From 9de57fff82b79d0c0ec69b40028ab8e9edaa40bd Mon Sep 17 00:00:00 2001 From: "Mark A. Hershberger" Date: Wed, 2 Feb 2011 01:08:15 +0000 Subject: [PATCH] * Remove last bit of code that uses PATH_INFO from img_auth.php so that people who want to use protected images on hosts with sadly mis-shapen PHPs (e.g. GoDaddy) can. * Mangle PATH_INFO handler in WebRequest so that all the relevant bits are in a (couple of) static functions. --- img_auth.php | 14 ++--- includes/WebRequest.php | 117 ++++++++++++++++++++-------------------- 2 files changed, 61 insertions(+), 70 deletions(-) diff --git a/img_auth.php b/img_auth.php index d9b4a78bc5..e6485fc111 100644 --- a/img_auth.php +++ b/img_auth.php @@ -30,6 +30,7 @@ require_once( dirname( __FILE__ ) . '/includes/WebStart.php' ); wfProfileIn( 'img_auth.php' ); require_once( dirname( __FILE__ ) . '/includes/StreamFile.php' ); +$wgActionPaths[] = $_SERVER['SCRIPT_NAME']; // See if this is a public Wiki (no protections) if ( $wgImgAuthPublicTest && in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) @@ -37,17 +38,8 @@ if ( $wgImgAuthPublicTest wfForbidden('img-auth-accessdenied','img-auth-public'); } -// Extract path and image information -if( !isset( $_SERVER['PATH_INFO'] ) ) { - $path = $wgRequest->getText( 'path' ); - if( !$path ) { - wfForbidden( 'img-auth-accessdenied', 'img-auth-nopathinfo' ); - } - $path = "/$path"; -} else { - $path = $_SERVER['PATH_INFO']; -} - +$matches = WebRequest::getPathInfo(); +$path = $matches['title']; $filename = realpath( $wgUploadDirectory . $path ); $realUpload = realpath( $wgUploadDirectory ); diff --git a/includes/WebRequest.php b/includes/WebRequest.php index a856237e1d..bf1155f88e 100644 --- a/includes/WebRequest.php +++ b/includes/WebRequest.php 
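Review bot: The added `$wgActionPaths[] = $_SERVER['SCRIPT_NAME'];` in img_auth.php has no comment, and nothing on the line says why a request script appends to a global configuration array. I would add `// Register this script's URL prefix so WebRequest::getPathInfo() strips it and returns the file path as 'title'`. The entry is appended under an integer key and without a `$1` placeholder, so a match presumably also carries an `action` value of 0 (the body of extractTitle() is outside this patch); img_auth.php reads only 'title', which is worth stating in the comment. SCRIPT_NAME is supplied by the server and may not equal the prefix of REQUEST_URI on rewritten or CGI setups, in which case nothing matches and the lookup in the next hunk comes back empty.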
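Review bot: `$path = $matches['title'];` is read without checking that a path was found, and the `wfForbidden( 'img-auth-accessdenied', 'img-auth-nopathinfo' )` refusal the removed code issued for a missing path is gone. When getPathInfo() returns nothing, or an array without 'title', `$path` is null and `realpath( $wgUploadDirectory . $path )` resolves to the upload directory itself, so the request proceeds to the later checks (outside this hunk) instead of being refused here. I would keep the explicit refusal before building `$filename`: `if ( !isset( $matches['title'] ) || $matches['title'] === '' ) { wfForbidden( 'img-auth-accessdenied', 'img-auth-nopathinfo' ); }`. The ORIG_PATH_INFO and PATH_INFO fallbacks in getPathInfo() also strip the leading slash with `substr( ..., 1 )`, whereas the removed code always produced a path beginning with `/`, so on those fallbacks `$wgUploadDirectory . $path` loses its separator.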
@@ -55,6 +55,60 @@ class WebRequest { $this->data = $_POST + $_GET; } + static public function getPathInfo( $want = 'all' ) { + if ( !empty( $_SERVER['REQUEST_URI'] ) ) { + // Slurp out the path portion to examine... + $url = $_SERVER['REQUEST_URI']; + if ( !preg_match( '!^https?://!', $url ) ) { + $url = 'http://unused' . $url; + } + $a = parse_url( $url ); + if( $a ) { + $path = isset( $a['path'] ) ? $a['path'] : ''; + + global $wgScript; + if( $path == $wgScript && $want !== 'all' ) { + // Script inside a rewrite path? + // Abort to keep from breaking... + return; + } + // Raw PATH_INFO style + $matches = self::extractTitle( $path, "$wgScript/$1" ); + + global $wgArticlePath; + if( !$matches && $wgArticlePath ) { + $matches = self::extractTitle( $path, $wgArticlePath ); + } + + global $wgActionPaths; + if( !$matches && $wgActionPaths ) { + $matches = self::extractTitle( $path, $wgActionPaths, 'action' ); + } + + global $wgVariantArticlePath, $wgContLang; + if( !$matches && $wgVariantArticlePath ) { + $variantPaths = array(); + foreach( $wgContLang->getVariants() as $variant ) { + $variantPaths[$variant] = + str_replace( '$2', $variant, $wgVariantArticlePath ); + } + $matches = self::extractTitle( $path, $variantPaths, 'variant' ); + } + } + } elseif ( isset( $_SERVER['ORIG_PATH_INFO'] ) && $_SERVER['ORIG_PATH_INFO'] != '' ) { + // Mangled PATH_INFO + // http://bugs.php.net/bug.php?id=31892 + // Also reported when ini_get('cgi.fix_pathinfo')==false + $matches['title'] = substr( $_SERVER['ORIG_PATH_INFO'], 1 ); + + } elseif ( isset( $_SERVER['PATH_INFO'] ) && ($_SERVER['PATH_INFO'] != '') ) { + // Regular old PATH_INFO yay + $matches['title'] = substr( $_SERVER['PATH_INFO'], 1 ); + } + + return $matches; + } + /** * Check for title, action, and/or variant data in the URL * and interpolate it into the GET variables. 
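Review bot: `$matches` is never initialised in getPathInfo(), although the inline code this replaces began with `$matches = array();`. The function reaches `return $matches;` with the variable unset when REQUEST_URI is empty and neither PATH_INFO variable is present, or when parse_url() fails, and the bare `return;` in the `$path == $wgScript` branch returns null; interpolateTitle() then passes that straight to `foreach( $matches as ... )`. Start the function with `$matches = array();` and change the early exit to `return $matches;` so every path returns an array. The method also needs a docblock: `$want` is only compared against 'all' and its accepted values are not stated, and callers such as img_auth.php should be told that 'title' comes from the request URL and is not validated in this function.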
@@ -70,64 +124,9 @@ class WebRequest { return; } - if ( $wgUsePathInfo ) { - // PATH_INFO is mangled due to http://bugs.php.net/bug.php?id=31892 - // And also by Apache 2.x, double slashes are converted to single slashes. - // So we will use REQUEST_URI if possible. - $matches = array(); - - if ( !empty( $_SERVER['REQUEST_URI'] ) ) { - // Slurp out the path portion to examine... - $url = $_SERVER['REQUEST_URI']; - if ( !preg_match( '!^https?://!', $url ) ) { - $url = 'http://unused' . $url; - } - $a = parse_url( $url ); - if( $a ) { - $path = isset( $a['path'] ) ? $a['path'] : ''; - - global $wgScript; - if( $path == $wgScript ) { - // Script inside a rewrite path? - // Abort to keep from breaking... - return; - } - // Raw PATH_INFO style - $matches = $this->extractTitle( $path, "$wgScript/$1" ); - - global $wgArticlePath; - if( !$matches && $wgArticlePath ) { - $matches = $this->extractTitle( $path, $wgArticlePath ); - } - - global $wgActionPaths; - if( !$matches && $wgActionPaths ) { - $matches = $this->extractTitle( $path, $wgActionPaths, 'action' ); - } - - global $wgVariantArticlePath, $wgContLang; - if( !$matches && $wgVariantArticlePath ) { - $variantPaths = array(); - foreach( $wgContLang->getVariants() as $variant ) { - $variantPaths[$variant] = - str_replace( '$2', $variant, $wgVariantArticlePath ); - } - $matches = $this->extractTitle( $path, $variantPaths, 'variant' ); - } - } - } elseif ( isset( $_SERVER['ORIG_PATH_INFO'] ) && $_SERVER['ORIG_PATH_INFO'] != '' ) { - // Mangled PATH_INFO - // http://bugs.php.net/bug.php?id=31892 - // Also reported when ini_get('cgi.fix_pathinfo')==false - $matches['title'] = substr( $_SERVER['ORIG_PATH_INFO'], 1 ); - - } elseif ( isset( $_SERVER['PATH_INFO'] ) && ($_SERVER['PATH_INFO'] != '') ) { - // Regular old PATH_INFO yay - $matches['title'] = substr( $_SERVER['PATH_INFO'], 1 ); - } - foreach( $matches as $key => $val) { - $this->data[$key] = $_GET[$key] = $_REQUEST[$key] = $val; - } + $matches = self::getPathInfo( 
'title' ); + foreach( $matches as $key => $val) { + $this->data[$key] = $_GET[$key] = $_REQUEST[$key] = $val; } } @@ -141,7 +140,7 @@ class WebRequest { * passed on as the value of this URL parameter * @return array of URL variables to interpolate; empty if no match */ - private function extractTitle( $path, $bases, $key=false ) { + private static function extractTitle( $path, $bases, $key=false ) { foreach( (array)$bases as $keyValue => $base ) { // Find the part after $wgArticlePath $base = str_replace( '$1', '', $base ); -- 2.20.1
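Review bot: The `if ( $wgUsePathInfo )` guard is removed together with the inline code, and the replacement `$matches = self::getPathInfo( 'title' );` is not wrapped in any equivalent check in the visible lines. Unless a check survives earlier in interpolateTitle() (the function starts outside this hunk), title, action and variant values taken from the URL path are now merged into `$_GET` and `$_REQUEST` even where path-info handling was switched off. I would keep the setting effective by putting `if ( !$wgUsePathInfo ) { return; }` before the call. If the setting is meant to be retired instead, that should be stated in the commit message and the method's docblock.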