UploadBase and subclasses are the backend of MediaWiki's file uploads. More...

Inheritance diagram for UploadBase:

Public Member Functions
	__construct ()
	checkSvgScriptCallback ($element, $attribs, $data=null)
	checkWarnings ()
	Check for non fatal problems with the file.
	cleanupTempFile ()
	If we've modified the upload file we need to manually remove it on exit to clean up.
	convertVerifyErrorToStatus ($error)
	fetchFile ()
	Fetch the file.
	getFileSize ()
	Return the file size.
	getImageInfo ($result)
	Gets image info about the file just uploaded.
	getLocalFile ()
	Return the local file and initializes if necessary.
	getRealPath ($srcPath)
	getSourceType ()
	Returns the upload type.
	getTempFileSha1Base36 ()
	Get the base 36 SHA1 of the file.
	getTempPath ()
	getTitle ()
	Returns the title of the file to be uploaded.
	getVerificationErrorCode ($error)
	initializeFromRequest (&$request)
	Initialize from a WebRequest.
	initializePathInfo ($name, $tempPath, $fileSize, $removeTempFile=false)
	Initialize the path information.
	isEmptyFile ()
	Return true if the file is empty.
	performUpload ($comment, $pageText, $watch, $user)
	Really perform the upload.
	stashFile (User $user=null)
	If the user does not supply all necessary information in the first upload form submission (either by accident or by design) then we may want to stash the file temporarily, get more information, and publish the file later.
	stashFileGetKey ()
	Stash a file in a temporary directory, returning a key which can be used to find the file again.
	stashSession ()
	alias for stashFileGetKey, for backwards compatibility
	validateName ()
	Verify that the name is valid and, if necessary, that we can overwrite.
	verifyPermissions ($user)
	Alias for verifyTitlePermissions.
	verifyTitlePermissions ($user)
	Check whether the user can edit, upload and create the image.
	verifyUpload ()
	Verify whether the upload is sane.
	zipEntryCallback ($entry)
	Callback for ZipDirectoryReader to detect Java class files.
Static Public Member Functions
static	checkFileExtension ($ext, $list)
	Perform case-insensitive match against a list of file extensions.
static	checkFileExtensionList ($ext, $list)
	Perform case-insensitive match against a list of file extensions.
static	checkSvgPICallback ($target, $data)
	Callback to filter SVG Processing Instructions.
static	checkXMLEncodingMissmatch ($file)
	Check a whitelist of xml encodings that are known not to be interpreted differently by the server's xml parser (expat) and some common browsers.
static	createFromRequest (&$request, $type=null)
	Create a form of UploadBase depending on wpSourceType and initializes it.
static	detectScript ($file, $mime, $extension)
	Heuristic for detecting files that could contain JavaScript instructions or things that may look like HTML to a browser and are thus potentially harmful.
static	detectVirus ($file)
	Generic wrapper function for a virus scanner program.
static	getExistsWarning ($file)
	Helper function that does various existence checks for a file.
static	getFilenamePrefixBlacklist ()
	Get a list of blacklisted filename prefixes from [[MediaWiki:Filename-prefix-blacklist]].
static	getMaxUploadSize ($forType=null)
static	getSessionStatus ($statusKey)
	Get the current status of a chunked upload (used for polling).
static	isAllowed ($user)
	Returns true if the user can use this upload module or else a string identifying the missing permission.
static	isEnabled ()
	Returns true if uploads are enabled.
static	isThumbName ($filename)
	Helper function that checks whether the filename looks like a thumbnail.
static	isValidRequest ($request)
	Check whether a request if valid for this handler.
static	setSessionStatus ($statusKey, $value)
	Set the current status of a chunked upload (used for polling).
static	splitExtensions ($filename)
	Split a file into a base name and all dot-delimited 'extensions' on the end.
static	userCanReUpload (User $user, $img)
	Check if a user is the last uploader.
static	verifyExtension ($mime, $extension)
	Checks if the mime type of the uploaded file matches the file extension.
Public Attributes
	$mDestName
	$mFileProps
	$mFileSize
	$mFinalExtension
	$mRemoveTempFile
	$mSourceType
	$mSVGNSError
	$mTitleError = 0
const	EMPTY_FILE = 3
const	FILE_TOO_LARGE = 12
const	FILENAME_TOO_LONG = 14
const	FILETYPE_BADTYPE = 9
const	FILETYPE_MISSING = 8
const	HOOK_ABORTED = 11
const	ILLEGAL_FILENAME = 5
const	MIN_LENGTH_PARTNAME = 4
const	OK = 0
const	OVERWRITE_EXISTING_FILE = 7
const	SESSION_STATUS_KEY = 'wsUploadStatusData'
const	SUCCESS = 0
const	UPLOAD_VERIFICATION_ERROR = 11
const	VERIFICATION_ERROR = 10
const	WINDOWS_NONASCII_FILENAME = 13
Static Public Attributes
static	$uploadHandlers = array( 'Stash', 'File', 'Url' )
Protected Member Functions
	detectScriptInSvg ($filename)
	verifyFile ()
	Verifies that it's ok to include the uploaded file.
	verifyMimeType ($mime)
	Verify the mime type.
	verifyPartialFile ()
	A verification routine suitable for partial files.
Protected Attributes
	$mBlackListedExtensions
	$mDesiredDestName
	$mFilteredName
	$mJavaDetected
	$mLocalFile
	$mTempPath
	$mTitle = false
Static Protected Attributes
static	$safeXmlEncodings = array( 'UTF-8', 'ISO-8859-1', 'ISO-8859-2', 'UTF-16', 'UTF-32' )
Private Member Functions
	checkOverwrite ($user)
	Check if there's an overwrite conflict and, if so, if restrictions forbid this user from performing the upload.
	stripXmlNamespace ($name)
Static Private Member Functions
static	checkCssFragment ($value)
	Check a block of CSS or CSS fragment for anything that looks like it is bringing in remote code.
static	splitXmlNamespace ($element)
	Divide the element name passed by the xml parser to the callback into URI and prifix.

Detailed Description

UploadBase and subclasses are the backend of MediaWiki's file uploads.

The frontends are formed by ApiUpload and SpecialUpload.

Constructor & Destructor Documentation

UploadBase::__construct ( )

Definition at line 184 of file UploadBase.php.

Member Function Documentation

static UploadBase::checkCssFragment ( $ value ) [static, private]

Check a block of CSS or CSS fragment for anything that looks like it is bringing in remote code.

Parameters:

string	$value	a string of CSS
bool	$propOnly	only check css properties (start regex with :)

Returns:: bool true if the CSS contains an illegal string, false if otherwise

Definition at line 1396 of file UploadBase.php.

References $matches, $value, and as.

static UploadBase::checkFileExtension	(	$	ext,
		$	list
	)		`[static]`

Perform case-insensitive match against a list of file extensions.

Returns true if the extension is in the list.

Parameters:

$ext	String
$list	Array

Returns:: Boolean

Definition at line 907 of file UploadBase.php.

References $ext.

Referenced by checkWarnings(), and verifyMimeType().

static UploadBase::checkFileExtensionList	(	$	ext,
		$	list
	)		`[static]`

Perform case-insensitive match against a list of file extensions.

Returns an array of matching extensions.

Parameters:

$ext	Array
$list	Array

Returns:: Boolean

Definition at line 919 of file UploadBase.php.

References $ext.

Referenced by StreamFile\contentTypeFromPath(), and getTitle().

UploadBase::checkOverwrite ( $ user ) [private]

Check if there's an overwrite conflict and, if so, if restrictions forbid this user from performing the upload.

Parameters:

$user User

Returns:: mixed true on success, array on failure

Definition at line 1571 of file UploadBase.php.

Referenced by verifyTitlePermissions().

static UploadBase::checkSvgPICallback	(	$	target,
		$	data
	)		`[static]`

Callback to filter SVG Processing Instructions.

Parameters:

$target	string processing instruction name
$data	string processing instruction attribute and value

Returns:: bool (true if the filter identified something bad)

Definition at line 1190 of file UploadBase.php.

UploadBase::checkSvgScriptCallback	(	$	element,
		$	attribs,
		$	data = `null`
	)

Todo:: Replace this with a whitelist filter!

Parameters:

$element	string
$attribs	array

Returns:: bool

Definition at line 1204 of file UploadBase.php.

References $attribs, $value, array(), as, list, Sanitizer\normalizeCss(), splitXmlNamespace(), stripXmlNamespace(), and wfDebug().

UploadBase::checkWarnings ( )

Check for non fatal problems with the file.

This should not assume that mTempPath is set.

Returns:: Array of warnings

Reimplemented in UploadFromUrl.

Definition at line 602 of file UploadBase.php.

References $extensions, $hash, $key, $title, $wgFileExtensions, $wgLang, array(), as, Title\capitalize(), checkFileExtension(), getExistsWarning(), getLocalFile(), getTempFileSha1Base36(), getTitle(), global, RepoGroup\singleton(), wfProfileIn(), and wfProfileOut().

static UploadBase::checkXMLEncodingMissmatch ( $ file ) [static]

Check a whitelist of xml encodings that are known not to be interpreted differently by the server's xml parser (expat) and some common browsers.

Parameters:

string $file pathname to the temporary upload file

Returns:: Boolean: true if the file contains an encoding that could be misinterpreted

Definition at line 1112 of file UploadBase.php.

References $file, $matches, array(), as, global, wfDebug(), wfRestoreWarnings(), and wfSuppressWarnings().

UploadBase::cleanupTempFile ( )

If we've modified the upload file we need to manually remove it on exit to clean up.

Definition at line 873 of file UploadBase.php.

References wfDebug().

UploadBase::convertVerifyErrorToStatus ( $ error )

Parameters:

$error array

Returns:: Status

Definition at line 1783 of file UploadBase.php.

References $error, getVerificationErrorCode(), and Status\newFatal().

static UploadBase::createFromRequest	(	&$	request,
		$	type = `null`
	)		`[static]`

Create a form of UploadBase depending on wpSourceType and initializes it.

Parameters:

$request	WebRequest
$type

Returns:: null

Definition at line 138 of file UploadBase.php.

References array(), wfDebug(), and wfRunHooks().

static UploadBase::detectScript	(	$	file,
		$	mime,
		$	extension
	)		`[static]`

Heuristic for detecting files that *could* contain JavaScript instructions or things that may look like HTML to a browser and are thus potentially harmful.

The present implementation will produce false positives in some situations.

Parameters:

string	$file	pathname to the temporary upload file
string	$mime	the mime type of the file
string	$extension	the extension of the file

Returns:: Boolean: true if the file contains something looking like embedded scripts

Definition at line 978 of file UploadBase.php.

References $file, $mime, array(), as, Sanitizer\decodeCharReferences(), global, in, wfDebug(), wfProfileIn(), and wfProfileOut().

UploadBase::detectScriptInSvg ( $ filename ) [protected]

Parameters:

$filename string

Returns:: bool

Definition at line 1164 of file UploadBase.php.

References array().

Referenced by verifyPartialFile().

static UploadBase::detectVirus ( $ file ) [static]

Generic wrapper function for a virus scanner program.

This relies on the $wgAntivirus and $wgAntivirusSetup variables. $wgAntivirusRequired may be used to deny upload if the scan fails.

Parameters:

string $file pathname to the temporary upload file

Returns:: mixed false if not virus is found, NULL if the scan fails or is disabled, or a string containing feedback from the virus scanner if a virus was found. If textual feedback is missing but a virus was found, this function returns true.

Definition at line 1474 of file UploadBase.php.

References $file, $output, $wgOut, array(), global, there, wfDebug(), wfEscapeShellArg(), wfMessage(), wfProfileIn(), wfProfileOut(), and wfShellExecWithStderr().

Referenced by verifyPartialFile().

UploadBase::fetchFile ( )

Fetch the file.

Usually a no-op

Returns:: Status

Definition at line 223 of file UploadBase.php.

References Status\newGood().

static UploadBase::getExistsWarning ( $ file ) [static]

Helper function that does various existence checks for a file.

The following checks are performed:

The file exists
Article with the same name as the file exists
File exists with normalized extension
The file looks like a thumbnail and the original exists

Parameters:

$file File The File object to check

Returns:: mixed False if the file does not exists, else an array

Definition at line 1628 of file UploadBase.php.

Referenced by checkWarnings(), and ApiQueryImageInfo\getInfo().

static UploadBase::getFilenamePrefixBlacklist ( ) [static]

Get a list of blacklisted filename prefixes from [[MediaWiki:Filename-prefix-blacklist]].

Returns:: array list of prefixes

Definition at line 1733 of file UploadBase.php.

References $comment, $lines, array(), as, and wfMessage().

UploadBase::getFileSize ( )

Return the file size.

Returns:: integer

Definition at line 239 of file UploadBase.php.

UploadBase::getImageInfo ( $ result )

Gets image info about the file just uploaded.

Also has the effect of setting metadata to be an 'indexed tag name' in returned API result if 'metadata' was requested. Oddly, we have to pass the "result" object down just so it can do that with the appropriate format, presumably.

Parameters:

$result ApiResult:

Returns:: Array: image info

Definition at line 1765 of file UploadBase.php.

References $file, $result, ApiQueryImageInfo\getInfo(), getLocalFile(), and ApiQueryImageInfo\getPropertyNames().

UploadBase::getLocalFile ( )

Return the local file and initializes if necessary.

Returns:: LocalFile|null

Definition at line 819 of file UploadBase.php.

References getTitle(), and wfLocalFile().

Referenced by checkWarnings(), getImageInfo(), performUpload(), and validateName().

static UploadBase::getMaxUploadSize ( $ forType = null ) [static]

Parameters:

$forType null|string

Returns:: int

Definition at line 1793 of file UploadBase.php.

References global.

Referenced by UploadFromChunks\addChunk(), ApiQuerySiteinfo\appendGeneralInfo(), and verifyUpload().

UploadBase::getRealPath ( $ srcPath )

Parameters:

string $srcPath the source path

Returns:: string|bool the real path if it was a virtual URL Returns false on failure

Definition at line 255 of file UploadBase.php.

References $path, RepoGroup\singleton(), wfProfileIn(), and wfProfileOut().

Referenced by UploadFromChunks\continueChunks(), and UploadFromStash\initialize().

static UploadBase::getSessionStatus ( $ statusKey ) [static]

Get the current status of a chunked upload (used for polling).

The status will be read from the *current* user session.

Parameters:

$statusKey string

Returns:: Array|bool

Definition at line 1813 of file UploadBase.php.

References SESSION_STATUS_KEY.

UploadBase::getSourceType ( )

Returns the upload type.

Should be overridden by child classes

Since:: 1.18

Returns:: string

Reimplemented in UploadFromUrl, UploadFromStash, and UploadFromFile.

Definition at line 192 of file UploadBase.php.

Referenced by stashFile(), and verifyUpload().

UploadBase::getTempFileSha1Base36 ( )

Get the base 36 SHA1 of the file.

Returns:: string

Reimplemented in UploadFromStash.

Definition at line 247 of file UploadBase.php.

References FSFile\getSha1Base36FromPath().

Referenced by checkWarnings().

UploadBase::getTempPath ( )

Definition at line 880 of file UploadBase.php.

UploadBase::getTitle ( )

Returns the title of the file to be uploaded.

Sets mTitleError in case the name was illegal.

Returns:: Title The title of the file or null in case the name was illegal

Definition at line 711 of file UploadBase.php.

References $ext, $mime, $title, $wgFileExtensions, array(), checkFileExtensionList(), FILENAME_TOO_LONG, FILETYPE_BADTYPE, FILETYPE_MISSING, global, ILLEGAL_FILENAME, list, Title\makeTitleSafe(), MIN_LENGTH_PARTNAME, Title\newFromText(), MimeMagic\singleton(), splitExtensions(), wfIsWindows(), wfStripIllegalFilenameChars(), and WINDOWS_NONASCII_FILENAME.

Referenced by checkWarnings(), getLocalFile(), UploadFromUrl\insertJob(), performUpload(), UploadTestHandler\testTitleValidation(), validateName(), verifyPartialFile(), and verifyTitlePermissions().

UploadBase::getVerificationErrorCode ( $ error )

Parameters:

$error int

Returns:: string

Definition at line 74 of file UploadBase.php.

References $error, and array().

Referenced by UploadFromChunks\concatenateChunks(), and convertVerifyErrorToStatus().

UploadBase::initializeFromRequest ( &$ request ) [abstract]

Initialize from a WebRequest.

Override this in a subclass.

Reimplemented in UploadTestHandler, UploadFromUrl, UploadFromStash, and UploadFromFile.

UploadBase::initializePathInfo	(	$	name,
		$	tempPath,
		$	fileSize,
		$	removeTempFile = `false`
	)

Initialize the path information.

Parameters:

string	$name	the desired destination name
string	$tempPath	the temporary path
int	$fileSize	the file size
bool	$removeTempFile	(false) remove the temporary file?

Exceptions:

MWException

Definition at line 204 of file UploadBase.php.

References $name, and FileBackend\isStoragePath().

Referenced by UploadFromChunks\continueChunks(), UploadFromStash\initialize(), and UploadFromUrl\initialize().

static UploadBase::isAllowed ( $ user ) [static]

Returns true if the user can use this upload module or else a string identifying the missing permission.

Can be overridden by subclasses.

Parameters:

$user User

Returns:: bool

Reimplemented in UploadFromUrl.

Definition at line 119 of file UploadBase.php.

References $user, array(), and as.

Referenced by SkinTemplate\buildNavUrls().

UploadBase::isEmptyFile ( )

Return true if the file is empty.

Returns:: bool

Definition at line 231 of file UploadBase.php.

References empty.

Referenced by verifyUpload().

static UploadBase::isEnabled ( ) [static]

Returns true if uploads are enabled.

Can be override by subclasses.

Returns:: bool

Reimplemented in UploadFromUrl.

Definition at line 100 of file UploadBase.php.

References global, wfIniGetBool(), and wfIsHipHop().

Referenced by SkinTemplate\buildNavUrls(), and ApiUpload\execute().

static UploadBase::isThumbName ( $ filename ) [static]

Helper function that checks whether the filename looks like a thumbnail.

Parameters:

$filename string

Returns:: bool

Definition at line 1718 of file UploadBase.php.

References $n.

static UploadBase::isValidRequest ( $ request ) [static]

Check whether a request if valid for this handler.

Parameters:

$request

Returns:: bool

Reimplemented in UploadFromUrl, UploadFromStash, and UploadFromFile.

Definition at line 180 of file UploadBase.php.

UploadBase::performUpload	(	$	comment,
		$	pageText,
		$	watch,
		$	user
	)

Really perform the upload.

Stores the file in the local repo, watches if necessary and runs the UploadComplete hook.

Parameters:

$comment
$pageText
$watch
$user	User

Returns:: Status indicating the whether the upload succeeded.

Reimplemented in UploadFromUrl, UploadFromStash, and UploadFromChunks.

Definition at line 681 of file UploadBase.php.

References $comment, $user, array(), File\DELETE_SOURCE, WatchAction\doWatch(), getLocalFile(), getTitle(), WatchedItem\IGNORE_USER_RIGHTS, wfProfileIn(), wfProfileOut(), and wfRunHooks().

static UploadBase::setSessionStatus	(	$	statusKey,
		$	value
	)		`[static]`

Set the current status of a chunked upload (used for polling).

The status will be stored in the *current* user session.

Parameters:

$statusKey	string
$value	array\|false

Returns:: void

Definition at line 1826 of file UploadBase.php.

References $value, and SESSION_STATUS_KEY.

Referenced by AssembleUploadChunksJob\run(), and PublishStashedFileJob\run().

static UploadBase::splitExtensions ( $ filename ) [static]

Split a file into a base name and all dot-delimited 'extensions' on the end.

Some web server configurations will fall back to earlier pseudo-'extensions' to determine type and execute scripts, so the blacklist needs to check them all.

Parameters:

$filename string

Returns:: array

Definition at line 893 of file UploadBase.php.

References array().

Referenced by StreamFile\contentTypeFromPath(), and getTitle().

static UploadBase::splitXmlNamespace ( $ element ) [static, private]

Divide the element name passed by the xml parser to the callback into URI and prifix.

Parameters:

$name string

Returns:: array containing the namespace URI and prefix

Definition at line 1446 of file UploadBase.php.

References $name, and array().

Referenced by checkSvgScriptCallback().

UploadBase::stashFile ( User $ user = null )

If the user does not supply all necessary information in the first upload form submission (either by accident or by design) then we may want to stash the file temporarily, get more information, and publish the file later.

This method will stash a file in a temporary directory for later processing, and save the necessary descriptive info into the database. This method returns the file object, which also has a 'fileKey' property which can be passed through a form or API request to find this stashed file again.

Parameters:

$user User

Returns:: UploadStashFile stashed file

Reimplemented in UploadFromStash, and UploadFromChunks.

Definition at line 839 of file UploadBase.php.

References $file, $user, getSourceType(), RepoGroup\singleton(), wfProfileIn(), and wfProfileOut().

Referenced by stashFileGetKey().

UploadBase::stashFileGetKey ( )

Stash a file in a temporary directory, returning a key which can be used to find the file again.

See stashFile().

Returns:: String: file key

Definition at line 856 of file UploadBase.php.

References stashFile().

Referenced by stashSession().

UploadBase::stashSession ( )

alias for stashFileGetKey, for backwards compatibility

Returns:: String: file key

Reimplemented in UploadFromStash.

Definition at line 865 of file UploadBase.php.

References stashFileGetKey().

Referenced by UploadFromUrl\insertJob().

UploadBase::stripXmlNamespace ( $ name ) [private]

Parameters:

$name string

Returns:: string

Definition at line 1458 of file UploadBase.php.

References $name.

Referenced by checkSvgScriptCallback().

static UploadBase::userCanReUpload	(	User $	user,
		$	img
	)		`[static]`

Check if a user is the last uploader.

Parameters:

	$user	User object
string	$img	image name

Returns:: Boolean

Definition at line 1600 of file UploadBase.php.

UploadBase::validateName ( )

Verify that the name is valid and, if necessary, that we can overwrite.

Returns:: mixed true if valid, otherwise and array with 'status' and other keys

Definition at line 341 of file UploadBase.php.

References $result, array(), getLocalFile(), and getTitle().

Referenced by verifyUpload().

static UploadBase::verifyExtension	(	$	mime,
		$	extension
	)		`[static]`

Checks if the mime type of the uploaded file matches the file extension.

Parameters:

string	$mime	the mime type of the uploaded file
string	$extension	the filename extension that the file is to be served with

Returns:: Boolean

Definition at line 930 of file UploadBase.php.

References $mime, MimeMagic\singleton(), and wfDebug().

Referenced by verifyFile().

UploadBase::verifyFile ( ) [protected]

Verifies that it's ok to include the uploaded file.

Returns:: mixed true of the file is verified, array otherwise.

Definition at line 406 of file UploadBase.php.

References $mime, array(), MediaHandler\getHandler(), FSFile\getPropsFromPath(), global, verifyExtension(), verifyPartialFile(), wfDebug(), wfProfileIn(), wfProfileOut(), and wfRunHooks().

Referenced by verifyUpload().

UploadBase::verifyMimeType ( $ mime ) [protected]

Verify the mime type.

Note:: Only checks that it is not an evil mime. The does it have correct extension given its mime type check is in verifyFile.

Parameters:

string $mime representing the mime

Returns:: mixed true if the file is verified, an array otherwise

Definition at line 369 of file UploadBase.php.

References $mime, array(), as, checkFileExtension(), global, MimeMagic\singleton(), wfDebug(), wfProfileIn(), and wfProfileOut().

Referenced by verifyPartialFile().

UploadBase::verifyPartialFile ( ) [protected]

A verification routine suitable for partial files.

Runs the blacklist checks, but not any checks that may assume the entire file is present.

Returns:: Mixed true for valid or array with error message key.

Definition at line 457 of file UploadBase.php.

References $error, $mime, array(), detectScriptInSvg(), detectVirus(), FSFile\getPropsFromPath(), getTitle(), global, ZipDirectoryReader\read(), verifyMimeType(), wfProfileIn(), and wfProfileOut().

Referenced by UploadFromChunks\verifyChunk(), and verifyFile().

UploadBase::verifyPermissions ( $ user )

Alias for verifyTitlePermissions.

The function was originally 'verifyPermissions' but that suggests it's checking the user, when it's really checking the title + user combination.

Parameters:

$user User object to verify the permissions against

Returns:: mixed An array as returned by getUserPermissionsErrors or true in case the user has proper permissions.

Definition at line 550 of file UploadBase.php.

References $user, and verifyTitlePermissions().

UploadBase::verifyTitlePermissions ( $ user )

Check whether the user can edit, upload and create the image.

This checks only against the current title; if it returns errors, it may very well be that another title will not give errors. Therefore isAllowed() should be called as well for generic is-user-blocked or can-user-upload checking.

Parameters:

$user User object to verify the permissions against