author | Umherirrender <umherirrender_de.wp@web.de> | 2024-09-27 22:00:28 +0200 |
---|---|---|
committer | Umherirrender <umherirrender_de.wp@web.de> | 2024-10-17 18:22:41 +0000 |
commit | be1c33e05ea3e01efe4ac0cd79c67dda3b89183e (patch) | |
tree | 14bf9a69a01afde78693783c8e80ee91d802f8b8 | |
parent | 73bb50edb4ee7734471b010178679ec1bbb32ee9 (diff) | |
download | mediawikicore-be1c33e05ea3e01efe4ac0cd79c67dda3b89183e.tar.gz mediawikicore-be1c33e05ea3e01efe4ac0cd79c67dda3b89183e.zip |
api: Check for post_max_size on api requests
php documentation:
If the size of post data is greater than post_max_size, the $_POST and
$_FILES superglobals are empty.
When the action= and format= are not in the GET data,
the help page is returned in HTML, breaking the client's expected format.
Return api error with http status 413
Bug: T291754
Change-Id: I5906fb6b4412b161b198df0b51e2476e7e1079b8
-rw-r--r-- | includes/api/ApiMain.php | 18 | ||||
-rw-r--r-- | includes/api/i18n/en.json | 1 | ||||
-rw-r--r-- | includes/api/i18n/qqq.json | 1 |
3 files changed, 16 insertions, 4 deletions
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 7ea691074831..58810a91b89e 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -1907,10 +1907,20 @@ class ApiMain extends ApiBase {
 $this->dieWithErrorOrDebug( [ 'apierror-mustbeposted', $this->mAction ] );
 }
- if ( $request->wasPosted() && !$request->getHeader( 'Content-Type' ) ) {
- $this->addDeprecation(
- 'apiwarn-deprecation-post-without-content-type', 'post-without-content-type'
- );
+ if ( $request->wasPosted() ) {
+ if ( !$request->getHeader( 'Content-Type' ) ) {
+ $this->addDeprecation(
+ 'apiwarn-deprecation-post-without-content-type', 'post-without-content-type'
+ );
+ }
+ $contentLength = $request->getHeader( 'Content-Length' );
+ $maxPostSize = wfShorthandToInteger( ini_get( 'post_max_size' ), 0 );
+ if ( $maxPostSize && $contentLength > $maxPostSize ) {
+ $this->dieWithError(
+ [ 'apierror-http-contenttoolarge', Message::sizeParam( $maxPostSize ) ],
+ null, null, 413
+ );
+ }
 }
 // See if custom printer is used
diff --git a/includes/api/i18n/en.json b/includes/api/i18n/en.json
index ecd1dd158ca2..699a0490e440 100644
--- a/includes/api/i18n/en.json
+++ b/includes/api/i18n/en.json
@@ -1859,6 +1859,7 @@
 "apierror-filenopath": "Cannot get local file path.",
 "apierror-filetypecannotberotated": "File type cannot be rotated.",
 "apierror-formatphp": "This response cannot be represented using <kbd>format=php</kbd>. See https://phabricator.wikimedia.org/T68776.",
+ "apierror-http-contenttoolarge": "HTTP Request Content too large. Maximum length: $1.",
 "apierror-imageusage-badtitle": "The title for <kbd>$1</kbd> must be a file.",
 "apierror-import-unknownerror": "Unknown error on import: $1.",
 "apierror-info-singlepagerevision": "Multiple pages or revisions were supplied, but <var>$1prop=preloadcontent</var> and <var>$1prop=editintro</var> may only be used with a single page and revision.",
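Review bot: The comparison `$contentLength > $maxPostSize` in the ApiMain.php hunk uses the raw `Content-Length` header, a client-supplied string (presumably false when the header is absent), so the outcome rests on PHP's loose string-to-int comparison, which treats a non-numeric value differently in PHP 7 and PHP 8. Parsing the header explicitly keeps the 413 path deterministic: `if ( $maxPostSize && ctype_digit( (string)$contentLength ) && (int)$contentLength > $maxPostSize ) {`. A request that carries no `Content-Length` at all (for example chunked transfer, if the front end passes it through) skips this check, so the empty-`$_POST` fallback described in the commit message may still be reachable there; a short comment such as `// Only catches oversized bodies that declare Content-Length` would record that limit. The enclosing method starts and ends outside the hunk.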
diff --git a/includes/api/i18n/qqq.json b/includes/api/i18n/qqq.json
index 40a06bfc6d34..992f372baa46 100644
--- a/includes/api/i18n/qqq.json
+++ b/includes/api/i18n/qqq.json
@@ -1762,6 +1762,7 @@
 "apierror-filenopath": "{{doc-apierror}}",
 "apierror-filetypecannotberotated": "{{doc-apierror}}",
 "apierror-formatphp": "{{doc-apierror}}",
+ "apierror-http-contenttoolarge": "{{doc-apierror}}\n\nParameters:\n* $1 - maximum size parameter (already formatted as \"1 KB\" or similar).",
 "apierror-imageusage-badtitle": "{{doc-apierror}}\n\nParameters:\n* $1 - Module name.",
 "apierror-import-unknownerror": "{{doc-apierror}}\n\nParameters:\n* $1 - Error message returned by the import, probably in English.",
 "apierror-info-singlepagerevision": "{{doc-apierror}}\n\nParameters:\n* $1 - Module parameter prefix, e.g. \"in\".", |