1 files changed, 75 insertions, 46 deletions
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 96279fb2..98007ef8 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * Deal with importing all those nasssty globals and things
+ * Deal with importing all those nasty globals and things
  *
  * Copyright © 2003 Brion Vibber <brion@pobox.com>
  * http://www.mediawiki.org/
@@ -70,13 +70,13 @@ class WebRequest {
 	 * If the REQUEST_URI is not provided we'll fall back on the PATH_INFO
 	 * provided by the server if any and use that to set a 'title' parameter.
 	 *
-	 * @param $want string: If this is not 'all', then the function
+	 * @param string $want If this is not 'all', then the function
 	 * will return an empty array if it determines that the URL is
 	 * inside a rewrite path.
 	 *
 	 * @return Array: Any query arguments found in path matches.
 	 */
-	static public function getPathInfo( $want = 'all' ) {
+	public static function getPathInfo( $want = 'all' ) {
 		global $wgUsePathInfo;
 		// PATH_INFO is mangled due to http://bugs.php.net/bug.php?id=31892
 		// And also by Apache 2.x, double slashes are converted to single slashes.
@@ -128,7 +128,7 @@ class WebRequest {
 				global $wgVariantArticlePath, $wgContLang;
 				if( $wgVariantArticlePath ) {
 					$router->add( $wgVariantArticlePath,
-						array( 'variant' => '$2'),
+						array( 'variant' => '$2' ),
 						array( '$2' => $wgContLang->getVariants() )
 					);
 				}
@@ -144,7 +144,7 @@ class WebRequest {
 				// Also reported when ini_get('cgi.fix_pathinfo')==false
 				$matches['title'] = substr( $_SERVER['ORIG_PATH_INFO'], 1 );
 
-			} elseif ( isset( $_SERVER['PATH_INFO'] ) && ($_SERVER['PATH_INFO'] != '') ) {
+			} elseif ( isset( $_SERVER['PATH_INFO'] ) && $_SERVER['PATH_INFO'] != '' ) {
 				// Regular old PATH_INFO yay
 				$matches['title'] = substr( $_SERVER['PATH_INFO'], 1 );
 			}
@@ -192,14 +192,21 @@ class WebRequest {
 	 * @return array
 	 */
 	public static function detectProtocolAndStdPort() {
-		return ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] == 'on' ) ? array( 'https', 443 ) : array( 'http', 80 );
+		if ( ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] == 'on' ) ||
+			( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) &&
+			$_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' ) ) {
+			$arr = array( 'https', 443 );
+		} else {
+			$arr = array( 'http', 80 );
+		}
+		return $arr;
 	}
 
 	/**
 	 * @return string
 	 */
 	public static function detectProtocol() {
-		list( $proto, $stdPort ) = self::detectProtocolAndStdPort();
+		list( $proto, ) = self::detectProtocolAndStdPort();
 		return $proto;
 	}
 
@@ -226,9 +233,9 @@ class WebRequest {
 	 * URL rewriting function; tries to extract page title and,
 	 * optionally, one other fixed parameter value from a URL path.
 	 *
-	 * @param $path string: the URL path given from the client
-	 * @param $bases array: one or more URLs, optionally with $1 at the end
-	 * @param $key string: if provided, the matching key in $bases will be
+	 * @param string $path the URL path given from the client
+	 * @param array $bases one or more URLs, optionally with $1 at the end
+	 * @param string $key if provided, the matching key in $bases will be
 	 *             passed on as the value of this URL parameter
 	 * @return array of URL variables to interpolate; empty if no match
 	 */
@@ -255,8 +262,8 @@ class WebRequest {
 	 * Recursively strips slashes from the given array;
 	 * used for undoing the evil that is magic_quotes_gpc.
 	 *
-	 * @param $arr array: will be modified
-	 * @param $topLevel bool Specifies if the array passed is from the top
+	 * @param array $arr will be modified
+	 * @param bool $topLevel Specifies if the array passed is from the top
 	 * level of the source. In PHP5 magic_quotes only escapes the first level
 	 * of keys that belong to an array.
 	 * @return array the original array
@@ -352,7 +359,7 @@ class WebRequest {
 	 * selected by a drop-down menu). For freeform input, see getText().
 	 *
 	 * @param $name String
-	 * @param $default String: optional default (or NULL)
+	 * @param string $default optional default (or NULL)
 	 * @return String
 	 */
 	public function getVal( $name, $default = null ) {
@@ -370,7 +377,7 @@ class WebRequest {
 	/**
 	 * Set an arbitrary value into our get/post data.
 	 *
-	 * @param $key String: key name to use
+	 * @param string $key key name to use
 	 * @param $value Mixed: value to set
 	 * @return Mixed: old value if one was present, null otherwise
 	 */
@@ -380,11 +387,10 @@ class WebRequest {
 		return $ret;
 	}
 
-	
 	/**
 	 * Unset an arbitrary value from our get/post data.
- 	 *
-	 * @param $key String: key name to use
+	 *
+	 * @param string $key key name to use
 	 * @return Mixed: old value if one was present, null otherwise
 	 */
 	public function unsetVal( $key ) {
@@ -403,7 +409,7 @@ class WebRequest {
 	 * If no source and no default, returns NULL.
 	 *
 	 * @param $name String
-	 * @param $default Array: optional default (or NULL)
+	 * @param array $default optional default (or NULL)
 	 * @return Array
 	 */
 	public function getArray( $name, $default = null ) {
@@ -422,7 +428,7 @@ class WebRequest {
 	 * If an array is returned, contents are guaranteed to be integers.
 	 *
 	 * @param $name String
-	 * @param $default Array: option default (or NULL)
+	 * @param array $default option default (or NULL)
 	 * @return Array of ints
 	 */
 	public function getIntArray( $name, $default = null ) {
@@ -497,7 +503,7 @@ class WebRequest {
 	 */
 	public function getCheck( $name ) {
 		# Checkboxes and buttons are only present when clicked
-		# Presence connotes truth, abscense false
+		# Presence connotes truth, absence false
 		return $this->getVal( $name, null ) !== null;
 	}
 
@@ -510,7 +516,7 @@ class WebRequest {
 	 * be required - e.g.  Esperanto x-coding).
 	 *
 	 * @param $name String
-	 * @param $default String: optional
+	 * @param string $default optional
 	 * @return String
 	 */
 	public function getText( $name, $default = '' ) {
@@ -559,9 +565,9 @@ class WebRequest {
 	 *
 	 * @return Array
 	 */
-	 public function getQueryValues() {
+	public function getQueryValues() {
 		return $_GET;
-	 }
+	}
 
 	/**
 	 * Get the HTTP method used for this request.
@@ -603,8 +609,8 @@ class WebRequest {
 	/**
 	 * Get a cookie from the $_COOKIE jar
 	 *
-	 * @param $key String: the name of the cookie
-	 * @param $prefix String: a prefix to use for the cookie name, if not $wgCookiePrefix
+	 * @param string $key the name of the cookie
+	 * @param string $prefix a prefix to use for the cookie name, if not $wgCookiePrefix
 	 * @param $default Mixed: what to return if the value isn't found
 	 * @return Mixed: cookie value or $default if the cookie not set
 	 */
@@ -613,13 +619,14 @@ class WebRequest {
 			global $wgCookiePrefix;
 			$prefix = $wgCookiePrefix;
 		}
-		return $this->getGPCVal( $_COOKIE, $prefix . $key , $default );
+		return $this->getGPCVal( $_COOKIE, $prefix . $key, $default );
 	}
 
 	/**
 	 * Return the path and query string portion of the request URI.
 	 * This will be suitable for use as a relative link in HTML output.
 	 *
+	 * @throws MWException
 	 * @return String
 	 */
 	public function getRequestURL() {
@@ -671,7 +678,7 @@ class WebRequest {
 
 	/**
 	 * Take an arbitrary query and rewrite the present URL to include it
-	 * @param $query String: query string fragment; do not include initial '?'
+	 * @param string $query query string fragment; do not include initial '?'
 	 *
 	 * @return String
 	 */
@@ -683,7 +690,7 @@ class WebRequest {
 	 * HTML-safe version of appendQuery().
 	 * @deprecated: Deprecated in 1.20, warnings in 1.21, remove in 1.22.
 	 *
-	 * @param $query String: query string fragment; do not include initial '?'
+	 * @param string $query query string fragment; do not include initial '?'
 	 * @return String
 	 */
 	public function escapeAppendQuery( $query ) {
@@ -703,8 +710,8 @@ class WebRequest {
 	/**
 	 * Appends or replaces value of query variables.
 	 *
-	 * @param $array Array of values to replace/add to query
-	 * @param $onlyquery Bool: whether to only return the query string and not
+	 * @param array $array of values to replace/add to query
+	 * @param bool $onlyquery whether to only return the query string and not
 	 *                   the complete URL
 	 * @return String
 	 */
@@ -713,7 +720,7 @@ class WebRequest {
 		$newquery = $this->getQueryValues();
 		unset( $newquery['title'] );
 		$newquery = array_merge( $newquery, $array );
-		$query = wfArrayToCGI( $newquery );
+		$query = wfArrayToCgi( $newquery );
 		return $onlyquery ? $query : $wgTitle->getLocalURL( $query );
 	}
 
@@ -723,7 +730,7 @@ class WebRequest {
 	 * Offset must be positive but is not capped.
 	 *
 	 * @param $deflimit Integer: limit to use if no input and the user hasn't set the option.
-	 * @param $optionname String: to specify an option other than rclimit to pull from.
+	 * @param string $optionname to specify an option other than rclimit to pull from.
 	 * @return array first element is limit, second is offset
 	 */
 	public function getLimitOffset( $deflimit = 50, $optionname = 'rclimit' ) {
@@ -734,7 +741,7 @@ class WebRequest {
 			$limit = 0;
 		}
 		if( ( $limit == 0 ) && ( $optionname != '' ) ) {
-			$limit = (int)$wgUser->getOption( $optionname );
+			$limit = $wgUser->getIntOption( $optionname );
 		}
 		if( $limit <= 0 ) {
 			$limit = $deflimit;
@@ -842,7 +849,7 @@ class WebRequest {
 		} else {
 			foreach ( $_SERVER as $name => $value ) {
 				if ( substr( $name, 0, 5 ) === 'HTTP_' ) {
-					$name = str_replace( '_', '-',  substr( $name, 5 ) );
+					$name = str_replace( '_', '-', substr( $name, 5 ) );
 					$this->headers[$name] = $value;
 				} elseif ( $name === 'CONTENT_LENGTH' ) {
 					$this->headers['CONTENT-LENGTH'] = $value;
@@ -863,7 +870,7 @@ class WebRequest {
 
 	/**
 	 * Get a request header, or false if it isn't set
-	 * @param $name String: case-insensitive header name
+	 * @param string $name case-insensitive header name
 	 *
 	 * @return string|bool False on failure
 	 */
@@ -880,7 +887,7 @@ class WebRequest {
 	/**
 	 * Get data from $_SESSION
 	 *
-	 * @param $key String: name of key in $_SESSION
+	 * @param string $key name of key in $_SESSION
 	 * @return Mixed
 	 */
 	public function getSessionData( $key ) {
@@ -893,7 +900,7 @@ class WebRequest {
 	/**
 	 * Set session data
 	 *
-	 * @param $key String: name of key in $_SESSION
+	 * @param string $key name of key in $_SESSION
 	 * @param $data Mixed
 	 */
 	public function setSessionData( $key, $data ) {
@@ -907,6 +914,7 @@ class WebRequest {
 	 * false if an error message has been shown and the request should be aborted.
 	 *
 	 * @param $extWhitelist array
+	 * @throws HttpError
 	 * @return bool
 	 */
 	public function checkUrlExtension( $extWhitelist = array() ) {
@@ -1043,22 +1051,30 @@ HTML;
 	 *
 	 * @since 1.19
 	 *
+	 * @throws MWException
 	 * @return String
 	 */
 	protected function getRawIP() {
-		if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
-			return IP::canonicalize( $_SERVER['REMOTE_ADDR'] );
-		} else {
+		if ( !isset( $_SERVER['REMOTE_ADDR'] ) ) {
 			return null;
 		}
+
+		if ( is_array( $_SERVER['REMOTE_ADDR'] ) || strpos( $_SERVER['REMOTE_ADDR'], ',' ) !== false ) {
+			throw new MWException( __METHOD__ . " : Could not determine the remote IP address due to multiple values." );
+		} else {
+			$ipchain = $_SERVER['REMOTE_ADDR'];
+		}
+
+		return IP::canonicalize( $ipchain );
 	}
 
 	/**
 	 * Work out the IP address based on various globals
 	 * For trusted proxies, use the XFF client IP (first of the chain)
-	 * 
+	 *
 	 * @since 1.19
 	 *
+	 * @throws MWException
 	 * @return string
 	 */
 	public function getIP() {
@@ -1108,6 +1124,15 @@ HTML;
 		$this->ip = $ip;
 		return $ip;
 	}
+
+	/**
+	 * @param string $ip
+	 * @return void
+	 * @since 1.21
+	 */
+	public function setIP( $ip ) {
+		$this->ip = $ip;
+	}
 }
 
 /**
@@ -1122,7 +1147,7 @@ class WebRequestUpload {
 	 * Constructor. Should only be called by WebRequest
 	 *
 	 * @param $request WebRequest The associated request
-	 * @param $key string Key in $_FILES array (name of form field)
+	 * @param string $key Key in $_FILES array (name of form field)
 	 */
 	public function __construct( $request, $key ) {
 		$this->request = $request;
@@ -1234,10 +1259,11 @@ class FauxRequest extends WebRequest {
 	private $session = array();
 
 	/**
-	 * @param $data Array of *non*-urlencoded key => value pairs, the
+	 * @param array $data of *non*-urlencoded key => value pairs, the
 	 *   fake GET/POST values
-	 * @param $wasPosted Bool: whether to treat the data as POST
+	 * @param bool $wasPosted whether to treat the data as POST
 	 * @param $session Mixed: session array or null
+	 * @throws MWException
 	 */
 	public function __construct( $data = array(), $wasPosted = false, $session = null ) {
 		if( is_array( $data ) ) {
@@ -1246,8 +1272,9 @@ class FauxRequest extends WebRequest {
 			throw new MWException( "FauxRequest() got bogus data" );
 		}
 		$this->wasPosted = $wasPosted;
-		if( $session )
+		if( $session ) {
 			$this->session = $session;
+		}
 	}
 
 	/**
@@ -1330,8 +1357,10 @@ class FauxRequest extends WebRequest {
 	 * @return mixed
 	 */
 	public function getSessionData( $key ) {
-		if( isset( $this->session[$key] ) )
+		if( isset( $this->session[$key] ) ) {
 			return $this->session[$key];
+		}
+		return null;
 	}
 
 	/**