diff options
Diffstat (limited to 'framework/web/CHttpRequest.php')
| -rw-r--r-- | framework/web/CHttpRequest.php | 1064 |
1 files changed, 1064 insertions, 0 deletions
diff --git a/framework/web/CHttpRequest.php b/framework/web/CHttpRequest.php new file mode 100644 index 0000000..031ad64 --- /dev/null +++ b/framework/web/CHttpRequest.php @@ -0,0 +1,1064 @@ +<?php +/** + * CHttpRequest and CCookieCollection class file. + * + * @author Qiang Xue <qiang.xue@gmail.com> + * @link http://www.yiiframework.com/ + * @copyright Copyright © 2008-2011 Yii Software LLC + * @license http://www.yiiframework.com/license/ + */ + + +/** + * CHttpRequest encapsulates the $_SERVER variable and resolves its inconsistency among different Web servers. + * + * CHttpRequest also manages the cookies sent from and sent to the user. + * By setting {@link enableCookieValidation} to true, + * cookies sent from the user will be validated to see if they are tampered. + * The property {@link getCookies cookies} returns the collection of cookies. + * For more details, see {@link CCookieCollection}. + * + * CHttpRequest is a default application component loaded by {@link CWebApplication}. It can be + * accessed via {@link CWebApplication::getRequest()}. + * + * @property string $url Part of the request URL after the host info. + * @property string $hostInfo Schema and hostname part (with port number if needed) of the request URL (e.g. http://www.yiiframework.com). + * @property string $baseUrl The relative URL for the application. + * @property string $scriptUrl The relative URL of the entry script. + * @property string $pathInfo Part of the request URL that is after the entry script and before the question mark. + * Note, the returned pathinfo is decoded starting from 1.1.4. + * Prior to 1.1.4, whether it is decoded or not depends on the server configuration + * (in most cases it is not decoded). + * @property string $requestUri The request URI portion for the currently requested URL. + * @property string $queryString Part of the request URL that is after the question mark. + * @property boolean $isSecureConnection If the request is sent via secure channel (https). + * @property string $requestType Request type, such as GET, POST, HEAD, PUT, DELETE. + * @property boolean $isPostRequest Whether this is a POST request. + * @property boolean $isDeleteRequest Whether this is a DELETE request. + * @property boolean $isPutRequest Whether this is a PUT request. + * @property boolean $isAjaxRequest Whether this is an AJAX (XMLHttpRequest) request. + * @property string $serverName Server name. + * @property integer $serverPort Server port number. + * @property string $urlReferrer URL referrer, null if not present. + * @property string $userAgent User agent, null if not present. + * @property string $userHostAddress User IP address. + * @property string $userHost User host name, null if cannot be determined. + * @property string $scriptFile Entry script file path (processed w/ realpath()). + * @property array $browser User browser capabilities. + * @property string $acceptTypes User browser accept types, null if not present. + * @property integer $port Port number for insecure requests. + * @property integer $securePort Port number for secure requests. + * @property CCookieCollection $cookies The cookie collection. + * @property string $preferredLanguage The user preferred language. + * @property string $csrfToken The random token for CSRF validation. + * + * @author Qiang Xue <qiang.xue@gmail.com> + * @version $Id: CHttpRequest.php 3560 2012-02-10 14:13:00Z mdomba $ + * @package system.web + * @since 1.0 + */ +class CHttpRequest extends CApplicationComponent +{ + /** + * @var boolean whether cookies should be validated to ensure they are not tampered. Defaults to false. + */ + public $enableCookieValidation=false; + /** + * @var boolean whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to false. + * By setting this property to true, forms submitted to an Yii Web application must be originated + * from the same application. If not, a 400 HTTP exception will be raised. + * Note, this feature requires that the user client accepts cookie. + * You also need to use {@link CHtml::form} or {@link CHtml::statefulForm} to generate + * the needed HTML forms in your pages. + * @see http://seclab.stanford.edu/websec/csrf/csrf.pdf + */ + public $enableCsrfValidation=false; + /** + * @var string the name of the token used to prevent CSRF. Defaults to 'YII_CSRF_TOKEN'. + * This property is effectively only when {@link enableCsrfValidation} is true. + */ + public $csrfTokenName='YII_CSRF_TOKEN'; + /** + * @var array the property values (in name-value pairs) used to initialize the CSRF cookie. + * Any property of {@link CHttpCookie} may be initialized. + * This property is effective only when {@link enableCsrfValidation} is true. + */ + public $csrfCookie; + + private $_requestUri; + private $_pathInfo; + private $_scriptFile; + private $_scriptUrl; + private $_hostInfo; + private $_baseUrl; + private $_cookies; + private $_preferredLanguage; + private $_csrfToken; + private $_deleteParams; + private $_putParams; + + /** + * Initializes the application component. + * This method overrides the parent implementation by preprocessing + * the user request data. + */ + public function init() + { + parent::init(); + $this->normalizeRequest(); + } + + /** + * Normalizes the request data. + * This method strips off slashes in request data if get_magic_quotes_gpc() returns true. + * It also performs CSRF validation if {@link enableCsrfValidation} is true. + */ + protected function normalizeRequest() + { + // normalize request + if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) + { + if(isset($_GET)) + $_GET=$this->stripSlashes($_GET); + if(isset($_POST)) + $_POST=$this->stripSlashes($_POST); + if(isset($_REQUEST)) + $_REQUEST=$this->stripSlashes($_REQUEST); + if(isset($_COOKIE)) + $_COOKIE=$this->stripSlashes($_COOKIE); + } + + if($this->enableCsrfValidation) + Yii::app()->attachEventHandler('onBeginRequest',array($this,'validateCsrfToken')); + } + + + /** + * Strips slashes from input data. + * This method is applied when magic quotes is enabled. + * @param mixed $data input data to be processed + * @return mixed processed data + */ + public function stripSlashes(&$data) + { + return is_array($data)?array_map(array($this,'stripSlashes'),$data):stripslashes($data); + } + + /** + * Returns the named GET or POST parameter value. + * If the GET or POST parameter does not exist, the second parameter to this method will be returned. + * If both GET and POST contains such a named parameter, the GET parameter takes precedence. + * @param string $name the GET parameter name + * @param mixed $defaultValue the default parameter value if the GET parameter does not exist. + * @return mixed the GET parameter value + * @see getQuery + * @see getPost + */ + public function getParam($name,$defaultValue=null) + { + return isset($_GET[$name]) ? $_GET[$name] : (isset($_POST[$name]) ? $_POST[$name] : $defaultValue); + } + + /** + * Returns the named GET parameter value. + * If the GET parameter does not exist, the second parameter to this method will be returned. + * @param string $name the GET parameter name + * @param mixed $defaultValue the default parameter value if the GET parameter does not exist. + * @return mixed the GET parameter value + * @see getPost + * @see getParam + */ + public function getQuery($name,$defaultValue=null) + { + return isset($_GET[$name]) ? $_GET[$name] : $defaultValue; + } + + /** + * Returns the named POST parameter value. + * If the POST parameter does not exist, the second parameter to this method will be returned. + * @param string $name the POST parameter name + * @param mixed $defaultValue the default parameter value if the POST parameter does not exist. + * @return mixed the POST parameter value + * @see getParam + * @see getQuery + */ + public function getPost($name,$defaultValue=null) + { + return isset($_POST[$name]) ? $_POST[$name] : $defaultValue; + } + + /** + * Returns the named DELETE parameter value. + * If the DELETE parameter does not exist or if the current request is not a DELETE request, + * the second parameter to this method will be returned. + * @param string $name the DELETE parameter name + * @param mixed $defaultValue the default parameter value if the DELETE parameter does not exist. + * @return mixed the DELETE parameter value + * @since 1.1.7 + */ + public function getDelete($name,$defaultValue=null) + { + if($this->_deleteParams===null) + $this->_deleteParams=$this->getIsDeleteRequest() ? $this->getRestParams() : array(); + return isset($this->_deleteParams[$name]) ? $this->_deleteParams[$name] : $defaultValue; + } + + /** + * Returns the named PUT parameter value. + * If the PUT parameter does not exist or if the current request is not a PUT request, + * the second parameter to this method will be returned. + * @param string $name the PUT parameter name + * @param mixed $defaultValue the default parameter value if the PUT parameter does not exist. + * @return mixed the PUT parameter value + * @since 1.1.7 + */ + public function getPut($name,$defaultValue=null) + { + if($this->_putParams===null) + $this->_putParams=$this->getIsPutRequest() ? $this->getRestParams() : array(); + return isset($this->_putParams[$name]) ? $this->_putParams[$name] : $defaultValue; + } + + /** + * Returns the PUT or DELETE request parameters. + * @return array the request parameters + * @since 1.1.7 + */ + protected function getRestParams() + { + $result=array(); + if(function_exists('mb_parse_str')) + mb_parse_str(file_get_contents('php://input'), $result); + else + parse_str(file_get_contents('php://input'), $result); + return $result; + } + + /** + * Returns the currently requested URL. + * This is the same as {@link getRequestUri}. + * @return string part of the request URL after the host info. + */ + public function getUrl() + { + return $this->getRequestUri(); + } + + /** + * Returns the schema and host part of the application URL. + * The returned URL does not have an ending slash. + * By default this is determined based on the user request information. + * You may explicitly specify it by setting the {@link setHostInfo hostInfo} property. + * @param string $schema schema to use (e.g. http, https). If empty, the schema used for the current request will be used. + * @return string schema and hostname part (with port number if needed) of the request URL (e.g. http://www.yiiframework.com) + * @see setHostInfo + */ + public function getHostInfo($schema='') + { + if($this->_hostInfo===null) + { + if($secure=$this->getIsSecureConnection()) + $http='https'; + else + $http='http'; + if(isset($_SERVER['HTTP_HOST'])) + $this->_hostInfo=$http.'://'.$_SERVER['HTTP_HOST']; + else + { + $this->_hostInfo=$http.'://'.$_SERVER['SERVER_NAME']; + $port=$secure ? $this->getSecurePort() : $this->getPort(); + if(($port!==80 && !$secure) || ($port!==443 && $secure)) + $this->_hostInfo.=':'.$port; + } + } + if($schema!=='') + { + $secure=$this->getIsSecureConnection(); + if($secure && $schema==='https' || !$secure && $schema==='http') + return $this->_hostInfo; + + $port=$schema==='https' ? $this->getSecurePort() : $this->getPort(); + if($port!==80 && $schema==='http' || $port!==443 && $schema==='https') + $port=':'.$port; + else + $port=''; + + $pos=strpos($this->_hostInfo,':'); + return $schema.substr($this->_hostInfo,$pos,strcspn($this->_hostInfo,':',$pos+1)+1).$port; + } + else + return $this->_hostInfo; + } + + /** + * Sets the schema and host part of the application URL. + * This setter is provided in case the schema and hostname cannot be determined + * on certain Web servers. + * @param string $value the schema and host part of the application URL. + */ + public function setHostInfo($value) + { + $this->_hostInfo=rtrim($value,'/'); + } + + /** + * Returns the relative URL for the application. + * This is similar to {@link getScriptUrl scriptUrl} except that + * it does not have the script file name, and the ending slashes are stripped off. + * @param boolean $absolute whether to return an absolute URL. Defaults to false, meaning returning a relative one. + * @return string the relative URL for the application + * @see setScriptUrl + */ + public function getBaseUrl($absolute=false) + { + if($this->_baseUrl===null) + $this->_baseUrl=rtrim(dirname($this->getScriptUrl()),'\\/'); + return $absolute ? $this->getHostInfo() . $this->_baseUrl : $this->_baseUrl; + } + + /** + * Sets the relative URL for the application. + * By default the URL is determined based on the entry script URL. + * This setter is provided in case you want to change this behavior. + * @param string $value the relative URL for the application + */ + public function setBaseUrl($value) + { + $this->_baseUrl=$value; + } + + /** + * Returns the relative URL of the entry script. + * The implementation of this method referenced Zend_Controller_Request_Http in Zend Framework. + * @return string the relative URL of the entry script. + */ + public function getScriptUrl() + { + if($this->_scriptUrl===null) + { + $scriptName=basename($_SERVER['SCRIPT_FILENAME']); + if(basename($_SERVER['SCRIPT_NAME'])===$scriptName) + $this->_scriptUrl=$_SERVER['SCRIPT_NAME']; + else if(basename($_SERVER['PHP_SELF'])===$scriptName) + $this->_scriptUrl=$_SERVER['PHP_SELF']; + else if(isset($_SERVER['ORIG_SCRIPT_NAME']) && basename($_SERVER['ORIG_SCRIPT_NAME'])===$scriptName) + $this->_scriptUrl=$_SERVER['ORIG_SCRIPT_NAME']; + else if(($pos=strpos($_SERVER['PHP_SELF'],'/'.$scriptName))!==false) + $this->_scriptUrl=substr($_SERVER['SCRIPT_NAME'],0,$pos).'/'.$scriptName; + else if(isset($_SERVER['DOCUMENT_ROOT']) && strpos($_SERVER['SCRIPT_FILENAME'],$_SERVER['DOCUMENT_ROOT'])===0) + $this->_scriptUrl=str_replace('\\','/',str_replace($_SERVER['DOCUMENT_ROOT'],'',$_SERVER['SCRIPT_FILENAME'])); + else + throw new CException(Yii::t('yii','CHttpRequest is unable to determine the entry script URL.')); + } + return $this->_scriptUrl; + } + + /** + * Sets the relative URL for the application entry script. + * This setter is provided in case the entry script URL cannot be determined + * on certain Web servers. + * @param string $value the relative URL for the application entry script. + */ + public function setScriptUrl($value) + { + $this->_scriptUrl='/'.trim($value,'/'); + } + + /** + * Returns the path info of the currently requested URL. + * This refers to the part that is after the entry script and before the question mark. + * The starting and ending slashes are stripped off. + * @return string part of the request URL that is after the entry script and before the question mark. + * Note, the returned pathinfo is decoded starting from 1.1.4. + * Prior to 1.1.4, whether it is decoded or not depends on the server configuration + * (in most cases it is not decoded). + * @throws CException if the request URI cannot be determined due to improper server configuration + */ + public function getPathInfo() + { + if($this->_pathInfo===null) + { + $pathInfo=$this->getRequestUri(); + + if(($pos=strpos($pathInfo,'?'))!==false) + $pathInfo=substr($pathInfo,0,$pos); + + $pathInfo=$this->decodePathInfo($pathInfo); + + $scriptUrl=$this->getScriptUrl(); + $baseUrl=$this->getBaseUrl(); + if(strpos($pathInfo,$scriptUrl)===0) + $pathInfo=substr($pathInfo,strlen($scriptUrl)); + else if($baseUrl==='' || strpos($pathInfo,$baseUrl)===0) + $pathInfo=substr($pathInfo,strlen($baseUrl)); + else if(strpos($_SERVER['PHP_SELF'],$scriptUrl)===0) + $pathInfo=substr($_SERVER['PHP_SELF'],strlen($scriptUrl)); + else + throw new CException(Yii::t('yii','CHttpRequest is unable to determine the path info of the request.')); + + $this->_pathInfo=trim($pathInfo,'/'); + } + return $this->_pathInfo; + } + + /** + * Decodes the path info. + * This method is an improved variant of the native urldecode() function and used in {@link getPathInfo getPathInfo()} to + * decode the path part of the request URI. You may override this method to change the way the path info is being decoded. + * @param string $pathInfo encoded path info + * @return string decoded path info + * @since 1.1.10 + */ + protected function decodePathInfo($pathInfo) + { + $pathInfo = urldecode($pathInfo); + + // is it UTF-8? + // http://w3.org/International/questions/qa-forms-utf-8.html + if(preg_match('%^(?: + [\x09\x0A\x0D\x20-\x7E] # ASCII + | [\xC2-\xDF][\x80-\xBF] # non-overlong 2-byte + | \xE0[\xA0-\xBF][\x80-\xBF] # excluding overlongs + | [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2} # straight 3-byte + | \xED[\x80-\x9F][\x80-\xBF] # excluding surrogates + | \xF0[\x90-\xBF][\x80-\xBF]{2} # planes 1-3 + | [\xF1-\xF3][\x80-\xBF]{3} # planes 4-15 + | \xF4[\x80-\x8F][\x80-\xBF]{2} # plane 16 + )*$%xs', $pathInfo)) + { + return $pathInfo; + } + else + { + return utf8_encode($pathInfo); + } + } + + /** + * Returns the request URI portion for the currently requested URL. + * This refers to the portion that is after the {@link hostInfo host info} part. + * It includes the {@link queryString query string} part if any. + * The implementation of this method referenced Zend_Controller_Request_Http in Zend Framework. + * @return string the request URI portion for the currently requested URL. + * @throws CException if the request URI cannot be determined due to improper server configuration + */ + public function getRequestUri() + { + if($this->_requestUri===null) + { + if(isset($_SERVER['HTTP_X_REWRITE_URL'])) // IIS + $this->_requestUri=$_SERVER['HTTP_X_REWRITE_URL']; + else if(isset($_SERVER['REQUEST_URI'])) + { + $this->_requestUri=$_SERVER['REQUEST_URI']; + if(!empty($_SERVER['HTTP_HOST'])) + { + if(strpos($this->_requestUri,$_SERVER['HTTP_HOST'])!==false) + $this->_requestUri=preg_replace('/^\w+:\/\/[^\/]+/','',$this->_requestUri); + } + else + $this->_requestUri=preg_replace('/^(http|https):\/\/[^\/]+/i','',$this->_requestUri); + } + else if(isset($_SERVER['ORIG_PATH_INFO'])) // IIS 5.0 CGI + { + $this->_requestUri=$_SERVER['ORIG_PATH_INFO']; + if(!empty($_SERVER['QUERY_STRING'])) + $this->_requestUri.='?'.$_SERVER['QUERY_STRING']; + } + else + throw new CException(Yii::t('yii','CHttpRequest is unable to determine the request URI.')); + } + + return $this->_requestUri; + } + + /** + * Returns part of the request URL that is after the question mark. + * @return string part of the request URL that is after the question mark + */ + public function getQueryString() + { + return isset($_SERVER['QUERY_STRING'])?$_SERVER['QUERY_STRING']:''; + } + + /** + * Return if the request is sent via secure channel (https). + * @return boolean if the request is sent via secure channel (https) + */ + public function getIsSecureConnection() + { + return isset($_SERVER['HTTPS']) && !strcasecmp($_SERVER['HTTPS'],'on'); + } + + /** + * Returns the request type, such as GET, POST, HEAD, PUT, DELETE. + * @return string request type, such as GET, POST, HEAD, PUT, DELETE. + */ + public function getRequestType() + { + return strtoupper(isset($_SERVER['REQUEST_METHOD'])?$_SERVER['REQUEST_METHOD']:'GET'); + } + + /** + * Returns whether this is a POST request. + * @return boolean whether this is a POST request. + */ + public function getIsPostRequest() + { + return isset($_SERVER['REQUEST_METHOD']) && !strcasecmp($_SERVER['REQUEST_METHOD'],'POST'); + } + + /** + * Returns whether this is a DELETE request. + * @return boolean whether this is a DELETE request. + * @since 1.1.7 + */ + public function getIsDeleteRequest() + { + return isset($_SERVER['REQUEST_METHOD']) && !strcasecmp($_SERVER['REQUEST_METHOD'],'DELETE'); + } + + /** + * Returns whether this is a PUT request. + * @return boolean whether this is a PUT request. + * @since 1.1.7 + */ + public function getIsPutRequest() + { + return isset($_SERVER['REQUEST_METHOD']) && !strcasecmp($_SERVER['REQUEST_METHOD'],'PUT'); + } + + /** + * Returns whether this is an AJAX (XMLHttpRequest) request. + * @return boolean whether this is an AJAX (XMLHttpRequest) request. + */ + public function getIsAjaxRequest() + { + return isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH']==='XMLHttpRequest'; + } + + /** + * Returns the server name. + * @return string server name + */ + public function getServerName() + { + return $_SERVER['SERVER_NAME']; + } + + /** + * Returns the server port number. + * @return integer server port number + */ + public function getServerPort() + { + return $_SERVER['SERVER_PORT']; + } + + /** + * Returns the URL referrer, null if not present + * @return string URL referrer, null if not present + */ + public function getUrlReferrer() + { + return isset($_SERVER['HTTP_REFERER'])?$_SERVER['HTTP_REFERER']:null; + } + + /** + * Returns the user agent, null if not present. + * @return string user agent, null if not present + */ + public function getUserAgent() + { + return isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT']:null; + } + + /** + * Returns the user IP address. + * @return string user IP address + */ + public function getUserHostAddress() + { + return isset($_SERVER['REMOTE_ADDR'])?$_SERVER['REMOTE_ADDR']:'127.0.0.1'; + } + + /** + * Returns the user host name, null if it cannot be determined. + * @return string user host name, null if cannot be determined + */ + public function getUserHost() + { + return isset($_SERVER['REMOTE_HOST'])?$_SERVER['REMOTE_HOST']:null; + } + + /** + * Returns entry script file path. + * @return string entry script file path (processed w/ realpath()) + */ + public function getScriptFile() + { + if($this->_scriptFile!==null) + return $this->_scriptFile; + else + return $this->_scriptFile=realpath($_SERVER['SCRIPT_FILENAME']); + } + + /** + * Returns information about the capabilities of user browser. + * @param string $userAgent the user agent to be analyzed. Defaults to null, meaning using the + * current User-Agent HTTP header information. + * @return array user browser capabilities. + * @see http://www.php.net/manual/en/function.get-browser.php + */ + public function getBrowser($userAgent=null) + { + return get_browser($userAgent,true); + } + + /** + * Returns user browser accept types, null if not present. + * @return string user browser accept types, null if not present + */ + public function getAcceptTypes() + { + return isset($_SERVER['HTTP_ACCEPT'])?$_SERVER['HTTP_ACCEPT']:null; + } + + private $_port; + + /** + * Returns the port to use for insecure requests. + * Defaults to 80, or the port specified by the server if the current + * request is insecure. + * You may explicitly specify it by setting the {@link setPort port} property. + * @return integer port number for insecure requests. + * @see setPort + * @since 1.1.3 + */ + public function getPort() + { + if($this->_port===null) + $this->_port=!$this->getIsSecureConnection() && isset($_SERVER['SERVER_PORT']) ? (int)$_SERVER['SERVER_PORT'] : 80; + return $this->_port; + } + + /** + * Sets the port to use for insecure requests. + * This setter is provided in case a custom port is necessary for certain + * server configurations. + * @param integer $value port number. + * @since 1.1.3 + */ + public function setPort($value) + { + $this->_port=(int)$value; + $this->_hostInfo=null; + } + + private $_securePort; + + /** + * Returns the port to use for secure requests. + * Defaults to 443, or the port specified by the server if the current + * request is secure. + * You may explicitly specify it by setting the {@link setSecurePort securePort} property. + * @return integer port number for secure requests. + * @see setSecurePort + * @since 1.1.3 + */ + public function getSecurePort() + { + if($this->_securePort===null) + $this->_securePort=$this->getIsSecureConnection() && isset($_SERVER['SERVER_PORT']) ? (int)$_SERVER['SERVER_PORT'] : 443; + return $this->_securePort; + } + + /** + * Sets the port to use for secure requests. + * This setter is provided in case a custom port is necessary for certain + * server configurations. + * @param integer $value port number. + * @since 1.1.3 + */ + public function setSecurePort($value) + { + $this->_securePort=(int)$value; + $this->_hostInfo=null; + } + + /** + * Returns the cookie collection. + * The result can be used like an associative array. Adding {@link CHttpCookie} objects + * to the collection will send the cookies to the client; and removing the objects + * from the collection will delete those cookies on the client. + * @return CCookieCollection the cookie collection. + */ + public function getCookies() + { + if($this->_cookies!==null) + return $this->_cookies; + else + return $this->_cookies=new CCookieCollection($this); + } + + /** + * Redirects the browser to the specified URL. + * @param string $url URL to be redirected to. If the URL is a relative one, the base URL of + * the application will be inserted at the beginning. + * @param boolean $terminate whether to terminate the current application + * @param integer $statusCode the HTTP status code. Defaults to 302. See {@link http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html} + * for details about HTTP status code. + */ + public function redirect($url,$terminate=true,$statusCode=302) + { + if(strpos($url,'/')===0) + $url=$this->getHostInfo().$url; + header('Location: '.$url, true, $statusCode); + if($terminate) + Yii::app()->end(); + } + + /** + * Returns the user preferred language. + * The returned language ID will be canonicalized using {@link CLocale::getCanonicalID}. + * This method returns false if the user does not have language preference. + * @return string the user preferred language. + */ + public function getPreferredLanguage() + { + if($this->_preferredLanguage===null) + { + if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) && ($n=preg_match_all('/([\w\-_]+)\s*(;\s*q\s*=\s*(\d*\.\d*))?/',$_SERVER['HTTP_ACCEPT_LANGUAGE'],$matches))>0) + { + $languages=array(); + for($i=0;$i<$n;++$i) + $languages[$matches[1][$i]]=empty($matches[3][$i]) ? 1.0 : floatval($matches[3][$i]); + arsort($languages); + foreach($languages as $language=>$pref) + return $this->_preferredLanguage=CLocale::getCanonicalID($language); + } + return $this->_preferredLanguage=false; + } + return $this->_preferredLanguage; + } + + /** + * Sends a file to user. + * @param string $fileName file name + * @param string $content content to be set. + * @param string $mimeType mime type of the content. If null, it will be guessed automatically based on the given file name. + * @param boolean $terminate whether to terminate the current application after calling this method + */ + public function sendFile($fileName,$content,$mimeType=null,$terminate=true) + { + if($mimeType===null) + { + if(($mimeType=CFileHelper::getMimeTypeByExtension($fileName))===null) + $mimeType='text/plain'; + } + header('Pragma: public'); + header('Expires: 0'); + header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); + header("Content-type: $mimeType"); + if(ob_get_length()===false) + header('Content-Length: '.(function_exists('mb_strlen') ? mb_strlen($content,'8bit') : strlen($content))); + header("Content-Disposition: attachment; filename=\"$fileName\""); + header('Content-Transfer-Encoding: binary'); + + if($terminate) + { + // clean up the application first because the file downloading could take long time + // which may cause timeout of some resources (such as DB connection) + Yii::app()->end(0,false); + echo $content; + exit(0); + } + else + echo $content; + } + + /** + * Sends existing file to a browser as a download using x-sendfile. + * + * X-Sendfile is a feature allowing a web application to redirect the request for a file to the webserver + * that in turn processes the request, this way eliminating the need to perform tasks like reading the file + * and sending it to the user. When dealing with a lot of files (or very big files) this can lead to a great + * increase in performance as the web application is allowed to terminate earlier while the webserver is + * handling the request. + * + * The request is sent to the server through a special non-standard HTTP-header. + * When the web server encounters the presence of such header it will discard all output and send the file + * specified by that header using web server internals including all optimizations like caching-headers. + * + * As this header directive is non-standard different directives exists for different web servers applications: + * <ul> + * <li>Apache: {@link http://tn123.org/mod_xsendfile X-Sendfile}</li> + * <li>Lighttpd v1.4: {@link http://redmine.lighttpd.net/projects/lighttpd/wiki/X-LIGHTTPD-send-file X-LIGHTTPD-send-file}</li> + * <li>Lighttpd v1.5: {@link http://redmine.lighttpd.net/projects/lighttpd/wiki/X-LIGHTTPD-send-file X-Sendfile}</li> + * <li>Nginx: {@link http://wiki.nginx.org/XSendfile X-Accel-Redirect}</li> + * <li>Cherokee: {@link http://www.cherokee-project.com/doc/other_goodies.html#x-sendfile X-Sendfile and X-Accel-Redirect}</li> + * </ul> + * So for this method to work the X-SENDFILE option/module should be enabled by the web server and + * a proper xHeader should be sent. + * + * <b>Note:</b> + * This option allows to download files that are not under web folders, and even files that are otherwise protected (deny from all) like .htaccess + * + * <b>Side effects</b>: + * If this option is disabled by the web server, when this method is called a download configuration dialog + * will open but the downloaded file will have 0 bytes. + * + * <b>Example</b>: + * <pre> + * <?php + * Yii::app()->request->xSendFile('/home/user/Pictures/picture1.jpg',array( + * 'saveName'=>'image1.jpg', + * 'mimeType'=>'image/jpeg', + * 'terminate'=>false, + * )); + * ?> + * </pre> + * @param string $filePath file name with full path + * @param array $options additional options: + * <ul> + * <li>saveName: file name shown to the user, if not set real file name will be used</li> + * <li>mimeType: mime type of the file, if not set it will be guessed automatically based on the file name, if set to null no content-type header will be sent.</li> + * <li>xHeader: appropriate x-sendfile header, defaults to "X-Sendfile"</li> + * <li>terminate: whether to terminate the current application after calling this method, defaults to true</li> + * <li>forceDownload: specifies whether the file will be downloaded or shown inline, defaults to true. (Since version 1.1.9.)</li> + * <li>addHeaders: an array of additional http headers in header-value pairs (available since version 1.1.10)</li> + * </ul> + */ + public function xSendFile($filePath, $options=array()) + { + if(!isset($options['forceDownload']) || $options['forceDownload']) + $disposition='attachment'; + else + $disposition='inline'; + + if(!isset($options['saveName'])) + $options['saveName']=basename($filePath); + + if(!isset($options['mimeType'])) + { + if(($options['mimeType']=CFileHelper::getMimeTypeByExtension($filePath))===null) + $options['mimeType']='text/plain'; + } + + if(!isset($options['xHeader'])) + $options['xHeader']='X-Sendfile'; + + if($options['mimeType'] !== null) + header('Content-type: '.$options['mimeType']); + header('Content-Disposition: '.$disposition.'; filename="'.$options['saveName'].'"'); + if(isset($options['addHeaders'])) + { + foreach($options['addHeaders'] as $header=>$value) + header($header.': '.$value); + } + header(trim($options['xHeader']).': '.$filePath); + + if(!isset($options['terminate']) || $options['terminate']) + Yii::app()->end(); + } + + /** + * Returns the random token used to perform CSRF validation. + * The token will be read from cookie first. If not found, a new token + * will be generated. + * @return string the random token for CSRF validation. + * @see enableCsrfValidation + */ + public function getCsrfToken() + { + if($this->_csrfToken===null) + { + $cookie=$this->getCookies()->itemAt($this->csrfTokenName); + if(!$cookie || ($this->_csrfToken=$cookie->value)==null) + { + $cookie=$this->createCsrfCookie(); + $this->_csrfToken=$cookie->value; + $this->getCookies()->add($cookie->name,$cookie); + } + } + + return $this->_csrfToken; + } + + /** + * Creates a cookie with a randomly generated CSRF token. + * Initial values specified in {@link csrfCookie} will be applied + * to the generated cookie. + * @return CHttpCookie the generated cookie + * @see enableCsrfValidation + */ + protected function createCsrfCookie() + { + $cookie=new CHttpCookie($this->csrfTokenName,sha1(uniqid(mt_rand(),true))); + if(is_array($this->csrfCookie)) + { + foreach($this->csrfCookie as $name=>$value) + $cookie->$name=$value; + } + return $cookie; + } + + /** + * Performs the CSRF validation. + * This is the event handler responding to {@link CApplication::onBeginRequest}. + * The default implementation will compare the CSRF token obtained + * from a cookie and from a POST field. If they are different, a CSRF attack is detected. + * @param CEvent $event event parameter + * @throws CHttpException if the validation fails + */ + public function validateCsrfToken($event) + { + if($this->getIsPostRequest()) + { + // only validate POST requests + $cookies=$this->getCookies(); + if($cookies->contains($this->csrfTokenName) && isset($_POST[$this->csrfTokenName])) + { + $tokenFromCookie=$cookies->itemAt($this->csrfTokenName)->value; + $tokenFromPost=$_POST[$this->csrfTokenName]; + $valid=$tokenFromCookie===$tokenFromPost; + } + else + $valid=false; + if(!$valid) + throw new CHttpException(400,Yii::t('yii','The CSRF token could not be verified.')); + } + } +} + + +/** + * CCookieCollection implements a collection class to store cookies. + * + * You normally access it via {@link CHttpRequest::getCookies()}. + * + * Since CCookieCollection extends from {@link CMap}, it can be used + * like an associative array as follows: + * <pre> + * $cookies[$name]=new CHttpCookie($name,$value); // sends a cookie + * $value=$cookies[$name]->value; // reads a cookie value + * unset($cookies[$name]); // removes a cookie + * </pre> + * + * @author Qiang Xue <qiang.xue@gmail.com> + * @version $Id: CHttpRequest.php 3560 2012-02-10 14:13:00Z mdomba $ + * @package system.web + * @since 1.0 + */ +class CCookieCollection extends CMap +{ + private $_request; + private $_initialized=false; + + /** + * Constructor. + * @param CHttpRequest $request owner of this collection. + */ + public function __construct(CHttpRequest $request) + { + $this->_request=$request; + $this->copyfrom($this->getCookies()); + $this->_initialized=true; + } + + /** + * @return CHttpRequest the request instance + */ + public function getRequest() + { + return $this->_request; + } + + /** + * @return array list of validated cookies + */ + protected function getCookies() + { + $cookies=array(); + if($this->_request->enableCookieValidation) + { + $sm=Yii::app()->getSecurityManager(); + foreach($_COOKIE as $name=>$value) + { + if(is_string($value) && ($value=$sm->validateData($value))!==false) + $cookies[$name]=new CHttpCookie($name,@unserialize($value)); + } + } + else + { + foreach($_COOKIE as $name=>$value) + $cookies[$name]=new CHttpCookie($name,$value); + } + return $cookies; + } + + /** + * Adds a cookie with the specified name. + * This overrides the parent implementation by performing additional + * operations for each newly added CHttpCookie object. + * @param mixed $name Cookie name. + * @param CHttpCookie $cookie Cookie object. + * @throws CException if the item to be inserted is not a CHttpCookie object. + */ + public function add($name,$cookie) + { + if($cookie instanceof CHttpCookie) + { + $this->remove($name); + parent::add($name,$cookie); + if($this->_initialized) + $this->addCookie($cookie); + } + else + throw new CException(Yii::t('yii','CHttpCookieCollection can only hold CHttpCookie objects.')); + } + + /** + * Removes a cookie with the specified name. + * This overrides the parent implementation by performing additional + * cleanup work when removing a CHttpCookie object. + * @param mixed $name Cookie name. + * @return CHttpCookie The removed cookie object. + */ + public function remove($name) + { + if(($cookie=parent::remove($name))!==null) + { + if($this->_initialized) + $this->removeCookie($cookie); + } + return $cookie; + } + + /** + * Sends a cookie. + * @param CHttpCookie $cookie cookie to be sent + */ + protected function addCookie($cookie) + { + $value=$cookie->value; + if($this->_request->enableCookieValidation) + $value=Yii::app()->getSecurityManager()->hashData(serialize($value)); + if(version_compare(PHP_VERSION,'5.2.0','>=')) + setcookie($cookie->name,$value,$cookie->expire,$cookie->path,$cookie->domain,$cookie->secure,$cookie->httpOnly); + else + setcookie($cookie->name,$value,$cookie->expire,$cookie->path,$cookie->domain,$cookie->secure); + } + + /** + * Deletes a cookie. + * @param CHttpCookie $cookie cookie to be deleted + */ + protected function removeCookie($cookie) + { + if(version_compare(PHP_VERSION,'5.2.0','>=')) + setcookie($cookie->name,null,0,$cookie->path,$cookie->domain,$cookie->secure,$cookie->httpOnly); + else + setcookie($cookie->name,null,0,$cookie->path,$cookie->domain,$cookie->secure); + } +} |