLimiter(
'upload' );
181 $type =
$type ?: $request->getVal(
'wpSourceType',
'File' );
193 if ( is_null( $className ) ) {
194 $className =
'UploadFrom' .
$type;
195 wfDebug( __METHOD__ .
": class name: $className\n" );
196 if ( !in_array(
$type, self::$uploadHandlers ) ) {
202 if ( !call_user_func( [ $className,
'isEnabled' ] ) ) {
207 if ( !call_user_func( [ $className,
'isValidRequest' ], $request ) ) {
212 $handler =
new $className;
214 $handler->initializeFromRequest( $request );
250 $this->mDesiredDestName = $name;
252 throw new MWException( __METHOD__ .
" given storage path `$tempPath`." );
256 $this->mRemoveTempFile = $removeTempFile;
271 $this->mTempPath = $tempPath;
272 $this->mFileSize = $fileSize ?: null;
273 if ( strlen( $this->mTempPath ) && file_exists( $this->mTempPath ) ) {
274 $this->tempFileObj =
new TempFSFile( $this->mTempPath );
276 $this->mFileSize = filesize( $this->mTempPath );
279 $this->tempFileObj = null;
296 return empty( $this->mFileSize );
325 $tmpFile = $repo->getLocalCopy( $srcPath );
327 $tmpFile->bind( $this );
329 $path = $tmpFile ? $tmpFile->getPath() :
false;
346 return [
'status' => self::EMPTY_FILE ];
353 if ( $this->mFileSize > $maxSize ) {
355 'status' => self::FILE_TOO_LARGE,
366 if ( $verification !==
true ) {
368 'status' => self::VERIFICATION_ERROR,
369 'details' => $verification
377 if ( $result !==
true ) {
381 return [
'status' => self::OK ];
392 if ( is_null( $nt ) ) {
394 if ( $this->mTitleError == self::ILLEGAL_FILENAME ) {
397 if ( $this->mTitleError == self::FILETYPE_BADTYPE ) {
399 if ( count( $this->mBlackListedExtensions ) ) {
422 if ( $wgVerifyMimeType ) {
423 wfDebug(
"mime: <$mime> extension: <{$this->mFinalExtension}>\n" );
426 return [
'filetype-badmime', $mime ];
429 if ( $wgVerifyMimeTypeIE ) {
430 # Check what Internet Explorer would detect 431 $fp = fopen( $this->mTempPath,
'rb' );
432 $chunk = fread( $fp, 256 );
436 $extMime = $magic->guessTypesForExtension( $this->mFinalExtension );
437 $ieTypes = $magic->getIEMimeTypes( $this->mTempPath, $chunk, $extMime );
438 foreach ( $ieTypes as $ieType ) {
440 return [
'filetype-bad-ie-mime', $ieType ];
458 if ( $status !==
true ) {
463 $this->mFileProps = $mwProps->getPropsFromPath( $this->mTempPath, $this->mFinalExtension );
464 $mime = $this->mFileProps[
'mime'];
466 if ( $wgVerifyMimeType ) {
467 # XXX: Missing extension will be caught by validateName() via getTitle() 468 if ( $this->mFinalExtension !=
'' && !$this->
verifyExtension( $mime, $this->mFinalExtension ) ) {
473 # check for htmlish code and javascript 474 if ( !$wgDisableUploadScriptChecks ) {
475 if ( $this->mFinalExtension ==
'svg' || $mime ==
'image/svg+xml' ) {
477 if ( $svgStatus !==
false ) {
485 $handlerStatus = $handler->verifyUpload( $this->mTempPath );
486 if ( !$handlerStatus->isOK() ) {
487 $errors = $handlerStatus->getErrorsArray();
489 return reset( $errors );
494 Hooks::run(
'UploadVerifyFile', [ $this, $mime, &$error ] );
495 if ( $error !==
true ) {
496 if ( !is_array( $error ) ) {
502 wfDebug( __METHOD__ .
": all clear; passing.\n" );
518 # getTitle() sets some internal parameters like $this->mFinalExtension 522 $this->mFileProps = $mwProps->getPropsFromPath( $this->mTempPath, $this->mFinalExtension );
524 # check MIME type, if desired 525 $mime = $this->mFileProps[
'file-mime'];
527 if ( $status !==
true ) {
531 # check for htmlish code and javascript 532 if ( !$wgDisableUploadScriptChecks ) {
533 if ( self::detectScript( $this->mTempPath, $mime, $this->mFinalExtension ) ) {
534 return [
'uploadscripted' ];
536 if ( $this->mFinalExtension ==
'svg' || $mime ==
'image/svg+xml' ) {
538 if ( $svgStatus !==
false ) {
544 # Check for Java applets, which if uploaded can bypass cross-site 546 if ( !$wgAllowJavaUploads ) {
547 $this->mJavaDetected =
false;
549 [ $this,
'zipEntryCallback' ] );
550 if ( !$zipStatus->isOK() ) {
551 $errors = $zipStatus->getErrorsArray();
552 $error = reset( $errors );
553 if ( $error[0] !==
'zip-wrong-format' ) {
557 if ( $this->mJavaDetected ) {
558 return [
'uploadjava' ];
562 # Scan the uploaded file for viruses 565 return [
'uploadvirus', $virus ];
577 $names = [ $entry[
'name'] ];
584 $nullPos = strpos( $entry[
'name'],
"\000" );
585 if ( $nullPos !==
false ) {
586 $names[] = substr( $entry[
'name'], 0, $nullPos );
591 if ( preg_grep(
'!\.class/?$!', $names ) ) {
592 $this->mJavaDetected =
true;
626 if ( is_null( $nt ) ) {
629 $permErrors = $nt->getUserPermissionsErrors(
'edit', $user );
630 $permErrorsUpload = $nt->getUserPermissionsErrors(
'upload', $user );
631 if ( !$nt->exists() ) {
632 $permErrorsCreate = $nt->getUserPermissionsErrors(
'create', $user );
634 $permErrorsCreate = [];
636 if ( $permErrors || $permErrorsUpload || $permErrorsCreate ) {
637 $permErrors = array_merge( $permErrors,
wfArrayDiff2( $permErrorsUpload, $permErrors ) );
638 $permErrors = array_merge( $permErrors,
wfArrayDiff2( $permErrorsCreate, $permErrors ) );
644 if ( $overwriteError !==
true ) {
645 return [ $overwriteError ];
662 $localFile->load( File::READ_LATEST );
663 $filename = $localFile->getName();
666 $badFileName = $this->
checkBadFileName( $filename, $this->mDesiredDestName );
667 if ( $badFileName !== null ) {
668 $warnings[
'badfilename'] = $badFileName;
672 if ( $unwantedFileExtensionDetails !== null ) {
673 $warnings[
'filetype-unwanted-type'] = $unwantedFileExtensionDetails;
676 $fileSizeWarnings = $this->
checkFileSize( $this->mFileSize );
677 if ( $fileSizeWarnings ) {
678 $warnings = array_merge( $warnings, $fileSizeWarnings );
682 if ( $localFileExistsWarnings ) {
683 $warnings = array_merge( $warnings, $localFileExistsWarnings );
687 $warnings[
'was-deleted'] = $filename;
692 $ignoreLocalDupes = isset( $warnings[
'exists '] );
695 $warnings[
'duplicate'] = $dupes;
699 if ( $archivedDupes !== null ) {
700 $warnings[
'duplicate-archive'] = $archivedDupes;
718 array_walk_recursive( $warnings,
function ( &$param, $key ) {
719 if ( $param instanceof
File ) {
721 'fileName' => $param->getName(),
722 'timestamp' => $param->getTimestamp()
724 } elseif ( is_object( $param ) ) {
726 'UploadBase::makeWarningsSerializable: ' .
727 'Unexpected object of class ' . get_class( $param ) );
743 $comparableName = str_replace(
' ',
'_', $desiredFileName );
746 if ( $desiredFileName != $filename && $comparableName != $filename ) {
764 if ( $wgCheckFileExtensions ) {
765 $extensions = array_unique( $wgFileExtensions );
769 $wgLang->commaList( $extensions ),
788 if ( $wgUploadSizeWarning && ( $fileSize > $wgUploadSizeWarning ) ) {
792 if ( $fileSize == 0 ) {
793 $warnings[
'empty-file'] =
true;
808 $exists = self::getExistsWarning( $localFile );
809 if ( $exists !==
false ) {
810 $warnings[
'exists'] = $exists;
813 if ( $hash === $localFile->
getSha1() ) {
814 $warnings[
'no-change'] = $localFile;
819 foreach ( $history as $oldFile ) {
820 if ( $hash === $oldFile->getSha1() ) {
821 $warnings[
'duplicate-version'][] = $oldFile;
842 foreach ( $dupes as $key => $dupe ) {
846 $title->equals( $dupe->getTitle() )
848 unset( $dupes[$key] );
863 if ( $archivedFile->getID() > 0 ) {
865 return $archivedFile->getName();
887 public function performUpload( $comment, $pageText, $watch, $user, $tags = [] ) {
892 Hooks::run(
'UploadVerifyUpload', [ $this, $user, $props, $comment, $pageText, &$error ] );
894 if ( !is_array( $error ) ) {
911 if ( $status->isGood() ) {
921 Hooks::run(
'UploadComplete', [ &$uploadBase ] );
944 if ( $this->mTitle !==
false ) {
947 if ( !is_string( $this->mDesiredDestName ) ) {
948 $this->mTitleError = self::ILLEGAL_FILENAME;
949 $this->mTitle = null;
958 $this->mFilteredName =
$title->getDBkey();
963 # oi_archive_name is max 255 bytes, which include a timestamp and an 964 # exclamation mark, so restrict file name to 240 bytes. 965 if ( strlen( $this->mFilteredName ) > 240 ) {
966 $this->mTitleError = self::FILENAME_TOO_LONG;
967 $this->mTitle = null;
980 if ( is_null( $nt ) ) {
981 $this->mTitleError = self::ILLEGAL_FILENAME;
982 $this->mTitle = null;
986 $this->mFilteredName = $nt->
getDBkey();
995 $this->mFinalExtension = trim( end(
$ext ) );
997 $this->mFinalExtension =
'';
999 # No extension, try guessing one 1001 $mime = $magic->guessMimeType( $this->mTempPath );
1002 if ( $mime !==
'unknown/unknown' ) {
1003 # Get a space separated list of extensions 1004 $extList = $magic->getExtensionsForType( $mime );
1006 # Set the extension to the canonical extension 1007 $this->mFinalExtension = strtok( $extList,
' ' );
1009 # Fix up the other variables 1010 $this->mFilteredName .=
".{$this->mFinalExtension}";
1023 if ( $this->mFinalExtension ==
'' ) {
1024 $this->mTitleError = self::FILETYPE_MISSING;
1025 $this->mTitle = null;
1028 } elseif ( $blackListedExtensions ||
1029 ( $wgCheckFileExtensions && $wgStrictFileExtensions &&
1032 $this->mBlackListedExtensions = $blackListedExtensions;
1033 $this->mTitleError = self::FILETYPE_BADTYPE;
1034 $this->mTitle = null;
1040 if ( !preg_match(
'/^[\x0-\x7f]*$/', $nt->getText() )
1043 $this->mTitleError = self::WINDOWS_NONASCII_FILENAME;
1044 $this->mTitle = null;
1049 # If there was more than one "extension", reassemble the base 1050 # filename to prevent bogus complaints about length 1051 if ( count(
$ext ) > 1 ) {
1052 $iterations = count(
$ext ) - 1;
1053 for ( $i = 0; $i < $iterations; $i++ ) {
1054 $partname .=
'.' .
$ext[$i];
1058 if ( strlen( $partname ) < 1 ) {
1059 $this->mTitleError = self::MIN_LENGTH_PARTNAME;
1060 $this->mTitle = null;
1065 $this->mTitle = $nt;
1076 if ( is_null( $this->mLocalFile ) ) {
1078 $this->mLocalFile = is_null( $nt ) ? null :
wfLocalFile( $nt );
1103 if ( !$isPartial ) {
1113 return Status::newFatal(
'uploadstash-exception', get_class( $e ), $e->getMessage() );
1124 Hooks::run(
'UploadStashFile', [ $this, $user, $props, &$error ] );
1125 if ( $error && !is_array( $error ) ) {
1126 $error = [ $error ];
1165 $this->mStashFile =
$file;
1175 if ( $this->mRemoveTempFile && $this->tempFileObj ) {
1177 wfDebug( __METHOD__ .
": Marked temporary file '{$this->mTempPath}' for removal\n" );
1178 $this->tempFileObj->autocollect();
1196 $bits = explode(
'.', $filename );
1197 $basename = array_shift( $bits );
1199 return [ $basename, $bits ];
1211 return in_array( strtolower(
$ext ), $list );
1223 return array_intersect( array_map(
'strtolower',
$ext ), $list );
1236 if ( !$mime || $mime ==
'unknown' || $mime ==
'unknown/unknown' ) {
1237 if ( !$magic->isRecognizableExtension( $extension ) ) {
1238 wfDebug( __METHOD__ .
": passing file with unknown detected mime type; " .
1239 "unrecognized extension '$extension', can't verify\n" );
1243 wfDebug( __METHOD__ .
": rejecting file with unknown detected mime type; " .
1244 "recognized extension '$extension', so probably invalid file\n" );
1250 $match = $magic->isMatchingExtension( $extension, $mime );
1252 if ( $match === null ) {
1253 if ( $magic->getTypesForExtension( $extension ) !== null ) {
1254 wfDebug( __METHOD__ .
": No extension known for $mime, but we know a mime for $extension\n" );
1258 wfDebug( __METHOD__ .
": no file extension known for mime type $mime, passing file\n" );
1262 } elseif ( $match ===
true ) {
1263 wfDebug( __METHOD__ .
": mime type $mime matches extension $extension, passing file\n" );
1269 .
": mime type $mime mismatches file extension $extension, rejecting file\n" );
1287 # ugly hack: for text files, always look at the entire file. 1288 # For binary field, just check the first K. 1290 $isText = strpos( $mime,
'text/' ) === 0;
1292 $chunk = file_get_contents(
$file );
1294 $fp = fopen(
$file,
'rb' );
1295 $chunk = fread( $fp, 1024 );
1299 $chunk = strtolower( $chunk );
1305 # decode from UTF-16 if needed (could be used for obfuscation). 1306 if ( substr( $chunk, 0, 2 ) ==
"\xfe\xff" ) {
1308 } elseif ( substr( $chunk, 0, 2 ) ==
"\xff\xfe" ) {
1314 if ( $enc !== null ) {
1315 $chunk = iconv( $enc,
"ASCII//IGNORE", $chunk );
1318 $chunk = trim( $chunk );
1321 wfDebug( __METHOD__ .
": checking for embedded scripts and HTML stuff\n" );
1323 # check for HTML doctype 1324 if ( preg_match(
"/<!DOCTYPE *X?HTML/i", $chunk ) ) {
1330 if ( $extension ==
'svg' || strpos( $mime,
'image/svg' ) === 0 ) {
1331 if ( self::checkXMLEncodingMissmatch(
$file ) ) {
1345 '<html', # also in safari
1346 '<script', # also in safari
1349 foreach ( $tags as $tag ) {
1350 if ( strpos( $chunk, $tag ) !==
false ) {
1351 wfDebug( __METHOD__ .
": found something that may make it be mistaken for html: $tag\n" );
1361 # resolve entity-refs to look at attributes. may be harsh on big files... cache result? 1364 # look for script-types 1365 if ( preg_match(
'!type\s*=\s*[\'"]?\s*(?:\w*/)?(?:ecma|java)!sim', $chunk ) ) {
1366 wfDebug( __METHOD__ .
": found script types\n" );
1371 # look for html-style script-urls 1372 if ( preg_match(
'!(?:href|src|data)\s*=\s*[\'"]?\s*(?:ecma|java)script:!sim', $chunk ) ) {
1373 wfDebug( __METHOD__ .
": found html-style script urls\n" );
1378 # look for css-style script-urls 1379 if ( preg_match(
'!url\s*\(\s*[\'"]?\s*(?:ecma|java)script:!sim', $chunk ) ) {
1380 wfDebug( __METHOD__ .
": found css-style script urls\n" );
1385 wfDebug( __METHOD__ .
": no scripts found\n" );
1399 $contents = file_get_contents(
$file,
false, null, 0, $wgSVGMetadataCutoff );
1400 $encodingRegex =
'!encoding[ \t\n\r]*=[ \t\n\r]*[\'"](.*?)[\'"]!si';
1402 if ( preg_match(
"!<\?xml\b(.*?)\?>!si", $contents,
$matches ) ) {
1403 if ( preg_match( $encodingRegex,
$matches[1], $encMatch )
1404 && !in_array( strtoupper( $encMatch[1] ), self::$safeXmlEncodings )
1406 wfDebug( __METHOD__ .
": Found unsafe XML encoding '{$encMatch[1]}'\n" );
1410 } elseif ( preg_match(
"!<\?xml\b!si", $contents ) ) {
1413 wfDebug( __METHOD__ .
": Unmatched XML declaration start\n" );
1416 } elseif ( substr( $contents, 0, 4 ) ==
"\x4C\x6F\xA7\x94" ) {
1418 wfDebug( __METHOD__ .
": EBCDIC Encoded XML\n" );
1425 $attemptEncodings = [
'UTF-16',
'UTF-16BE',
'UTF-32',
'UTF-32BE' ];
1426 foreach ( $attemptEncodings as $encoding ) {
1427 Wikimedia\suppressWarnings();
1428 $str = iconv( $encoding,
'UTF-8', $contents );
1429 Wikimedia\restoreWarnings();
1430 if ( $str !=
'' && preg_match(
"!<\?xml\b(.*?)\?>!si", $str,
$matches ) ) {
1431 if ( preg_match( $encodingRegex,
$matches[1], $encMatch )
1432 && !in_array( strtoupper( $encMatch[1] ), self::$safeXmlEncodings )
1434 wfDebug( __METHOD__ .
": Found unsafe XML encoding '{$encMatch[1]}'\n" );
1438 } elseif ( $str !=
'' && preg_match(
"!<\?xml\b!si", $str ) ) {
1441 wfDebug( __METHOD__ .
": Unmatched XML declaration start\n" );
1456 $this->mSVGNSError =
false;
1459 [ $this,
'checkSvgScriptCallback' ],
1462 'processing_instruction_handler' =>
'UploadBase::checkSvgPICallback',
1463 'external_dtd_handler' =>
'UploadBase::checkSvgExternalDTD',
1466 if ( $check->wellFormed !==
true ) {
1469 return $partial ? false : [
'uploadinvalidxml' ];
1470 } elseif ( $check->filterMatch ) {
1471 if ( $this->mSVGNSError ) {
1475 return $check->filterMatchType;
1489 if ( preg_match(
'/xml-stylesheet/i', $target ) ) {
1490 return [
'upload-scripted-pi-callback' ];
1511 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd',
1512 'http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd',
1513 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd',
1514 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-tiny.dtd',
1516 'http://www.w3.org/TR/2001/PR-SVG-20010719/DTD/svg10.dtd',
1518 if (
$type !==
'PUBLIC' 1519 || !in_array( $systemId, $allowedDTDs )
1520 || strpos( $publicId,
"-//W3C//" ) !== 0
1522 return [
'upload-scripted-dtd' ];
1539 static $validNamespaces = [
1542 'http://creativecommons.org/ns#',
1543 'http://inkscape.sourceforge.net/dtd/sodipodi-0.dtd',
1544 'http://ns.adobe.com/adobeillustrator/10.0/',
1545 'http://ns.adobe.com/adobesvgviewerextensions/3.0/',
1546 'http://ns.adobe.com/extensibility/1.0/',
1547 'http://ns.adobe.com/flows/1.0/',
1548 'http://ns.adobe.com/illustrator/1.0/',
1549 'http://ns.adobe.com/imagereplacement/1.0/',
1550 'http://ns.adobe.com/pdf/1.3/',
1551 'http://ns.adobe.com/photoshop/1.0/',
1552 'http://ns.adobe.com/saveforweb/1.0/',
1553 'http://ns.adobe.com/variables/1.0/',
1554 'http://ns.adobe.com/xap/1.0/',
1555 'http://ns.adobe.com/xap/1.0/g/',
1556 'http://ns.adobe.com/xap/1.0/g/img/',
1557 'http://ns.adobe.com/xap/1.0/mm/',
1558 'http://ns.adobe.com/xap/1.0/rights/',
1559 'http://ns.adobe.com/xap/1.0/stype/dimensions#',
1560 'http://ns.adobe.com/xap/1.0/stype/font#',
1561 'http://ns.adobe.com/xap/1.0/stype/manifestitem#',
1562 'http://ns.adobe.com/xap/1.0/stype/resourceevent#',
1563 'http://ns.adobe.com/xap/1.0/stype/resourceref#',
1564 'http://ns.adobe.com/xap/1.0/t/pg/',
1565 'http://purl.org/dc/elements/1.1/',
1566 'http://purl.org/dc/elements/1.1',
1567 'http://schemas.microsoft.com/visio/2003/svgextensions/',
1568 'http://sodipodi.sourceforge.net/dtd/sodipodi-0.dtd',
1569 'http://taptrix.com/inkpad/svg_extensions',
1570 'http://web.resource.org/cc/',
1571 'http://www.freesoftware.fsf.org/bkchem/cdml',
1572 'http://www.inkscape.org/namespaces/inkscape',
1573 'http://www.opengis.net/gml',
1574 'http://www.w3.org/1999/02/22-rdf-syntax-ns#',
1575 'http://www.w3.org/2000/svg',
1576 'http://www.w3.org/tr/rec-rdf-syntax/',
1577 'http://www.w3.org/2000/01/rdf-schema#',
1582 $isBuggyInkscape = preg_match(
'/^&(#38;)*ns_[a-z_]+;$/', $namespace );
1584 if ( !( $isBuggyInkscape || in_array( $namespace, $validNamespaces ) ) ) {
1585 wfDebug( __METHOD__ .
": Non-svg namespace '$namespace' in uploaded file.\n" );
1587 $this->mSVGNSError = $namespace;
1595 if ( $strippedElement ==
'script' ) {
1596 wfDebug( __METHOD__ .
": Found script element '$element' in uploaded file.\n" );
1598 return [
'uploaded-script-svg', $strippedElement ];
1601 # e.g., <svg xmlns="http://www.w3.org/2000/svg"> 1602 # <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler> </svg> 1603 if ( $strippedElement ==
'handler' ) {
1604 wfDebug( __METHOD__ .
": Found scriptable element '$element' in uploaded file.\n" );
1606 return [
'uploaded-script-svg', $strippedElement ];
1609 # SVG reported in Feb '12 that used xml:stylesheet to generate javascript block 1610 if ( $strippedElement ==
'stylesheet' ) {
1611 wfDebug( __METHOD__ .
": Found scriptable element '$element' in uploaded file.\n" );
1613 return [
'uploaded-script-svg', $strippedElement ];
1616 # Block iframes, in case they pass the namespace check 1617 if ( $strippedElement ==
'iframe' ) {
1618 wfDebug( __METHOD__ .
": iframe in uploaded file.\n" );
1620 return [
'uploaded-script-svg', $strippedElement ];
1624 if ( $strippedElement ==
'style' 1627 wfDebug( __METHOD__ .
": hostile css in style element.\n" );
1628 return [
'uploaded-hostile-svg' ];
1631 foreach ( $attribs as $attrib => $value ) {
1633 $value = strtolower( $value );
1635 if ( substr( $stripped, 0, 2 ) ==
'on' ) {
1637 .
": Found event-handler attribute '$attrib'='$value' in uploaded file.\n" );
1639 return [
'uploaded-event-handler-on-svg', $attrib, $value ];
1642 # Do not allow relative links, or unsafe url schemas. 1643 # For <a> tags, only data:, http: and https: and same-document 1644 # fragment links are allowed. For all other tags, only data: 1645 # and fragment are allowed. 1646 if ( $stripped ==
'href' 1648 && strpos( $value,
'data:' ) !== 0
1649 && strpos( $value,
'#' ) !== 0
1651 if ( !( $strippedElement ===
'a' 1652 && preg_match(
'!^https?://!i', $value ) )
1654 wfDebug( __METHOD__ .
": Found href attribute <$strippedElement " 1655 .
"'$attrib'='$value' in uploaded file.\n" );
1657 return [
'uploaded-href-attribute-svg', $strippedElement, $attrib, $value ];
1661 # only allow data: targets that should be safe. This prevents vectors like, 1662 # image/svg, text/xml, application/xml, and text/html, which can contain scripts 1663 if ( $stripped ==
'href' && strncasecmp(
'data:', $value, 5 ) === 0 ) {
1666 $parameters =
'(?>;[a-zA-Z0-9\!#$&\'*+.^_`{|}~-]+=(?>[a-zA-Z0-9\!#$&\'*+.^_`{|}~-]+|"(?>[\0-\x0c\x0e-\x21\x23-\x5b\x5d-\x7f]+|\\\\[\0-\x7f])*"))*(?:;base64)?';
1668 if ( !preg_match(
"!^data:\s*image/(gif|jpeg|jpg|png)$parameters,!i", $value ) ) {
1669 wfDebug( __METHOD__ .
": Found href to unwhitelisted data: uri " 1670 .
"\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
1671 return [
'uploaded-href-unsafe-target-svg', $strippedElement, $attrib, $value ];
1675 # Change href with animate from (http://html5sec.org/#137). 1676 if ( $stripped ===
'attributename' 1677 && $strippedElement ===
'animate' 1680 wfDebug( __METHOD__ .
": Found animate that might be changing href using from " 1681 .
"\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
1683 return [
'uploaded-animate-svg', $strippedElement, $attrib, $value ];
1686 # use set/animate to add event-handler attribute to parent 1687 if ( ( $strippedElement ==
'set' || $strippedElement ==
'animate' )
1688 && $stripped ==
'attributename' 1689 && substr( $value, 0, 2 ) ==
'on' 1691 wfDebug( __METHOD__ .
": Found svg setting event-handler attribute with " 1692 .
"\"<$strippedElement $stripped='$value'...\" in uploaded file.\n" );
1694 return [
'uploaded-setting-event-handler-svg', $strippedElement, $stripped, $value ];
1697 # use set to add href attribute to parent element 1698 if ( $strippedElement ==
'set' 1699 && $stripped ==
'attributename' 1700 && strpos( $value,
'href' ) !==
false 1702 wfDebug( __METHOD__ .
": Found svg setting href attribute '$value' in uploaded file.\n" );
1704 return [
'uploaded-setting-href-svg' ];
1707 # use set to add a remote / data / script target to an element 1708 if ( $strippedElement ==
'set' 1709 && $stripped ==
'to' 1710 && preg_match(
'!(http|https|data|script):!sim', $value )
1712 wfDebug( __METHOD__ .
": Found svg setting attribute to '$value' in uploaded file.\n" );
1714 return [
'uploaded-wrong-setting-svg', $value ];
1717 # use handler attribute with remote / data / script 1718 if ( $stripped ==
'handler' && preg_match(
'!(http|https|data|script):!sim', $value ) ) {
1719 wfDebug( __METHOD__ .
": Found svg setting handler with remote/data/script " 1720 .
"'$attrib'='$value' in uploaded file.\n" );
1722 return [
'uploaded-setting-handler-svg', $attrib, $value ];
1725 # use CSS styles to bring in remote code 1726 if ( $stripped ==
'style' 1729 wfDebug( __METHOD__ .
": Found svg setting a style with " 1730 .
"remote url '$attrib'='$value' in uploaded file.\n" );
1731 return [
'uploaded-remote-url-svg', $attrib, $value ];
1734 # Several attributes can include css, css character escaping isn't allowed 1735 $cssAttrs = [
'font',
'clip-path',
'fill',
'filter',
'marker',
1736 'marker-end',
'marker-mid',
'marker-start',
'mask',
'stroke' ];
1737 if ( in_array( $stripped, $cssAttrs )
1738 && self::checkCssFragment( $value )
1740 wfDebug( __METHOD__ .
": Found svg setting a style with " 1741 .
"remote url '$attrib'='$value' in uploaded file.\n" );
1742 return [
'uploaded-remote-url-svg', $attrib, $value ];
1745 # image filters can pull in url, which could be svg that executes scripts 1746 # Only allow url( "#foo" ). Do not allow url( http://example.com ) 1747 if ( $strippedElement ==
'image' 1748 && $stripped ==
'filter' 1749 && preg_match(
'!url\s*\(\s*["\']?[^#]!sim', $value )
1751 wfDebug( __METHOD__ .
": Found image filter with url: " 1752 .
"\"<$strippedElement $stripped='$value'...\" in uploaded file.\n" );
1754 return [
'uploaded-image-filter-svg', $strippedElement, $stripped, $value ];
1768 # Forbid external stylesheets, for both reliability and to protect viewer's privacy 1769 if ( stripos( $value,
'@import' ) !==
false ) {
1773 # We allow @font-face to embed fonts with data: urls, so we snip the string 1774 # 'url' out so this case won't match when we check for urls below 1775 $pattern =
'!(@font-face\s*{[^}]*src:)url(\("data:;base64,)!im';
1776 $value = preg_replace( $pattern,
'$1$2', $value );
1778 # Check for remote and executable CSS. Unlike in Sanitizer::checkCss, the CSS 1779 # properties filter and accelerator don't seem to be useful for xss in SVG files. 1780 # Expression and -o-link don't seem to work either, but filtering them here in case. 1781 # Additionally, we catch remote urls like url("http:..., url('http:..., url(http:..., 1782 # but not local ones such as url("#..., url('#..., url(#.... 1783 if ( preg_match(
'!expression 1785 | -o-link-source\s*: 1786 | -o-replace\s*:!imx', $value ) ) {
1790 if ( preg_match_all(
1791 "!(\s*(url|image|image-set)\s*\(\s*[\"']?\s*[^#]+.*?\))!sim",
1796 # TODO: redo this in one regex. Until then, url("#whatever") matches the first 1797 foreach (
$matches[1] as $match ) {
1798 if ( !preg_match(
"!\s*(url|image|image-set)\s*\(\s*(#|'#|\"#)!im", $match ) ) {
1804 if ( preg_match(
'/[\000-\010\013\016-\037\177]/', $value ) ) {
1818 $parts = explode(
':', strtolower( $element ) );
1819 $name = array_pop( $parts );
1820 $ns = implode(
':', $parts );
1822 return [ $ns, $name ];
1831 $parts = explode(
':', strtolower( $name ) );
1833 return array_pop( $parts );
1849 if ( !$wgAntivirus ) {
1850 wfDebug( __METHOD__ .
": virus scanner disabled\n" );
1855 if ( !$wgAntivirusSetup[$wgAntivirus] ) {
1856 wfDebug( __METHOD__ .
": unknown virus scanner: $wgAntivirus\n" );
1857 $wgOut->wrapWikiMsg(
"<div class=\"error\">\n$1\n</div>",
1858 [
'virus-badscanner', $wgAntivirus ] );
1860 return wfMessage(
'virus-unknownscanner' )->text() .
" $wgAntivirus";
1863 # look up scanner configuration 1865 $exitCodeMap = $wgAntivirusSetup[
$wgAntivirus][
'codemap'];
1866 $msgPattern = $wgAntivirusSetup[
$wgAntivirus][
'messagepattern'] ?? null;
1868 if ( strpos(
$command,
"%f" ) ===
false ) {
1869 # simple pattern: append file to scan 1872 # complex pattern: replace "%f" with file to scan 1876 wfDebug( __METHOD__ .
": running virus scan: $command \n" );
1878 # execute virus scanner 1881 # NOTE: there's a 50 line workaround to make stderr redirection work on windows, too. 1882 # that does not seem to be worth the pain. 1883 # Ask me (Duesentrieb) about it if it's ever needed. 1886 # map exit code to AV_xxx constants. 1887 $mappedCode = $exitCode;
1888 if ( $exitCodeMap ) {
1889 if ( isset( $exitCodeMap[$exitCode] ) ) {
1890 $mappedCode = $exitCodeMap[$exitCode];
1891 } elseif ( isset( $exitCodeMap[
"*"] ) ) {
1892 $mappedCode = $exitCodeMap[
"*"];
1900 # scan failed (code was mapped to false by $exitCodeMap) 1901 wfDebug( __METHOD__ .
": failed to scan $file (code $exitCode).\n" );
1903 $output = $wgAntivirusRequired
1904 ?
wfMessage(
'virus-scanfailed', [ $exitCode ] )->text()
1907 # scan failed because filetype is unknown (probably imune) 1908 wfDebug( __METHOD__ .
": unsupported file type $file (code $exitCode).\n" );
1912 wfDebug( __METHOD__ .
": file passed virus scan.\n" );
1915 $output = trim( $output );
1918 $output =
true; #
if there
's no output, return true 1919 } elseif ( $msgPattern ) { 1921 if ( preg_match( $msgPattern, $output, $groups ) && $groups[1] ) { 1922 $output = $groups[1]; 1926 wfDebug( __METHOD__ . ": FOUND VIRUS! scanner feedback: $output \n" ); 1940 private function checkOverwrite( $user ) { 1941 // First check whether the local file can be overwritten 1942 $file = $this->getLocalFile(); 1943 $file->load( File::READ_LATEST ); 1944 if ( $file->exists() ) { 1945 if ( !self::userCanReUpload( $user, $file ) ) { 1946 return [ 'fileexists-forbidden
', $file->getName() ]; 1952 /* Check shared conflicts: if the local file does not exist, but 1953 * wfFindFile finds a file, it exists in a shared repository. 1955 $file = wfFindFile( $this->getTitle(), [ 'latest
' => true ] ); 1956 if ( $file && !MediaWikiServices::getInstance() 1957 ->getPermissionManager() 1958 ->userHasRight( $user, 'reupload-shared
' ) 1960 return [ 'fileexists-shared-forbidden
', $file->getName() ]; 1973 public static function userCanReUpload( User $user, File $img ) { 1974 $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); 1975 if ( $permissionManager->userHasRight( $user, 'reupload
' ) ) { 1976 return true; // non-conditional 1977 } elseif ( !$permissionManager->userHasRight( $user, 'reupload-own
' ) ) { 1981 if ( !( $img instanceof LocalFile ) ) { 1987 return $user->getId() == $img->getUser( 'id' ); 2001 public static function getExistsWarning( $file ) { 2002 if ( $file->exists() ) { 2003 return [ 'warning
' => 'exists
', 'file
' => $file ]; 2006 if ( $file->getTitle()->getArticleID() ) { 2007 return [ 'warning
' => 'page-exists
', 'file
' => $file ]; 2010 if ( strpos( $file->getName(), '.
' ) == false ) { 2011 $partname = $file->getName(); 2014 $n = strrpos( $file->getName(), '.
' ); 2015 $extension = substr( $file->getName(), $n + 1 ); 2016 $partname = substr( $file->getName(), 0, $n ); 2018 $normalizedExtension = File::normalizeExtension( $extension ); 2020 if ( $normalizedExtension != $extension ) { 2021 // We're not
using the normalized form of the extension.
2029 if ( $file_lc->exists() ) {
2031 'warning' =>
'exists-normalized',
2033 'normalizedFile' => $file_lc
2040 "{$partname}.", 1 );
2041 if ( count( $similarFiles ) ) {
2043 'warning' =>
'exists-normalized',
2045 'normalizedFile' => $similarFiles[0],
2049 if ( self::isThumbName(
$file->getName() ) ) {
2050 # Check for filenames like 50px- or 180px-, these are mostly thumbnails 2052 substr( $partname, strpos( $partname,
'-' ) + 1 ) .
'.' . $extension,
2056 if ( $file_thb->exists() ) {
2058 'warning' =>
'thumb',
2060 'thumbFile' => $file_thb
2065 'warning' =>
'thumb-name',
2067 'thumbFile' => $file_thb
2072 foreach ( self::getFilenamePrefixBlacklist() as $prefix ) {
2073 if ( substr( $partname, 0, strlen( $prefix ) ) == $prefix ) {
2075 'warning' =>
'bad-prefix',
2091 $n = strrpos( $filename,
'.' );
2092 $partname = $n ? substr( $filename, 0, $n ) : $filename;
2095 substr( $partname, 3, 3 ) ==
'px-' ||
2096 substr( $partname, 2, 3 ) ==
'px-' 2098 preg_match(
"/[0-9]{2}/", substr( $partname, 0, 2 ) );
2108 $message =
wfMessage(
'filename-prefix-blacklist' )->inContentLanguage();
2109 if ( !$message->isDisabled() ) {
2110 $lines = explode(
"\n", $message->plain() );
2113 $comment = substr( trim( $line ), 0, 1 );
2114 if ( $comment ==
'#' || $comment ==
'' ) {
2118 $comment = strpos( $line,
'#' );
2119 if ( $comment > 0 ) {
2120 $line = substr( $line, 0, $comment - 1 );
2122 $blacklist[] = trim( $line );
2161 $code = $error[
'status'];
2162 unset( $code[
'status'] );
2177 if ( is_array( $wgMaxUploadSize ) ) {
2178 if ( !is_null( $forType ) && isset( $wgMaxUploadSize[$forType] ) ) {
2179 return $wgMaxUploadSize[$forType];
2181 return $wgMaxUploadSize[
'*'];
2184 return intval( $wgMaxUploadSize );
2197 ini_get(
'upload_max_filesize' ),
2201 ini_get(
'post_max_size' ),
2204 return min( $phpMaxFileSize, $phpMaxPostSize );
2217 $store = self::getUploadSessionStore();
2218 $key = self::getUploadSessionKey( $store, $user, $statusKey );
2220 return $store->get( $key );
2236 $store = self::getUploadSessionStore();
2237 $key = self::getUploadSessionKey( $store, $user, $statusKey );
2239 if ( $value ===
false ) {
2240 $store->delete( $key );
2242 $store->set( $key, $value, $store::TTL_DAY );
$wgStrictFileExtensions
If this is turned off, users may override the warning for files not covered by $wgFileExtensions.
checkOverwrite( $user)
Check if there's an overwrite conflict and, if so, if restrictions forbid this user from performing t...
static newFatal( $message,... $parameters)
Factory function for fatal errors.
detectScriptInSvg( $filename, $partial)
if(PHP_SAPI !='cli-server') if(!isset( $_SERVER['SCRIPT_FILENAME'])) $file
Item class for a filearchive table row.
exists()
canRender inherited
static getUploadSessionKey(BagOStuff $store, User $user, $statusKey)
$wgSVGMetadataCutoff
Don't read SVG metadata beyond this point.
$wgDisableUploadScriptChecks
Setting this to true will disable the upload system's checks for HTML/JavaScript. ...
static splitXmlNamespace( $element)
Divide the element name passed by the xml parser to the callback into URI and prifix.
static getPropertyNames( $filter=[])
Returns all possible parameters to iiprop.
tryStashFile(User $user, $isPartial=false)
Like stashFile(), but respects extensions' wishes to prevent the stashing.
static createFromRequest(&$request, $type=null)
Create a form of UploadBase depending on wpSourceType and initializes it.
convertVerifyErrorToStatus( $error)
static getSessionStatus(User $user, $statusKey)
Get the current status of a chunked upload (used for polling)
const OVERWRITE_EXISTING_FILE
initializePathInfo( $name, $tempPath, $fileSize, $removeTempFile=false)
Initialize the path information.
static getUploadSessionStore()
makeKey( $class,... $components)
Make a cache key, scoped to this instance's keyspace.
static normalizeCss( $value)
Normalize CSS into a format we can easily search for hostile input.
wfStripIllegalFilenameChars( $name)
Replace all invalid characters with '-'.
static getInstance( $id)
Get a cached instance of the specified type of cache object.
checkLocalFileExists(LocalFile $localFile, $hash)
static splitExtensions( $filename)
Split a file into a base name and all dot-delimited 'extensions' on the end.
static detectScript( $file, $mime, $extension)
Heuristic for detecting files that could contain JavaScript instructions or things that may look like...
checkUnwantedFileExtensions( $fileExtension)
isEmptyFile()
Return true if the file is empty.
string $mTempPath
Local file system path to the file to upload (or a local copy)
static getMaxUploadSize( $forType=null)
Get the MediaWiki maximum uploaded file size for given type of upload, based on $wgMaxUploadSize.
static isStoragePath( $path)
Check if a given path is a "mwstore://" path.
wfLocalFile( $title)
Get an object referring to a locally registered file.
$wgAllowJavaUploads
Allow Java archive uploads.
getName()
Get the user name, or the IP of an anonymous user.
checkAgainstArchiveDupes( $hash)
verifyPartialFile()
A verification routine suitable for partial files.
$wgCheckFileExtensions
This is a flag to determine whether or not to check file extensions on upload.
The User object encapsulates all of the user-specific settings (user_id, name, rights, email address, options, last login time).
$wgEnableUploads
Allow users to upload files.
static checkCssFragment( $value)
Check a block of CSS or CSS fragment for anything that looks like it is bringing in remote code...
Class representing a row of the 'filearchive' table.
getHistory( $limit=null, $start=null, $end=null, $inc=true)
purgeDescription inherited
wasDeleted()
Was this file ever deleted from the wiki?
$wgAntivirusRequired
Determines if a failed virus scan (AV_SCAN_FAILED) will cause the file to be rejected.
static getPropertyNames( $filter=null)
Returns all possible parameters to siiprop.
getTempFileSha1Base36()
Get the base 36 SHA1 of the file.
static isAllowed(UserIdentity $user)
Returns true if the user can use this upload module or else a string identifying the missing permissi...
UploadBase and subclasses are the backend of MediaWiki's file uploads.
static getInfo( $file, $prop, $result, $thumbParams=null, $opts=false)
Get result information for an image revision.
getDBkey()
Get the main part with underscores.
static checkSvgPICallback( $target, $data)
Callback to filter SVG Processing Instructions.
fetchFile()
Fetch the file.
static newGood( $value=null)
Factory function for good results.
wfDebug( $text, $dest='all', array $context=[])
Sends a line to the debug log if enabled or, optionally, to a comment in output.
string null $mRemoveTempFile
postProcessUpload()
Perform extra steps after a successful upload.
static isVirtualUrl( $url)
Determine if a string is an mwrepo:// URL.
static doWatch(Title $title, User $user, $checkRights=User::CHECK_USER_RIGHTS)
Watch a page.
getTitle()
Returns the title of the file to be uploaded.
static makeWarningsSerializable( $warnings)
Convert the warnings array returned by checkWarnings() to something that can be serialized.
cleanupTempFile()
If we've modified the upload file we need to manually remove it on exit to clean up.
getSourceType()
Returns the upload type.
static checkSvgExternalDTD( $type, $publicId, $systemId)
Verify that DTD urls referenced are only the standard dtds.
checkBadFileName( $filename, $desiredFileName)
Check whether the resulting filename is different from the desired one, but ignore things like ucfirs...
string null $mFinalExtension
checkWarnings()
Check for non fatal problems with the file.
initializeFromRequest(&$request)
Initialize from a WebRequest.
verifyUpload()
Verify whether the upload is sane.
const MIN_LENGTH_PARTNAME
getFileSize()
Return the file size.
$wgVerifyMimeTypeIE
Determines whether extra checks for IE type detection should be applied.
static getSha1Base36FromPath( $path)
Get a SHA-1 hash of a file in the local filesystem, in base-36 lower case encoding, zero padded to 31 digits.
string null $mDesiredDestName
static isEnabled()
Returns true if uploads are enabled.
doStashFile(User $user=null)
Implementation for stashFile() and tryStashFile().
validateName()
Verify that the name is valid and, if necessary, that we can overwrite.
static isThrottled( $user)
Returns true if the user has surpassed the upload rate limit, false otherwise.
static checkXMLEncodingMissmatch( $file)
Check a whitelist of xml encodings that are known not to be interpreted differently by the server's x...
$wgMaxUploadSize
Max size for uploads, in bytes.
getLocalFile()
Return the local file and initializes if necessary.
$wgAntivirusSetup
Configuration for different virus scanners.
static makeTitleSafe( $ns, $title, $fragment='', $interwiki='')
Create a new Title from a namespace index and a DB key.
static makeTitle( $ns, $title, $fragment='', $interwiki='')
Create a new Title from a namespace index and a DB key.
verifyPermissions( $user)
Alias for verifyTitlePermissions.
$wgFileExtensions
This is the list of preferred extensions for uploading files.
verifyTitlePermissions( $user)
Check whether the user can edit, upload and create the image.
static getFilenamePrefixBlacklist()
Get a list of blacklisted filename prefixes from [[MediaWiki:Filename-prefix-blacklist]].
$wgUploadSizeWarning
Warn if uploaded files are larger than this (in bytes), or false to disable.
string [] $mBlackListedExtensions
stashFile(User $user=null)
If the user does not supply all necessary information in the first upload form submission (either by ...
getId()
Get the user's ID.
static isThumbName( $filename)
Helper function that checks whether the filename looks like a thumbnail.
static capitalize( $text, $ns=NS_MAIN)
Capitalize a text string for a title if it belongs to a namespace that capitalizes.
performUpload( $comment, $pageText, $watch, $user, $tags=[])
Really perform the upload.
wfDeprecated( $function, $version=false, $component=false, $callerOffset=2)
Throws a warning that $function is deprecated.
static decodeCharReferences( $text)
Decode any character references, numeric or named entities, in the text and return a UTF-8 string...
wfShellExecWithStderr( $cmd, &$retval=null, $environ=[], $limits=[])
Execute a shell command, returning both stdout and stderr.
checkFileSize( $fileSize)
const WINDOWS_NONASCII_FILENAME
if(!is_readable( $file)) $ext
checkAgainstExistingDupes( $hash, $ignoreLocalDupes)
Class to represent a local file in the wiki's own database.
MimeMagic helper wrapper.
string null $mFilteredName
stripXmlNamespace( $name)
static checkFileExtensionList( $ext, $list)
Perform case-insensitive match against a list of file extensions.
static getMaxPhpUploadSize()
Get the PHP maximum uploaded file size, based on ini settings.
static detectVirus( $file)
Generic wrapper function for a virus scanner program.
static verifyExtension( $mime, $extension)
Checks if the MIME type of the uploaded file matches the file extension.
static setSessionStatus(User $user, $statusKey, $value)
Set the current status of a chunked upload (used for polling)
wfArrayDiff2( $a, $b)
Like array_diff( $a, $b ) except that it works with two-dimensional arrays.
setTempFile( $tempPath, $fileSize=null)
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
verifyMimeType( $mime)
Verify the MIME type.
TempFSFile null $tempFileObj
Wrapper to handle deleting the temp file.
$wgMimeTypeBlacklist
Files with these MIME types will never be allowed as uploads if $wgVerifyMimeType is enabled...
wfIniGetBool( $setting)
Safety wrapper around ini_get() for boolean settings.
getVerificationErrorCode( $error)
getImageInfo( $result)
Gets image info about the file just uploaded.
verifyFile()
Verifies that it's ok to include the uploaded file.
Implements some public methods and some protected utility functions which are required by multiple ch...
$wgVerifyMimeType
Determines if the MIME type of uploaded files should be checked.
static checkFileExtension( $ext, $list)
Perform case-insensitive match against a list of file extensions.
$wgFileBlacklist
Files with these extensions will never be allowed as uploads.
static read( $fileName, $callback, $options=[])
Read a ZIP file and call a function for each file discovered in it.
static isValidRequest( $request)
Check whether a request if valid for this handler.
zipEntryCallback( $entry)
Callback for ZipDirectoryReader to detect Java class files.
wfShorthandToInteger( $string='', $default=-1)
Converts shorthand byte notation to integer form.
UploadStashFile $mStashFile
checkLocalFileWasDeleted(LocalFile $localFile)
static run( $event, array $args=[], $deprecatedVersion=null)
Call hook functions defined in Hooks::register and $wgHooks.
$wgAntivirus
Internal name of virus scanner.
runUploadStashFileHook(User $user)
checkSvgScriptCallback( $element, $attribs, $data=null)
static newFromText( $text, $defaultNamespace=NS_MAIN)
Create a new Title from text, such as what one would find in a link.
1.8.13