65 protected $headers = [];
111 protected $sessionId = null;
114 protected $markedAsSafe =
false;
120 $this->requestTime = $_SERVER[
'REQUEST_TIME_FLOAT'];
124 $this->data = $_POST + $_GET;
126 $this->queryAndPathParams = $this->queryParams = $_GET;
149 if ( isset( $_SERVER[
'REQUEST_URI'] ) ) {
151 $url = $_SERVER[
'REQUEST_URI'];
152 if ( !preg_match(
'!^https?://!', $url ) ) {
153 $url =
'http://unused' . $url;
155 AtEase::suppressWarnings();
156 $a = parse_url( $url );
157 AtEase::restoreWarnings();
161 $path = $a[
'path'] ??
'';
164 if (
$path == $wgScript && $want !==
'all' ) {
173 $router->
add(
"$wgScript/$1" );
175 if ( isset( $_SERVER[
'SCRIPT_NAME'] )
176 && strpos( $_SERVER[
'SCRIPT_NAME'],
'.php' ) !==
false 181 $router->add( $_SERVER[
'SCRIPT_NAME'] .
"/$1" );
185 if ( $wgArticlePath ) {
186 $router->validateRoute( $wgArticlePath,
'wgArticlePath' );
187 $router->add( $wgArticlePath );
192 if ( $articlePaths ) {
193 $router->add( $articlePaths, [
'action' =>
'$key' ] );
197 if ( $wgVariantArticlePath ) {
198 $router->validateRoute( $wgVariantArticlePath,
'wgVariantArticlePath' );
199 $router->add( $wgVariantArticlePath,
200 [
'variant' =>
'$2' ],
201 [
'$2' => MediaWikiServices::getInstance()->getContentLanguage()->
206 Hooks::run(
'WebRequestPathInfoRouter', [ $router ] );
212 if ( $wgUsePathInfo ) {
213 if ( !empty( $_SERVER[
'ORIG_PATH_INFO'] ) ) {
217 $matches[
'title'] = substr( $_SERVER[
'ORIG_PATH_INFO'], 1 );
218 } elseif ( !empty( $_SERVER[
'PATH_INFO'] ) ) {
220 $matches[
'title'] = substr( $_SERVER[
'PATH_INFO'], 1 );
237 $proto = self::detectProtocol();
238 $stdPort = $proto ===
'https' ? 443 : 80;
240 $varNames = [
'HTTP_HOST',
'SERVER_NAME',
'HOSTNAME',
'SERVER_ADDR' ];
243 foreach ( $varNames as $varName ) {
244 if ( !isset( $_SERVER[$varName] ) ) {
255 if ( $wgAssumeProxiesUseDefaultProtocolPorts && isset( $_SERVER[
'HTTP_X_FORWARDED_PROTO'] ) ) {
260 } elseif ( $parts[1] ===
false ) {
261 if ( isset( $_SERVER[
'SERVER_PORT'] ) ) {
262 $port = $_SERVER[
'SERVER_PORT'];
281 if ( ( !empty( $_SERVER[
'HTTPS'] ) && $_SERVER[
'HTTPS'] !==
'off' ) ||
282 ( isset( $_SERVER[
'HTTP_X_FORWARDED_PROTO'] ) &&
283 $_SERVER[
'HTTP_X_FORWARDED_PROTO'] ===
'https' ) ) {
312 if ( self::$reqId ) {
319 if ( $wgAllowExternalReqID ) {
345 if ( $this->protocol === null ) {
346 $this->protocol = self::detectProtocol();
360 if ( defined(
'MW_API' ) ) {
364 $matches = self::getPathInfo(
'title' );
365 foreach (
$matches as $key => $val ) {
366 $this->data[$key] = $this->queryAndPathParams[$key] = $val;
381 foreach ( (array)$bases as $keyValue =>
$base ) {
384 $baseLen = strlen(
$base );
385 if ( substr(
$path, 0, $baseLen ) ==
$base ) {
386 $raw = substr(
$path, $baseLen );
388 $matches = [
'title' => rawurldecode( $raw ) ];
407 if ( is_array( $data ) ) {
408 foreach ( $data as $key => $val ) {
412 $contLang = MediaWikiServices::getInstance()->getContentLanguage();
413 $data = $contLang ? $contLang->normalize( $data ) :
414 UtfNormal\Validator::cleanUp( $data );
428 # PHP is so nice to not touch input data, except sometimes: 429 # https://www.php.net/variables.external#language.variables.external.dot-in-names 430 # Work around PHP *feature* to avoid *bugs* elsewhere. 431 $name = strtr( $name,
'.',
'_' );
433 if ( !isset( $arr[$name] ) ) {
438 # Optimisation: Skip UTF-8 normalization and legacy transcoding for simple ASCII strings. 439 $isAsciiStr = ( is_string( $data ) && preg_match(
'/[^\x20-\x7E]/', $data ) === 0 );
440 if ( !$isAsciiStr ) {
441 if ( isset( $_GET[$name] ) && is_string( $data ) ) {
442 # Check for alternate/legacy character encoding. 443 $data = MediaWikiServices::getInstance()
444 ->getContentLanguage()
445 ->checkTitleEncoding( $data );
466 $name = strtr( $name,
'.',
'_' );
467 if ( isset( $this->data[$name] ) && !is_array( $this->data[$name] ) ) {
468 $val = $this->data[$name];
472 if ( is_null( $val ) ) {
489 public function getVal( $name, $default = null ) {
490 $val = $this->
getGPCVal( $this->data, $name, $default );
491 if ( is_array( $val ) ) {
494 if ( is_null( $val ) ) {
509 $ret = $this->data[$key] ?? null;
510 $this->data[$key] = $value;
521 if ( !isset( $this->data[$key] ) ) {
524 $ret = $this->data[$key];
525 unset( $this->data[$key] );
539 public function getArray( $name, $default = null ) {
540 $val = $this->
getGPCVal( $this->data, $name, $default );
541 if ( is_null( $val ) ) {
559 $val = $this->
getArray( $name, $default );
560 if ( is_array( $val ) ) {
561 $val = array_map(
'intval', $val );
575 public function getInt( $name, $default = 0 ) {
576 return intval( $this->
getRawVal( $name, $default ) );
589 return is_numeric( $val )
604 public function getFloat( $name, $default = 0.0 ) {
605 return floatval( $this->
getRawVal( $name, $default ) );
617 public function getBool( $name, $default =
false ) {
618 return (
bool)$this->
getRawVal( $name, $default );
631 return $this->
getBool( $name, $default )
632 && strcasecmp( $this->
getRawVal( $name ),
'false' ) !== 0;
644 # Checkboxes and buttons are only present when clicked 645 # Presence connotes truth, absence false 646 return $this->
getRawVal( $name, null ) !== null;
659 public function getText( $name, $default =
'' ) {
660 $val = $this->
getVal( $name, $default );
661 return str_replace(
"\r\n",
"\n", $val );
672 $names = func_get_args();
673 if ( count( $names ) == 0 ) {
674 $names = array_keys( $this->data );
678 foreach ( $names as $name ) {
679 $value = $this->
getGPCVal( $this->data, $name, null );
680 if ( !is_null( $value ) ) {
681 $retVal[$name] = $value;
694 return array_diff( array_keys( $this->
getValues() ), $exclude );
741 return $_SERVER[
'QUERY_STRING'];
765 static $input = null;
766 if ( $input === null ) {
767 $input = file_get_contents(
'php://input' );
778 return $_SERVER[
'REQUEST_METHOD'] ??
'GET';
805 if ( $this->sessionId !== null ) {
806 $session = SessionManager::singleton()->getSessionById( (
string)$this->sessionId,
true, $this );
812 $session = SessionManager::singleton()->getSessionForRequest( $this );
813 $this->sessionId = $session->getSessionId();
845 public function getCookie( $key, $prefix = null, $default = null ) {
846 if ( $prefix === null ) {
850 return $this->
getGPCVal( $_COOKIE, $prefix . $key, $default );
863 if ( isset( $_SERVER[
'REQUEST_URI'] ) && strlen( $_SERVER[
'REQUEST_URI'] ) ) {
864 $base = $_SERVER[
'REQUEST_URI'];
865 } elseif ( isset( $_SERVER[
'HTTP_X_ORIGINAL_URL'] )
866 && strlen( $_SERVER[
'HTTP_X_ORIGINAL_URL'] )
869 $base = $_SERVER[
'HTTP_X_ORIGINAL_URL'];
870 } elseif ( isset( $_SERVER[
'SCRIPT_NAME'] ) ) {
871 $base = $_SERVER[
'SCRIPT_NAME'];
872 if ( isset( $_SERVER[
'QUERY_STRING'] ) && $_SERVER[
'QUERY_STRING'] !=
'' ) {
873 $base .=
'?' . $_SERVER[
'QUERY_STRING'];
877 throw new MWException(
"Web server doesn't provide either " .
878 "REQUEST_URI, HTTP_X_ORIGINAL_URL or SCRIPT_NAME. Report details " .
879 "of your web server configuration to https://phabricator.wikimedia.org/" );
885 $hash = strpos(
$base,
'#' );
886 if ( $hash !==
false ) {
890 if (
$base[0] ==
'/' ) {
892 return preg_replace(
'!^/+!',
'/',
$base );
895 return preg_replace(
'!^[^:]+://[^/]+/+!',
'/',
$base );
907 return self::getGlobalRequestURL();
948 unset( $newquery[
'title'] );
949 $newquery = array_merge( $newquery, $array );
966 $limit = $this->
getInt(
'limit', 0 );
970 if ( ( $limit == 0 ) && ( $optionname !=
'' ) ) {
971 $limit = $wgUser->getIntOption( $optionname );
976 if ( $limit > 5000 ) {
977 $limit = 5000; # We have *some* limits...
980 $offset = $this->
getInt(
'offset', 0 );
985 return [ $limit, $offset ];
996 return $file->getTempName();
1007 return $file->getError();
1023 return $file->getName();
1044 if ( !is_object( $this->
response ) ) {
1045 $class = ( $this instanceof
FauxRequest ) ? FauxResponse::class : WebResponse::class;
1055 if ( count( $this->headers ) ) {
1059 $apacheHeaders = function_exists(
'apache_request_headers' ) ? apache_request_headers() :
false;
1060 if ( $apacheHeaders ) {
1061 foreach ( $apacheHeaders as $tempName => $tempValue ) {
1062 $this->headers[strtoupper( $tempName )] = $tempValue;
1065 foreach ( $_SERVER as $name => $value ) {
1066 if ( substr( $name, 0, 5 ) ===
'HTTP_' ) {
1067 $name = str_replace(
'_',
'-', substr( $name, 5 ) );
1068 $this->headers[$name] = $value;
1069 } elseif ( $name ===
'CONTENT_LENGTH' ) {
1070 $this->headers[
'CONTENT-LENGTH'] = $value;
1100 $name = strtoupper( $name );
1101 if ( !isset( $this->headers[$name] ) ) {
1104 $value = $this->headers[$name];
1105 if ( $flags & self::GETHEADER_LIST ) {
1106 $value = array_map(
'trim', explode(
',', $value ) );
1144 $extWhitelist[] =
'php';
1149 if ( $newUrl !==
false ) {
1155 'Invalid file extension found in the path info or query string.' );
1168 header(
'Location: ' . $url );
1169 header(
'Content-Type: text/html' );
1170 $encUrl = htmlspecialchars( $url );
1175 <title>Security redirect</title>
1178 <h1>Security redirect</h1>
1180 We can
't serve non-HTML content from the URL you have requested, because 1181 Internet Explorer would interpret it as an incorrect and potentially dangerous 1183 <p>Instead, please use <a href="$encUrl">this URL</a>, which is the same as the 1184 URL you have requested, except that "&*" is appended. This prevents Internet 1185 Explorer from seeing a bogus file extension. 1203 public function getAcceptLang() { 1204 // Modified version of code found at 1205 // http://www.thefutureoftheweb.com/blog/use-accept-language-header 1206 $acceptLang = $this->getHeader( 'Accept-
Language' ); 1207 if ( !$acceptLang ) { 1211 // Return the language codes in lower case 1212 $acceptLang = strtolower( $acceptLang ); 1214 // Break up string into pieces (languages and q factors) 1217 '/([a-z]{1,8}(-[a-z]{1,8})*|\*)\s*(;\s*q\s*=\s*(1(\.0{0,3})?|0(\.[0-9]{0,3})?)?)?/
', 1222 if ( !count( $lang_parse[1] ) ) { 1226 $langcodes = $lang_parse[1]; 1227 $qvalues = $lang_parse[4]; 1228 $indices = range( 0, count( $lang_parse[1] ) - 1 ); 1230 // Set default q factor to 1 1231 foreach ( $indices as $index ) { 1232 if ( $qvalues[$index] === '' ) { 1233 $qvalues[$index] = 1; 1234 } elseif ( $qvalues[$index] == 0 ) { 1235 unset( $langcodes[$index], $qvalues[$index], $indices[$index] ); 1239 // Sort list. First by $qvalues, then by order. Reorder $langcodes the same way 1240 array_multisort( $qvalues, SORT_DESC, SORT_NUMERIC, $indices, $langcodes ); 1242 // Create a list like "en" => 0.8 1243 $langs = array_combine( $langcodes, $qvalues ); 1256 protected function getRawIP() { 1257 if ( !isset( $_SERVER['REMOTE_ADDR
'] ) ) { 1261 if ( is_array( $_SERVER['REMOTE_ADDR
'] ) || strpos( $_SERVER['REMOTE_ADDR
'], ',
' ) !== false ) { 1262 throw new MWException( __METHOD__ 1263 . " : Could not determine the remote IP address due to multiple values." ); 1265 $ipchain = $_SERVER['REMOTE_ADDR
']; 1268 return IP::canonicalize( $ipchain ); 1280 public function getIP() { 1281 global $wgUsePrivateIPs; 1283 # Return cached result 1284 if ( $this->ip !== null ) { 1288 # collect the originating ips 1289 $ip = $this->getRawIP(); 1291 throw new MWException( 'Unable to determine
IP.
' ); 1295 $forwardedFor = $this->getHeader( 'X-Forwarded-For
' ); 1296 if ( $forwardedFor !== false ) { 1297 $proxyLookup = MediaWikiServices::getInstance()->getProxyLookup(); 1298 $isConfigured = $proxyLookup->isConfiguredProxy( $ip ); 1299 $ipchain = array_map( 'trim
', explode( ',
', $forwardedFor ) ); 1300 $ipchain = array_reverse( $ipchain ); 1301 array_unshift( $ipchain, $ip ); 1303 # Step through XFF list and find the last address in the list which is a 1304 # trusted server. Set $ip to the IP address given by that trusted server, 1305 # unless the address is not sensible (e.g. private). However, prefer private 1306 # IP addresses over proxy servers controlled by this site (more sensible). 1307 # Note that some XFF values might be "unknown" with Squid/Varnish. 1308 foreach ( $ipchain as $i => $curIP ) { 1309 $curIP = IP::sanitizeIP( IP::canonicalize( $curIP ) ); 1310 if ( !$curIP || !isset( $ipchain[$i + 1] ) || $ipchain[$i + 1] === 'unknown
' 1311 || !$proxyLookup->isTrustedProxy( $curIP ) 1313 break; // IP is not valid/trusted or does not point to anything 1316 IP::isPublic( $ipchain[$i + 1] ) || 1318 $proxyLookup->isConfiguredProxy( $curIP ) // T50919; treat IP as sane 1320 // Follow the next IP according to the proxy 1321 $nextIP = IP::canonicalize( $ipchain[$i + 1] ); 1322 if ( !$nextIP && $isConfigured ) { 1323 // We have not yet made it past CDN/proxy servers of this site, 1324 // so either they are misconfigured or there is some IP spoofing. 1325 throw new MWException( "Invalid IP given in XFF '$forwardedFor
'." ); 1328 // keep traversing the chain 1335 # Allow extensions to improve our guess 1336 Hooks::run( 'GetIP
', [ &$ip ] ); 1339 throw new MWException( "Unable to determine IP." ); 1342 wfDebug( "IP: $ip\n" ); 1352 public function setIP( $ip ) { 1368 public function hasSafeMethod() { 1369 if ( !isset( $_SERVER['REQUEST_METHOD
'] ) ) { 1370 return false; // CLI mode 1373 return in_array( $_SERVER['REQUEST_METHOD
'], [ 'GET
', 'HEAD
', 'OPTIONS
', 'TRACE
' ] ); 1394 public function isSafeRequest() { 1395 if ( $this->markedAsSafe && $this->wasPosted() ) { 1396 return true; // marked as a "safe" POST 1399 return $this->hasSafeMethod(); 1412 public function markAsSafeRequest() { 1413 $this->markedAsSafe = true; getRawVal( $name, $default=null)
Fetch a scalar from the input without normalization, or return $default if it's not set...
checkUrlExtension( $extWhitelist=[])
Check if Internet Explorer will detect an incorrect cache extension in PATH_INFO or QUERY_STRING...
if(PHP_SAPI !='cli-server') if(!isset( $_SERVER['SCRIPT_FILENAME'])) $file
Item class for a filearchive table row.
getPostValues()
Get the values passed via POST.
float $requestTime
The timestamp of the start of the request, with microsecond precision.
getInt( $name, $default=0)
Fetch an integer value from the input or return $default if not set.
getRawPostString()
Return the contents of the POST with no decoding.
$wgScript
The URL path to index.php.
static getRequestId()
Get the unique request ID.
getHeader( $name, $flags=0)
Get a request header, or false if it isn't set.
setSessionData( $key, $data)
Set session data.
getFullRequestURL()
Return the request URI with the canonical service and hostname, path, and query string.
getVal( $name, $default=null)
Fetch a scalar from the input or return $default if it's not set.
$wgCookiePrefix
Cookies generated by MediaWiki have names starting with this prefix.
setVal( $key, $value)
Set an arbitrary value into our get/post data.
response()
Return a handle to WebResponse style object, for setting cookies, headers and other stuff...
unsetVal( $key)
Unset an arbitrary value from our get/post data.
string $protocol
Cached URL protocol.
static combineHostAndPort( $host, $port, $defaultPort=false)
Given a host name and a port, combine them into host/port string like you might find in a URL...
$wgAllowExternalReqID
Whether to respect/honour the request ID provided by the incoming request via the X-Request-Id header...
getFileName( $key)
Return the original filename of the uploaded file, as reported by the submitting user agent...
const GETHEADER_LIST
Flag to make WebRequest::getHeader return an array of values.
getSession()
Return the session for this request.
getFloat( $name, $default=0.0)
Fetch a floating point value from the input or return $default if not set.
wfGetServerUrl( $proto)
Get the wiki's "server", i.e.
initHeaders()
Initialise the header list.
string $ip
Cached client IP address.
normalizeUnicode( $data)
Recursively normalizes UTF-8 strings in the given array.
getBool( $name, $default=false)
Fetch a boolean value from the input or return $default if not set.
getCheck( $name)
Return true if the named value is set in the input, whatever that value is (even "0").
wfArrayToCgi( $array1, $array2=null, $prefix='')
This function takes one or two arrays as input, and returns a CGI-style string, e.g.
Show an error that looks like an HTTP server error.
getAllHeaders()
Get an array containing all request headers.
static extractTitle( $path, $bases, $key=false)
URL rewriting function; tries to extract page title and, optionally, one other fixed parameter value ...
static detectServer()
Work out an appropriate URL prefix containing scheme and host, based on information detected from $_S...
getLimitOffset( $deflimit=50, $optionname='rclimit')
Check for limit and offset parameters on the input, and return sensible defaults if not given...
static getMain()
Get the RequestContext object associated with the main request.
getSessionData( $key)
Get data from the session.
getProtocol()
Get the current URL protocol (http or https)
wfRandomString( $length=32)
Get a random string containing a number of pseudo-random hex characters.
wasPosted()
Returns true if the present request was reached by a POST operation, false otherwise (GET...
getRequestURL()
Return the path and query string portion of the request URI.
getQueryValues()
Get the values passed in the query string and the path router parameters.
static getActionPaths(array $actionPaths, $articlePath)
array $queryAndPathParams
The parameters from $_GET.
appendQueryArray( $array)
Appends or replaces value of query variables.
array $headers
Lazy-initialized request headers indexed by upper-case header name.
static areServerVarsBad( $vars, $extWhitelist=[])
Check a subset of $_SERVER (or the whole of $_SERVER if you like) to see if it indicates that the req...
$wgUsePathInfo
Whether to support URLs like index.php/Page_title These often break when PHP is set up in CGI mode...
bool $wgAssumeProxiesUseDefaultProtocolPorts
When the wiki is running behind a proxy and this is set to true, assumes that the proxy exposes the w...
static splitHostAndPort( $both)
Given a host/port string, like one might find in the host part of a URL per RFC 2732, split the hostname part and the port part and return an array with an element for each.
getFuzzyBool( $name, $default=false)
Fetch a boolean value from the input or return $default if not set.
doSecurityRedirect( $url)
Attempt to redirect to a URL with a QUERY_STRING that's not dangerous in IE 6.
static detectProtocol()
Detect the protocol from $_SERVER.
getGPCVal( $arr, $name, $default)
Fetch a value from the given array or return $default if it's not set.
getSessionId()
Get the session id for this request, if any.
getUpload( $key)
Return a WebRequestUpload object corresponding to the key.
getValues()
Extracts the given named values into an array.
setSessionId(SessionId $sessionId)
Set the session for this request.
WebResponse $response
Lazy-init response object.
static fixUrlForIE6( $url, $extWhitelist=[])
Returns a variant of $url which will pass isUrlExtensionBad() but has the same GET parameters...
SessionId null $sessionId
Session ID to use for this request.
static getGlobalRequestURL()
Return the path and query string portion of the main request URI.
array $data
The parameters from $_GET, $_POST and the path router.
getText( $name, $default='')
Fetch a text string from the given array or return $default if it's not set.
getValueNames( $exclude=[])
Returns the names of all input values excluding those in $exclude.
getMethod()
Get the HTTP method used for this request.
static overrideRequestId( $id)
Override the unique request ID.
$queryParams
The parameters from $_GET only.
getRawInput()
Return the raw request body, with no processing.
interpolateTitle()
Check for title, action, and/or variant data in the URL and interpolate it into the GET variables...
getArray( $name, $default=null)
Fetch an array from the input or return $default if it's not set.
getQueryValuesOnly()
Get the values passed in the query string only, not including the path router parameters.
getIntOrNull( $name)
Fetch an integer value from the input or return null if empty.
getCookie( $key, $prefix=null, $default=null)
Get a cookie from the $_COOKIE jar.
static string $reqId
The unique request ID.
getUploadError( $key)
Return the upload error or 0.
static getPathInfo( $want='all')
Extract relevant query arguments from the http request uri's path to be merged with the normal php pr...
getIntArray( $name, $default=null)
Fetch an array of integers, or return $default if it's not set.
getElapsedTime()
Get the number of seconds to have elapsed since request start, in fractional seconds, with microsecond resolution.
add( $path, $params=[], $options=[])
Add a new path pattern to the path router.
$wgVariantArticlePath
Like $wgArticlePath, but on multi-variant wikis, this provides a path format that describes which par...
Object to access the $_FILES array.
static run( $event, array $args=[], $deprecatedVersion=null)
Call hook functions defined in Hooks::register and $wgHooks.
getRawQueryString()
Return the contents of the Query with no decoding.
getFileTempname( $key)
Return the path to the temporary file where PHP has stored the upload.
appendQueryValue( $key, $value)
1.8.13