summaryrefslogtreecommitdiff
path: root/includes/HttpFunctions.php
diff options
context:
space:
mode:
Diffstat (limited to 'includes/HttpFunctions.php')
-rw-r--r--includes/HttpFunctions.php23
1 files changed, 19 insertions, 4 deletions
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index fa54487a..3dff9711 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -257,7 +257,7 @@ class MWHttpRequest {
$this->parsedUrl = wfParseUrl( $this->url );
if ( !$this->parsedUrl || !Http::isValidURI( $this->url ) ) {
- $this->status = Status::newFatal( 'http-invalid-url' );
+ $this->status = Status::newFatal( 'http-invalid-url', $url );
} else {
$this->status = Status::newGood( 100 ); // continue
}
@@ -779,7 +779,22 @@ class CurlHttpRequest extends MWHttpRequest {
$this->curlOptions[CURLOPT_HEADER] = true;
} elseif ( $this->method == 'POST' ) {
$this->curlOptions[CURLOPT_POST] = true;
- $this->curlOptions[CURLOPT_POSTFIELDS] = $this->postData;
+ $postData = $this->postData;
+ // Don't interpret POST parameters starting with '@' as file uploads, because this
+ // makes it impossible to POST plain values starting with '@' (and causes security
+ // issues potentially exposing the contents of local files).
+ // The PHP manual says this option was introduced in PHP 5.5 defaults to true in PHP 5.6,
+ // but we support lower versions, and the option doesn't exist in HHVM 5.6.99.
+ if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
+ $this->curlOptions[CURLOPT_SAFE_UPLOAD] = true;
+ } else if ( is_array( $postData ) ) {
+ // In PHP 5.2 and later, '@' is interpreted as a file upload if POSTFIELDS
+ // is an array, but not if it's a string. So convert $req['body'] to a string
+ // for safety.
+ $postData = wfArrayToCgi( $postData );
+ }
+ $this->curlOptions[CURLOPT_POSTFIELDS] = $postData;
+
// Suppress 'Expect: 100-continue' header, as some servers
// will reject it with a 417 and Curl won't auto retry
// with HTTP 1.0 fallback
@@ -797,14 +812,14 @@ class CurlHttpRequest extends MWHttpRequest {
}
if ( $this->followRedirects && $this->canFollowRedirects() ) {
- wfSuppressWarnings();
+ MediaWiki\suppressWarnings();
if ( !curl_setopt( $curlHandle, CURLOPT_FOLLOWLOCATION, true ) ) {
wfDebug( __METHOD__ . ": Couldn't set CURLOPT_FOLLOWLOCATION. " .
"Probably safe_mode or open_basedir is set.\n" );
// Continue the processing. If it were in curl_setopt_array,
// processing would have halted on its entry
}
- wfRestoreWarnings();
+ MediaWiki\restoreWarnings();
}
if ( $this->profiler ) {
generated by cgit v1.2.2 (git 2.25.0) at 2024-04-25 01:58:21 +0000