From: Sam Reed <reedy@users.mediawiki.org>
Date: Thu, 9 Feb 2012 23:22:38 +0000 (+0000)
Subject: * (bug 32341) Add upload by URL domain limitation.
X-Git-Tag: 1.31.0-rc.0~24808
X-Git-Url: https://git.cyclocoop.org/%28%28?a=commitdiff_plain;h=b834075972ab3ecaf8911c67b42cc7a183a731ae;p=lhc%2Fweb%2Fwiklou.git

* (bug 32341) Add upload by URL domain limitation.

Essentially reverts r109741  live again

Which was r109562, r109564, r109570
---

diff --git a/RELEASE-NOTES-1.20 b/RELEASE-NOTES-1.20
index 77362622fb..37f0068b35 100644
--- a/RELEASE-NOTES-1.20
+++ b/RELEASE-NOTES-1.20
@@ -14,6 +14,7 @@ production.
 
 === New features in 1.20 ===
 * Added TitleIsKnown hook which gets called when determining if a page exists.
+* (bug 32341) Add upload by URL domain limitation.
 
 === Bug fixes in 1.20 ===
 * (bug 30245) Use the correct way to construct a log page title.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index ffd261248f..2375c99b07 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -453,6 +453,10 @@ $wgAllowCopyUploads = false;
  * This feature is experimental and broken as of r81612.
  */
 $wgAllowAsyncCopyUploads = false;
+/**
+ * A list of domains copy uploads can come from
+ */
+$wgCopyUploadsDomains = array();
 
 /**
  * Max size for uploads, in bytes. If not set to an array, applies to all
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index 5a7ae268b8..9a62780d3e 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -1231,6 +1231,7 @@ abstract class ApiBase extends ContextSource {
 		'nouploadmodule' => array( 'code' => 'nouploadmodule', 'info' => 'No upload module set' ),
 		'uploaddisabled' => array( 'code' => 'uploaddisabled', 'info' => 'Uploads are not enabled.  Make sure $wgEnableUploads is set to true in LocalSettings.php and the PHP ini setting file_uploads is true' ),
 		'copyuploaddisabled' => array( 'code' => 'copyuploaddisabled', 'info' => 'Uploads by URL is not enabled.  Make sure $wgAllowCopyUploads is set to true in LocalSettings.php.' ),
+		'copyuploadbaddomain' => array( 'code' => 'copyuploadbaddomain', 'info' => 'Uploads by URL are not allowed from this domain.' ),
 
 		'filename-tooshort' => array( 'code' => 'filename-tooshort', 'info' => 'The filename is too short' ),
 		'filename-toolong' => array( 'code' => 'filename-toolong', 'info' => 'The filename is too long' ),
diff --git a/includes/api/ApiUpload.php b/includes/api/ApiUpload.php
index 9136e8ceaa..67165b9a6d 100644
--- a/includes/api/ApiUpload.php
+++ b/includes/api/ApiUpload.php
@@ -322,6 +322,10 @@ class ApiUpload extends ApiBase {
 				$this->dieUsageMsg( 'copyuploaddisabled' );
 			}
 
+			if ( !UploadFromUrl::isAllowedHost( $this->mParams['url'] ) ) {
+				$this->dieUsageMsg( 'copyuploadbaddomain' );
+			}
+
 			$async = false;
 			if ( $this->mParams['asyncdownload'] ) {
 				$this->checkAsyncDownloadEnabled();
diff --git a/includes/upload/UploadFromUrl.php b/includes/upload/UploadFromUrl.php
index 252cbc86aa..13b0e14ecd 100644
--- a/includes/upload/UploadFromUrl.php
+++ b/includes/upload/UploadFromUrl.php
@@ -36,6 +36,28 @@ class UploadFromUrl extends UploadBase {
 		return $wgAllowCopyUploads && parent::isEnabled();
 	}
 
+	/**
+	 * Checks whether the URL is for an allowed host
+	 *
+	 * @param $url string
+	 * @return bool
+	 */
+	public static function isAllowedHost( $url ) {
+		global $wgCopyUploadsDomains;
+		if ( !count( $wgCopyUploadsDomains ) ) {
+			return true;
+		}
+		$valid = false;
+		$parsedUrl = wfParseUrl( $url );
+		foreach( $wgCopyUploadsDomains as $domain ) {
+			if ( $parsedUrl['host'] === $domain ) {
+				$valid = true;
+				break;
+			}
+		}
+		return $valid;
+	}
+
 	/**
 	 * Entry point for API upload
 	 *
@@ -101,6 +123,9 @@ class UploadFromUrl extends UploadBase {
 			return Status::newFatal( 'http-invalid-url' );
 		}
 
+		if( !self::isAllowedHost( $this->mUrl ) ) {
+			return Status::newFatal( 'upload-copy-upload-invalid-domain' );
+		}
 		if ( !$this->mAsync ) {
 			return $this->reallyFetchFile();
 		}
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index 153cdd3704..039eec2f9c 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
@@ -2236,6 +2236,7 @@ If the problem persists, contact an [[Special:ListUsers/sysop|administrator]].',
 'upload-too-many-redirects' => 'The URL contained too many redirects',
 'upload-unknown-size'       => 'Unknown size',
 'upload-http-error'         => 'An HTTP error occured: $1',
+'upload-copy-upload-invalid-domain' => 'Copy uploads are not available from this domain.',
 
 # File backend
 'backend-fail-stream'        => 'Could not stream file $1.',
diff --git a/maintenance/language/messages.inc b/maintenance/language/messages.inc
index bdd4d397e5..7c86165e36 100644
--- a/maintenance/language/messages.inc
+++ b/maintenance/language/messages.inc
@@ -1345,6 +1345,7 @@ $wgMessageStructure = array(
 		'upload-too-many-redirects',
 		'upload-unknown-size',
 		'upload-http-error',
+		'upload-copy-upload-invalid-domain',
 	),
 
 	'filebackend-errors' => array(