X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/mediawiki.git/blobdiff_plain/005c63129390e462618d69b42e7fd90eb81f8b9e..HEAD:/api.php diff --git a/api.php b/api.php index 10baa13e..d9a69db3 100644 --- a/api.php +++ b/api.php @@ -1,9 +1,16 @@ @gmail.com + * Copyright © 2006 Yuri Astrakhan @gmail.com * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -17,130 +24,106 @@ * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. * http://www.gnu.org/copyleft/gpl.html * * @file */ -/** - * This file is the entry point for all API queries. It begins by checking - * whether the API is enabled on this wiki; if not, it informs the user that - * s/he should set $wgEnableAPI to true and exits. Otherwise, it constructs - * a new ApiMain using the parameter passed to it as an argument in the URL - * ('?action=') and with write-enabled set to the value of $wgEnableWriteAPI - * as specified in LocalSettings.php. It then invokes "execute()" on the - * ApiMain object instance, which produces output in the format sepecified - * in the URL. - */ +use MediaWiki\Logger\LegacyLogger; -// Initialise common code -require ( dirname( __FILE__ ) . '/includes/WebStart.php' ); +// So extensions (and other code) can check whether they're running in API mode +define( 'MW_API', true ); + +require __DIR__ . '/includes/WebStart.php'; -wfProfileIn( 'api.php' ); $starttime = microtime( true ); // URL safety checks -// -// See RawPage.php for details; summary is that MSIE can override the -// Content-Type if it sees a recognized extension on the URL, such as -// might be appended via PATH_INFO after 'api.php'. -// -// Some data formats can end up containing unfiltered user-provided data -// which will end up triggering HTML detection and execution, hence -// XSS injection and all that entails. -// -if ( $wgRequest->isPathInfoBad() ) { - wfHttpError( 403, 'Forbidden', - 'Invalid file extension found in PATH_INFO. ' . - 'The API must be accessed through the primary script entry point.' ); +if ( !$wgRequest->checkUrlExtension() ) { return; } -// Verify that the API has not been disabled -if ( !$wgEnableAPI ) { - echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php'; - echo '
$wgEnableAPI=true;
'; +// Pathinfo can be used for stupid things. We don't support it for api.php at +// all, so error out if it's present. +if ( isset( $_SERVER['PATH_INFO'] ) && $_SERVER['PATH_INFO'] != '' ) { + $correctUrl = wfAppendQuery( wfScript( 'api' ), $wgRequest->getQueryValues() ); + $correctUrl = wfExpandUrl( $correctUrl, PROTO_CANONICAL ); + header( "Location: $correctUrl", true, 301 ); + echo 'This endpoint does not support "path info", i.e. extra text between "api.php"' + . 'and the "?". Remove any such text and try again.'; die( 1 ); } -// Selectively allow cross-site AJAX - -/* - * Helper function to convert wildcard string into a regex - * '*' => '.*?' - * '?' => '.' - * @ return string - */ -function convertWildcard( $search ) { - $search = preg_quote( $search, '/' ); - $search = str_replace( - array( '\*', '\?' ), - array( '.*?', '.' ), - $search - ); - return "/$search/"; -} - -if ( $wgCrossSiteAJAXdomains && isset( $_SERVER['HTTP_ORIGIN'] ) ) { - $exceptions = array_map( 'convertWildcard', $wgCrossSiteAJAXdomainExceptions ); - $regexes = array_map( 'convertWildcard', $wgCrossSiteAJAXdomains ); - foreach ( $regexes as $regex ) { - if ( preg_match( $regex, $_SERVER['HTTP_ORIGIN'] ) ) { - foreach ( $exceptions as $exc ) { // Check against exceptions - if ( preg_match( $exc, $_SERVER['HTTP_ORIGIN'] ) ) { - break 2; - } - } - header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" ); - header( 'Access-Control-Allow-Credentials: true' ); - break; - } - } +// Verify that the API has not been disabled +if ( !$wgEnableAPI ) { + header( $_SERVER['SERVER_PROTOCOL'] . ' 500 MediaWiki configuration Error', true, 500 ); + echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php' + . '
$wgEnableAPI=true;
'; + die( 1 ); } -// So extensions can check whether they're running in API mode -define( 'MW_API', true ); - // Set a dummy $wgTitle, because $wgTitle == null breaks various things // In a perfect world this wouldn't be necessary -$wgTitle = Title::makeTitle( NS_MAIN, 'API' ); - -/* Construct an ApiMain with the arguments passed via the URL. What we get back - * is some form of an ApiMain, possibly even one that produces an error message, - * but we don't care here, as that is handled by the ctor. - */ -$processor = new ApiMain( $wgRequest, $wgEnableWriteAPI ); +$wgTitle = Title::makeTitle( NS_SPECIAL, 'Badtitle/dummy title for API calls set in api.php' ); + +// RequestContext will read from $wgTitle, but it will also whine about it. +// In a perfect world this wouldn't be necessary either. +RequestContext::getMain()->setTitle( $wgTitle ); + +try { + /* Construct an ApiMain with the arguments passed via the URL. What we get back + * is some form of an ApiMain, possibly even one that produces an error message, + * but we don't care here, as that is handled by the constructor. + */ + $processor = new ApiMain( RequestContext::getMain(), $wgEnableWriteAPI ); + + // Last chance hook before executing the API + Hooks::run( 'ApiBeforeMain', [ &$processor ] ); + if ( !$processor instanceof ApiMain ) { + throw new MWException( 'ApiBeforeMain hook set $processor to a non-ApiMain class' ); + } +} catch ( Exception $e ) { + // Crap. Try to report the exception in API format to be friendly to clients. + ApiMain::handleApiBeforeMainException( $e ); + $processor = false; +} // Process data & print results -$processor->execute(); - -// Execute any deferred updates -wfDoUpdates(); +if ( $processor ) { + $processor->execute(); +} // Log what the user did, for book-keeping purposes. $endtime = microtime( true ); -wfProfileOut( 'api.php' ); -wfLogProfilingData(); // Log the request if ( $wgAPIRequestLog ) { - $items = array( - wfTimestamp( TS_MW ), - $endtime - $starttime, - wfGetIP(), - $_SERVER['HTTP_USER_AGENT'] - ); + $items = [ + wfTimestamp( TS_MW ), + $endtime - $starttime, + $wgRequest->getIP(), + $wgRequest->getHeader( 'User-agent' ) + ]; $items[] = $wgRequest->wasPosted() ? 'POST' : 'GET'; - if ( $processor->getModule()->mustBePosted() ) { - $items[] = "action=" . $wgRequest->getVal( 'action' ); + if ( $processor ) { + try { + $manager = $processor->getModuleManager(); + $module = $manager->getModule( $wgRequest->getVal( 'action' ), 'action' ); + } catch ( Exception $ex ) { + $module = null; + } + if ( !$module || $module->mustBePosted() ) { + $items[] = "action=" . $wgRequest->getVal( 'action' ); + } else { + $items[] = wfArrayToCgi( $wgRequest->getValues() ); + } } else { - $items[] = wfArrayToCGI( $wgRequest->getValues() ); + $items[] = "failed in ApiBeforeMain"; } - wfErrorLog( implode( ',', $items ) . "\n", $wgAPIRequestLog ); + LegacyLogger::emit( implode( ',', $items ) . "\n", $wgAPIRequestLog ); wfDebug( "Logged API request to $wgAPIRequestLog\n" ); } -// Shut down the database -wfGetLBFactory()->shutdown(); - +$mediawiki = new MediaWiki(); +$mediawiki->doPostOutputShutdown( 'fast' );