From 014093acc4e0c277d0d92fdc54fb620210d6ec8a Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Mon, 8 Mar 2004 09:09:35 +0000 Subject: [PATCH] More globals and uninitialized variables fixes. Added WebRequest ($wgRequest) object to encapsulate the handling of get/post variables: The following grab something out of $_REQUEST. The first parameter is the variable name and is required. The second is an optional default value: $wgRequest->getVal() - any type, returns NULL if no default given $wgRequest->getInt() - forced integer, 0 default $wgRequest->getText() - runs through $wgLang->recodeInput() $wgRequest->getBool() - return true/false $wgRequest->getCheck() - returns true if the var is set, even if to "" $wgRequest strips slashes at initialization if necessary. Also in this fine object: $wgRequest->wasPosted() - returns false if this wasn't a real form post, so we can protect against faked submissions in get urls. There's still plenty of work to do, not everything uses the new functions yet. To test the strict mode, do define('DEBUG_GLOBALS', 1); --- includes/Article.php | 10 +- includes/EditPage.php | 171 ++++++++++++++++-------------- includes/GlobalFunctions.php | 60 ++--------- includes/LinksUpdate.php | 1 + includes/LogPage.php | 12 ++- includes/Parser.php | 2 +- includes/QueryPage.php | 3 +- includes/Setup.php | 3 + includes/SpecialAsksql.php | 46 +++++--- includes/SpecialBlockip.php | 63 +++++------ includes/SpecialContributions.php | 6 +- includes/SpecialEmailuser.php | 29 ++--- includes/SpecialImagelist.php | 9 +- includes/SpecialIpblocklist.php | 47 ++++---- includes/SpecialLockdb.php | 25 +++-- includes/SpecialMovepage.php | 43 ++++---- includes/SpecialNewpages.php | 6 +- includes/SpecialPreferences.php | 14 ++- includes/SpecialUpload.php | 6 +- includes/SpecialUserlogin.php | 7 +- includes/Title.php | 3 +- includes/WatchedItem.php | 1 + includes/WebRequest.php | 106 ++++++++++++++++++ index.php | 68 +++--------- 24 files changed, 410 insertions(+), 331 deletions(-) create mode 100644 includes/WebRequest.php diff --git a/includes/Article.php b/includes/Article.php index d4bb052c89..5dc0e39937 100644 --- a/includes/Article.php +++ b/includes/Article.php @@ -814,7 +814,7 @@ class Article { function doDeleteArticle( $title ) { - global $wgUser, $wgOut, $wgLang, $wpReason; + global $wgUser, $wgOut, $wgLang, $wgRequest; global $wgUseSquid, $wgDeferredUpdateList, $wgInternalServer; $fname = "Article::doDeleteArticle"; @@ -931,7 +931,7 @@ class Article { $log = new LogPage( wfMsg( "dellogpage" ), wfMsg( "dellogpagetext" ) ); $art = $title->getPrefixedText(); - $wpReason = wfCleanQueryVar( $wpReason ); + $wpReason = $wgRequest->getText( "wpReason" ); $log->addEntry( wfMsg( "deletedarticle", $art ), $wpReason ); # Clear the cached article id so the interface doesn't act like we exist @@ -941,7 +941,7 @@ class Article { function rollback() { - global $wgUser, $wgLang, $wgOut, $from; + global $wgUser, $wgLang, $wgOut, $wgRequest; if ( ! $wgUser->isSysop() ) { $wgOut->sysopRequired(); @@ -953,7 +953,7 @@ class Article { } # Enhanced rollback, marks edits rc_bot=1 - $bot = !!$_REQUEST['bot']; + $bot = $wgRequest->getBool( 'bot' ); # Replace all this user's current edits with the next one down $tt = wfStrencode( $this->mTitle->getDBKey() ); @@ -972,7 +972,7 @@ class Article { $uid = $s->cur_user; $pid = $s->cur_id; - $from = str_replace( '_', ' ', wfCleanQueryVar( $from ) ); + $from = str_replace( '_', ' ', $wgRequest->getVal( "from" ) ); if( $from != $s->cur_user_text ) { $wgOut->setPageTitle(wfmsg("rollbackfailed")); $wgOut->addWikiText( wfMsg( "alreadyrolled", diff --git a/includes/EditPage.php b/includes/EditPage.php index 6ea4472b45..1083ae8128 100644 --- a/includes/EditPage.php +++ b/includes/EditPage.php @@ -9,6 +9,13 @@ class EditPage { var $mArticle; var $mTitle; + # Form values + var $save = false, $preview = false; + var $minoredit = false, $watchthis = false; + var $textbox1 = "", $textbox2 = "", $summary = ""; + var $edittime = "", $section = ""; + var $oldid = 0; + function EditPage( $article ) { $this->mArticle =& $article; global $wgTitle; @@ -19,14 +26,11 @@ class EditPage { function edit() { - global $wgOut, $wgUser, $wgWhitelistEdit; - global $wpTextbox1, $wpSummary, $wpSave, $wpPreview; - global $wpMinoredit, $wpEdittime, $wpTextbox2; + global $wgOut, $wgUser, $wgWhitelistEdit, $wgRequest; // this is not an article $wgOut->setArticleFlag(false); - $fields = array( "wpTextbox1", "wpSummary", "wpTextbox2" ); - wfCleanFormFields( $fields ); + $this->importFormData( $wgRequest ); if ( ! $this->mTitle->userCanEdit() ) { $wgOut->readOnlyPage( $this->mArticle->getContent(), true ); @@ -41,23 +45,45 @@ class EditPage { return; } if ( wfReadOnly() ) { - if( isset( $wpSave ) or isset( $wpPreview ) ) { + if( $this->save || $this->preview ) { $this->editForm( "preview" ); } else { $wgOut->readOnlyPage( $this->mArticle->getContent() ); } return; } - if ( $_SERVER['REQUEST_METHOD'] != "POST" ) unset( $wpSave ); - if ( isset( $wpSave ) ) { + if( !$wgRequest->wasPosted() ) $this->save = false; + if ( $this->save ) { $this->editForm( "save" ); - } else if ( isset( $wpPreview ) ) { + } else if ( $this->preview ) { $this->editForm( "preview" ); } else { # First time through $this->editForm( "initial" ); } } + function importFormData( &$request ) { + # These fields need to be checked for encoding. + # Also remove trailing whitespace, but don't remove _initial_ + # whitespace from the text boxes. This may be significant formatting. + $this->textbox1 = rtrim( $request->getText( "wpTextbox1" ) ); + $this->textbox2 = rtrim( $request->getText( "wpTextbox2" ) ); + $this->summary = trim( $request->getText( "wpSummary" ) ); + + $this->edittime = $request->getVal( 'wpEdittime' ); + if( !preg_match( '/^\d{14}$/', $this->edittime ) ) $this->edittime = ""; + + $this->save = $request->getCheck( 'wpSave' ); + $this->preview = $request->getCheck( 'wpPreview' ); + $this->minoredit = $request->getCheck( 'wpMinoredit' ); + $this->watchthis = $request->getCheck( 'wpWatchthis' ); + + $this->oldid = $request->getInt( 'oldid' ); + + # Section edit can come from either the form or a link + $this->section = $request->getVal( 'wpSection', $request->getVal( 'section' ) ); + } + # Since there is only one text field on the edit form, # pressing will cause the form to be submitted, but # the submit button value won't appear in the query, so we @@ -66,8 +92,7 @@ class EditPage { function submit() { - global $wpSave, $wpPreview; - if ( ! isset( $wpPreview ) ) { $wpSave = 1; } + if( !$this->preview ) $this->save = true; $this->edit(); } @@ -81,18 +106,11 @@ class EditPage { function editForm( $formtype ) { global $wgOut, $wgUser; - global $wpTextbox1, $wpSummary, $wpWatchthis; - global $wpSave, $wpPreview; - global $wpMinoredit, $wpEdittime, $wpTextbox2, $wpSection; - global $oldid, $redirect, $section; global $wgLang, $wgParser, $wgTitle; global $wgAllowAnonymousMinor; - if(isset($wpSection)) { $section=$wpSection; } else { $wpSection=$section; } - $sk = $wgUser->getSkin(); $isConflict = false; - $wpTextbox1 = rtrim ( $wpTextbox1 ) ; # To avoid text getting longer on each preview if(!$this->mTitle->getArticleID()) { # new article $wgOut->addWikiText(wfmsg("newarticletext")); @@ -125,39 +143,40 @@ class EditPage { $aid = $this->mTitle->getArticleID(); if ( 0 == $aid ) { - # we need to strip Windoze linebreaks because some browsers - # append them and the string comparison fails - if ( ( "" == $wpTextbox1 ) || - ( wfMsg( "newarticletext" ) == rtrim( preg_replace("/\r/","",$wpTextbox1) ) ) ) { + # Don't save a new article if it's blank. + if ( ( "" == $this->textbox1 ) || + ( wfMsg( "newarticletext" ) == $this->textbox1 ) ) { $wgOut->redirect( $this->mTitle->getFullURL() ); return; } - $this->mArticle->insertNewArticle( $wpTextbox1, $wpSummary, $wpMinoredit, $wpWatchthis ); + $this->mArticle->insertNewArticle( $this->textbox1, $this->summary, $this->minoredit, $this->watchthis ); return; } # Article exists. Check for edit conflict. # Don't check for conflict when appending a comment - this should always work $this->mArticle->clear(); # Force reload of dates, etc. - if ( $section!="new" && ( $this->mArticle->getTimestamp() != $wpEdittime ) ) { + if( ( $this->section != "new" ) && + ( $this->mArticle->getTimestamp() != $this->edittime ) ) { $isConflict = true; } - $u = $wgUser->getID(); + $userid = $wgUser->getID(); # Suppress edit conflict with self - if ( ( 0 != $u ) && ( $this->mArticle->getUser() == $u ) ) { + if ( ( 0 != $userid ) && ( $this->mArticle->getUser() == $userid ) ) { $isConflict = false; } else { # switch from section editing to normal editing in edit conflict + # FIXME: This is confusing. In theory we should attempt to merge, finding + # the equivalent section if it's unchanged and avoid the conflict. if($isConflict) { - $section="";$wpSection=""; + $this->section = ""; } - } if ( ! $isConflict ) { # All's well: update the article here - if($this->mArticle->updateArticle( $wpTextbox1, $wpSummary, $wpMinoredit, $wpWatchthis, $wpSection )) + if($this->mArticle->updateArticle( $this->textbox1, $this->summary, $this->minoredit, $this->watchthis, $this->section )) return; else $isConflict = true; @@ -167,9 +186,9 @@ class EditPage { # checking, etc. if ( "initial" == $formtype ) { - $wpEdittime = $this->mArticle->getTimestamp(); - $wpTextbox1 = $this->mArticle->getContent(true); - $wpSummary = ""; + $this->edittime = $this->mArticle->getTimestamp(); + $this->textbox1 = $this->mArticle->getContent(true); + $this->summary = ""; } $wgOut->setRobotpolicy( "noindex,nofollow" ); @@ -181,21 +200,21 @@ class EditPage { $wgOut->setPageTitle( $s ); $wgOut->addHTML( wfMsg( "explainconflict" ) ); - $wpTextbox2 = $wpTextbox1; - $wpTextbox1 = $this->mArticle->getContent(true); - $wpEdittime = $this->mArticle->getTimestamp(); + $this->textbox2 = $this->textbox1; + $this->textbox1 = $this->mArticle->getContent(true); + $this->edittime = $this->mArticle->getTimestamp(); } else { $s = wfMsg( "editing", $this->mTitle->getPrefixedText() ); - if($section!="") { - if($section=="new") { + if( $this->section != "" ) { + if( $this->section == "new" ) { $s.=wfMsg("commentedit"); } else { $s.=wfMsg("sectionedit"); } } $wgOut->setPageTitle( $s ); - if ( $oldid ) { + if ( $this->oldid ) { $this->mArticle->setOldSubtitle(); $wgOut->addHTML( wfMsg( "editingold" ) ); } @@ -211,7 +230,7 @@ class EditPage { "
\n" ); } - $kblength = (int)(strlen( $wpTextbox1 ) / 1024); + $kblength = (int)(strlen( $this->textbox1 ) / 1024); if( $kblength > 29 ) { $wgOut->addHTML( "" . wfMsg( "longpagewarning", $kblength ) @@ -226,7 +245,7 @@ class EditPage { else $ew = "" ; $q = "action=submit"; - if ( "no" == $redirect ) { $q .= "&redirect=no"; } + #if ( "no" == $redirect ) { $q .= "&redirect=no"; } $action = $this->mTitle->escapeLocalURL( $q ); $summary = wfMsg( "summary" ); @@ -243,52 +262,47 @@ class EditPage { $copywarn = wfMsg( "copyrightwarning", $sk->makeKnownLink( wfMsg( "copyrightpage" ) ) ); - $wpTextbox1 = wfEscapeHTML( $wpTextbox1 ); - $wpTextbox2 = wfEscapeHTML( $wpTextbox2 ); - $wpSummary = wfEscapeHTML( $wpSummary ); - - if($wgUser->getOption("showtoolbar")) { // prepare toolbar for edit buttons $toolbar=$sk->getEditToolbar(); } // activate checkboxes if user wants them to be always active - if (!$wpPreview && $wgUser->getOption("watchdefault")) $wpWatchthis=1; - if (!$wpPreview && $wgUser->getOption("minordefault")) $wpMinoredit=1; - - // activate checkbox also if user is already watching the page, - // require wpWatchthis to be unset so that second condition is not - // checked unnecessarily - if (!$wpWatchthis && !$wpPreview && $this->mTitle->userIsWatching()) $wpWatchthis=1; - - $minoredithtml = ""; + if( !$this->preview ) { + if( $wgUser->getOption( "watchdefault" ) ) $this->watchthis = true; + if( $wgUser->getOption( "minordefault" ) ) $this->minoredit = true; + + // activate checkbox also if user is already watching the page, + // require wpWatchthis to be unset so that second condition is not + // checked unnecessarily + if( !$this->watchthis && $this->mTitle->userIsWatching() ) $this->watchthis = true; + } + + $minoredithtml = ""; if ( 0 != $wgUser->getID() || $wgAllowAnonymousMinor ) { $minoredithtml = - "". + "minoredit?" checked":"")." id='wpMinoredit'>". ""; } - - $watchhtml = ""; - + + $watchhtml = ""; + if ( 0 != $wgUser->getID() ) { - $watchhtml = "". + $watchhtml = "watchthis?" checked":"")." id='wpWatchthis'>". ""; - } - - $checkboxhtml= $minoredithtml . $watchhtml . "
"; + + $checkboxhtml = $minoredithtml . $watchhtml . "
"; if ( "preview" == $formtype) { - $previewhead="

" . wfMsg( "preview" ) . "

\n

" . - wfMsg( "note" ) . wfMsg( "previewnote" ) . "

\n"; + wfMsg( "note" ) . wfMsg( "previewnote" ) . "

\n"; if ( $isConflict ) { $previewhead.="

" . wfMsg( "previewconflict" ) . "

\n"; } - $previewtext = wfUnescapeHTML( $wpTextbox1 ); + $previewtext = wfUnescapeHTML( $this->textbox1 ); $parserOptions = ParserOptions::newFromUser( $wgUser ); $parserOptions->setUseCategoryMagic( false ); @@ -307,15 +321,16 @@ class EditPage { # if this is a comment, show a subject line at the top, which is also the edit summary. # Otherwise, show a summary field at the bottom - if($section=="new") { - $commentsubject="{$subject}:
"; + $summarytext = htmlspecialchars( $wgLang->recodeForEdit( $this->summary ) ); # FIXME + if( $this->section == "new" ) { + $commentsubject="{$subject}:
"; $editsummary = ""; } else { $commentsubject = ""; - $editsummary="{$summary}:
"; + $editsummary="{$summary}:
"; } - if( $_GET["action"] == "edit" ) { + if( !$this->preview ) { # Don't select the edit box on preview; this interferes with seeing what's going on. $wgOut->setOnloadHandler( "document.editform.wpTextbox1.focus()" ); } @@ -324,19 +339,19 @@ class EditPage {
{$commentsubject} -
{$editsummary} {$checkboxhtml} - - + + {$cancel} | {$edithelp}

{$copywarn} - -\n" ); +section ) . "\" name=\"wpSection\"> +edittime}\" name=\"wpEdittime\">\n" ); if ( $isConflict ) { $wgOut->addHTML( "

" . wfMsg( "yourdiff" ) . "

\n" ); @@ -344,8 +359,8 @@ $wgLang->recodeForEdit( $wpTextbox1 ) . wfMsg( "yourtext" ), wfMsg( "storedversion" ) ); $wgOut->addHTML( "

" . wfMsg( "yourtext" ) . "

-" ); } diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php index 3fdba5e879..8190cdd112 100644 --- a/includes/GlobalFunctions.php +++ b/includes/GlobalFunctions.php @@ -81,11 +81,11 @@ function wfLocalUrlE( $a, $q = "" ) } function wfFullUrl( $a, $q = "" ) { - die( "Call to obsolete function wfFullUrl()" ); + wfDebugDieBacktrace( "Call to obsolete function wfFullUrl(); use Title::getFullURL" ); } function wfFullUrlE( $a, $q = "" ) { - die( "Call to obsolete function wfFullUrlE()" ); + wfDebugDieBacktrace( "Call to obsolete function wfFullUrlE(); use Title::getFullUrlE" ); } @@ -283,37 +283,7 @@ function wfMsgReal( $key, $args, $useDB ) { function wfCleanFormFields( $fields ) { - global $HTTP_POST_VARS; - global $wgInputEncoding, $wgOutputEncoding, $wgEditEncoding, $wgLang; - - if ( get_magic_quotes_gpc() ) { - foreach ( $fields as $fname ) { - if ( isset( $HTTP_POST_VARS[$fname] ) ) { - $HTTP_POST_VARS[$fname] = stripslashes( - $HTTP_POST_VARS[$fname] ); - } - global ${$fname}; - if ( isset( ${$fname} ) ) { - ${$fname} = stripslashes( ${$fname} ); - } - } - } - $enc = $wgOutputEncoding; - if( $wgEditEncoding != "") $enc = $wgEditEncoding; - if ( $enc != $wgInputEncoding ) { - foreach ( $fields as $fname ) { - if ( isset( $HTTP_POST_VARS[$fname] ) ) { - $HTTP_POST_VARS[$fname] = $wgLang->iconv( - $wgOutputEncoding, $wgInputEncoding, - $HTTP_POST_VARS[$fname] ); - } - global ${$fname}; - if ( isset( ${$fname} ) ) { - ${$fname} = $wgLang->iconv( - $enc, $wgInputEncoding, ${$fname} ); - } - } - } + wfDebugDieBacktrace( "Call to obsolete wfCleanFormFields(). Use wgRequest instead..." ); } function wfMungeQuotes( $in ) @@ -334,11 +304,7 @@ function wfDemungeQuotes( $in ) function wfCleanQueryVar( $var ) { - global $wgLang; - if ( get_magic_quotes_gpc() ) { - $var = stripslashes( $var ); - } - return $wgLang->recodeInput( $var ); + wfDebugDieBacktrace( "Call to obsolete function wfCleanQueryVar(); use wgRequest instead" ); } function wfSpecialPage() @@ -384,13 +350,13 @@ function wfSpecialPage() function wfSearch( $s ) { - $se = new SearchEngine( wfCleanQueryVar( $s ) ); + $se = new SearchEngine( $s ); $se->showResults(); } function wfGo( $s ) { # pick the nearest match - $se = new SearchEngine( wfCleanQueryVar( $s ) ); + $se = new SearchEngine( $s ); $se->goResult(); } @@ -688,13 +654,9 @@ function wfClientAcceptsGzip() { # Yay, more global functions! function wfCheckLimits( $deflimit = 50, $optionname = "rclimit" ) { - global $wgUser; + global $wgUser, $wgRequest; - if( isset( $_REQUEST['limit'] ) ) { - $limit = IntVal( $_REQUEST['limit'] ); - } else { - $limit = 0; - } + $limit = $wgRequest->getInt( 'limit', 0 ); if( $limit < 0 ) $limit = 0; if( ( $limit == 0 ) && ( $optionname != "" ) ) { $limit = (int)$wgUser->getOption( $optionname ); @@ -702,11 +664,7 @@ function wfCheckLimits( $deflimit = 50, $optionname = "rclimit" ) { if( $limit <= 0 ) $limit = $deflimit; if( $limit > 5000 ) $limit = 5000; # We have *some* limits... - if( isset( $_REQUEST['offset'] ) ) { - $offset = IntVal( $_REQUEST['offset'] ); - } else { - $offset = 0; - } + $offset = $wgRequest->getInt( 'offset', 0 ); if( $offset < 0 ) $offset = 0; if( $offset > 65000 ) $offset = 65000; # do we need a max? what? diff --git a/includes/LinksUpdate.php b/includes/LinksUpdate.php index fd17d44da5..aebadd706a 100644 --- a/includes/LinksUpdate.php +++ b/includes/LinksUpdate.php @@ -221,6 +221,7 @@ class LinksUpdate { function fixBrokenLinks() { /* Update any brokenlinks *to* this page */ /* Call for a newly created page, or just to make sure state is consistent */ + $fname = "LinksUpdate::fixBrokenLinks"; $sql = "SELECT bl_from FROM brokenlinks WHERE bl_to='{$this->mTitleEnc}'"; $res = wfQuery( $sql, DB_READ, $fname ); diff --git a/includes/LogPage.php b/includes/LogPage.php index d26495c53f..6be15fed9b 100644 --- a/includes/LogPage.php +++ b/includes/LogPage.php @@ -106,8 +106,14 @@ class LogPage { } $d = $wgLang->timeanddate( wfTimestampNow(), false ); - preg_match( "/^(.*?)
    (.*)$/sD", $this->mContent, $m ); - + if( preg_match( "/^(.*?)
      (.*)$/sD", $this->mContent, $m ) ) { + $before = $m[1]; + $after = $m[2]; + } else { + $before = ""; + $after = ""; + } + if($textaction) $this->mComment = $textaction; else @@ -120,7 +126,7 @@ class LogPage { # comment gets escaped again, so we use the unescaped version $this->mComment .= ": {$comment}"; } - $this->mContent = "{$m[1]}
      • {$d} {$ul} {$action}{$inline}
        • \n{$m[2]}"; + $this->mContent = "{$before}
        • {$d} {$ul} {$action}{$inline}
          • \n{$after}"; # TODO: automatic log rotation... diff --git a/includes/Parser.php b/includes/Parser.php index df1a928b79..ac2edbff49 100644 --- a/includes/Parser.php +++ b/includes/Parser.php @@ -1423,7 +1423,7 @@ class Parser $this->mOptions = $options; $this->mTitle = $title; if ( $clearState ) { - $this->clearState; + $this->clearState(); } $stripState = false; diff --git a/includes/QueryPage.php b/includes/QueryPage.php index b7a19ffef5..62c5c7f1a8 100644 --- a/includes/QueryPage.php +++ b/includes/QueryPage.php @@ -171,7 +171,8 @@ class QueryPage { function feedUrl() { global $wgLang; - return wfFullUrl( $wgLang->SpecialPage( $this->getName() ) ); + $title = Title::MakeTitle( NS_SPECIAL, $this->getName() ); + return $title->getFullURL(); } } diff --git a/includes/Setup.php b/includes/Setup.php index f421e05aea..d39465d1e4 100644 --- a/includes/Setup.php +++ b/includes/Setup.php @@ -51,6 +51,9 @@ include_once( "MessageCache.php" ); include_once( "BlockCache.php" ); include_once( "Parser.php" ); include_once( "ParserCache.php" ); +include_once( "WebRequest.php" ); +$wgRequest = new WebRequest(); + wfProfileOut( "$fname-includes" ); wfProfileIn( "$fname-memcached" ); diff --git a/includes/SpecialAsksql.php b/includes/SpecialAsksql.php index 528c0cb952..150137c439 100644 --- a/includes/SpecialAsksql.php +++ b/includes/SpecialAsksql.php @@ -2,26 +2,39 @@ function wfSpecialAsksql() { - global $wgUser, $wgOut, $action; + global $wgUser, $wgOut, $wgRequest; if ( ! $wgUser->isSysop() ) { $wgOut->sysopRequired(); return; } - $fields = array( "wpSqlQuery" ); - wfCleanFormFields( $fields ); - $f = new SqlQueryForm(); + + if( $wgRequest->wasPosted() ) { + $query = $wgRequest->getVal( 'wpSqlQuery' ); + $action = $wgRequest->getVal( 'action' ); + } else { + $query = ""; + $action = ""; + } + $f = new SqlQueryForm( $query); - if ( "submit" == $action ) { $f->doSubmit(); } - else { $f->showForm( "" ); } + if ( "submit" == $action ) { + $f->doSubmit(); + } else { + $f->showForm( "" ); + } } class SqlQueryForm { - + var $query = ""; + + function SqlQueryForm( $query ) { + $this->query = $query; + } + function showForm( $err ) { global $wgOut, $wgUser, $wgLang; - global $wpSqlQuery; global $wgLogQueries; $wgOut->setPagetitle( wfMsg( "asksql" ) ); @@ -33,7 +46,7 @@ class SqlQueryForm { if ( "" != $err ) { $wgOut->addHTML( "

          " . htmlspecialchars($err) . "\n" ); } - if ( ! $wpSqlQuery ) { $wpSqlQuery = "SELECT ... FROM ... WHERE ..."; } + if ( ! $this->query ) { $this->query = "SELECT ... FROM ... WHERE ..."; } $q = wfMsg( "sqlquery" ); $qb = wfMsg( "querybtn" ); $titleObj = Title::makeTitle( NS_SPECIAL, "Asksql" ); @@ -45,7 +58,7 @@ class SqlQueryForm { {$q}: @@ -59,22 +72,21 @@ class SqlQueryForm { function doSubmit() { global $wgOut, $wgUser, $wgServer, $wgScript, $wgArticlePath, $wgLang; - global $wpSqlQuery; global $wgDBserver, $wgDBsqluser, $wgDBsqlpassword, $wgDBname, $wgSqlTimeout; # Use a limit, folks! - $wpSqlQuery = trim( $wpSqlQuery ); - if( preg_match( "/^SELECT/i", $wpSqlQuery ) - and !preg_match( "/LIMIT/i", $wpSqlQuery ) ) { - $wpSqlQuery .= " LIMIT 100"; + $this->query = trim( $this->query ); + if( preg_match( "/^SELECT/i", $this->query ) + and !preg_match( "/LIMIT/i", $this->query ) ) { + $this->query .= " LIMIT 100"; } $conn = Database::newFromParams( $wgDBserver, $wgDBsqluser, $wgDBsqlpassword, $wgDBname ); - $this->logQuery( $wpSqlQuery ); + $this->logQuery( $this->query ); # Start timer, will kill the DB thread in $wgSqlTimeout seconds $conn->startTimer( $wgSqlTimeout ); - $res = $conn->query( $wpSqlQuery, "SpecialAsksql::doSubmit" ); + $res = $conn->query( $this->query, "SpecialAsksql::doSubmit" ); $conn->stopTimer(); $this->logFinishedQuery(); diff --git a/includes/SpecialBlockip.php b/includes/SpecialBlockip.php index 56deeee97c..ffc9025e81 100644 --- a/includes/SpecialBlockip.php +++ b/includes/SpecialBlockip.php @@ -2,37 +2,40 @@ function wfSpecialBlockip() { - global $wgUser, $wgOut, $action; + global $wgUser, $wgOut, $wgRequest; if ( ! $wgUser->isSysop() ) { $wgOut->sysopRequired(); return; } - $fields = array( "wpBlockAddress", "wpBlockReason", "wpBlockExpiry" ); - wfCleanFormFields( $fields ); $ipb = new IPBlockForm(); + $action = $wgRequest->getVal( 'action' ); if ( "success" == $action ) { $ipb->showSuccess(); } - else if ( "submit" == $action ) { $ipb->doSubmit(); } + else if ( $wgRequest->wasPosted() && "submit" == $action ) { $ipb->doSubmit(); } else { $ipb->showForm( "" ); } } class IPBlockForm { + var $BlockAddress, $BlockExpiry, $BlockReason; + function IPBlockForm() { + global $wgRequest; + $this->BlockAddress = $wgRequest->getVal( 'wpBlockAddress', $wgRequest->getVal( 'ip' ) ); + $this->BlockReason = $wgRequest->getText( 'wpBlockReason' ); + $this->BlockExpiry = $wgRequest->getVal( 'wpBlockExpiry' ); + } + function showForm( $err ) { global $wgOut, $wgUser, $wgLang, $wgDefaultBlockExpiry; - global $ip, $wpBlockAddress, $wpBlockExpiry, $wpBlockReason; + global $wgRequest; $wgOut->setPagetitle( wfMsg( "blockip" ) ); $wgOut->addWikiText( wfMsg( "blockiptext" ) ); - if ( ! $wpBlockAddress ) { - $wpBlockAddress = $ip; - } - - if ( is_null( $wpBlockExpiry ) || $wpBlockExpiry === "" ) { - $wpBlockExpiry = $wgDefaultBlockExpiry; + if ( is_null( $this->BlockExpiry ) || $this->BlockExpiry === "" ) { + $this->BlockExpiry = $wgDefaultBlockExpiry; } $mIpaddress = wfMsg( "ipaddress" ); @@ -47,9 +50,9 @@ class IPBlockForm { $wgOut->addHTML( "

          {$err}\n" ); } - $scBlockAddress = htmlspecialchars( $wpBlockAddress ); - $scBlockExpiry = htmlspecialchars( $wpBlockExpiry ); - $scBlockReason = htmlspecialchars( $wpBlockReason ); + $scBlockAddress = htmlspecialchars( $this->BlockAddress ); + $scBlockExpiry = htmlspecialchars( $this->BlockExpiry ); + $scBlockReason = htmlspecialchars( $this->BlockReason ); $wgOut->addHTML( "

          @@ -76,21 +79,20 @@ class IPBlockForm { function doSubmit() { global $wgOut, $wgUser, $wgLang; - global $ip, $wpBlockAddress, $wpBlockReason, $wpBlockExpiry; global $wgSysopUserBans, $wgSysopRangeBans; $userId = 0; - $wpBlockAddress = trim( $wpBlockAddress ); + $this->BlockAddress = trim( $this->BlockAddress ); $rxIP = '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'; # Check for invalid specifications - if ( ! preg_match( "/^$rxIP$/", $wpBlockAddress ) ) { - if ( preg_match( "/^($rxIP)\\/(\\d{1,2})$/", $wpBlockAddress, $matches ) ) { + if ( ! preg_match( "/^$rxIP$/", $this->BlockAddress ) ) { + if ( preg_match( "/^($rxIP)\\/(\\d{1,2})$/", $this->BlockAddress, $matches ) ) { if ( $wgSysopRangeBans ) { if ( $matches[2] > 31 || $matches[2] < 16 ) { $this->showForm( wfMsg( "ip_range_invalid" ) ); } - $wpBlockAddress = Block::normaliseRange( $wpBlockAddress ); + $this->BlockAddress = Block::normaliseRange( $this->BlockAddress ); } else { # Range block illegal $this->showForm( wfMsg( "range_block_disabled" ) ); @@ -99,9 +101,9 @@ class IPBlockForm { } else { # Username block if ( $wgSysopUserBans ) { - $userId = User::idFromName( $wpBlockAddress ); + $userId = User::idFromName( $this->BlockAddress ); if ( $userId == 0 ) { - $this->showForm( wfMsg( "nosuchuser", htmlspecialchars( $wpBlockAddress ) ) ); + $this->showForm( wfMsg( "nosuchuser", htmlspecialchars( $this->BlockAddress ) ) ); return; } } else { @@ -111,11 +113,11 @@ class IPBlockForm { } } - if ( $wpBlockExpiry == "infinite" || $wpBlockExpiry == "indefinite" ) { + if ( $this->BlockExpiry == "infinite" || $this->BlockExpiry == "indefinite" ) { $expiry = ''; } else { # Convert GNU-style date, returns -1 on error - $expiry = strtotime( $wpBlockExpiry ); + $expiry = strtotime( $this->BlockExpiry ); if ( $expiry < 0 ) { $this->showForm( wfMsg( "ipb_expiry_invalid" ) ); @@ -127,7 +129,7 @@ class IPBlockForm { } - if ( "" == $wpBlockReason ) { + if ( "" == $this->BlockReason ) { $this->showForm( wfMsg( "noblockreason" ) ); return; } @@ -135,28 +137,27 @@ class IPBlockForm { # Create block # Note: for a user block, ipb_address is only for display purposes - $ban = new Block( $wpBlockAddress, $userId, $wgUser->getID(), - wfStrencode( $wpBlockReason ), wfTimestampNow(), 0, $expiry ); + $ban = new Block( $this->BlockAddress, $userId, $wgUser->getID(), + wfStrencode( $this->BlockReason ), wfTimestampNow(), 0, $expiry ); $ban->insert(); # Make log entry $log = new LogPage( wfMsg( "blocklogpage" ), wfMsg( "blocklogtext" ) ); - $action = wfMsg( "blocklogentry", $wpBlockAddress, $wpBlockExpiry ); - $log->addEntry( $action, $wpBlockReason ); + $action = wfMsg( "blocklogentry", $this->BlockAddress, $this->BlockExpiry ); + $log->addEntry( $action, $this->BlockReason ); # Report to the user $titleObj = Title::makeTitle( NS_SPECIAL, "Blockip" ); - $wgOut->redirect( $titleObj->getFullURL( "action=success&ip={$wpBlockAddress}" ) ); + $wgOut->redirect( $titleObj->getFullURL( "action=success&ip={$this->BlockAddress}" ) ); } function showSuccess() { global $wgOut, $wgUser; - global $ip; $wgOut->setPagetitle( wfMsg( "blockip" ) ); $wgOut->setSubtitle( wfMsg( "blockipsuccesssub" ) ); - $text = wfMsg( "blockipsuccesstext", $ip ); + $text = wfMsg( "blockipsuccesstext", $this->BlockAddress ); $wgOut->addWikiText( $text ); } } diff --git a/includes/SpecialContributions.php b/includes/SpecialContributions.php index 1d97b1ea95..a68c7c20b7 100644 --- a/includes/SpecialContributions.php +++ b/includes/SpecialContributions.php @@ -2,14 +2,14 @@ function wfSpecialContributions( $par = "" ) { - global $wgUser, $wgOut, $wgLang, $target, $hideminor; + global $wgUser, $wgOut, $wgLang, $wgRequest; $fname = "wfSpecialContributions"; $sysop = $wgUser->isSysop(); if( $par ) $target = $par; else - $target = wfCleanQueryVar( $target ); + $target = $wgResult->getVal( 'target' ); if ( "" == $target ) { $wgOut->errorpage( "notargettitle", "notargettext" ); @@ -20,7 +20,7 @@ function wfSpecialContributions( $par = "" ) list( $limit, $offset ) = wfCheckLimits( 50, "" ); $offlimit = $limit + $offset; $querylimit = $offlimit + 1; - $hideminor = ($hideminor ? 1 : 0); + $hideminor = ($wgRequest->getVal( 'hideminor' ) ? 1 : 0); $nt = Title::newFromURL( $target ); $nt->setNamespace( Namespace::getUser() ); diff --git a/includes/SpecialEmailuser.php b/includes/SpecialEmailuser.php index fe854b2af2..c1a071f9e4 100644 --- a/includes/SpecialEmailuser.php +++ b/includes/SpecialEmailuser.php @@ -4,14 +4,15 @@ require_once('UserMailer.php'); function wfSpecialEmailuser() { - global $wgUser, $wgOut, $action, $target; + global $wgUser, $wgOut, $wgRequest; if ( 0 == $wgUser->getID() || ( false === strpos( $wgUser->getEmail(), "@" ) ) ) { $wgOut->errorpage( "mailnologin", "mailnologintext" ); return; } - $target = wfCleanQueryVar( $target ); + $action = $wgRequest->getVal( $action ); + $target = $wgRequest->getVal( $target ); if ( "" == $target ) { $wgOut->errorpage( "notargettitle", "notargettext" ); return; @@ -32,29 +33,33 @@ function wfSpecialEmailuser() $wgOut->errorpage( "noemailtitle", "noemailtext" ); return; } - $fields = array( "wpSubject", "wpText" ); - wfCleanFormFields( $fields ); - $f = new EmailUserForm( $nu->getName() . " <{$address}>" ); + $f = new EmailUserForm( $nu->getName() . " <{$address}>", $target ); if ( "success" == $action ) { $f->showSuccess(); } - else if ( "submit" == $action ) { $f->doSubmit(); } + else if ( "submit" == $action && $wgRequest->wasPosted() ) { $f->doSubmit(); } else { $f->showForm( "" ); } } class EmailUserForm { var $mAddress; + var $target; + var $text, $subject; - function EmailUserForm( $addr ) + function EmailUserForm( $addr, $target ) { + global $wgRequest; $this->mAddress = $addr; + $this->target = $target; + $this->text = $wgRequest->getText( 'wpText' ); + $this->subject = $wgRequest->getText( 'wpSubject' ); } function showForm( $err ) { global $wgOut, $wgUser, $wgLang; - global $wpSubject, $wpText, $target; + global $wpSubject, $wpText; $wgOut->setPagetitle( wfMsg( "emailpage" ) ); $wgOut->addWikiText( wfMsg( "emailpagetext" ) ); @@ -64,13 +69,13 @@ class EmailUserForm { $emf = wfMsg( "emailfrom" ); $sender = $wgUser->getName(); $emt = wfMsg( "emailto" ); - $rcpt = str_replace( "_", " ", urldecode( $target ) ); + $rcpt = str_replace( "_", " ", $this->target ); $emr = wfMsg( "emailsubject" ); $emm = wfMsg( "emailmessage" ); $ems = wfMsg( "emailsend" ); $titleObj = Title::makeTitle( NS_SPECIAL, "Emailuser" ); - $action = $titleObj->escapeLocalURL( "target={$target}&action=submit" ); + $action = $titleObj->escapeLocalURL( "target={$this->target}&action=submit" ); if ( "" != $err ) { $wgOut->setSubtitle( wfMsg( "formerror" ) ); @@ -106,7 +111,7 @@ class EmailUserForm { function doSubmit() { global $wgOut, $wgUser, $wgLang, $wgOutputEncoding; - global $wpSubject, $wpText, $target; + global $wpSubject, $wpText, $this->target; $from = wfQuotedPrintable( $wgUser->getName() ) . " <" . $wgUser->getEmail() . ">"; @@ -115,7 +120,7 @@ class EmailUserForm { if (! $mailResult) { $titleObj = Title::makeTitle( NS_SPECIAL, "Emailuser" ); - $wgOut->redirect( $titleObj->getFullURL( "target={$target}&action=success" ) ); + $wgOut->redirect( $titleObj->getFullURL( "target={$this->target}&action=success" ) ); } else $wgOut->addHTML( wfMsg( "usermailererror" ) . $mailResult); diff --git a/includes/SpecialImagelist.php b/includes/SpecialImagelist.php index 855aec0c79..7432ebc6cf 100644 --- a/includes/SpecialImagelist.php +++ b/includes/SpecialImagelist.php @@ -2,11 +2,10 @@ function wfSpecialImagelist() { - global $wgUser, $wgOut, $wgLang, $sort; - global $wpIlMatch, $wpIlSubmit; - - $fields = array( 'wpIlMatch' ); - wfCleanFormFields( $fields ); + global $wgUser, $wgOut, $wgLang, $wgRequest; + + $sort = $wgRequest->getVal( 'sort' ); + $wpIlMatch = $wgRequest->getText( 'wpIlMatch' ); $sql = "SELECT img_size,img_name,img_user,img_user_text," . "img_description,img_timestamp FROM image"; diff --git a/includes/SpecialIpblocklist.php b/includes/SpecialIpblocklist.php index 064a97c35e..7d16f4826d 100644 --- a/includes/SpecialIpblocklist.php +++ b/includes/SpecialIpblocklist.php @@ -2,16 +2,17 @@ function wfSpecialIpblocklist() { - global $wgUser, $wgOut, $action, $ip; - - $fields = array( "wpUnblockAddress" ); - wfCleanFormFields( $fields ); - $ipu = new IPUnblockForm(); + global $wgUser, $wgOut, $wgRequest, $action; + + $ip = $wgRequest->getVal( 'wpUnblockAddress', $wgRequest->getVal( 'ip' ) ); + $reason = $wgRequest->getText( 'wpUnblockReason' ); + + $ipu = new IPUnblockForm( $ip, $reason ); if ( "success" == $action ) { $msg = wfMsg( "ipusuccess", $ip ); $ipu->showList( $msg ); - } else if ( "submit" == $action ) { + } else if ( "submit" == $action && $wgRequest->wasPosted() ) { if ( ! $wgUser->isSysop() ) { $wgOut->sysopRequired(); return; @@ -25,19 +26,23 @@ function wfSpecialIpblocklist() } class IPUnblockForm { - + var $ip, $reason; + + function IPUnblockForm( $ip, $reason ) { + $this->ip = $ip; + $this->reason = $reason; + } + function showForm( $err ) { global $wgOut, $wgUser, $wgLang; - global $ip, $wpUnblockAddress; $wgOut->setPagetitle( wfMsg( "unblockip" ) ); $wgOut->addWikiText( wfMsg( "unblockiptext" ) ); - if ( ! $wpUnblockAddress ) { $wpUnblockAddress = $ip; } $ipa = wfMsg( "ipaddress" ); $ipr = wfMsg( "ipbreason" ); - $ipus = wfMsg( "ipusubmit" ); + $ipus = htmlspecialchars( wfMsg( "ipusubmit" ) ); $titleObj = Title::makeTitle( NS_SPECIAL, "Ipblocklist" ); $action = $titleObj->escapeLocalURL( "action=submit" ); @@ -45,16 +50,17 @@ class IPUnblockForm { $wgOut->setSubtitle( wfMsg( "formerror" ) ); $wgOut->addHTML( "

          {$err}\n" ); } + $wgOut->addHTML( "

          {$ipa}: - +ip ) . "\">
          {$ipr}: - +reason ) . "\">
            @@ -66,15 +72,14 @@ class IPUnblockForm { function doSubmit() { global $wgOut, $wgUser, $wgLang; - global $wpUnblockAddress, $wpUnblockReason; $block = new Block(); - $wpUnblockAddress = trim( $wpUnblockAddress ); + $this->ip = trim( $this->ip ); - if ( $wpUnblockAddress{0} == "#" ) { - $block->mId = substr( $wpUnblockAddress, 1 ); + if ( $this->ip{0} == "#" ) { + $block->mId = substr( $this->ip, 1 ); } else { - $block->mAddress = $wpUnblockAddress; + $block->mAddress = $this->ip; } # Delete block (if it exists) @@ -83,12 +88,12 @@ class IPUnblockForm { # Make log entry $log = new LogPage( wfMsg( "blocklogpage" ), wfMsg( "blocklogtext" ) ); - $action = wfMsg( "unblocklogentry", $wpUnblockAddress ); - $log->addEntry( $action, $wpUnblockReason ); + $action = wfMsg( "unblocklogentry", $this->ip ); + $log->addEntry( $action, $this->reason ); # Report to the user $titleObj = Title::makeTitle( NS_SPECIAL, "Ipblocklist" ); - $success = $titleObj->getFullURL( "action=success&ip=" . urlencode($wpUnblockAddress) ); + $success = $titleObj->getFullURL( "action=success&ip=" . urlencode( $this->ip ) ); $wgOut->redirect( $success ); } @@ -108,7 +113,7 @@ class IPUnblockForm { # Callback function to output a block function wfAddRow( $block, $tag ) { - global $wgOut, $wgUser, $wgLang, $ip; + global $wgOut, $wgUser, $wgLang; $sk = $wgUser->getSkin(); diff --git a/includes/SpecialLockdb.php b/includes/SpecialLockdb.php index 628ab7121c..435a8dde29 100644 --- a/includes/SpecialLockdb.php +++ b/includes/SpecialLockdb.php @@ -2,24 +2,28 @@ function wfSpecialLockdb() { - global $wgUser, $wgOut, $action; + global $wgUser, $wgOut, $wgRequest, $action; if ( ! $wgUser->isDeveloper() ) { $wgOut->developerRequired(); return; } - $fields = array( "wpLockReason" ); - wfCleanFormFields( $fields ); $f = new DBLockForm(); if ( "success" == $action ) { $f->showSuccess(); } - else if ( "submit" == $action ) { $f->doSubmit(); } + else if ( "submit" == $action && $wgRequest->wasPosted() ) { $f->doSubmit(); } else { $f->showForm( "" ); } } class DBLockForm { - + var $reason = ""; + + function DBLockForm() { + global $wgRequest; + $this->reason = $wgRequest->getText( 'wpLockReason' ); + } + function showForm( $err ) { global $wgOut, $wgUser, $wgLang; @@ -58,10 +62,10 @@ class DBLockForm { function doSubmit() { - global $wgOut, $wgUser, $wgLang; - global $wpLockConfirm, $wpLockReason, $wgReadOnlyFile; + global $wgOut, $wgUser, $wgLang, $wgRequest; + global $wgReadOnlyFile; - if ( ! $wpLockConfirm ) { + if ( ! $wgRequest->getCheck( 'wpLockConfirm' ) ) { $this->showForm( wfMsg( "locknoconfirm" ) ); return; } @@ -71,7 +75,7 @@ class DBLockForm { $wgOut->fileNotFoundError( $wgReadOnlyFile ); return; } - fwrite( $fp, $wpLockReason ); + fwrite( $fp, $this->reason ); fwrite( $fp, "\n

          (by " . $wgUser->getName() . " at " . $wgLang->timeanddate( wfTimestampNow() ) . ")\n" ); fclose( $fp ); @@ -83,11 +87,10 @@ class DBLockForm { function showSuccess() { global $wgOut, $wgUser; - global $ip; $wgOut->setPagetitle( wfMsg( "lockdb" ) ); $wgOut->setSubtitle( wfMsg( "lockdbsuccesssub" ) ); - $wgOut->addWikiText( wfMsg( "lockdbsuccesstext", $ip ) ); + $wgOut->addWikiText( wfMsg( "lockdbsuccesstext" ) ); } } diff --git a/includes/SpecialMovepage.php b/includes/SpecialMovepage.php index f8f0c6c2f0..a2e648030d 100644 --- a/includes/SpecialMovepage.php +++ b/includes/SpecialMovepage.php @@ -3,7 +3,7 @@ include_once( "LinksUpdate.php" ); function wfSpecialMovepage() { - global $wgUser, $wgOut; + global $wgUser, $wgOut, $wgRequest, $action; if ( 0 == $wgUser->getID() or $wgUser->isBlocked() ) { $wgOut->errorpage( "movenologin", "movenologintext" ); @@ -13,18 +13,17 @@ function wfSpecialMovepage() $wgOut->readOnlyPage(); return; } - $fields = array( "wpNewTitle", "wpOldTitle" ); - wfCleanFormFields( $fields ); $f = new MovePageForm(); - if ( "success" == $_REQUEST['action'] ) { $f->showSuccess(); } - else if ( "submit" == $_REQUEST['action'] ) { $f->doSubmit(); } + if ( "success" == $action ) { $f->showSuccess(); } + else if ( "submit" == $action && $wgRequest->wasPosted() ) { $f->doSubmit(); } else { $f->showForm( "" ); } } class MovePageForm { - + var $oldTitle, $newTitle; # Text input + var $ot, $nt; # Old, new Title objects var $ons, $nns; # Namespaces var $odt, $ndt; # Pagenames (dbkey form) @@ -33,30 +32,32 @@ class MovePageForm { var $oldid, $newid; # "cur_id" field (yes, both from "cur") var $talkmoved = 0; + function MovePageForm() { + global $wgRequest; + $this->oldTitle = $wgRequest->getText( 'wpOldTitle', $wgRequest->getVal( 'target' ) ); + $this->newTitle = $wgRequest->getText( 'wpNewTitle' ); + } + function showForm( $err ) { global $wgOut, $wgUser, $wgLang; $wgOut->setPagetitle( wfMsg( "movepage" ) ); - if ( ! $_REQUEST['wpOldTitle'] ) { - if ( "" == $_REQUEST['target'] ) { - $wgOut->errorpage( "notargettitle", "notargettext" ); - return; - } - $oldTitle = htmlspecialchars( $_REQUEST['target'] ); - } else { - $oldTitle = htmlspecialchars( $_REQUEST['wpOldTitle'] ); + if ( empty( $this->oldTitle ) ) { + $wgOut->errorpage( "notargettitle", "notargettext" ); + return; } - $encOldTitle = htmlspecialchars( $oldTitle ); - $encNewTitle = htmlspecialchars( $_REQUEST['wpNewTitle'] ); - $ot = Title::newFromURL( $oldTitle ); + $encOldTitle = htmlspecialchars( $this->oldTitle ); + $encNewTitle = htmlspecialchars( $this->newTitle ); + $ot = Title::newFromURL( $this->oldTitle ); $ott = $ot->getPrefixedText(); $wgOut->addWikiText( wfMsg( "movepagetext" ) ); - if ( ! Namespace::isTalk( $ot->getNamespace() ) ) + if ( ! Namespace::isTalk( $ot->getNamespace() ) ) { $wgOut->addWikiText( "\n\n" . wfMsg( "movepagetalktext" ) ); + } $ma = wfMsg( "movearticle" ); $newt = wfMsg( "newtitle" ); @@ -107,8 +108,8 @@ class MovePageForm { global $wgUseSquid, $wgInternalServer; $fname = "MovePageForm::doSubmit"; - $this->ot = Title::newFromText( $_REQUEST['wpOldTitle'] ); - $this->nt = Title::newFromText( $_REQUEST['wpNewTitle'] ); + $this->ot = Title::newFromText( $this->oldTitle ); + $this->nt = Title::newFromText( $this->newTitle ); if( !$this->ot or !$this->nt ) { $this->showForm( wfMsg( "badtitletext" ) ); return; @@ -134,7 +135,7 @@ class MovePageForm { ( "" != $this->ot->getInterwiki() ) || ( !$this->ot->userCanEdit() ) || ( !$this->oldid ) || - ( ! Namespace::isMovable( $nns ) ) || + ( ! Namespace::isMovable( $this->nns ) ) || ( "" == $this->ndt ) || ( "" != $this->nt->getInterwiki() ) || ( !$this->nt->userCanEdit() ) || diff --git a/includes/SpecialNewpages.php b/includes/SpecialNewpages.php index f0dfa2554a..f142a20f8d 100644 --- a/includes/SpecialNewpages.php +++ b/includes/SpecialNewpages.php @@ -13,7 +13,7 @@ class NewPagesPage extends QueryPage { } function getSQL( $offset, $limit ) { - return "SELECT rc_title AS cur_title,rc_user AS cur_user,rc_user_text AS cur_user_text,rc_comment as cur_comment," . + return "SELECT rc_namespace AS cur_namespace, rc_title AS cur_title,rc_user AS cur_user,rc_user_text AS cur_user_text,rc_comment as cur_comment," . "rc_timestamp AS cur_timestamp,length(cur_text) as cur_length FROM recentchanges,cur " . "WHERE rc_cur_id=cur_id AND rc_new=1 AND rc_namespace=0 AND cur_is_redirect=0 " . "ORDER BY rc_timestamp DESC LIMIT {$offset}, {$limit}"; @@ -49,12 +49,12 @@ class NewPagesPage extends QueryPage { function wfSpecialNewpages() { + global $wgRequest; list( $limit, $offset ) = wfCheckLimits(); $npp = new NewPagesPage(); - - if( !$npp->doFeed( $_GET["feed"] ) ) { + if( !$npp->doFeed( $wgRequest->getVal( 'feed' ) ) ) { $npp->doQuery( $offset, $limit ); } } diff --git a/includes/SpecialPreferences.php b/includes/SpecialPreferences.php index 71800eed5d..395ef77ee7 100644 --- a/includes/SpecialPreferences.php +++ b/includes/SpecialPreferences.php @@ -3,11 +3,15 @@ function wfSpecialPreferences() { global $wgUser, $wgOut, $wgUseDynamicDates, $action; - global $wpSaveprefs, $wpReset; - - $fields = array( "wpOldpass", "wpNewpass", "wpRetypePass", - "wpUserEmail", "wpNick" ); - wfCleanFormFields( $fields ); + global $wpSaveprefs, $wpReset, $wgRequest; + + # EWWWWWW temp hack + global $wpOldpass, $wpNewpass, $wpRetypePass, $wpNick, $wpUserEmail; + $wpOldpass = $wgRequest->getText( 'wpOldpass' ); + $wpNewpass = $wgRequest->getText( 'wpNewpass' ); + $wpRetypePass = $wgRequest->getText( 'wpRetypePass' ); + $wpNick = $wgRequest->getText( 'wpNick' ); + $wpUserEmail = $wgRequest->getVal( 'wpUserEmail' ); if ( 0 == $wgUser->getID() ) { $wgOut->errorpage( "prefsnologin", "prefsnologintext" ); diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php index d0b5dfe8e0..5b46e0b67e 100644 --- a/includes/SpecialUpload.php +++ b/includes/SpecialUpload.php @@ -4,9 +4,6 @@ function wfSpecialUpload() { global $wgUser, $wgOut, $wpUpload, $wpReUpload, $action; global $wgDisableUploads; - - $fields = array( "wpUploadFile", "wpUploadDescription" ); - wfCleanFormFields( $fields ); if ( $wgDisableUploads ) { $wgOut->addWikiText( wfMsg( "uploaddisabled" ) ); @@ -60,8 +57,7 @@ function processUpload() $wpUploadSize = $HTTP_POST_FILES['wpUploadFile']['size']; } $prev = error_reporting( E_ALL & ~( E_NOTICE | E_WARNING ) ); - $oname = wfCleanQueryVar( $HTTP_POST_FILES['wpUploadFile']['name'] ); - if ( $wpUploadSaveName != "" ) $wpUploadSaveName = wfCleanQueryVar( $wpUploadSaveName ); + $oname = $wgRequest->getVal( $HTTP_POST_FILES['wpUploadFile'], 'name' ); error_reporting( $prev ); if ( "" != $oname ) { diff --git a/includes/SpecialUserlogin.php b/includes/SpecialUserlogin.php index 98afd91f82..5062ac5b1d 100644 --- a/includes/SpecialUserlogin.php +++ b/includes/SpecialUserlogin.php @@ -10,8 +10,11 @@ function wfSpecialUserlogin() } $fields = array( "wpName", "wpPassword", "wpName", - "wpPassword", "wpRetype", "wpEmail" ); - wfCleanFormFields( $fields ); + "wpPassword", "wpRetype" ); + # FIXME: UGLY HACK + foreach( $fields as $x ) { + $_REQUEST[$x] = $wgRequest->getText( $x ); + } # When switching accounts, it sucks to get automatically logged out global $wgLang; diff --git a/includes/Title.php b/includes/Title.php index 2ab5a898af..a3a20da33a 100644 --- a/includes/Title.php +++ b/includes/Title.php @@ -100,12 +100,13 @@ class Title { # For links that came from outside, check for alternate/legacy # character encoding. - wfDebug( "Refer: {$_SERVER['HTTP_REFERER']}\n" ); wfDebug( "Servr: $wgServer\n" ); if( empty( $_SERVER["HTTP_REFERER"] ) || strncmp($wgServer, $_SERVER["HTTP_REFERER"], strlen( $wgServer ) ) ) { $s = $wgLang->checkTitleEncoding( $s ); + } else { + wfDebug( "Refer: {$_SERVER['HTTP_REFERER']}\n" ); } $t->mDbkeyform = str_replace( " ", "_", $s ); diff --git a/includes/WatchedItem.php b/includes/WatchedItem.php index b5933f0776..74371be4bf 100644 --- a/includes/WatchedItem.php +++ b/includes/WatchedItem.php @@ -59,6 +59,7 @@ class WatchedItem { } /* static */ function duplicateEntries( $ot, $nt ) { + $fname = "WatchedItem::duplicateEntries"; global $wgMemc, $wgDBname; $oldnamespace = $ot->getNamespace() & ~1; $newnamespace = $nt->getNamespace() & ~1; diff --git a/includes/WebRequest.php b/includes/WebRequest.php new file mode 100644 index 0000000000..4fc7f9499e --- /dev/null +++ b/includes/WebRequest.php @@ -0,0 +1,106 @@ +checkMagicQuotes(); + $this->checkRegisterGlobals(); + } + + function &fix_magic_quotes( &$arr ) { + foreach( $arr as $key => $val ) { + if( is_array( $val ) ) { + $this->fix_magic_quotes( $arr[$key] ); + } else { + $arr[$key] = stripslashes( $val ); + } + } + return $arr; + } + + function checkMagicQuotes() { + if ( get_magic_quotes_gpc() ) { + $this->fix_magic_quotes( $_COOKIE ); + $this->fix_magic_quotes( $_ENV ); + $this->fix_magic_quotes( $_GET ); + $this->fix_magic_quotes( $_POST ); + $this->fix_magic_quotes( $_REQUEST ); + $this->fix_magic_quotes( $_SERVER ); + } elseif( defined('DEBUG_GLOBALS') ) { + die("DEBUG_GLOBALS: turn on magic_quotes_gpc" ); + } + } + + function checkRegisterGlobals() { + if( ini_get( "register_globals" ) ) { + if( defined( "DEBUG_GLOBALS" ) ) { + die( "DEBUG_GLOBALS: Turn register_globals off!" ); + } + } else { + if( !defined( "DEBUG_GLOBALS" ) ) { + # Insecure, but at least it'll run + import_request_variables( "GPC" ); + } + } + } + + function getGPCVal( &$arr, $name, $default ) { + if( isset( $arr[$name] ) ) { + return $arr[$name]; + } else { + return $default; + } + } + + function getGPCText( &$arr, $name, $default ) { + # Text fields may be in an alternate encoding which we should check. + # Also, strip CRLF line endings down to LF to achieve consistency. + global $wgLang; + if( isset( $arr[$name] ) ) { + return str_replace( "\r\n", "\n", $wgLang->recodeInput( $arr[$name] ) ); + } else { + return $default; + } + } + + function getVal( $name, $default = NULL ) { + return $this->getGPCVal( $_REQUEST, $name, $default ); + } + + function getInt( $name, $default = 0 ) { + return IntVal( $this->getVal( $name, $default ) ); + } + + function getBool( $name, $default = false ) { + return $this->getVal( $name, $default ) ? true : false; + } + + function getCheck( $name ) { + # Checkboxes and buttons are only present when clicked + # Presence connotes truth, abscense false + $val = $this->getVal( $name, NULL ); + return isset( $val ); + } + + function getText( $name, $default = "" ) { + return $this->getGPCText( $_REQUEST, $name, $default ); + } + + function wasPosted() { + return $_SERVER['REQUEST_METHOD'] == 'POST'; + } + + function checkSessionCookie() { + return isset( $_COOKIE[ini_get("session.name")] ); + } +} + +?> \ No newline at end of file diff --git a/index.php b/index.php index 45c8bc681d..4496160198 100644 --- a/index.php +++ b/index.php @@ -3,42 +3,6 @@ # $wgRequestTime = microtime(); -## Enable this to debug total elimination of register_globals -#define( "DEBUG_GLOBALS", 1 ); - -if( defined('DEBUG_GLOBALS') ) error_reporting(E_ALL); - -function &fix_magic_quotes( &$arr ) { - foreach( $arr as $key => $val ) { - if( is_array( $val ) ) { - fix_magic_quotes( $arr[$key] ); - } else { - $arr[$key] = stripslashes( $val ); - } - } - return $arr; -} - -if ( get_magic_quotes_gpc() ) { - fix_magic_quotes( $_COOKIE ); - fix_magic_quotes( $_ENV ); - fix_magic_quotes( $_GET ); - fix_magic_quotes( $_POST ); - fix_magic_quotes( $_REQUEST ); - fix_magic_quotes( $_SERVER ); -} elseif( defined('DEBUG_GLOBALS') ) { - die("DEBUG_GLOBALS: turn on magic_quotes_gpc" ); -} - -if( defined('DEBUG_GLOBALS') ) { - if( ini_get( "register_globals" ) ) { - die( "DEBUG_GLOBALS: turn off register_globals" ); - } -} elseif( !ini_get( "register_globals" ) ) { - # Insecure, but at least it'll run - import_request_variables( "GPC" ); -} - unset( $IP ); ini_set( "allow_url_fopen", 0 ); # For security... if(!file_exists("LocalSettings.php")) { @@ -60,18 +24,12 @@ wfProfileIn( "main-misc-setup" ); OutputPage::setEncodings(); # Not really used yet # Query string fields -if( empty( $_REQUEST['action'] ) ) { - $action = "view"; -} else { - $action = $_REQUEST['action']; -} +$action = $wgRequest->getVal( "action", "view" ); if( isset( $_SERVER['PATH_INFO'] ) ) { $title = substr( $_SERVER['PATH_INFO'], 1 ); -} elseif( !empty( $_REQUEST['title'] ) ) { - $title = $_REQUEST['title']; } else { - $title = ""; + $title = $wgRequest->getVal( "title" ); } # Placeholders in case of DB error @@ -80,15 +38,15 @@ $wgArticle = new Article($wgTitle); $action = strtolower( trim( $action ) ); if ( "" == $action ) { $action = "view"; } -if ( !empty( $_REQUEST['printable'] ) && $_REQUEST['printable'] == "yes") { +if ($wgRequest->getVal( "printable" ) == "yes") { $wgOut->setPrintable(); } if ( "" == $title && "delete" != $action ) { $wgTitle = Title::newFromText( wfMsg( "mainpage" ) ); -} elseif ( !empty( $_REQUEST['curid'] ) ) { +} elseif ( $curid = $wgRequest->getInt( 'curid' ) ) { # URLs like this are generated by RC, because rc_title isn't always accurate - $wgTitle = Title::newFromID( $_REQUEST['curid'] ); + $wgTitle = Title::newFromID( $curid ); } else { $wgTitle = Title::newFromURL( $title ); } @@ -104,27 +62,27 @@ if ( !$wgUser->getID() && is_array( $wgWhitelistRead ) && $wgTitle) { } } -if ( !empty( $_REQUEST['search'] ) ) { - if( isset($_REQUEST['fulltext']) ) { - wfSearch( $_REQUEST['search'] ); +if ( $search = $wgRequest->getText( 'search' ) ) { + if( $wgRequest->getVal( 'fulltext' ) ) { + wfSearch( $search ); } else { - wfGo( $_REQUEST['search'] ); + wfGo( $search ); } } else if( !$wgTitle or $wgTitle->getInterwiki() != "" or $wgTitle->getDBkey() == "" ) { $wgTitle = Title::newFromText( wfMsg( "badtitle" ) ); $wgOut->errorpage( "badtitle", "badtitletext" ); } else if ( ( $action == "view" ) && $wgTitle->getPrefixedDBKey() != $title ) { /* redirect to canonical url, make it a 301 to allow caching */ - $wgOut->redirect( wfLocalUrl( $wgTitle->getPrefixedURL() ), '301'); + $wgOut->redirect( $wgTitle->getFullURL(), '301'); } else if ( Namespace::getSpecial() == $wgTitle->getNamespace() ) { wfSpecialPage(); } else { if ( Namespace::getMedia() == $wgTitle->getNamespace() ) { $wgTitle = Title::makeTitle( Namespace::getImage(), $wgTitle->getDBkey() ); - } + } switch( $wgTitle->getNamespace() ) { - case 6: + case NS_IMAGE: include_once( "ImagePage.php" ); $wgArticle = new ImagePage( $wgTitle ); break; @@ -149,7 +107,7 @@ if ( !empty( $_REQUEST['search'] ) ) { break; case "edit": case "submit": - if( !$wgCommandLineMode && !isset( $_COOKIE[ini_get("session.name")] ) ) { + if( !$wgCommandLineMode && !$wgRequest->checkSessionCookie() ) { User::SetupSession(); } include_once( "EditPage.php" ); -- 2.20.1