MediaWiki  master
UploadFromUrl.php
Go to the documentation of this file.
1 <?php
26 
34 class UploadFromUrl extends UploadBase {
35  protected $mUrl;
36 
37  protected $mTempPath, $mTmpHandle;
38 
39  protected static $allowedUrls = [];
40 
50  public static function isAllowed( Authority $performer ) {
51  if ( !$performer->isAllowed( 'upload_by_url' )
52  ) {
53  return 'upload_by_url';
54  }
55 
56  return parent::isAllowed( $performer );
57  }
58 
63  public static function isEnabled() {
64  $allowCopyUploads = MediaWikiServices::getInstance()->getMainConfig()->get( 'AllowCopyUploads' );
65 
66  return $allowCopyUploads && parent::isEnabled();
67  }
68 
77  public static function isAllowedHost( $url ) {
78  $copyUploadsDomains = MediaWikiServices::getInstance()->getMainConfig()->get( 'CopyUploadsDomains' );
79  if ( !count( $copyUploadsDomains ) ) {
80  return true;
81  }
82  $parsedUrl = wfParseUrl( $url );
83  if ( !$parsedUrl ) {
84  return false;
85  }
86  $valid = false;
87  foreach ( $copyUploadsDomains as $domain ) {
88  // See if the domain for the upload matches this allowed domain
89  $domainPieces = explode( '.', $domain );
90  $uploadDomainPieces = explode( '.', $parsedUrl['host'] );
91  if ( count( $domainPieces ) === count( $uploadDomainPieces ) ) {
92  $valid = true;
93  // See if all the pieces match or not (excluding wildcards)
94  foreach ( $domainPieces as $index => $piece ) {
95  if ( $piece !== '*' && $piece !== $uploadDomainPieces[$index] ) {
96  $valid = false;
97  }
98  }
99  if ( $valid ) {
100  // We found a match, so quit comparing against the list
101  break;
102  }
103  }
104  /* Non-wildcard test
105  if ( $parsedUrl['host'] === $domain ) {
106  $valid = true;
107  break;
108  }
109  */
110  }
111 
112  return $valid;
113  }
114 
121  public static function isAllowedUrl( $url ) {
122  if ( !isset( self::$allowedUrls[$url] ) ) {
123  $allowed = true;
124  Hooks::runner()->onIsUploadAllowedFromUrl( $url, $allowed );
125  self::$allowedUrls[$url] = $allowed;
126  }
127 
128  return self::$allowedUrls[$url];
129  }
130 
138  public function initialize( $name, $url ) {
139  $this->mUrl = $url;
140 
141  $tempPath = $this->makeTemporaryFile();
142  # File size and removeTempFile will be filled in later
143  $this->initializePathInfo( $name, $tempPath, 0, false );
144  }
145 
150  public function initializeFromRequest( &$request ) {
151  $desiredDestName = $request->getText( 'wpDestFile' );
152  if ( !$desiredDestName ) {
153  $desiredDestName = $request->getText( 'wpUploadFileURL' );
154  }
155  $this->initialize(
156  $desiredDestName,
157  trim( $request->getVal( 'wpUploadFileURL' ) )
158  );
159  }
160 
165  public static function isValidRequest( $request ) {
166  $user = RequestContext::getMain()->getUser();
167 
168  $url = $request->getVal( 'wpUploadFileURL' );
169 
170  return !empty( $url )
171  && MediaWikiServices::getInstance()
172  ->getPermissionManager()
173  ->userHasRight( $user, 'upload_by_url' );
174  }
175 
179  public function getSourceType() {
180  return 'url';
181  }
182 
190  public function fetchFile( $httpOptions = [] ) {
191  if ( !MWHttpRequest::isValidURI( $this->mUrl ) ) {
192  return Status::newFatal( 'http-invalid-url', $this->mUrl );
193  }
194 
195  if ( !self::isAllowedHost( $this->mUrl ) ) {
196  return Status::newFatal( 'upload-copy-upload-invalid-domain' );
197  }
198  if ( !self::isAllowedUrl( $this->mUrl ) ) {
199  return Status::newFatal( 'upload-copy-upload-invalid-url' );
200  }
201  return $this->reallyFetchFile( $httpOptions );
202  }
203 
209  protected function makeTemporaryFile() {
210  $tmpFile = MediaWikiServices::getInstance()->getTempFSFileFactory()
211  ->newTempFSFile( 'URL', 'urlupload_' );
212  $tmpFile->bind( $this );
213 
214  return $tmpFile->getPath();
215  }
216 
224  public function saveTempFileChunk( $req, $buffer ) {
225  wfDebugLog( 'fileupload', 'Received chunk of ' . strlen( $buffer ) . ' bytes' );
226  $nbytes = fwrite( $this->mTmpHandle, $buffer );
227 
228  if ( $nbytes == strlen( $buffer ) ) {
229  $this->mFileSize += $nbytes;
230  } else {
231  // Well... that's not good!
232  wfDebugLog(
233  'fileupload',
234  'Short write ' . $nbytes . '/' . strlen( $buffer ) .
235  ' bytes, aborting with ' . $this->mFileSize . ' uploaded so far'
236  );
237  fclose( $this->mTmpHandle );
238  $this->mTmpHandle = false;
239  }
240 
241  return $nbytes;
242  }
243 
251  protected function reallyFetchFile( $httpOptions = [] ) {
252  $copyUploadProxy = MediaWikiServices::getInstance()->getMainConfig()->get( 'CopyUploadProxy' );
253  $copyUploadTimeout = MediaWikiServices::getInstance()->getMainConfig()->get( 'CopyUploadTimeout' );
254  if ( $this->mTempPath === false ) {
255  return Status::newFatal( 'tmp-create-error' );
256  }
257 
258  // Note the temporary file should already be created by makeTemporaryFile()
259  $this->mTmpHandle = fopen( $this->mTempPath, 'wb' );
260  if ( !$this->mTmpHandle ) {
261  return Status::newFatal( 'tmp-create-error' );
262  }
263  wfDebugLog( 'fileupload', 'Temporary file created "' . $this->mTempPath . '"' );
264 
265  $this->mRemoveTempFile = true;
266  $this->mFileSize = 0;
267 
268  $options = $httpOptions + [ 'followRedirects' => false ];
269 
270  if ( $copyUploadProxy !== false ) {
271  $options['proxy'] = $copyUploadProxy;
272  }
273 
274  if ( $copyUploadTimeout && !isset( $options['timeout'] ) ) {
275  $options['timeout'] = $copyUploadTimeout;
276  }
277  wfDebugLog(
278  'fileupload',
279  'Starting download from "' . $this->mUrl . '" ' .
280  '<' . implode( ',', array_keys( array_filter( $options ) ) ) . '>'
281  );
282 
283  // Manually follow any redirects up to the limit and reset the output file before each new request to prevent
284  // capturing the redirect response as part of the file.
285  $attemptsLeft = $options['maxRedirects'] ?? 5;
286  $targetUrl = $this->mUrl;
287  $requestFactory = MediaWikiServices::getInstance()->getHttpRequestFactory();
288  while ( $attemptsLeft > 0 ) {
289  $req = $requestFactory->create( $targetUrl, $options, __METHOD__ );
290  $req->setCallback( [ $this, 'saveTempFileChunk' ] );
291  $status = $req->execute();
292  if ( !$req->isRedirect() ) {
293  break;
294  }
295  $targetUrl = $req->getFinalUrl();
296  // Remove redirect response content from file.
297  ftruncate( $this->mTmpHandle, 0 );
298  rewind( $this->mTmpHandle );
299  $attemptsLeft--;
300  }
301 
302  if ( $attemptsLeft == 0 ) {
303  return Status::newFatal( 'upload-too-many-redirects' );
304  }
305 
306  if ( $this->mTmpHandle ) {
307  // File got written ok...
308  fclose( $this->mTmpHandle );
309  $this->mTmpHandle = null;
310  } else {
311  // We encountered a write error during the download...
312  return Status::newFatal( 'tmp-write-error' );
313  }
314 
315  wfDebugLog( 'fileupload', $status );
316  if ( $status->isOK() ) {
317  wfDebugLog( 'fileupload', 'Download by URL completed successfully.' );
318  } else {
319  wfDebugLog(
320  'fileupload',
321  'Download by URL completed with HTTP status ' . $req->getStatus()
322  );
323  }
324 
325  return $status;
326  }
327 }
UploadBase
UploadBase and subclasses are the backend of MediaWiki's file uploads.
Definition: UploadBase.php:47
StatusValue\newFatal
static newFatal( $message,... $parameters)
Factory function for fatal errors.
Definition: StatusValue.php:70
UploadFromUrl\$mUrl
$mUrl
Definition: UploadFromUrl.php:35
MediaWiki\MediaWikiServices
MediaWikiServices is the service locator for the application scope of MediaWiki.
Definition: MediaWikiServices.php:203
UploadFromUrl\$mTmpHandle
$mTmpHandle
Definition: UploadFromUrl.php:37
wfDebugLog
wfDebugLog( $logGroup, $text, $dest='all', array $context=[])
Send a line to a supplementary debug log file, if configured, or main debug log if not.
Definition: GlobalFunctions.php:958
UploadFromUrl\saveTempFileChunk
saveTempFileChunk( $req, $buffer)
Callback: save a chunk of the result of a HTTP request to the temporary file.
Definition: UploadFromUrl.php:224
UploadFromUrl\initialize
initialize( $name, $url)
Entry point for API upload.
Definition: UploadFromUrl.php:138
wfParseUrl
wfParseUrl( $url)
parse_url() work-alike, but non-broken.
Definition: GlobalFunctions.php:776
UploadFromUrl
Implements uploading from a HTTP resource.
Definition: UploadFromUrl.php:34
UploadFromUrl\$mTempPath
$mTempPath
Definition: UploadFromUrl.php:37
UploadFromUrl\makeTemporaryFile
makeTemporaryFile()
Create a new temporary file in the URL subdirectory of wfTempDir().
Definition: UploadFromUrl.php:209
UploadFromUrl\isEnabled
static isEnabled()
Checks if the upload from URL feature is enabled.
Definition: UploadFromUrl.php:63
UploadFromUrl\isValidRequest
static isValidRequest( $request)
Definition: UploadFromUrl.php:165
UploadFromUrl\getSourceType
getSourceType()
Definition: UploadFromUrl.php:179
UploadFromUrl\$allowedUrls
static $allowedUrls
Definition: UploadFromUrl.php:39
UploadFromUrl\isAllowed
static isAllowed(Authority $performer)
Checks if the user is allowed to use the upload-by-URL feature.
Definition: UploadFromUrl.php:50
MediaWiki\Permissions\Authority
This interface represents the authority associated the current execution context, such as a web reque...
Definition: Authority.php:37
UploadFromUrl\isAllowedUrl
static isAllowedUrl( $url)
Checks whether the URL is not allowed.
Definition: UploadFromUrl.php:121
Hooks\runner
static runner()
Get a HookRunner instance for calling hooks using the new interfaces.
Definition: Hooks.php:173
UploadFromUrl\isAllowedHost
static isAllowedHost( $url)
Checks whether the URL is for an allowed host The domains in the allowlist can include wildcard chara...
Definition: UploadFromUrl.php:77
RequestContext\getMain
static getMain()
Get the RequestContext object associated with the main request.
Definition: RequestContext.php:484
UploadBase\initializePathInfo
initializePathInfo( $name, $tempPath, $fileSize, $removeTempFile=false)
Definition: UploadBase.php:260
MediaWiki\Permissions\Authority\isAllowed
isAllowed(string $permission)
Checks whether this authority has the given permission in general.
UploadFromUrl\fetchFile
fetchFile( $httpOptions=[])
Download the file.
Definition: UploadFromUrl.php:190
MWHttpRequest\isValidURI
static isValidURI( $uri)
Check that the given URI is a valid one.
Definition: MWHttpRequest.php:732
UploadFromUrl\reallyFetchFile
reallyFetchFile( $httpOptions=[])
Download the file, save it to the temporary file and update the file size and set $mRemoveTempFile to...
Definition: UploadFromUrl.php:251
UploadFromUrl\initializeFromRequest
initializeFromRequest(&$request)
Entry point for SpecialUpload.
Definition: UploadFromUrl.php:150