Issues in FileDeleteForm.php (master) - Issues in master - wikimedia/mediawiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4122)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/FileDeleteForm.php (2 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * File deletion user interface.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 * http://www.gnu.org/copyleft/gpl.html
 *
 * @file
 * @author Rob Church <[email protected]>
 * @ingroup Media
 */

/**
 * File deletion user interface
 *
 * @ingroup Media
 */
class FileDeleteForm {

	/**
	 * @var Title
	 */
	private $title = null;

	/**
	 * @var File
	 */
	private $file = null;

	/**
	 * @var File
	 */
	private $oldfile = null;
	private $oldimage = '';

	/**
	 * Constructor
	 *
	 * @param File $file File object we're deleting
	 */
	public function __construct( $file ) {
		$this->title = $file->getTitle();
		$this->file = $file;
	}

	/**
	 * Fulfil the request; shows the form or deletes the file,
	 * pending authentication, confirmation, etc.
	 */
	public function execute() {
		global $wgOut, $wgRequest, $wgUser, $wgUploadMaintenance;

		$permissionErrors = $this->title->getUserPermissionsErrors( 'delete', $wgUser );
		if ( count( $permissionErrors ) ) {
			throw new PermissionsError( 'delete', $permissionErrors );
		}

		if ( wfReadOnly() ) {
			throw new ReadOnlyError;
		}

		if ( $wgUploadMaintenance ) {
			throw new ErrorPageError( 'filedelete-maintenance-title', 'filedelete-maintenance' );
		}

		$this->setHeaders();

		$this->oldimage = $wgRequest->getText( 'oldimage', false );
		$token = $wgRequest->getText( 'wpEditToken' );
		# Flag to hide all contents of the archived revisions
		$suppress = $wgRequest->getVal( 'wpSuppress' ) && $wgUser->isAllowed( 'suppressrevision' );

		if ( $this->oldimage ) {
			$this->oldfile = RepoGroup::singleton()->getLocalRepo()->newFromArchiveName(
				$this->title,
				$this->oldimage
			);
		}

		if ( !self::haveDeletableFile( $this->file, $this->oldfile, $this->oldimage ) ) {
			$wgOut->addHTML( $this->prepareMessage( 'filedelete-nofile' ) );
			$wgOut->addReturnTo( $this->title );
			return;
		}

		// Perform the deletion if appropriate
		if ( $wgRequest->wasPosted() && $wgUser->matchEditToken( $token, $this->oldimage ) ) {
			$deleteReasonList = $wgRequest->getText( 'wpDeleteReasonList' );
			$deleteReason = $wgRequest->getText( 'wpReason' );

			if ( $deleteReasonList == 'other' ) {
				$reason = $deleteReason;
			} elseif ( $deleteReason != '' ) {
				// Entry from drop down menu + additional comment
				$reason = $deleteReasonList . wfMessage( 'colon-separator' )
					->inContentLanguage()->text() . $deleteReason;
			} else {
				$reason = $deleteReasonList;
			}

			$status = self::doDelete(
				$this->title,
				$this->file,
				$this->oldimage,
				$reason,
				$suppress,
				$wgUser
			);

			if ( !$status->isGood() ) {
				$wgOut->addHTML( '<h2>' . $this->prepareMessage( 'filedeleteerror-short' ) . "</h2>\n" );
				$wgOut->addWikiText( '<div class="error">' .
					$status->getWikiText( 'filedeleteerror-short', 'filedeleteerror-long' )
					. '</div>' );
			}
			if ( $status->isOK() ) {
				$wgOut->setPageTitle( wfMessage( 'actioncomplete' ) );
				$wgOut->addHTML( $this->prepareMessage( 'filedelete-success' ) );
				// Return to the main page if we just deleted all versions of the
				// file, otherwise go back to the description page
				$wgOut->addReturnTo( $this->oldimage ? $this->title : Title::newMainPage() );

				WatchAction::doWatchOrUnwatch( $wgRequest->getCheck( 'wpWatch' ), $this->title, $wgUser );
			}
			return;
		}

		$this->showForm();
		$this->showLogEntries();
	}

	/**
	 * Really delete the file
	 *
	 * @param Title $title
	 * @param File $file
	 * @param string $oldimage Archive name
	 * @param string $reason Reason of the deletion
	 * @param bool $suppress Whether to mark all deleted versions as restricted
	 * @param User $user User object performing the request
	 * @param array $tags Tags to apply to the deletion action
	 * @throws MWException
	 * @return bool|Status
	 */
	public static function doDelete( &$title, &$file, &$oldimage, $reason,
		$suppress, User $user = null, $tags = []
	) {
		if ( $user === null ) {
			global $wgUser;
			$user = $wgUser;
		}

		if ( $oldimage ) {
			$page = null;
			$status = $file->deleteOld( $oldimage, $reason, $suppress, $user );

			if ( $status->ok ) {
				// Need to do a log item
				$logComment = wfMessage( 'deletedrevision', $oldimage )->inContentLanguage()->text();
				if ( trim( $reason ) != '' ) {
					$logComment .= wfMessage( 'colon-separator' )
						->inContentLanguage()->text() . $reason;
				}

				$logtype = $suppress ? 'suppress' : 'delete';

				$logEntry = new ManualLogEntry( $logtype, 'delete' );
				$logEntry->setPerformer( $user );
				$logEntry->setTarget( $title );
				$logEntry->setComment( $logComment );
				$logEntry->setTags( $tags );
				$logid = $logEntry->insert();
				$logEntry->publish( $logid );

				$status->value = $logid;
			}
		} else {
			$status = Status::newFatal( 'cannotdelete',
				wfEscapeWikiText( $title->getPrefixedText() )
			);
			$page = WikiPage::factory( $title );
			$dbw = wfGetDB( DB_MASTER );
			$dbw->startAtomic( __METHOD__ );
			// delete the associated article first
			$error = '';
			$deleteStatus = $page->doDeleteArticleReal( $reason, $suppress, 0, false, $error,
				$user, $tags );
			// doDeleteArticleReal() returns a non-fatal error status if the page
			// or revision is missing, so check for isOK() rather than isGood()
			if ( $deleteStatus->isOK() ) {
				$status = $file->delete( $reason, $suppress, $user );
				if ( $status->isOK() ) {
					$status->value = $deleteStatus->value; // log id
					$dbw->endAtomic( __METHOD__ );
				} else {
					// Page deleted but file still there? rollback page delete
					wfGetLBFactory()->rollbackMasterChanges( __METHOD__ );

				}
			} else {
				// Done; nothing changed
				$dbw->endAtomic( __METHOD__ );
			}
		}

		if ( $status->isOK() ) {
			Hooks::run( 'FileDeleteComplete', [ &$file, &$oldimage, &$page, &$user, &$reason ] );
		}

		return $status;
	}

	/**
	 * Show the confirmation form
	 */
	private function showForm() {
		global $wgOut, $wgUser, $wgRequest;

		if ( $wgUser->isAllowed( 'suppressrevision' ) ) {
			$suppress = "<tr id=\"wpDeleteSuppressRow\">
					<td></td>
					<td class='mw-input'><strong>" .
						Xml::checkLabel( wfMessage( 'revdelete-suppress' )->text(),
							'wpSuppress', 'wpSuppress', false, [ 'tabindex' => '3' ] ) .
					"</strong></td>
				</tr>";
		} else {
			$suppress = '';
		}

		$checkWatch = $wgUser->getBoolOption( 'watchdeletion' ) || $wgUser->isWatched( $this->title );
		$form = Xml::openElement( 'form', [ 'method' => 'post', 'action' => $this->getAction(),
			'id' => 'mw-img-deleteconfirm' ] ) .
			Xml::openElement( 'fieldset' ) .
			Xml::element( 'legend', null, wfMessage( 'filedelete-legend' )->text() ) .
			Html::hidden( 'wpEditToken', $wgUser->getEditToken( $this->oldimage ) ) .
			$this->prepareMessage( 'filedelete-intro' ) .
			Xml::openElement( 'table', [ 'id' => 'mw-img-deleteconfirm-table' ] ) .
			"<tr>
				<td class='mw-label'>" .
					Xml::label( wfMessage( 'filedelete-comment' )->text(), 'wpDeleteReasonList' ) .
				"</td>
				<td class='mw-input'>" .
					Xml::listDropDown(
						'wpDeleteReasonList',
						wfMessage( 'filedelete-reason-dropdown' )->inContentLanguage()->text(),
						wfMessage( 'filedelete-reason-otherlist' )->inContentLanguage()->text(),
						'',
						'wpReasonDropDown',
						1
					) .
				"</td>
			</tr>
			<tr>
				<td class='mw-label'>" .
					Xml::label( wfMessage( 'filedelete-otherreason' )->text(), 'wpReason' ) .
				"</td>
				<td class='mw-input'>" .
					Xml::input( 'wpReason', 60, $wgRequest->getText( 'wpReason' ),
						[ 'type' => 'text', 'maxlength' => '255', 'tabindex' => '2', 'id' => 'wpReason' ] ) .
				"</td>
			</tr>
			{$suppress}";
		if ( $wgUser->isLoggedIn() ) {
			$form .= "
			<tr>
				<td></td>
				<td class='mw-input'>" .
					Xml::checkLabel( wfMessage( 'watchthis' )->text(),
						'wpWatch', 'wpWatch', $checkWatch, [ 'tabindex' => '3' ] ) .
				"</td>
			</tr>";
		}
		$form .= "
			<tr>
				<td></td>
				<td class='mw-submit'>" .
					Xml::submitButton(
						wfMessage( 'filedelete-submit' )->text(),
						[
							'name' => 'mw-filedelete-submit',
							'id' => 'mw-filedelete-submit',
							'tabindex' => '4'
						]
					) .
				"</td>
			</tr>" .
			Xml::closeElement( 'table' ) .
			Xml::closeElement( 'fieldset' ) .
			Xml::closeElement( 'form' );

			if ( $wgUser->isAllowed( 'editinterface' ) ) {
				$title = wfMessage( 'filedelete-reason-dropdown' )->inContentLanguage()->getTitle();
				$link = Linker::linkKnown(
					$title,
					wfMessage( 'filedelete-edit-reasonlist' )->escaped(),
					[],
					[ 'action' => 'edit' ]
				);
				$form .= '<p class="mw-filedelete-editreasons">' . $link . '</p>';
			}

		$wgOut->addHTML( $form );
	}

	/**
	 * Show deletion log fragments pertaining to the current file
	 */
	private function showLogEntries() {
		global $wgOut;
		$deleteLogPage = new LogPage( 'delete' );
		$wgOut->addHTML( '<h2>' . $deleteLogPage->getName()->escaped() . "</h2>\n" );
		LogEventsList::showLogExtract( $wgOut, 'delete', $this->title );
	}

	/**
	 * Prepare a message referring to the file being deleted,
	 * showing an appropriate message depending upon whether
	 * it's a current file or an old version
	 *
	 * @param string $message Message base
	 * @return string
	 */
	private function prepareMessage( $message ) {
		global $wgLang;
		if ( $this->oldimage ) {
			# Message keys used:
			# 'filedelete-intro-old', 'filedelete-nofile-old', 'filedelete-success-old'
			return wfMessage(
				"{$message}-old",
				wfEscapeWikiText( $this->title->getText() ),
				$wgLang->date( $this->getTimestamp(), true ),
				$wgLang->time( $this->getTimestamp(), true ),
				wfExpandUrl( $this->file->getArchiveUrl( $this->oldimage ), PROTO_CURRENT ) )->parseAsBlock();
		} else {
			return wfMessage(
				$message,
				wfEscapeWikiText( $this->title->getText() )
			)->parseAsBlock();
		}
	}

	/**
	 * Set headers, titles and other bits
	 */
	private function setHeaders() {
		global $wgOut;
		$wgOut->setPageTitle( wfMessage( 'filedelete', $this->title->getText() ) );
		$wgOut->setRobotPolicy( 'noindex,nofollow' );
		$wgOut->addBacklinkSubtitle( $this->title );
	}

	/**
	 * Is the provided `oldimage` value valid?
	 *
	 * @param string $oldimage
	 * @return bool
	 */
	public static function isValidOldSpec( $oldimage ) {
		return strlen( $oldimage ) >= 16
			&& strpos( $oldimage, '/' ) === false
			&& strpos( $oldimage, '\\' ) === false;
	}

	/**
	 * Could we delete the file specified? If an `oldimage`
	 * value was provided, does it correspond to an
	 * existing, local, old version of this file?
	 *
	 * @param File $file
	 * @param File $oldfile
	 * @param File $oldimage
	 * @return bool
	 */
	public static function haveDeletableFile( &$file, &$oldfile, $oldimage ) {
		return $oldimage
			? $oldfile && $oldfile->exists() && $oldfile->isLocal()
			: $file && $file->exists() && $file->isLocal();
	}

	/**
	 * Prepare the form action
	 *
	 * @return string
	 */
	private function getAction() {
		$q = [];
		$q['action'] = 'delete';

		if ( $this->oldimage ) {
			$q['oldimage'] = $this->oldimage;
		}

		return $this->title->getLocalURL( $q );
	}

	/**
	 * Extract the timestamp of the old version
	 *
	 * @return string
	 */
	private function getTimestamp() {
		return $this->oldfile->getTimestamp();
	}
}


1		<?php
2		/**
3		* File deletion user interface.
4		*
5		* This program is free software; you can redistribute it and/or modify
6		* it under the terms of the GNU General Public License as published by
7		* the Free Software Foundation; either version 2 of the License, or
8		* (at your option) any later version.
9		*
10		* This program is distributed in the hope that it will be useful,
11		* but WITHOUT ANY WARRANTY; without even the implied warranty of
12		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13		* GNU General Public License for more details.
14		*
15		* You should have received a copy of the GNU General Public License along
16		* with this program; if not, write to the Free Software Foundation, Inc.,
17		* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18		* http://www.gnu.org/copyleft/gpl.html
19		*
20		* @file
21		* @author Rob Church <[email protected]>
22		* @ingroup Media
23		*/
24
25		/**
26		* File deletion user interface
27		*
28		* @ingroup Media
29		*/
30		class FileDeleteForm {
31
32		/**
33		* @var Title
34		*/
35		private $title = null;
36
37		/**
38		* @var File
39		*/
40		private $file = null;
41
42		/**
43		* @var File
44		*/
45		private $oldfile = null;
46		private $oldimage = '';
47
48		/**
49		* Constructor
50		*
51		* @param File $file File object we're deleting
52		*/
53		public function __construct( $file ) {
54		$this->title = $file->getTitle();
55		$this->file = $file;
56		}
57
58		/**
59		* Fulfil the request; shows the form or deletes the file,
60		* pending authentication, confirmation, etc.
61		*/
62		public function execute() {
63		global $wgOut, $wgRequest, $wgUser, $wgUploadMaintenance;
64
65		$permissionErrors = $this->title->getUserPermissionsErrors( 'delete', $wgUser );
66		if ( count( $permissionErrors ) ) {
67		throw new PermissionsError( 'delete', $permissionErrors );
68		}
69
70		if ( wfReadOnly() ) {
71		throw new ReadOnlyError;
72		}
73
74		if ( $wgUploadMaintenance ) {
75		throw new ErrorPageError( 'filedelete-maintenance-title', 'filedelete-maintenance' );
76		}
77
78		$this->setHeaders();
79
80		$this->oldimage = $wgRequest->getText( 'oldimage', false );
81		$token = $wgRequest->getText( 'wpEditToken' );
82		# Flag to hide all contents of the archived revisions
83		$suppress = $wgRequest->getVal( 'wpSuppress' ) && $wgUser->isAllowed( 'suppressrevision' );
84
85		if ( $this->oldimage ) {
86		$this->oldfile = RepoGroup::singleton()->getLocalRepo()->newFromArchiveName(
87		$this->title,
88		$this->oldimage
89		);
90		}
91
92		if ( !self::haveDeletableFile( $this->file, $this->oldfile, $this->oldimage ) ) {
93		$wgOut->addHTML( $this->prepareMessage( 'filedelete-nofile' ) );
94		$wgOut->addReturnTo( $this->title );
95		return;
96		}
97
98		// Perform the deletion if appropriate
99		if ( $wgRequest->wasPosted() && $wgUser->matchEditToken( $token, $this->oldimage ) ) {
100		$deleteReasonList = $wgRequest->getText( 'wpDeleteReasonList' );
101		$deleteReason = $wgRequest->getText( 'wpReason' );
102
103	View Code Duplication	if ( $deleteReasonList == 'other' ) {
104		$reason = $deleteReason;
105		} elseif ( $deleteReason != '' ) {
106		// Entry from drop down menu + additional comment
107		$reason = $deleteReasonList . wfMessage( 'colon-separator' )
108		->inContentLanguage()->text() . $deleteReason;
109		} else {
110		$reason = $deleteReasonList;
111		}
112
113		$status = self::doDelete(
114		$this->title,
115		$this->file,
116		$this->oldimage,
117		$reason,
118		$suppress,
119		$wgUser
120		);
121
122		if ( !$status->isGood() ) {
123		$wgOut->addHTML( '<h2>' . $this->prepareMessage( 'filedeleteerror-short' ) . "</h2>\n" );
124		$wgOut->addWikiText( '<div class="error">' .
125		$status->getWikiText( 'filedeleteerror-short', 'filedeleteerror-long' )
126		. '</div>' );
127		}
128		if ( $status->isOK() ) {
129		$wgOut->setPageTitle( wfMessage( 'actioncomplete' ) );
130		$wgOut->addHTML( $this->prepareMessage( 'filedelete-success' ) );
131		// Return to the main page if we just deleted all versions of the
132		// file, otherwise go back to the description page
133		$wgOut->addReturnTo( $this->oldimage ? $this->title : Title::newMainPage() );
134
135		WatchAction::doWatchOrUnwatch( $wgRequest->getCheck( 'wpWatch' ), $this->title, $wgUser );
136		}
137		return;
138		}
139
140		$this->showForm();
141		$this->showLogEntries();
142		}
143
144		/**
145		* Really delete the file
146		*
147		* @param Title $title
148		* @param File $file
149		* @param string $oldimage Archive name
150		* @param string $reason Reason of the deletion
151		* @param bool $suppress Whether to mark all deleted versions as restricted
152		* @param User $user User object performing the request
153		* @param array $tags Tags to apply to the deletion action
154		* @throws MWException
155		* @return bool\|Status
156		*/
157		public static function doDelete( &$title, &$file, &$oldimage, $reason,
158		$suppress, User $user = null, $tags = []
159		) {
160		if ( $user === null ) {
161		global $wgUser;
162		$user = $wgUser;
163		}
164
165		if ( $oldimage ) {
166		$page = null;
167		$status = $file->deleteOld( $oldimage, $reason, $suppress, $user );
		0 ignored issues – show Bug introduced 2016-01-16 18:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `deleteOld()` does not exist on `File`. Did you maybe mean `delete()`? This check marks calls to methods that do not seem to exist on an object. This is most likely the result of a method being renamed without all references to it being renamed likewise. Loading history...
168		if ( $status->ok ) {
169		// Need to do a log item
170		$logComment = wfMessage( 'deletedrevision', $oldimage )->inContentLanguage()->text();
171		if ( trim( $reason ) != '' ) {
172		$logComment .= wfMessage( 'colon-separator' )
173		->inContentLanguage()->text() . $reason;
174		}
175
176		$logtype = $suppress ? 'suppress' : 'delete';
177
178		$logEntry = new ManualLogEntry( $logtype, 'delete' );
179		$logEntry->setPerformer( $user );
180		$logEntry->setTarget( $title );
181		$logEntry->setComment( $logComment );
182		$logEntry->setTags( $tags );
183		$logid = $logEntry->insert();
184		$logEntry->publish( $logid );
185
186		$status->value = $logid;
187		}
188		} else {
189		$status = Status::newFatal( 'cannotdelete',
190		wfEscapeWikiText( $title->getPrefixedText() )
191		);
192		$page = WikiPage::factory( $title );
193		$dbw = wfGetDB( DB_MASTER );
194		$dbw->startAtomic( __METHOD__ );
195		// delete the associated article first
196		$error = '';
197		$deleteStatus = $page->doDeleteArticleReal( $reason, $suppress, 0, false, $error,
198		$user, $tags );
199		// doDeleteArticleReal() returns a non-fatal error status if the page
200		// or revision is missing, so check for isOK() rather than isGood()
201		if ( $deleteStatus->isOK() ) {
202		$status = $file->delete( $reason, $suppress, $user );
203		if ( $status->isOK() ) {
204		$status->value = $deleteStatus->value; // log id
205		$dbw->endAtomic( __METHOD__ );
206		} else {
207		// Page deleted but file still there? rollback page delete
208		wfGetLBFactory()->rollbackMasterChanges( __METHOD__ );
		0 ignored issues – show Deprecated Code introduced 2016-07-22 17:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The function `wfGetLBFactory()` has been deprecated with message: since 1.27, use MediaWikiServices::getDBLoadBalancerFactory() instead. This function has been deprecated. The supplier of the file has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the function will be removed from the class and what other function to use instead. Loading history...
209		}
210		} else {
211		// Done; nothing changed
212		$dbw->endAtomic( __METHOD__ );
213		}
214		}
215
216		if ( $status->isOK() ) {
217		Hooks::run( 'FileDeleteComplete', [ &$file, &$oldimage, &$page, &$user, &$reason ] );
218		}
219
220		return $status;
221		}
222
223		/**
224		* Show the confirmation form
225		*/
226		private function showForm() {
227		global $wgOut, $wgUser, $wgRequest;
228
229		if ( $wgUser->isAllowed( 'suppressrevision' ) ) {
230		$suppress = "<tr id=\"wpDeleteSuppressRow\">
231		<td></td>
232		<td class='mw-input'><strong>" .
233		Xml::checkLabel( wfMessage( 'revdelete-suppress' )->text(),
234		'wpSuppress', 'wpSuppress', false, [ 'tabindex' => '3' ] ) .
235		"</strong></td>
236		</tr>";
237		} else {
238		$suppress = '';
239		}
240
241		$checkWatch = $wgUser->getBoolOption( 'watchdeletion' ) \|\| $wgUser->isWatched( $this->title );
242		$form = Xml::openElement( 'form', [ 'method' => 'post', 'action' => $this->getAction(),
243		'id' => 'mw-img-deleteconfirm' ] ) .
244		Xml::openElement( 'fieldset' ) .
245		Xml::element( 'legend', null, wfMessage( 'filedelete-legend' )->text() ) .
246		Html::hidden( 'wpEditToken', $wgUser->getEditToken( $this->oldimage ) ) .
247		$this->prepareMessage( 'filedelete-intro' ) .
248		Xml::openElement( 'table', [ 'id' => 'mw-img-deleteconfirm-table' ] ) .
249		"<tr>
250		<td class='mw-label'>" .
251		Xml::label( wfMessage( 'filedelete-comment' )->text(), 'wpDeleteReasonList' ) .
252		"</td>
253		<td class='mw-input'>" .
254		Xml::listDropDown(
255		'wpDeleteReasonList',
256		wfMessage( 'filedelete-reason-dropdown' )->inContentLanguage()->text(),
257		wfMessage( 'filedelete-reason-otherlist' )->inContentLanguage()->text(),
258		'',
259		'wpReasonDropDown',
260		1
261		) .
262		"</td>
263		</tr>
264		<tr>
265		<td class='mw-label'>" .
266		Xml::label( wfMessage( 'filedelete-otherreason' )->text(), 'wpReason' ) .
267		"</td>
268		<td class='mw-input'>" .
269		Xml::input( 'wpReason', 60, $wgRequest->getText( 'wpReason' ),
270		[ 'type' => 'text', 'maxlength' => '255', 'tabindex' => '2', 'id' => 'wpReason' ] ) .
271		"</td>
272		</tr>
273		{$suppress}";
274	View Code Duplication	if ( $wgUser->isLoggedIn() ) {
275		$form .= "
276		<tr>
277		<td></td>
278		<td class='mw-input'>" .
279		Xml::checkLabel( wfMessage( 'watchthis' )->text(),
280		'wpWatch', 'wpWatch', $checkWatch, [ 'tabindex' => '3' ] ) .
281		"</td>
282		</tr>";
283		}
284		$form .= "
285		<tr>
286		<td></td>
287		<td class='mw-submit'>" .
288		Xml::submitButton(
289		wfMessage( 'filedelete-submit' )->text(),
290		[
291		'name' => 'mw-filedelete-submit',
292		'id' => 'mw-filedelete-submit',
293		'tabindex' => '4'
294		]
295		) .
296		"</td>
297		</tr>" .
298		Xml::closeElement( 'table' ) .
299		Xml::closeElement( 'fieldset' ) .
300		Xml::closeElement( 'form' );
301
302		if ( $wgUser->isAllowed( 'editinterface' ) ) {
303		$title = wfMessage( 'filedelete-reason-dropdown' )->inContentLanguage()->getTitle();
304		$link = Linker::linkKnown(
305		$title,
306		wfMessage( 'filedelete-edit-reasonlist' )->escaped(),
307		[],
308		[ 'action' => 'edit' ]
309		);
310		$form .= '<p class="mw-filedelete-editreasons">' . $link . '</p>';
311		}
312
313		$wgOut->addHTML( $form );
314		}
315
316		/**
317		* Show deletion log fragments pertaining to the current file
318		*/
319		private function showLogEntries() {
320		global $wgOut;
321		$deleteLogPage = new LogPage( 'delete' );
322		$wgOut->addHTML( '<h2>' . $deleteLogPage->getName()->escaped() . "</h2>\n" );
323		LogEventsList::showLogExtract( $wgOut, 'delete', $this->title );
324		}
325
326		/**
327		* Prepare a message referring to the file being deleted,
328		* showing an appropriate message depending upon whether
329		* it's a current file or an old version
330		*
331		* @param string $message Message base
332		* @return string
333		*/
334		private function prepareMessage( $message ) {
335		global $wgLang;
336		if ( $this->oldimage ) {
337		# Message keys used:
338		# 'filedelete-intro-old', 'filedelete-nofile-old', 'filedelete-success-old'
339		return wfMessage(
340		"{$message}-old",
341		wfEscapeWikiText( $this->title->getText() ),
342		$wgLang->date( $this->getTimestamp(), true ),
343		$wgLang->time( $this->getTimestamp(), true ),
344		wfExpandUrl( $this->file->getArchiveUrl( $this->oldimage ), PROTO_CURRENT ) )->parseAsBlock();
345		} else {
346		return wfMessage(
347		$message,
348		wfEscapeWikiText( $this->title->getText() )
349		)->parseAsBlock();
350		}
351		}
352
353		/**
354		* Set headers, titles and other bits
355		*/
356		private function setHeaders() {
357		global $wgOut;
358		$wgOut->setPageTitle( wfMessage( 'filedelete', $this->title->getText() ) );
359		$wgOut->setRobotPolicy( 'noindex,nofollow' );
360		$wgOut->addBacklinkSubtitle( $this->title );
361		}
362
363		/**
364		* Is the provided `oldimage` value valid?
365		*
366		* @param string $oldimage
367		* @return bool
368		*/
369		public static function isValidOldSpec( $oldimage ) {
370		return strlen( $oldimage ) >= 16
371		&& strpos( $oldimage, '/' ) === false
372		&& strpos( $oldimage, '\\' ) === false;
373		}
374
375		/**
376		* Could we delete the file specified? If an `oldimage`
377		* value was provided, does it correspond to an
378		* existing, local, old version of this file?
379		*
380		* @param File $file
381		* @param File $oldfile
382		* @param File $oldimage
383		* @return bool
384		*/
385		public static function haveDeletableFile( &$file, &$oldfile, $oldimage ) {
386		return $oldimage
387		? $oldfile && $oldfile->exists() && $oldfile->isLocal()
388		: $file && $file->exists() && $file->isLocal();
389		}
390
391		/**
392		* Prepare the form action
393		*
394		* @return string
395		*/
396		private function getAction() {
397		$q = [];
398		$q['action'] = 'delete';
399
400		if ( $this->oldimage ) {
401		$q['oldimage'] = $this->oldimage;
402		}
403
404		return $this->title->getLocalURL( $q );
405		}
406
407		/**
408		* Extract the timestamp of the old version
409		*
410		* @return string
411		*/
412		private function getTimestamp() {
413		return $this->oldfile->getTimestamp();
414		}
415		}
416

wikimedia / mediawiki

Issues (4122)

Security Analysis not enabled

includes/FileDeleteForm.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like