Item13848: Implement DeprecateHTTPandHTTPS

foswiki · Nov 16, 2015 · f6967af · f6967af
1 parent cbbc048
commit f6967af
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 21 deletions.
diff --git a/core/data/System/VarHTTP.txt b/core/data/System/VarHTTP.txt
@@ -1,16 +1,21 @@
-%META:TOPICINFO{author="ProjectContributor" date="1434650530" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" comment="" date="1447358768" format="1.1"  version="1"}%
 %META:TOPICPARENT{name="Macros"}%
 ---+ HTTP -- get HTTP headers
-   * Called with the name of an HTTP header field, returns its value. Capitalization and the use of hyphens versus underscores are not significant.
+   * Called with the name of an HTTP request header field, returns its value. Capitalization and the use of hyphens versus underscores are not significant.
+   * Request headers are sent by the browser to the server. It is not possible to access the Response headers returned to the browser.
+   * Only returns headers permitted by site configuration. Returns '' if the header is not allowed.
+   * When called without a parameter, nothing is returned.  See VarHTTPS for other options.
+<div class="foswikiHelp">%X% The HTTP and HTTPS macros are deprecated as of Foswiki release 2.1. and will be removed in a future release.</div>
 ---++ Parameters
 | *Name* | *Description* |
 | ="name"= | Name of the header to get |
 ---++ Examples
-     | =%<nop>HTTP%= | %HTTP% |
-     | =%<nop>HTTP{"Accept-language"}%= | %HTTP{"Accept-language"}% |
-     | =%<nop>HTTP{"User-Agent"}%= | %HTTP{"User-Agent"}% |
+     | *Write* | *Returns* | *Notes* |
+     | =%<nop>HTTP%= | %HTTP% | Always returns '' |
+     | =%<nop>HTTP{"Accept-language"}%= | %HTTP{"Accept-language"}% | |
+     | =%<nop>HTTP{"User-Agent"}%= | %HTTP{"User-Agent"}% | |
+     | =%<nop>HTTP{"Cookie"}%= | %HTTP{"Cookie"}% | Not allowed by default. |
    <div class="foswikiHelp">%X% You can see the HTTP headers your browser sends to the server on a number of sites e.g. http://www.ericgiguere.com/tools/http-header-viewer.html</div>
 %STOPINCLUDE%
 ---++ Related
  [[VarHTTPS][HTTPS]], [[VarREMOTEADDR][REMOTE_ADDR]], [[VarREMOTEPORT][REMOTE_PORT]], [[VarREMOTEUSER][REMOTE_USER]]
-
diff --git a/core/data/System/VarHTTPS.txt b/core/data/System/VarHTTPS.txt
@@ -1,11 +1,26 @@
-%META:TOPICINFO{author="ProjectContributor" date="1434650530" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" comment="" date="1447358768" format="1.1"  version="1"}%
 %META:TOPICPARENT{name="Macros"}%
 ---+ HTTPS -- get HTTPS headers
+
 The same as =%<nop>HTTP%= but operates on the HTTPS environment variables present when the SSL protocol is in effect. Can be used to determine whether SSL is turned on.
+   * Called with the name of an HTTP request header field, returns its value. Capitalization and the use of hyphens versus underscores are not significant.
+   * Request headers are sent by the browser to the server. It is not possible to access the Response headers returned to the browser.
+   * Only returns headers permitted by site configuration.
+   * When called without a parameter, nothing is returned. See VarHTTPS for other options.
+<div class='foswikiHelp'>%X% The HTTP and HTTPS macros are deprecated as of Foswiki release 2.1. and will be removed in a future release.</div>
+
 ---++ Parameters
-   | *Parameter* | *Description* | *Default* |
-   | ="name"= | Name of the header to get | required |
+| *Parameter* | *Description* | *Default* |
+| ="name"= | Name of the header to get | optional |
+---++ Examples
+
+| *Write* | *Returns* | *Notes* |
+| =%<nop>HTTPS%= | %HTTPS% | Returns '1' if HTTPS is active |
+| =%<nop>HTTPS{"Accept-language"}%= | %HTTPS{"Accept-language"}% | |
+| =%<nop>HTTPS{"User-Agent"}%= | %HTTPS{"User-Agent"}% | |
+| =%<nop>HTTPS{"Cookie"}%= | %HTTPS{"Cookie"}% | Not allowed by default. |
+<div class='foswikiHelp'>%X% You can see the HTTP headers your browser sends to the server on a number of sites e.g. http://www.ericgiguere.com/tools/http-header-viewer.html</div>
 %STOPINCLUDE%
 ---++ Related
- [[VarHTTP][HTTP]], [[VarREMOTEADDR][REMOTE_ADDR]], [[VarREMOTEPORT][REMOTE_PORT]], [[VarREMOTEUSER][REMOTE_USER]]
 
+[[VarHTTP][HTTP]], [[VarREMOTEADDR][REMOTE_ADDR]], [[VarREMOTEPORT][REMOTE_PORT]], [[VarREMOTEUSER][REMOTE_USER]]
diff --git a/core/lib/Foswiki.spec b/core/lib/Foswiki.spec
@@ -1037,6 +1037,11 @@ $Foswiki::cfg{UsePathForRedirectCache} = $FALSE;
 $Foswiki::cfg{AccessibleENV} =
 '^(HTTP_\w+|REMOTE_\w+|SERVER_\w+|REQUEST_\w+|MOD_PERL|FOSWIKI_ACTION|PATH_INFO)$';
 
+# **PERL LABEL="Accessible Headers" EXPERT**
+# Defines a list of headers that can be accessed by the HTTP and HTTPS macros.
+# Note: These macros are deprecated as of Release 2.1, and will be removed in a future release.
+$Foswiki::cfg{AccessibleHeaders} = ['Accept-Language', 'User-Agent'];
+
 #---++ Proxies
 # Some environments require outbound HTTP traffic to go through a proxy
 # server (for example http://proxy.your.company).

diff --git a/core/lib/Foswiki/Macros/HTTP.pm b/core/lib/Foswiki/Macros/HTTP.pm
@@ -11,21 +11,56 @@ BEGIN {
     }
 }
 
+# $https flag set when HTTPS macro is requested.
+
 sub HTTP {
-    my ( $this, $params ) = @_;
+    my ( $this, $params, $topicObject ) = @_;
     my $res;
-    if ( $params->{_DEFAULT} ) {
-        $res = $this->{request}->http( $params->{_DEFAULT} );
+    my $req = _validateRequest( $params->{_DEFAULT} );
+
+    my $https = ( substr( ( caller() )[1], -8 ) eq "HTTPS.pm" );
+
+    if ($https) {
+        return ''
+          unless (
+            !defined $req      # Requesting secure flag
+            || length($req)    # or requesting a specific header
+          );
+        $res = $this->{request}->https($req);
+    }
+    else {
+        return ''
+          unless (
+            defined $req       # Specifc header requested
+            && length($req)    # and passed validation
+          );
+        $res = $this->{request}->http($req);
     }
     $res = '' unless defined($res);
     return $res;
 }
 
+sub _validateRequest {
+
+    # Permit undef - used by HTTPS variant
+    return $_[0] unless defined $_[0];
+
+    # Nothing allowed if AccessibleHeaders is not defined
+    return '' unless ( scalar @{ $Foswiki::cfg{AccessibleHeaders} } );
+
+    foreach my $hdr ( @{ $Foswiki::cfg{AccessibleHeaders} } ) {
+        return $hdr if ( lc( $_[0] ) eq lc($hdr) );
+    }
+
+    # Nothing matched, return empty.
+    return '';
+}
+
 1;
 __END__
 Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 
-Copyright (C) 2008-2009 Foswiki Contributors. Foswiki Contributors
+Copyright (C) 2008-2015 Foswiki Contributors. Foswiki Contributors
 are listed in the AUTHORS file in the root of this distribution.
 NOTE: Please extend that file, not this notice.
 

diff --git a/core/lib/Foswiki/Macros/HTTPS.pm b/core/lib/Foswiki/Macros/HTTPS.pm
@@ -11,21 +11,18 @@ BEGIN {
     }
 }
 
+use Foswiki::Macros::HTTP;
+
 sub HTTPS {
     my ( $this, $params ) = @_;
-    my $res;
-    if ( $params->{_DEFAULT} ) {
-        $res = $this->{request}->https( $params->{_DEFAULT} );
-    }
-    $res = '' unless defined($res);
-    return $res;
+    return HTTP(@_);
 }
 
 1;
 __END__
 Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 
-Copyright (C) 2008-2009 Foswiki Contributors. Foswiki Contributors
+Copyright (C) 2008-2015 Foswiki Contributors. Foswiki Contributors
 are listed in the AUTHORS file in the root of this distribution.
 NOTE: Please extend that file, not this notice.