X-Git-Url: https://git.cyclocoop.org/?a=blobdiff_plain;f=api.php;h=9e1f5dd334e9404688904ee6c64c865b0a6d0db0;hb=56dbeaa4482ff031f8d270f65c66462375e4a1df;hp=ec805fccebbbec454dcc73580c61a279d5fb7127;hpb=b54addda93b32e314f059f63f07c6b276ff53fa1;p=lhc%2Fweb%2Fwiklou.git diff --git a/api.php b/api.php index ec805fcceb..9e1f5dd334 100644 --- a/api.php +++ b/api.php @@ -1,9 +1,16 @@ @gmail.com + * Copyright © 2006 Yuri Astrakhan @gmail.com * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -17,100 +24,86 @@ * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. * http://www.gnu.org/copyleft/gpl.html * * @file */ -/** - * This file is the entry point for all API queries. It begins by checking - * whether the API is enabled on this wiki; if not, it informs the user that - * s/he should set $wgEnableAPI to true and exits. Otherwise, it constructs - * a new ApiMain using the parameter passed to it as an argument in the URL - * ('?action=') and with write-enabled set to the value of $wgEnableWriteAPI - * as specified in LocalSettings.php. It then invokes "execute()" on the - * ApiMain object instance, which produces output in the format sepecified - * in the URL. - */ - -// Initialise common code -require (dirname(__FILE__) . '/includes/WebStart.php'); +// So extensions (and other code) can check whether they're running in API mode +define( 'MW_API', true ); -wfProfileIn('api.php'); +// Bail if PHP is too low +if ( !function_exists( 'version_compare' ) || version_compare( phpversion(), '5.3.2' ) < 0 ) { + require( dirname( __FILE__ ) . '/includes/PHPVersionError.php' ); + wfPHPVersionError( 'api.php' ); +} -// URL safety checks -// -// See RawPage.php for details; summary is that MSIE can override the -// Content-Type if it sees a recognized extension on the URL, such as -// might be appended via PATH_INFO after 'api.php'. -// -// Some data formats can end up containing unfiltered user-provided data -// which will end up triggering HTML detection and execution, hence -// XSS injection and all that entails. -// -// Ensure that all access is through the canonical entry point... -// -if( isset( $_SERVER['SCRIPT_NAME'] ) ) { - $url = $_SERVER['SCRIPT_NAME']; +// Initialise common code. +if ( isset( $_SERVER['MW_COMPILED'] ) ) { + require ( 'core/includes/WebStart.php' ); } else { - $url = $_SERVER['URL']; + require ( dirname( __FILE__ ) . '/includes/WebStart.php' ); } -if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) { - wfHttpError( 403, 'Forbidden', - 'API must be accessed through the primary script entry point.' ); + +wfProfileIn( 'api.php' ); +$starttime = microtime( true ); + +// URL safety checks +if ( !$wgRequest->checkUrlExtension() ) { return; } // Verify that the API has not been disabled -if (!$wgEnableAPI) { - echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php'; - echo '
$wgEnableAPI=true;
'; +if ( !$wgEnableAPI ) { + header( $_SERVER['SERVER_PROTOCOL'] . ' 500 MediaWiki configuration Error', true, 500 ); + echo( 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php' + . '
$wgEnableAPI=true;
' ); die(1); } -// Selectively allow cross-site AJAX -if ( $wgCrossSiteAJAXdomains && isset($_SERVER['HTTP_ORIGIN']) ) { - if ( $wgCrossSiteAJAXdomains == '*' ) { - header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" ); - header( 'Access-Control-Allow-Credentials: true' ); - } elseif ( $wgCrossSiteAJAXdomainsRegex ) { - foreach ( $wgCrossSiteAJAXdomains as $regex ) { - if ( preg_match( $regex, $_SERVER['HTTP_ORIGIN'] ) ) { - header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" ); - header( 'Access-Control-Allow-Credentials: true' ); - break; - } - } - } elseif ( in_array( $_SERVER['HTTP_ORIGIN'], $wgCrossSiteAJAXdomains ) ) { - header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" ); - header( 'Access-Control-Allow-Credentials: true' ); - } -} - -// So extensions can check whether they're running in API mode -define('MW_API', true); - // Set a dummy $wgTitle, because $wgTitle == null breaks various things // In a perfect world this wouldn't be necessary -$wgTitle = Title::newFromText('API'); +$wgTitle = Title::makeTitle( NS_MAIN, 'API' ); /* Construct an ApiMain with the arguments passed via the URL. What we get back * is some form of an ApiMain, possibly even one that produces an error message, * but we don't care here, as that is handled by the ctor. */ -$processor = new ApiMain($wgRequest, $wgEnableWriteAPI); +$processor = new ApiMain( RequestContext::getMain(), $wgEnableWriteAPI ); // Process data & print results $processor->execute(); // Execute any deferred updates -wfDoUpdates(); +DeferredUpdates::doUpdates(); // Log what the user did, for book-keeping purposes. -wfProfileOut('api.php'); +$endtime = microtime( true ); +wfProfileOut( 'api.php' ); wfLogProfilingData(); -// Shut down the database -wfGetLBFactory()->shutdown(); +// Log the request +if ( $wgAPIRequestLog ) { + $items = array( + wfTimestamp( TS_MW ), + $endtime - $starttime, + $wgRequest->getIP(), + $_SERVER['HTTP_USER_AGENT'] + ); + $items[] = $wgRequest->wasPosted() ? 'POST' : 'GET'; + $module = $processor->getModule(); + if ( $module->mustBePosted() ) { + $items[] = "action=" . $wgRequest->getVal( 'action' ); + } else { + $items[] = wfArrayToCGI( $wgRequest->getValues() ); + } + wfErrorLog( implode( ',', $items ) . "\n", $wgAPIRequestLog ); + wfDebug( "Logged API request to $wgAPIRequestLog\n" ); +} + +// Shut down the database. foo()->bar() syntax is not supported in PHP4: we won't ever actually +// get here to worry about whether this should be = or =&, but the file has to parse properly. +$lb = wfGetLBFactory(); +$lb->shutdown();