return $_GET;
}
+ /**
+ * Return the contents of the Query with no decoding. Use when you need to
+ * know exactly what was sent, e.g. for an OAuth signature over the elements.
+ *
+ * @return String
+ */
+ public function getRawQueryString() {
+ return $_SERVER['QUERY_STRING'];
+ }
+
+ /**
+ * Return the contents of the POST with no decoding. Use when you need to
+ * know exactly what was sent, e.g. for an OAuth signature over the elements.
+ *
+ * @return String
+ */
+ public function getRawPostString() {
+ if ( !$this->wasPosted() ) {
+ return '';
+ }
+ return $this->getRawInput();
+ }
+
+ /**
+ * Return the raw request body, with no processing. Cached since some methods
+ * disallow reading the stream more than once. As stated in the php docs, this
+ * does not work with enctype="multipart/form-data".
+ *
+ * @return String
+ */
+ public function getRawInput() {
+ static $input = false;
+ if ( $input === false ) {
+ $input = file_get_contents( 'php://input' );
+ }
+ return $input;
+ }
+
/**
* Get the HTTP method used for this request.
*
return;
}
- if ( function_exists( 'apache_request_headers' ) ) {
- foreach ( apache_request_headers() as $tempName => $tempValue ) {
+ $apacheHeaders = function_exists( 'apache_request_headers' ) ? apache_request_headers() : false;
+ if ( $apacheHeaders ) {
+ foreach ( $apacheHeaders as $tempName => $tempValue ) {
$this->headers[strtoupper( $tempName )] = $tempValue;
}
} else {
# unless the address is not sensible (e.g. private). However, prefer private
# IP addresses over proxy servers controlled by this site (more sensible).
foreach ( $ipchain as $i => $curIP ) {
- $curIP = IP::canonicalize( $curIP );
+ $curIP = IP::sanitizeIP( IP::canonicalize( $curIP ) );
if ( wfIsTrustedProxy( $curIP ) && isset( $ipchain[$i + 1] ) ) {
- if ( wfIsConfiguredProxy( $curIP ) || // bug 48919
- ( IP::isPublic( $ipchain[$i + 1] ) || $wgUsePrivateIPs )
+ if ( wfIsConfiguredProxy( $curIP ) || // bug 48919; treat IP as sane
+ IP::isPublic( $ipchain[$i + 1] ) ||
+ $wgUsePrivateIPs
) {
- $ip = IP::canonicalize( $ipchain[$i + 1] );
+ $nextIP = IP::canonicalize( $ipchain[$i + 1] );
+ if ( !$nextIP && wfIsConfiguredProxy( $ip ) ) {
+ // We have not yet made it past CDN/proxy servers of this site,
+ // so either they are misconfigured or there is some IP spoofing.
+ throw new MWException( "Invalid IP given in XFF '$forwardedFor'." );
+ }
+ $ip = $nextIP;
continue;
}
}
wfRunHooks( 'GetIP', array( &$ip ) );
if ( !$ip ) {
- throw new MWException( "Unable to determine IP" );
+ throw new MWException( "Unable to determine IP." );
}
wfDebug( "IP: $ip\n" );
return false;
}
+ /**
+ * FauxRequests shouldn't depend on raw request data (but that could be implemented here)
+ * @return String
+ */
+ public function getRawQueryString() {
+ return '';
+ }
+
+ /**
+ * FauxRequests shouldn't depend on raw request data (but that could be implemented here)
+ * @return String
+ */
+ public function getRawPostString() {
+ return '';
+ }
+
+ /**
+ * FauxRequests shouldn't depend on raw request data (but that could be implemented here)
+ * @return String
+ */
+ public function getRawInput() {
+ return '';
+ }
+
/**
* @param array $extWhitelist
* @return bool