X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/password.php?a=blobdiff_plain;f=api.php;h=e031dfac7e292ac0df22504c8c0a5d58fd57e534;hb=726760153c557cfd2aea8bbeb3256f2c726d4847;hp=7db2ce09b1fc1b4f11135887d3865b0d944eabf2;hpb=d656615e9f200af542751e713112ac9be42b135b;p=lhc%2Fweb%2Fwiklou.git
diff --git a/api.php b/api.php
index 7db2ce09b1..e031dfac7e 100644
--- a/api.php
+++ b/api.php
@@ -1,25 +1,27 @@ @gmail.com
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-* http://www.gnu.org/copyleft/gpl.html
-*/
+/**
+ * API for MediaWiki 1.8+
+ *
+ * Copyright (C) 2006 Yuri Astrakhan @gmail.com
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
 /**
  * This file is the entry point for all API queries. It begins by checking
@@ -37,23 +39,59 @@ require (dirname(__FILE__) . '/includes/WebStart.php');
 wfProfileIn('api.php');
 
+// URL safety checks
+//
+// See RawPage.php for details; summary is that MSIE can override the
+// Content-Type if it sees a recognized extension on the URL, such as
+// might be appended via PATH_INFO after 'api.php'.
+//
+// Some data formats can end up containing unfiltered user-provided data
+// which will end up triggering HTML detection and execution, hence
+// XSS injection and all that entails.
+//
+// Ensure that all access is through the canonical entry point...
+//
+if( isset( $_SERVER['SCRIPT_NAME'] ) ) {
+	$url = $_SERVER['SCRIPT_NAME'];
+} else {
+	$url = $_SERVER['URL'];
+}
+if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
+	wfHttpError( 403, 'Forbidden',
+		'API must be accessed through the primary script entry point.' );
+	return;
+}
+
 // Verify that the API has not been disabled
 if (!$wgEnableAPI) {
 	echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';
 	echo '$wgEnableAPI=true;';
-	die(-1);
+	die(1);
 }
 
+// So extensions can check whether they're running in API mode
+define('MW_API', true);
+
+// Set a dummy $wgTitle, because $wgTitle == null breaks various things
+// In a perfect world this wouldn't be necessary
+$wgTitle = Title::newFromText('API');
+
 /* Construct an ApiMain with the arguments passed via the URL. What we get back
  * is some form of an ApiMain, possibly even one that produces an error message,
  * but we don't care here, as that is handled by the ctor. */
 $processor = new ApiMain($wgRequest, $wgEnableWriteAPI);
 
-// Generate the output.
+// Process data & print results
 $processor->execute();
 
+// Execute any deferred updates
+wfDoUpdates();
+
 // Log what the user did, for book-keeping purposes.
 wfProfileOut('api.php');
 wfLogProfilingData();
-?>
+
+// Shut down the database
+wfGetLBFactory()->shutdown();
+
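Review bot: The canonical-entry-point check compares only `$_SERVER['SCRIPT_NAME']`, which on SAPIs that follow the CGI spec (Apache mod_php among them) excludes PATH_INFO, so a request for `api.php/x.html` — the very case the comment above the check names — appears to still pass the `strcmp` and reach the output formatters. Since the API takes all of its input from the query string, rejecting any trailing path component is safe: `if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) || !empty( $_SERVER['PATH_INFO'] ) ) {`. Whether SCRIPT_NAME carries PATH_INFO varies by SAPI and by cgi.fix_pathinfo, so this is worth confirming against the supported deployments rather than assuming RawPage.php's behaviour transfers unchanged. A smaller nit: the early `return` after `wfHttpError()` skips the `wfProfileOut('api.php')` that pairs with the `wfProfileIn` two lines above, leaving the profiler section open on the rejected path.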