Remove references to safe_mode INI setting

[lhc/web/wiklou.git] / includes / HttpFunctions.php

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 60196ab..032710c 100644 (file)
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -80,7 +80,8 @@ class Http {
                } else {
                        $errors = $status->getErrorsByType( 'error' );
                        $logger = LoggerFactory::getInstance( 'http' );
-                       $logger->warning( $status->getWikiText(), array( 'caller' => $caller ) );
+                       $logger->warning( $status->getWikiText(),
+                               array( 'error' => $errors, 'caller' => $caller, 'content' => $req->getContent() ) );
                        return false;
                }
        }
@@ -781,7 +782,22 @@ class CurlHttpRequest extends MWHttpRequest {
                        $this->curlOptions[CURLOPT_HEADER] = true;
                } elseif ( $this->method == 'POST' ) {
                        $this->curlOptions[CURLOPT_POST] = true;
-                       $this->curlOptions[CURLOPT_POSTFIELDS] = $this->postData;
+                       $postData = $this->postData;
+                       // Don't interpret POST parameters starting with '@' as file uploads, because this
+                       // makes it impossible to POST plain values starting with '@' (and causes security
+                       // issues potentially exposing the contents of local files).
+                       // The PHP manual says this option was introduced in PHP 5.5 defaults to true in PHP 5.6,
+                       // but we support lower versions, and the option doesn't exist in HHVM 5.6.99.
+                       if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
+                               $this->curlOptions[CURLOPT_SAFE_UPLOAD] = true;
+                       } elseif ( is_array( $postData ) ) {
+                               // In PHP 5.2 and later, '@' is interpreted as a file upload if POSTFIELDS
+                               // is an array, but not if it's a string. So convert $req['body'] to a string
+                               // for safety.
+                               $postData = wfArrayToCgi( $postData );
+                       }
+                       $this->curlOptions[CURLOPT_POSTFIELDS] = $postData;
+
                        // Suppress 'Expect: 100-continue' header, as some servers
                        // will reject it with a 417 and Curl won't auto retry
                        // with HTTP 1.0 fallback
@@ -802,7 +818,7 @@ class CurlHttpRequest extends MWHttpRequest {
                        MediaWiki\suppressWarnings();
                        if ( !curl_setopt( $curlHandle, CURLOPT_FOLLOWLOCATION, true ) ) {
                                wfDebug( __METHOD__ . ": Couldn't set CURLOPT_FOLLOWLOCATION. " .
-                                       "Probably safe_mode or open_basedir is set.\n" );
+                                       "Probably open_basedir is set.\n" );
                                // Continue the processing. If it were in curl_setopt_array,
                                // processing would have halted on its entry
                        }
@@ -847,8 +863,8 @@ class CurlHttpRequest extends MWHttpRequest {
                }
 
                if ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
-                       if ( strval( ini_get( 'open_basedir' ) ) !== '' || wfIniGetBool( 'safe_mode' ) ) {
-                               wfDebug( "Cannot follow redirects in safe mode\n" );
+                       if ( strval( ini_get( 'open_basedir' ) ) !== '' ) {
+                               wfDebug( "Cannot follow redirects when open_basedir is set\n" );
                                return false;
                        }
                }