*/
private static $Modules = [
'login' => 'ApiLogin',
+ 'clientlogin' => 'ApiClientLogin',
'logout' => 'ApiLogout',
- 'createaccount' => 'ApiCreateAccount',
+ 'createaccount' => 'ApiAMCreateAccount',
+ 'linkaccount' => 'ApiLinkAccount',
+ 'unlinkaccount' => 'ApiRemoveAuthenticationData',
+ 'changeauthenticationdata' => 'ApiChangeAuthenticationData',
+ 'removeauthenticationdata' => 'ApiRemoveAuthenticationData',
+ 'resetpassword' => 'ApiResetPassword',
'query' => 'ApiQuery',
'expandtemplates' => 'ApiExpandTemplates',
'parse' => 'ApiParse',
private $mModuleMgr, $mResult, $mErrorFormatter, $mContinuationManager;
private $mAction;
private $mEnableWrite;
- private $mInternalMode, $mSquidMaxage, $mModule;
+ private $mInternalMode, $mSquidMaxage;
+ /** @var ApiBase */
+ private $mModule;
private $mCacheMode = 'private';
private $mCacheControl = [];
private $mParamsUsed = [];
+ /** @var bool|null Cached return value from self::lacksSameOriginSecurity() */
+ private $lacksSameOriginSecurity = null;
+
/**
* Constructs an instance of ApiMain that utilizes the module and format specified by $request.
*
return $this->mResult;
}
+ /**
+ * Get the security flag for the current request
+ * @return bool
+ */
+ public function lacksSameOriginSecurity() {
+ if ( $this->lacksSameOriginSecurity !== null ) {
+ return $this->lacksSameOriginSecurity;
+ }
+
+ $request = $this->getRequest();
+
+ // JSONP mode
+ if ( $request->getVal( 'callback' ) !== null ) {
+ $this->lacksSameOriginSecurity = true;
+ return true;
+ }
+
+ // Header to be used from XMLHTTPRequest when the request might
+ // otherwise be used for XSS.
+ if ( $request->getHeader( 'Treat-as-Untrusted' ) !== false ) {
+ $this->lacksSameOriginSecurity = true;
+ return true;
+ }
+
+ // Allow extensions to override.
+ $this->lacksSameOriginSecurity = !Hooks::run( 'RequestHasSameOriginSecurity', array( $request ) );
+ return $this->lacksSameOriginSecurity;
+ }
+
+
/**
* Get the ApiErrorFormatter object associated with current request
* @return ApiErrorFormatter
if ( $this->mInternalMode ) {
$this->executeAction();
} else {
- $start = microtime( true );
$this->executeActionWithErrorHandling();
- if ( $this->isWriteMode() && $this->getRequest()->wasPosted() ) {
- $timeMs = 1000 * max( 0, microtime( true ) - $start );
- $this->getStats()->timing(
- 'api.' . $this->getModuleName() . '.executeTiming', $timeMs );
- }
}
}
$isError = false;
try {
$this->executeAction();
- $this->logRequest( microtime( true ) - $t );
-
+ $runTime = microtime( true ) - $t;
+ $this->logRequest( $runTime );
+ if ( $this->mModule->isWriteMode() && $this->getRequest()->wasPosted() ) {
+ $this->getStats()->timing(
+ 'api.' . $this->getModuleName() . '.executeTiming', 1000 * $runTime );
+ }
} catch ( Exception $e ) {
$this->handleException( $e );
$this->logRequest( microtime( true ) - $t, $e );
$response = $this->getRequest()->response();
$out = $this->getOutput();
+ $out->addVaryHeader( 'Treat-as-Untrusted' );
+
$config = $this->getConfig();
if ( $config->get( 'VaryOnXFP' ) ) {
TS_MW, time() - $this->getConfig()->get( 'SquidMaxage' )
);
}
- Hooks::run( 'OutputPageCheckLastModified', [ &$modifiedTimes ] );
+ Hooks::run( 'OutputPageCheckLastModified', [ &$modifiedTimes, $this->getOutput() ] );
$lastMod = max( $modifiedTimes );
$return304 = wfTimestamp( TS_MW, $lastMod ) <= $ts->getTimestamp( TS_MW );
}
$trxProfiler->setExpectations( $limits['POST'], __METHOD__ );
} else {
$trxProfiler->setExpectations( $limits['POST-nonwrite'], __METHOD__ );
+ $this->getRequest()->markAsSafeRequest();
}
} else {
$trxProfiler->setExpectations( $limits['GET'], __METHOD__ );
return array_keys( $this->mParamsUsed );
}
+ /**
+ * Mark parameters as used
+ * @param string|string[] $params
+ */
+ public function markParamsUsed( $params ) {
+ $this->mParamsUsed += array_fill_keys( (array)$params, true );
+ }
+
/**
* Get a request value, and register the fact that it was used, for logging.
* @param string $name
$tocnumber = &$options['tocnumber'];
$header = $this->msg( 'api-help-datatypes-header' )->parse();
+
+ // Add an additional span with sanitized ID
+ if ( !$this->getConfig()->get( 'ExperimentalHtmlIds' ) ) {
+ $header = Html::element( 'span', [ 'id' => Sanitizer::escapeId( 'main/datatypes' ) ] ) .
+ $header;
+ }
$help['datatypes'] .= Html::rawElement( 'h' . min( 6, $level ),
[ 'id' => 'main/datatypes', 'class' => 'apihelp-header' ],
- Html::element( 'span', [ 'id' => Sanitizer::escapeId( 'main/datatypes' ) ] ) .
$header
);
$help['datatypes'] .= $this->msg( 'api-help-datatypes' )->parseAsBlock();
];
}
+ // Add an additional span with sanitized ID
+ if ( !$this->getConfig()->get( 'ExperimentalHtmlIds' ) ) {
+ $header = Html::element( 'span', [ 'id' => Sanitizer::escapeId( 'main/credits' ) ] ) .
+ $header;
+ }
$header = $this->msg( 'api-credits-header' )->parse();
$help['credits'] .= Html::rawElement( 'h' . min( 6, $level ),
[ 'id' => 'main/credits', 'class' => 'apihelp-header' ],
- Html::element( 'span', [ 'id' => Sanitizer::escapeId( 'main/credits' ) ] ) .
$header
);
$help['credits'] .= $this->msg( 'api-credits' )->useDatabase( false )->parseAsBlock();
return "* $paramName={$module->getModuleName()} $modulePrefix*";
}
- /**
- * Check whether the user wants us to show version information in the API help
- * @return bool
- * @deprecated since 1.21, always returns false
- */
- public function getShowVersions() {
- wfDeprecated( __METHOD__, '1.21' );
-
- return false;
- }
-
- /**
- * Add or overwrite a module in this ApiMain instance. Intended for use by extending
- * classes who wish to add their own modules to their lexicon or override the
- * behavior of inherent ones.
- *
- * @deprecated since 1.21, Use getModuleManager()->addModule() instead.
- * @param string $name The identifier for this module.
- * @param ApiBase $class The class where this module is implemented.
- */
- protected function addModule( $name, $class ) {
- $this->getModuleManager()->addModule( $name, 'action', $class );
- }
-
- /**
- * Add or overwrite an output format for this ApiMain. Intended for use by extending
- * classes who wish to add to or modify current formatters.
- *
- * @deprecated since 1.21, Use getModuleManager()->addModule() instead.
- * @param string $name The identifier for this format.
- * @param ApiFormatBase $class The class implementing this format.
- */
- protected function addFormat( $name, $class ) {
- $this->getModuleManager()->addModule( $name, 'format', $class );
- }
-
- /**
- * Returns the list of supported formats in form ( 'format' => 'ClassName' )
- *
- * @since 1.18
- * @deprecated since 1.21, Use getModuleManager()'s methods instead.
- * @return array
- */
- public function getFormats() {
- return $this->getModuleManager()->getNamesWithClasses( 'format' );
- }
-
/**@}*/
}