MediaWiki master
Public Member Functions | Public Attributes | List of all members
MediaWiki\Upload\UploadVerification Class Reference
Upload related

Service to verify file uploads are safe. More...

Public Member Functions

 __construct (ServiceOptions $config, MimeAnalyzer $mimeAnalyzer, SVGCSSChecker $SVGCSSChecker)
 
 detectScript ( $file, $mime, $extension)
 Heuristic for detecting files that could contain JavaScript instructions or things that may look like HTML to a browser and are thus potentially harmful.
 
 detectVirus ( $file)
 Generic wrapper function for a virus scanner program.
 
 verifyExtension ( $mime, $extension)
 Checks if the MIME type of the uploaded file matches the file extension.
 
 verifyFile (string $path, string $ext, array $fileProps)
 Verifies that the upload file is safe.
 
 verifyPartialFile (string $path, string $ext, array $fileProps)
 A verification routine suitable for partial files.
 

Public Attributes

const CONSTRUCTOR_OPTIONS
 

Detailed Description

Service to verify file uploads are safe.

This is responsible for checks on the file contents themselves. It is not responsible for on wiki checks like if the user has permission or if the upload target is protected.

Author
Brian Wolff
Since
1.45

Definition at line 34 of file UploadVerification.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Upload\UploadVerification::__construct ( ServiceOptions $config,
MimeAnalyzer $mimeAnalyzer,
SVGCSSChecker $SVGCSSChecker )
Parameters
ServiceOptions$config
MimeAnalyzer$mimeAnalyzer

Definition at line 71 of file UploadVerification.php.

References MediaWiki\Config\ServiceOptions\assertRequiredOptions().

Member Function Documentation

◆ detectScript()

MediaWiki\Upload\UploadVerification::detectScript ( $file,
$mime,
$extension )

Heuristic for detecting files that could contain JavaScript instructions or things that may look like HTML to a browser and are thus potentially harmful.

The present implementation will produce false positives in some situations.

Access: internal
This is public for back-compat. Some extensions call this, however this is probably not the method they want. Instead they should call verifyFile(). Calling this outside this class should be considered deprecated and the method may become private in the future.
Parameters
string | null$filePathname to the temporary upload file
string$mimeThe MIME type of the file
string | null$extensionThe extension of the file
Returns
bool True if the file contains something looking like embedded scripts

Definition at line 281 of file UploadVerification.php.

References wfDebug().

Referenced by MediaWiki\Upload\UploadVerification\verifyPartialFile().

◆ detectVirus()

MediaWiki\Upload\UploadVerification::detectVirus ( $file)

Generic wrapper function for a virus scanner program.

This relies on the $wgAntivirus and $wgAntivirusSetup variables. $wgAntivirusRequired may be used to deny upload if the scan fails.

Note
In most cases, external callers would call verifyFile() to run all tests, instead of just doing a virus scan.
Parameters
string$filePathname to the temporary upload file
Returns
bool|null|string False if not virus is found, null if the scan fails or is disabled, or a string containing feedback from the virus scanner if a virus was found. If textual feedback is missing but a virus was found, this function returns true.

Definition at line 890 of file UploadVerification.php.

References MediaWiki\MainConfigNames\Antivirus, MediaWiki\MainConfigNames\AntivirusRequired, MediaWiki\MainConfigNames\AntivirusSetup, AV_NO_VIRUS, AV_SCAN_ABORTED, AV_SCAN_FAILED, wfDebug(), wfMessage(), and wfShellExecWithStderr().

Referenced by MediaWiki\Upload\UploadBase\detectVirus(), and MediaWiki\Upload\UploadVerification\verifyPartialFile().

◆ verifyExtension()

MediaWiki\Upload\UploadVerification::verifyExtension ( $mime,
$extension )

Checks if the MIME type of the uploaded file matches the file extension.

Access: internal
Will become private once UploadBase::verifyExtension is removed
Parameters
string$mimeThe MIME type of the uploaded file
string$extensionThe filename extension that the file is to be served with
Returns
bool

Definition at line 224 of file UploadVerification.php.

References wfDebug().

Referenced by MediaWiki\Upload\UploadVerification\verifyFile().

◆ verifyFile()

MediaWiki\Upload\UploadVerification::verifyFile ( string $path,
string $ext,
array $fileProps )

Verifies that the upload file is safe.

Note
This verifies the contents of the file. It is not responsible for verifying if the file has a valid name, is too big, meets on wiki permission checks, etc. If you are implementing your own upload support, see UploadBase::verifyUpload for other neccessary checks.
Parameters
string$pathPath to the (temporary) file to check
string$extFinal extension of file (UploadBase->mFinalExtension)
array$filePropsResult of $mwProps->getPropsFromPath. FIXME final ext can sometimes be null, but should we require casting to string?
Returns
array|true True of the file is verified, array otherwise.

Definition at line 119 of file UploadVerification.php.

References $path, MediaWiki\MainConfigNames\DisableUploadScriptChecks, MediaWiki\Config\ServiceOptions\get(), MediaWiki\Upload\UploadVerification\verifyExtension(), MediaWiki\MainConfigNames\VerifyMimeType, MediaWiki\Upload\UploadVerification\verifyPartialFile(), and wfDebug().

◆ verifyPartialFile()

MediaWiki\Upload\UploadVerification::verifyPartialFile ( string $path,
string $ext,
array $fileProps )

A verification routine suitable for partial files.

Runs the deny list checks, but not any checks that may assume the entire file is present.

fileProps can be very expensive to calculate, so the calling class is responsible for caching it.

Parameters
string$pathPath to the (temporary) file to check
string$extFinal extension of file (UploadBase->mFinalExtension)
array$filePropsResult of $mwProps->getPropsFromPath
Returns
array|true True, if the file is valid, else an array with error message key.

Definition at line 183 of file UploadVerification.php.

References $path, MediaWiki\Upload\UploadVerification\detectScript(), MediaWiki\Upload\UploadVerification\detectVirus(), MediaWiki\MainConfigNames\DisableUploadScriptChecks, and MediaWiki\Config\ServiceOptions\get().

Referenced by MediaWiki\Upload\UploadVerification\verifyFile().

Member Data Documentation

◆ CONSTRUCTOR_OPTIONS

const MediaWiki\Upload\UploadVerification::CONSTRUCTOR_OPTIONS
Initial value:
= [
MainConfigNames::VerifyMimeType,
MainConfigNames::MimeTypeExclusions,
MainConfigNames::DisableUploadScriptChecks,
MainConfigNames::Antivirus,
MainConfigNames::AntivirusSetup,
MainConfigNames::AntivirusRequired
]
MediaWiki\MainConfigNames\MimeTypeExclusions
const MimeTypeExclusions
Name constant for the MimeTypeExclusions setting, for use with Config::get()
Definition MainConfigNames.php:492
MediaWiki\MainConfigNames\AntivirusSetup
const AntivirusSetup
Name constant for the AntivirusSetup setting, for use with Config::get()
Definition MainConfigNames.php:732
MediaWiki\MainConfigNames\VerifyMimeType
const VerifyMimeType
Name constant for the VerifyMimeType setting, for use with Config::get()
Definition MainConfigNames.php:744
MediaWiki\MainConfigNames\DisableUploadScriptChecks
const DisableUploadScriptChecks
Name constant for the DisableUploadScriptChecks setting, for use with Config::get()
Definition MainConfigNames.php:510
MediaWiki\MainConfigNames\Antivirus
const Antivirus
Name constant for the Antivirus setting, for use with Config::get()
Definition MainConfigNames.php:726
MediaWiki\MainConfigNames\AntivirusRequired
const AntivirusRequired
Name constant for the AntivirusRequired setting, for use with Config::get()
Definition MainConfigNames.php:738

Definition at line 54 of file UploadVerification.php.

The documentation for this class was generated from the following file: