WebRequest.php

Go to the documentation of this file.

<?php
use MediaWiki\MediaWikiServices;
use MediaWiki\Session\Session;
use MediaWiki\Session\SessionId;
use MediaWiki\Session\SessionManager;
use Wikimedia\IPUtils;
 
// The point of this class is to be a wrapper around super globals
// phpcs:disable MediaWiki.Usage.SuperGlobalsUsage.SuperGlobals
 
class WebRequest {
    protected $data;
 
    protected $queryAndPathParams;
 
    protected $queryParams;
 
    protected $headers = [];
 
    public const GETHEADER_LIST = 1;
 
    private static $reqId;
 
    private $response;
 
    private $ip;
 
    protected $requestTime;
 
    protected $protocol;
 
    protected $sessionId = null;
 
    protected $markedAsSafe = false;
 
    public function __construct() {
        $this->requestTime = $_SERVER['REQUEST_TIME_FLOAT'];
 
        // POST overrides GET data
        // We don't use $_REQUEST here to avoid interference from cookies...
        $this->data = $_POST + $_GET;
 
        $this->queryAndPathParams = $this->queryParams = $_GET;
    }
 
    protected static function getPathInfo( $want = 'all' ) {
        // PATH_INFO is mangled due to https://bugs.php.net/bug.php?id=31892
        // And also by Apache 2.x, double slashes are converted to single slashes.
        // So we will use REQUEST_URI if possible.
        if ( isset( $_SERVER['REQUEST_URI'] ) ) {
            // Slurp out the path portion to examine...
            $url = $_SERVER['REQUEST_URI'];
            if ( !preg_match( '!^https?://!', $url ) ) {
                $url = 'http://unused' . $url;
            }
            $a = parse_url( $url );
            if ( !$a ) {
                return [];
            }
            $path = $a['path'] ?? '';
 
            global $wgScript;
            if ( $path == $wgScript && $want !== 'all' ) {
                // Script inside a rewrite path?
                // Abort to keep from breaking...
                return [];
            }
 
            $router = new PathRouter;
 
            // Raw PATH_INFO style
            $router->add( "$wgScript/$1" );
 
            global $wgArticlePath;
            if ( $wgArticlePath ) {
                $router->validateRoute( $wgArticlePath, 'wgArticlePath' );
                $router->add( $wgArticlePath );
            }
 
            global $wgActionPaths;
            $articlePaths = PathRouter::getActionPaths( $wgActionPaths, $wgArticlePath );
            if ( $articlePaths ) {
                $router->add( $articlePaths, [ 'action' => '$key' ] );
            }
 
            global $wgVariantArticlePath;
            if ( $wgVariantArticlePath ) {
                $router->validateRoute( $wgVariantArticlePath, 'wgVariantArticlePath' );
                $router->add( $wgVariantArticlePath,
                    [ 'variant' => '$2' ],
                    [ '$2' => MediaWikiServices::getInstance()->getContentLanguage()->
                    getVariants() ]
                );
            }
 
            Hooks::runner()->onWebRequestPathInfoRouter( $router );
 
            $matches = $router->parse( $path );
        } else {
            global $wgUsePathInfo;
            $matches = [];
            if ( $wgUsePathInfo ) {
                if ( !empty( $_SERVER['ORIG_PATH_INFO'] ) ) {
                    // Mangled PATH_INFO
                    // https://bugs.php.net/bug.php?id=31892
                    // Also reported when ini_get('cgi.fix_pathinfo')==false
                    $matches['title'] = substr( $_SERVER['ORIG_PATH_INFO'], 1 );
                } elseif ( !empty( $_SERVER['PATH_INFO'] ) ) {
                    // Regular old PATH_INFO yay
                    $matches['title'] = substr( $_SERVER['PATH_INFO'], 1 );
                }
            }
        }
 
        return $matches;
    }
 
    public static function getRequestPathSuffix( $basePath ) {
        $basePath = rtrim( $basePath, '/' ) . '/';
        $requestUrl = self::getGlobalRequestURL();
        $qpos = strpos( $requestUrl, '?' );
        if ( $qpos !== false ) {
            $requestPath = substr( $requestUrl, 0, $qpos );
        } else {
            $requestPath = $requestUrl;
        }
        if ( substr( $requestPath, 0, strlen( $basePath ) ) !== $basePath ) {
            return false;
        }
        return rawurldecode( substr( $requestPath, strlen( $basePath ) ) );
    }
 
    public static function detectServer() {
        global $wgAssumeProxiesUseDefaultProtocolPorts;
 
        $proto = self::detectProtocol();
        $stdPort = $proto === 'https' ? 443 : 80;
 
        $varNames = [ 'HTTP_HOST', 'SERVER_NAME', 'HOSTNAME', 'SERVER_ADDR' ];
        $host = 'localhost';
        $port = $stdPort;
        foreach ( $varNames as $varName ) {
            if ( !isset( $_SERVER[$varName] ) ) {
                continue;
            }
 
            $parts = IPUtils::splitHostAndPort( $_SERVER[$varName] );
            if ( !$parts ) {
                // Invalid, do not use
                continue;
            }
 
            $host = $parts[0];
            if ( $wgAssumeProxiesUseDefaultProtocolPorts && isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
                // T72021: Assume that upstream proxy is running on the default
                // port based on the protocol. We have no reliable way to determine
                // the actual port in use upstream.
                $port = $stdPort;
            } elseif ( $parts[1] === false ) {
                if ( isset( $_SERVER['SERVER_PORT'] ) ) {
                    $port = $_SERVER['SERVER_PORT'];
                } // else leave it as $stdPort
            } else {
                $port = $parts[1];
            }
            break;
        }
 
        return $proto . '://' . IPUtils::combineHostAndPort( $host, $port, $stdPort );
    }
 
    public static function detectProtocol() {
        if ( ( !empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' ) ||
            ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) &&
            $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) ) {
            return 'https';
        } else {
            return 'http';
        }
    }
 
    public function getElapsedTime() {
        return microtime( true ) - $this->requestTime;
    }
 
    public static function getRequestId() {
        // This method is called from various error handlers and MUST be kept simple and stateless.
        if ( !self::$reqId ) {
            global $wgAllowExternalReqID;
            if ( $wgAllowExternalReqID ) {
                $id = $_SERVER['HTTP_X_REQUEST_ID'] ?? $_SERVER['UNIQUE_ID'] ?? wfRandomString( 24 );
            } else {
                $id = $_SERVER['UNIQUE_ID'] ?? wfRandomString( 24 );
            }
            self::$reqId = $id;
        }
 
        return self::$reqId;
    }
 
    public static function overrideRequestId( $id ) {
        self::$reqId = $id;
    }
 
    public function getProtocol() {
        if ( $this->protocol === null ) {
            $this->protocol = self::detectProtocol();
        }
        return $this->protocol;
    }
 
    public function interpolateTitle() {
        $matches = self::getPathInfo( 'title' );
        foreach ( $matches as $key => $val ) {
            $this->data[$key] = $this->queryAndPathParams[$key] = $val;
        }
    }
 
    public static function extractTitle( $path, $bases, $key = false ) {
        foreach ( (array)$bases as $keyValue => $base ) {
            // Find the part after $wgArticlePath
            $base = str_replace( '$1', '', $base );
            $baseLen = strlen( $base );
            if ( substr( $path, 0, $baseLen ) == $base ) {
                $raw = substr( $path, $baseLen );
                if ( $raw !== '' ) {
                    $matches = [ 'title' => rawurldecode( $raw ) ];
                    if ( $key ) {
                        $matches[$key] = $keyValue;
                    }
                    return $matches;
                }
            }
        }
        return [];
    }
 
    public function normalizeUnicode( $data ) {
        if ( is_array( $data ) ) {
            foreach ( $data as $key => $val ) {
                $data[$key] = $this->normalizeUnicode( $val );
            }
        } else {
            $contLang = MediaWikiServices::getInstance()->getContentLanguage();
            $data = $contLang->normalize( $data );
        }
        return $data;
    }
 
    private function getGPCVal( $arr, $name, $default ) {
        # PHP is so nice to not touch input data, except sometimes:
        # https://www.php.net/variables.external#language.variables.external.dot-in-names
        # Work around PHP *feature* to avoid *bugs* elsewhere.
        $name = strtr( $name, '.', '_' );
 
        if ( !isset( $arr[$name] ) ) {
            return $default;
        }
 
        $data = $arr[$name];
        # Optimisation: Skip UTF-8 normalization and legacy transcoding for simple ASCII strings.
        $isAsciiStr = ( is_string( $data ) && preg_match( '/[^\x20-\x7E]/', $data ) === 0 );
        if ( !$isAsciiStr ) {
            if ( isset( $_GET[$name] ) && is_string( $data ) ) {
                # Check for alternate/legacy character encoding.
                $data = MediaWikiServices::getInstance()
                    ->getContentLanguage()
                    ->checkTitleEncoding( $data );
            }
            $data = $this->normalizeUnicode( $data );
        }
 
        return $data;
    }
 
    public function getRawVal( $name, $default = null ) {
        $name = strtr( $name, '.', '_' ); // See comment in self::getGPCVal()
        if ( isset( $this->data[$name] ) && !is_array( $this->data[$name] ) ) {
            $val = $this->data[$name];
        } else {
            $val = $default;
        }
        if ( $val === null ) {
            return $val;
        } else {
            return (string)$val;
        }
    }
 
    public function getVal( $name, $default = null ) {
        $val = $this->getGPCVal( $this->data, $name, $default );
        if ( is_array( $val ) ) {
            $val = $default;
        }
        if ( $val === null ) {
            return $val;
        } else {
            return (string)$val;
        }
    }
 
    public function setVal( $key, $value ) {
        $ret = $this->data[$key] ?? null;
        $this->data[$key] = $value;
        return $ret;
    }
 
    public function unsetVal( $key ) {
        if ( !isset( $this->data[$key] ) ) {
            $ret = null;
        } else {
            $ret = $this->data[$key];
            unset( $this->data[$key] );
        }
        return $ret;
    }
 
    public function getArray( $name, $default = null ) {
        $val = $this->getGPCVal( $this->data, $name, $default );
        if ( $val === null ) {
            return null;
        } else {
            return (array)$val;
        }
    }
 
    public function getIntArray( $name, $default = null ) {
        $val = $this->getArray( $name, $default );
        if ( is_array( $val ) ) {
            $val = array_map( 'intval', $val );
        }
        return $val;
    }
 
    public function getInt( $name, $default = 0 ) {
        return intval( $this->getRawVal( $name, $default ) );
    }
 
    public function getIntOrNull( $name ) {
        $val = $this->getRawVal( $name );
        return is_numeric( $val )
            ? intval( $val )
            : null;
    }
 
    public function getFloat( $name, $default = 0.0 ) {
        return floatval( $this->getRawVal( $name, $default ) );
    }
 
    public function getBool( $name, $default = false ) {
        return (bool)$this->getRawVal( $name, $default );
    }
 
    public function getFuzzyBool( $name, $default = false ) {
        return $this->getBool( $name, $default )
            && strcasecmp( $this->getRawVal( $name ), 'false' ) !== 0;
    }
 
    public function getCheck( $name ) {
        # Checkboxes and buttons are only present when clicked
        # Presence connotes truth, absence false
        return $this->getRawVal( $name, null ) !== null;
    }
 
    public function getText( $name, $default = '' ) {
        $val = $this->getVal( $name, $default );
        return str_replace( "\r\n", "\n", $val );
    }
 
    public function getValues( ...$names ) {
        if ( $names === [] ) {
            $names = array_keys( $this->data );
        }
 
        $retVal = [];
        foreach ( $names as $name ) {
            $value = $this->getGPCVal( $this->data, $name, null );
            if ( $value !== null ) {
                $retVal[$name] = $value;
            }
        }
        return $retVal;
    }
 
    public function getValueNames( $exclude = [] ) {
        return array_diff( array_keys( $this->getValues() ), $exclude );
    }
 
    public function getQueryValues() {
        return $this->queryAndPathParams;
    }
 
    public function getQueryValuesOnly() {
        return $this->queryParams;
    }
 
    public function getPostValues() {
        return $_POST;
    }
 
    public function getRawQueryString() {
        return $_SERVER['QUERY_STRING'];
    }
 
    public function getRawPostString() {
        if ( !$this->wasPosted() ) {
            return '';
        }
        return $this->getRawInput();
    }
 
    public function getRawInput() {
        static $input = null;
        if ( $input === null ) {
            $input = file_get_contents( 'php://input' );
        }
        return $input;
    }
 
    public function getMethod() {
        return $_SERVER['REQUEST_METHOD'] ?? 'GET';
    }
 
    public function wasPosted() {
        return $this->getMethod() == 'POST';
    }
 
    public function getSession() {
        if ( $this->sessionId !== null ) {
            $session = SessionManager::singleton()->getSessionById( (string)$this->sessionId, true, $this );
            if ( $session ) {
                return $session;
            }
        }
 
        $session = SessionManager::singleton()->getSessionForRequest( $this );
        $this->sessionId = $session->getSessionId();
        return $session;
    }
 
    public function setSessionId( SessionId $sessionId ) {
        $this->sessionId = $sessionId;
    }
 
    public function getSessionId() {
        return $this->sessionId;
    }
 
    public function getCookie( $key, $prefix = null, $default = null ) {
        if ( $prefix === null ) {
            global $wgCookiePrefix;
            $prefix = $wgCookiePrefix;
        }
        $name = $prefix . $key;
        // Work around mangling of $_COOKIE
        $name = strtr( $name, '.', '_' );
        if ( isset( $_COOKIE[$name] ) ) {
            return $_COOKIE[$name];
        } else {
            return $default;
        }
    }
 
    public function getCrossSiteCookie( $key, $prefix = '', $default = null ) {
        global $wgUseSameSiteLegacyCookies;
        $name = $prefix . $key;
        // Work around mangling of $_COOKIE
        $name = strtr( $name, '.', '_' );
        if ( isset( $_COOKIE[$name] ) ) {
            return $_COOKIE[$name];
        }
        if ( $wgUseSameSiteLegacyCookies ) {
            $legacyName = $prefix . "ss0-" . $key;
            $legacyName = strtr( $legacyName, '.', '_' );
            if ( isset( $_COOKIE[$legacyName] ) ) {
                return $_COOKIE[$legacyName];
            }
        }
        return $default;
    }
 
    public static function getGlobalRequestURL() {
        // This method is called on fatal errors; it should not depend on anything complex.
 
        if ( isset( $_SERVER['REQUEST_URI'] ) && strlen( $_SERVER['REQUEST_URI'] ) ) {
            $base = $_SERVER['REQUEST_URI'];
        } elseif ( isset( $_SERVER['HTTP_X_ORIGINAL_URL'] )
            && strlen( $_SERVER['HTTP_X_ORIGINAL_URL'] )
        ) {
            // Probably IIS; doesn't set REQUEST_URI
            $base = $_SERVER['HTTP_X_ORIGINAL_URL'];
        } elseif ( isset( $_SERVER['SCRIPT_NAME'] ) ) {
            $base = $_SERVER['SCRIPT_NAME'];
            if ( isset( $_SERVER['QUERY_STRING'] ) && $_SERVER['QUERY_STRING'] != '' ) {
                $base .= '?' . $_SERVER['QUERY_STRING'];
            }
        } else {
            // This shouldn't happen!
            throw new MWException( "Web server doesn't provide either " .
                "REQUEST_URI, HTTP_X_ORIGINAL_URL or SCRIPT_NAME. Report details " .
                "of your web server configuration to https://phabricator.wikimedia.org/" );
        }
        // User-agents should not send a fragment with the URI, but
        // if they do, and the web server passes it on to us, we
        // need to strip it or we get false-positive redirect loops
        // or weird output URLs
        $hash = strpos( $base, '#' );
        if ( $hash !== false ) {
            $base = substr( $base, 0, $hash );
        }
 
        if ( $base[0] == '/' ) {
            // More than one slash will look like it is protocol relative
            return preg_replace( '!^/+!', '/', $base );
        } else {
            // We may get paths with a host prepended; strip it.
            return preg_replace( '!^[^:]+://[^/]+/+!', '/', $base );
        }
    }
 
    public function getRequestURL() {
        return self::getGlobalRequestURL();
    }
 
    public function getFullRequestURL() {
        // Pass an explicit PROTO constant instead of PROTO_CURRENT so that we
        // do not rely on state from the global $wgRequest object (which it would,
        // via wfGetServerUrl/wfExpandUrl/$wgRequest->protocol).
        if ( $this->getProtocol() === 'http' ) {
            return wfGetServerUrl( PROTO_HTTP ) . $this->getRequestURL();
        } else {
            return wfGetServerUrl( PROTO_HTTPS ) . $this->getRequestURL();
        }
    }
 
    public function appendQueryValue( $key, $value ) {
        return $this->appendQueryArray( [ $key => $value ] );
    }
 
    public function appendQueryArray( $array ) {
        $newquery = $this->getQueryValues();
        unset( $newquery['title'] );
        $newquery = array_merge( $newquery, $array );
 
        return wfArrayToCgi( $newquery );
    }
 
    public function getLimitOffsetForUser( User $user, $deflimit = 50, $optionname = 'rclimit' ) {
        $limit = $this->getInt( 'limit', 0 );
        if ( $limit < 0 ) {
            $limit = 0;
        }
        if ( ( $limit == 0 ) && ( $optionname != '' ) ) {
            $limit = $user->getIntOption( $optionname );
        }
        if ( $limit <= 0 ) {
            $limit = $deflimit;
        }
        if ( $limit > 5000 ) {
            $limit = 5000; # We have *some* limits...
        }
 
        $offset = $this->getInt( 'offset', 0 );
        if ( $offset < 0 ) {
            $offset = 0;
        }
 
        return [ $limit, $offset ];
    }
 
    public function getFileTempname( $key ) {
        return $this->getUpload( $key )->getTempName();
    }
 
    public function getUploadError( $key ) {
        return $this->getUpload( $key )->getError();
    }
 
    public function getFileName( $key ) {
        return $this->getUpload( $key )->getName();
    }
 
    public function getUpload( $key ) {
        return new WebRequestUpload( $this, $key );
    }
 
    public function response() {
        /* Lazy initialization of response object for this request */
        if ( !is_object( $this->response ) ) {
            $class = ( $this instanceof FauxRequest ) ? FauxResponse::class : WebResponse::class;
            $this->response = new $class();
        }
        return $this->response;
    }
 
    protected function initHeaders() {
        if ( count( $this->headers ) ) {
            return;
        }
 
        $this->headers = array_change_key_case( getallheaders(), CASE_UPPER );
    }
 
    public function getAllHeaders() {
        $this->initHeaders();
        return $this->headers;
    }
 
    public function getHeader( $name, $flags = 0 ) {
        $this->initHeaders();
        $name = strtoupper( $name );
        if ( !isset( $this->headers[$name] ) ) {
            return false;
        }
        $value = $this->headers[$name];
        if ( $flags & self::GETHEADER_LIST ) {
            $value = array_map( 'trim', explode( ',', $value ) );
        }
        return $value;
    }
 
    public function getSessionData( $key ) {
        return $this->getSession()->get( $key );
    }
 
    public function setSessionData( $key, $data ) {
        $this->getSession()->set( $key, $data );
    }
 
    public function checkUrlExtension( $extList = [] ) {
        wfDeprecated( __METHOD__, '1.35' );
        return true;
    }
 
    public function getAcceptLang() {
        // Modified version of code found at
        // http://www.thefutureoftheweb.com/blog/use-accept-language-header
        $acceptLang = $this->getHeader( 'Accept-Language' );
        if ( !$acceptLang ) {
            return [];
        }
 
        // Return the language codes in lower case
        $acceptLang = strtolower( $acceptLang );
 
        // Break up string into pieces (languages and q factors)
        if ( !preg_match_all(
            '/
                # a language code or a star is required
                ([a-z]{1,8}(?:-[a-z]{1,8})*|\*)
                # from here everything is optional
                \s*
                (?:
                    # this accepts only numbers in the range ;q=0.000 to ;q=1.000
                    ;\s*q\s*=\s*
                    (1(?:\.0{0,3})?|0(?:\.\d{0,3})?)?
                )?
            /x',
            $acceptLang,
            $matches,
            PREG_SET_ORDER
        ) ) {
            return [];
        }
 
        // Create a list like "en" => 0.8
        $langs = [];
        foreach ( $matches as $match ) {
            $languageCode = $match[1];
            // When not present, the default value is 1
            $qValue = (float)( $match[2] ?? 1.0 );
            if ( $qValue ) {
                $langs[$languageCode] = $qValue;
            }
        }
 
        // Sort list by qValue
        arsort( $langs, SORT_NUMERIC );
        return $langs;
    }
 
    protected function getRawIP() {
        if ( !isset( $_SERVER['REMOTE_ADDR'] ) ) {
            return null;
        }
 
        if ( is_array( $_SERVER['REMOTE_ADDR'] ) || strpos( $_SERVER['REMOTE_ADDR'], ',' ) !== false ) {
            throw new MWException( __METHOD__
                . " : Could not determine the remote IP address due to multiple values." );
        } else {
            $ipchain = $_SERVER['REMOTE_ADDR'];
        }
 
        return IPUtils::canonicalize( $ipchain );
    }
 
    public function getIP() {
        global $wgUsePrivateIPs;
 
        # Return cached result
        if ( $this->ip !== null ) {
            return $this->ip;
        }
 
        # collect the originating ips
        $ip = $this->getRawIP();
        if ( !$ip ) {
            throw new MWException( 'Unable to determine IP.' );
        }
 
        # Append XFF
        $forwardedFor = $this->getHeader( 'X-Forwarded-For' );
        if ( $forwardedFor !== false ) {
            $proxyLookup = MediaWikiServices::getInstance()->getProxyLookup();
            $isConfigured = $proxyLookup->isConfiguredProxy( $ip );
            $ipchain = array_map( 'trim', explode( ',', $forwardedFor ) );
            $ipchain = array_reverse( $ipchain );
            array_unshift( $ipchain, $ip );
 
            # Step through XFF list and find the last address in the list which is a
            # trusted server. Set $ip to the IP address given by that trusted server,
            # unless the address is not sensible (e.g. private). However, prefer private
            # IP addresses over proxy servers controlled by this site (more sensible).
            # Note that some XFF values might be "unknown" with Squid/Varnish.
            foreach ( $ipchain as $i => $curIP ) {
                $curIP = IPUtils::sanitizeIP(
                    IPUtils::canonicalize(
                        self::canonicalizeIPv6LoopbackAddress( $curIP )
                    )
                );
                if ( !$curIP || !isset( $ipchain[$i + 1] ) || $ipchain[$i + 1] === 'unknown'
                    || !$proxyLookup->isTrustedProxy( $curIP )
                ) {
                    break; // IP is not valid/trusted or does not point to anything
                }
                if (
                    IPUtils::isPublic( $ipchain[$i + 1] ) ||
                    $wgUsePrivateIPs ||
                    $proxyLookup->isConfiguredProxy( $curIP ) // T50919; treat IP as sane
                ) {
                    $nextIP = $ipchain[$i + 1];
 
                    // Follow the next IP according to the proxy
                    $nextIP = IPUtils::canonicalize(
                        self::canonicalizeIPv6LoopbackAddress( $nextIP )
                    );
                    if ( !$nextIP && $isConfigured ) {
                        // We have not yet made it past CDN/proxy servers of this site,
                        // so either they are misconfigured or there is some IP spoofing.
                        throw new MWException( "Invalid IP given in XFF '$forwardedFor'." );
                    }
                    $ip = $nextIP;
 
                    // keep traversing the chain
                    continue;
                }
                break;
            }
        }
 
        # Allow extensions to improve our guess
        Hooks::runner()->onGetIP( $ip );
 
        if ( !$ip ) {
            throw new MWException( "Unable to determine IP." );
        }
 
        $this->ip = $ip;
        return $ip;
    }
 
    public static function canonicalizeIPv6LoopbackAddress( $ip ) {
        // Code moved from IPUtils library. See T248237#6614927
        $m = [];
        if ( preg_match( '/^0*' . IPUtils::RE_IPV6_GAP . '1$/', $ip, $m ) ) {
            return '127.0.0.1';
        }
        return $ip;
    }
 
    public function setIP( $ip ) {
        $this->ip = $ip;
    }
 
    public function hasSafeMethod() {
        if ( !isset( $_SERVER['REQUEST_METHOD'] ) ) {
            return false; // CLI mode
        }
 
        return in_array( $_SERVER['REQUEST_METHOD'], [ 'GET', 'HEAD', 'OPTIONS', 'TRACE' ] );
    }
 
    public function isSafeRequest() {
        if ( $this->markedAsSafe && $this->wasPosted() ) {
            return true; // marked as a "safe" POST
        }
 
        return $this->hasSafeMethod();
    }
 
    public function markAsSafeRequest() {
        $this->markedAsSafe = true;
    }
}