1 files changed, 61 insertions, 10 deletions

diff --git a/includes/upload/UploadFromUrl.php b/includes/upload/UploadFromUrl.php
index 927c3cd9..0201d5f4 100644
--- a/includes/upload/UploadFromUrl.php
+++ b/includes/upload/UploadFromUrl.php
@@ -34,6 +34,8 @@ class UploadFromUrl extends UploadBase {
 
 	protected $mTempPath, $mTmpHandle;
 
+	protected static $allowedUrls = array();
+
 	/**
 	 * Checks if the user is allowed to use the upload-by-URL feature. If the
 	 * user is not allowed, return the name of the user right as a string. If
@@ -61,6 +63,8 @@ class UploadFromUrl extends UploadBase {
 
 	/**
 	 * Checks whether the URL is for an allowed host
+	 * The domains in the whitelist can include wildcard characters (*) in place
+	 * of any of the domain levels, e.g. '*.flickr.com' or 'upload.*.gov.uk'.
 	 *
 	 * @param $url string
 	 * @return bool
@@ -75,16 +79,49 @@ class UploadFromUrl extends UploadBase {
 			return false;
 		}
 		$valid = false;
-		foreach( $wgCopyUploadsDomains as $domain ) {
+		foreach ( $wgCopyUploadsDomains as $domain ) {
+			// See if the domain for the upload matches this whitelisted domain
+			$whitelistedDomainPieces = explode( '.', $domain );
+			$uploadDomainPieces = explode( '.', $parsedUrl['host'] );
+			if ( count( $whitelistedDomainPieces ) === count( $uploadDomainPieces ) ) {
+				$valid = true;
+				// See if all the pieces match or not (excluding wildcards)
+				foreach ( $whitelistedDomainPieces as $index => $piece ) {
+					if ( $piece !== '*' && $piece !== $uploadDomainPieces[$index] ) {
+						$valid = false;
+					}
+				}
+				if ( $valid ) {
+					// We found a match, so quit comparing against the list
+					break;
+				}
+			}
+			/* Non-wildcard test
 			if ( $parsedUrl['host'] === $domain ) {
 				$valid = true;
 				break;
 			}
+			*/
 		}
 		return $valid;
 	}
 
 	/**
+	 * Checks whether the URL is not allowed.
+	 *
+	 * @param $url string
+	 * @return bool
+	 */
+	public static function isAllowedUrl( $url ) {
+		if ( !isset( self::$allowedUrls[$url] ) ) {
+			$allowed = true;
+			wfRunHooks( 'IsUploadAllowedFromUrl', array( $url, &$allowed ) );
+			self::$allowedUrls[$url] = $allowed;
+		}
+		return self::$allowedUrls[$url];
+	}
+
+	/**
 	 * Entry point for API upload
 	 *
 	 * @param $name string
@@ -140,21 +177,30 @@ class UploadFromUrl extends UploadBase {
 	/**
 	 * @return string
 	 */
-	public function getSourceType() { return 'url'; }
+	public function getSourceType() {
+		return 'url';
+	}
 
 	/**
+	 * Download the file (if not async)
+	 *
+	 * @param Array $httpOptions Array of options for MWHttpRequest. Ignored if async.
+	 *   This could be used to override the timeout on the http request.
 	 * @return Status
 	 */
-	public function fetchFile() {
+	public function fetchFile( $httpOptions = array() ) {
 		if ( !Http::isValidURI( $this->mUrl ) ) {
 			return Status::newFatal( 'http-invalid-url' );
 		}
 
-		if( !self::isAllowedHost( $this->mUrl ) ) {
+		if ( !self::isAllowedHost( $this->mUrl ) ) {
 			return Status::newFatal( 'upload-copy-upload-invalid-domain' );
 		}
+		if ( !self::isAllowedUrl( $this->mUrl ) ) {
+			return Status::newFatal( 'upload-copy-upload-invalid-url' );
+		}
 		if ( !$this->mAsync ) {
-			return $this->reallyFetchFile();
+			return $this->reallyFetchFile( $httpOptions );
 		}
 		return Status::newGood();
 	}
@@ -191,9 +237,12 @@ class UploadFromUrl extends UploadBase {
 	/**
 	 * Download the file, save it to the temporary file and update the file
 	 * size and set $mRemoveTempFile to true.
+	 *
+	 * @param Array $httpOptions Array of options for MWHttpRequest
 	 * @return Status
 	 */
-	protected function reallyFetchFile() {
+	protected function reallyFetchFile( $httpOptions = array() ) {
+		global $wgCopyUploadProxy, $wgCopyUploadTimeout;
 		if ( $this->mTempPath === false ) {
 			return Status::newFatal( 'tmp-create-error' );
 		}
@@ -207,13 +256,15 @@ class UploadFromUrl extends UploadBase {
 		$this->mRemoveTempFile = true;
 		$this->mFileSize = 0;
 
-		$options = array(
-			'followRedirects' => true
+		$options = $httpOptions + array(
+			'followRedirects' => true,
 		);
-		global $wgCopyUploadProxy;
 		if ( $wgCopyUploadProxy !== false ) {
 			$options['proxy'] = $wgCopyUploadProxy;
 		}
+		if ( $wgCopyUploadTimeout && !isset( $options['timeout'] ) ) {
+			$options['timeout'] = $wgCopyUploadTimeout;
+		}
 		$req = MWHttpRequest::factory( $this->mUrl, $options );
 		$req->setCallback( array( $this, 'saveTempFileChunk' ) );
 		$status = $req->execute();
@@ -312,7 +363,7 @@ class UploadFromUrl extends UploadBase {
 			'sessionKey' => $sessionKey,
 		) );
 		$job->initializeSessionData();
-		$job->insert();
+		JobQueueGroup::singleton()->push( $job );
 		return $sessionKey;
 	}