preRequest($request); if ($output === false) { return new HTTPResponse(_t(__CLASS__.'.INVALID_REQUEST', 'Invalid request'), 400); } // Generate output $result = static::handleRequest($request); // Save session data. Note that save() will start/resume the session if required. $request->getSession()->save(); // Post-request handling $postRequest = RequestProcessor::singleton()->postRequest($request, $result); if ($postRequest === false) { return new HTTPResponse(_t(__CLASS__ . '.REQUEST_ABORTED', 'Request aborted'), 500); } // Return return $result; } /** * Test a URL request, returning a response object. This method is the counterpart of * Director::direct() that is used in functional testing. It will execute the URL given, and * return the result as an HTTPResponse object. * * @uses TestController::handleRequest() Handles the page logic for a Director::direct() call. * * @param string $url The URL to visit. * @param array $postVars The $_POST & $_FILES variables. * @param array|Session $session The {@link Session} object representing the current session. * By passing the same object to multiple calls of Director::test(), you can simulate a persisted * session. * @param string $httpMethod The HTTP method, such as GET or POST. It will default to POST if * postVars is set, GET otherwise. Overwritten by $postVars['_method'] if present. * @param string $body The HTTP body. * @param array $headers HTTP headers with key-value pairs. * @param array|Cookie_Backend $cookies to populate $_COOKIE. * @param HTTPRequest $request The {@see SS_HTTP_Request} object generated as a part of this request. * * @return HTTPResponse * * @throws HTTPResponse_Exception */ public static function test( $url, $postVars = [], $session = array(), $httpMethod = null, $body = null, $headers = array(), $cookies = array(), &$request = null ) { return static::mockRequest( function (HTTPRequest $request) { return static::direct($request); }, $url, $postVars, $session, $httpMethod, $body, $headers, $cookies, $request ); } /** * Mock a request, passing this to the given callback, before resetting. * * @param callable $callback Action to pass the HTTPRequst object * @param string $url The URL to build * @param array $postVars The $_POST & $_FILES variables. * @param array|Session $session The {@link Session} object representing the current session. * By passing the same object to multiple calls of Director::test(), you can simulate a persisted * session. * @param string $httpMethod The HTTP method, such as GET or POST. It will default to POST if * postVars is set, GET otherwise. Overwritten by $postVars['_method'] if present. * @param string $body The HTTP body. * @param array $headers HTTP headers with key-value pairs. * @param array|Cookie_Backend $cookies to populate $_COOKIE. * @param HTTPRequest $request The {@see SS_HTTP_Request} object generated as a part of this request. * @return mixed Result of callback */ public static function mockRequest( $callback, $url, $postVars = [], $session = [], $httpMethod = null, $body = null, $headers = [], $cookies = [], &$request = null ) { // Build list of cleanup promises $finally = []; /** @var Kernel $kernel */ $kernel = Injector::inst()->get(Kernel::class); $kernel->nest(); $finally[] = function () use ($kernel) { $kernel->activate(); }; // backup existing vars, and create new vars $existingVars = Environment::getVariables(); $finally[] = function () use ($existingVars) { Environment::setVariables($existingVars); }; $newVars = $existingVars; // These are needed so that calling Director::test() does not muck with whoever is calling it. // Really, it's some inappropriate coupling and should be resolved by making less use of statics. if (class_exists(Versioned::class)) { $oldReadingMode = Versioned::get_reading_mode(); $finally[] = function () use ($oldReadingMode) { Versioned::set_reading_mode($oldReadingMode); }; } // Default httpMethod $newVars['_SERVER']['REQUEST_METHOD'] = $httpMethod ?: ($postVars ? "POST" : "GET"); $newVars['_POST'] = (array)$postVars; // Setup session if ($session instanceof Session) { // Note: If passing $session as object, ensure that changes are written back // This is important for classes such as FunctionalTest which emulate cross-request persistence $newVars['_SESSION'] = $session->getAll(); $finally[] = function () use ($session) { if (isset($_SESSION)) { foreach ($_SESSION as $key => $value) { $session->set($key, $value); } } }; } else { $newVars['_SESSION'] = $session ?: []; } // Setup cookies $cookieJar = $cookies instanceof Cookie_Backend ? $cookies : Injector::inst()->createWithArgs(Cookie_Backend::class, array($cookies ?: [])); $newVars['_COOKIE'] = $cookieJar->getAll(false); Cookie::config()->update('report_errors', false); Injector::inst()->registerService($cookieJar, Cookie_Backend::class); // Backup requirements $existingRequirementsBackend = Requirements::backend(); Requirements::set_backend(Requirements_Backend::create()); $finally[] = function () use ($existingRequirementsBackend) { Requirements::set_backend($existingRequirementsBackend); }; // Strip any hash $url = strtok($url, '#'); // Handle absolute URLs if (parse_url($url, PHP_URL_HOST)) { $bits = parse_url($url); // If a port is mentioned in the absolute URL, be sure to add that into the HTTP host $newVars['_SERVER']['HTTP_HOST'] = isset($bits['port']) ? $bits['host'].':'.$bits['port'] : $bits['host']; } // Ensure URL is properly made relative. // Example: url passed is "/ss31/my-page" (prefixed with BASE_URL), this should be changed to "my-page" $url = self::makeRelative($url); if (strpos($url, '?') !== false) { list($url, $getVarsEncoded) = explode('?', $url, 2); parse_str($getVarsEncoded, $newVars['_GET']); } else { $newVars['_GET'] = []; } $newVars['_SERVER']['REQUEST_URI'] = Director::baseURL() . $url; $newVars['_REQUEST'] = array_merge($newVars['_GET'], $newVars['_POST']); // Normalise vars $newVars = HTTPRequestBuilder::cleanEnvironment($newVars); // Create new request $request = HTTPRequestBuilder::createFromVariables($newVars, $body); if ($headers) { foreach ($headers as $k => $v) { $request->addHeader($k, $v); } } // Apply new vars to environment Environment::setVariables($newVars); try { // Normal request handling return call_user_func($callback, $request); } finally { // Restore state in reverse order to assignment foreach (array_reverse($finally) as $callback) { call_user_func($callback); } } } /** * Handle an HTTP request, defined with a HTTPRequest object. * * @skipUpgrade * @param HTTPRequest $request * @return HTTPResponse */ protected static function handleRequest(HTTPRequest $request) { $rules = Director::config()->uninherited('rules'); foreach ($rules as $pattern => $controllerOptions) { // Normalise route rule if (is_string($controllerOptions)) { if (substr($controllerOptions, 0, 2) == '->') { $controllerOptions = array('Redirect' => substr($controllerOptions, 2)); } else { $controllerOptions = array('Controller' => $controllerOptions); } } // Match pattern $arguments = $request->match($pattern, true); if ($arguments !== false) { $request->setRouteParams($controllerOptions); // controllerOptions provide some default arguments $arguments = array_merge($controllerOptions, $arguments); // Pop additional tokens from the tokenizer if necessary if (isset($controllerOptions['_PopTokeniser'])) { $request->shift($controllerOptions['_PopTokeniser']); } // Handle redirection if (isset($arguments['Redirect'])) { // Redirection $response = new HTTPResponse(); $response->redirect(static::absoluteURL($arguments['Redirect'])); return $response; } // Find the controller name $controller = $arguments['Controller']; $controllerObj = Injector::inst()->create($controller); try { return $controllerObj->handleRequest($request); } catch (HTTPResponse_Exception $responseException) { return $responseException->getResponse(); } } } // No URL rules matched, so return a 404 error. return new HTTPResponse('No URL rule was matched', 404); } /** * Return the {@link SiteTree} object that is currently being viewed. If there is no SiteTree * object to return, then this will return the current controller. * * @return SiteTree|Controller */ public static function get_current_page() { return self::$current_page ? self::$current_page : Controller::curr(); } /** * Set the currently active {@link SiteTree} object that is being used to respond to the request. * * @param SiteTree $page */ public static function set_current_page($page) { self::$current_page = $page; } /** * Turns the given URL into an absolute URL. By default non-site root relative urls will be * evaluated relative to the current base_url. * * @param string $url URL To transform to absolute. * @param string $relativeParent Method to use for evaluating relative urls. * Either one of BASE (baseurl), ROOT (site root), or REQUEST (requested page). * Defaults to BASE, which is the same behaviour as template url resolution. * Ignored if the url is absolute or site root. * * @return string */ public static function absoluteURL($url, $relativeParent = self::BASE) { if (is_bool($relativeParent)) { // Deprecate old boolean second parameter Deprecation::notice('5.0', 'Director::absoluteURL takes an explicit parent for relative url'); $relativeParent = $relativeParent ? self::BASE : self::REQUEST; } // Check if there is already a protocol given if (preg_match('/^http(s?):\/\//', $url)) { return $url; } // Absolute urls without protocol are added // E.g. //google.com -> http://google.com if (strpos($url, '//') === 0) { return self::protocol() . substr($url, 2); } // Determine method for mapping the parent to this relative url if ($relativeParent === self::ROOT || self::is_root_relative_url($url)) { // Root relative urls always should be evaluated relative to the root $parent = self::protocolAndHost(); } elseif ($relativeParent === self::REQUEST) { // Request relative urls rely on the REQUEST_URI param (old default behaviour) if (!isset($_SERVER['REQUEST_URI'])) { return false; } $parent = dirname($_SERVER['REQUEST_URI'] . 'x'); } else { // Default to respecting site base_url $parent = self::absoluteBaseURL(); } // Map empty urls to relative slash and join to base if (empty($url) || $url === '.' || $url === './') { $url = '/'; } return Controller::join_links($parent, $url); } /** * A helper to determine the current hostname used to access the site. * The following are used to determine the host (in order) * - Director.alternate_base_url (if it contains a domain name) * - Trusted proxy headers * - HTTP Host header * - SS_BASE_URL env var * - SERVER_NAME * - gethostname() * * @return string */ public static function host() { // Check if overridden by alternate_base_url if ($baseURL = self::config()->get('alternate_base_url')) { $baseURL = Injector::inst()->convertServiceProperty($baseURL); $host = parse_url($baseURL, PHP_URL_HOST); if ($host) { return $host; } } // Validate proxy-specific headers if (TRUSTED_PROXY) { // Check headers to validate $headers = getenv('SS_TRUSTED_PROXY_HOST_HEADER') ? explode(',', getenv('SS_TRUSTED_PROXY_HOST_HEADER')) : ['HTTP_X_FORWARDED_HOST']; // Backwards compatible defaults foreach ($headers as $header) { if (!empty($_SERVER[$header])) { // Get the first host, in case there's multiple separated through commas return strtok($_SERVER[$header], ','); } } } // Check given header if (isset($_SERVER['HTTP_HOST'])) { return $_SERVER['HTTP_HOST']; } // Check base url if ($baseURL = self::config()->uninherited('default_base_url')) { $baseURL = Injector::inst()->convertServiceProperty($baseURL); $host = parse_url($baseURL, PHP_URL_HOST); if ($host) { return $host; } } // Fail over to server_name (least reliable) return isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : gethostname(); } /** * Returns the domain part of the URL 'http://www.mysite.com'. Returns FALSE is this environment * variable isn't set. * * @return bool|string */ public static function protocolAndHost() { return static::protocol() . static::host(); } /** * Return the current protocol that the site is running under. * * @return string */ public static function protocol() { return (self::is_https()) ? 'https://' : 'http://'; } /** * Return whether the site is running as under HTTPS. * * @return bool */ public static function is_https() { // Check override from alternate_base_url if ($baseURL = self::config()->uninherited('alternate_base_url')) { $baseURL = Injector::inst()->convertServiceProperty($baseURL); $protocol = parse_url($baseURL, PHP_URL_SCHEME); if ($protocol) { return $protocol === 'https'; } } // See https://en.wikipedia.org/wiki/List_of_HTTP_header_fields // See https://support.microsoft.com/en-us/kb/307347 if (TRUSTED_PROXY) { $headers = getenv('SS_TRUSTED_PROXY_PROTOCOL_HEADER') ? explode(',', getenv('SS_TRUSTED_PROXY_PROTOCOL_HEADER')) : ['HTTP_X_FORWARDED_PROTO', 'HTTP_X_FORWARDED_PROTOCOL', 'HTTP_FRONT_END_HTTPS']; foreach ($headers as $header) { $headerCompareVal = ($header === 'HTTP_FRONT_END_HTTPS' ? 'on' : 'https'); if (!empty($_SERVER[$header]) && strtolower($_SERVER[$header]) == $headerCompareVal) { return true; } } } // Check common $_SERVER if ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) { return true; } if (isset($_SERVER['SSL'])) { return true; } // Check default_base_url if ($baseURL = self::config()->uninherited('default_base_url')) { $baseURL = Injector::inst()->convertServiceProperty($baseURL); $protocol = parse_url($baseURL, PHP_URL_SCHEME); if ($protocol) { return $protocol === 'https'; } } return false; } /** * Return the root-relative url for the baseurl * * @return string Root-relative url with trailing slash. */ public static function baseURL() { // Check override base_url $alternate = self::config()->get('alternate_base_url'); if ($alternate) { $alternate = Injector::inst()->convertServiceProperty($alternate); return rtrim(parse_url($alternate, PHP_URL_PATH), '/') . '/'; } // Get env base url $baseURL = rtrim(BASE_URL, '/') . '/'; // Check if BASE_SCRIPT_URL is defined // e.g. `index.php/` if (defined('BASE_SCRIPT_URL')) { return $baseURL . BASE_SCRIPT_URL; } return $baseURL; } /** * Returns the root filesystem folder for the site. It will be automatically calculated unless * it is overridden with {@link setBaseFolder()}. * * @return string */ public static function baseFolder() { $alternate = Director::config()->uninherited('alternate_base_folder'); return ($alternate) ? $alternate : BASE_PATH; } /** * Turns an absolute URL or folder into one that's relative to the root of the site. This is useful * when turning a URL into a filesystem reference, or vice versa. * * @param string $url Accepts both a URL or a filesystem path. * * @return string */ public static function makeRelative($url) { // Allow for the accidental inclusion whitespace and // in the URL $url = trim(preg_replace('#([^:])//#', '\\1/', $url)); $base1 = self::absoluteBaseURL(); $baseDomain = substr($base1, strlen(self::protocol())); // Only bother comparing the URL to the absolute version if $url looks like a URL. if (preg_match('/^https?[^:]*:\/\//', $url, $matches)) { $urlProtocol = $matches[0]; $urlWithoutProtocol = substr($url, strlen($urlProtocol)); // If we are already looking at baseURL, return '' (substr will return false) if ($url == $base1) { return ''; } elseif (substr($url, 0, strlen($base1)) == $base1) { return substr($url, strlen($base1)); } elseif (substr($base1, -1) == "/" && $url == substr($base1, 0, -1)) { // Convert http://www.mydomain.com/mysitedir to '' return ""; } if (substr($urlWithoutProtocol, 0, strlen($baseDomain)) == $baseDomain) { return substr($urlWithoutProtocol, strlen($baseDomain)); } } // test for base folder, e.g. /var/www $base2 = self::baseFolder(); if (substr($url, 0, strlen($base2)) == $base2) { return substr($url, strlen($base2)); } // Test for relative base url, e.g. mywebsite/ if the full URL is http://localhost/mywebsite/ $base3 = self::baseURL(); if (substr($url, 0, strlen($base3)) == $base3) { return substr($url, strlen($base3)); } // Test for relative base url, e.g mywebsite/ if the full url is localhost/myswebsite if (substr($url, 0, strlen($baseDomain)) == $baseDomain) { return substr($url, strlen($baseDomain)); } // Nothing matched, fall back to returning the original URL return $url; } /** * Returns true if a given path is absolute. Works under both *nix and windows systems. * * @param string $path * * @return bool */ public static function is_absolute($path) { if (empty($path)) { return false; } if ($path[0] == '/' || $path[0] == '\\') { return true; } return preg_match('/^[a-zA-Z]:[\\\\\/]/', $path) == 1; } /** * Determine if the url is root relative (i.e. starts with /, but not with //) SilverStripe * considers root relative urls as a subset of relative urls. * * @param string $url * * @return bool */ public static function is_root_relative_url($url) { return strpos($url, '/') === 0 && strpos($url, '//') !== 0; } /** * Checks if a given URL is absolute (e.g. starts with 'http://' etc.). URLs beginning with "//" * are treated as absolute, as browsers take this to mean the same protocol as currently being used. * * Useful to check before redirecting based on a URL from user submissions through $_GET or $_POST, * and avoid phishing attacks by redirecting to an attackers server. * * Note: Can't solely rely on PHP's parse_url() , since it is not intended to work with relative URLs * or for security purposes. filter_var($url, FILTER_VALIDATE_URL) has similar problems. * * @param string $url * * @return bool */ public static function is_absolute_url($url) { // Strip off the query and fragment parts of the URL before checking if (($queryPosition = strpos($url, '?')) !== false) { $url = substr($url, 0, $queryPosition-1); } if (($hashPosition = strpos($url, '#')) !== false) { $url = substr($url, 0, $hashPosition-1); } $colonPosition = strpos($url, ':'); $slashPosition = strpos($url, '/'); return ( // Base check for existence of a host on a compliant URL parse_url($url, PHP_URL_HOST) // Check for more than one leading slash without a protocol. // While not a RFC compliant absolute URL, it is completed to a valid URL by some browsers, // and hence a potential security risk. Single leading slashes are not an issue though. || preg_match('%^\s*/{2,}%', $url) || ( // If a colon is found, check if it's part of a valid scheme definition // (meaning its not preceded by a slash). $colonPosition !== false && ($slashPosition === false || $colonPosition < $slashPosition) ) ); } /** * Checks if a given URL is relative (or root relative) by checking {@link is_absolute_url()}. * * @param string $url * * @return bool */ public static function is_relative_url($url) { return !static::is_absolute_url($url); } /** * Checks if the given URL is belonging to this "site" (not an external link). That's the case if * the URL is relative, as defined by {@link is_relative_url()}, or if the host matches * {@link protocolAndHost()}. * * Useful to check before redirecting based on a URL from user submissions through $_GET or $_POST, * and avoid phishing attacks by redirecting to an attackers server. * * @param string $url * * @return bool */ public static function is_site_url($url) { $urlHost = parse_url($url, PHP_URL_HOST); $actualHost = parse_url(self::protocolAndHost(), PHP_URL_HOST); if ($urlHost && $actualHost && $urlHost == $actualHost) { return true; } else { return self::is_relative_url($url); } } /** * Given a filesystem reference relative to the site root, return the full file-system path. * * @param string $file * * @return string */ public static function getAbsFile($file) { return self::is_absolute($file) ? $file : Director::baseFolder() . '/' . $file; } /** * Returns true if the given file exists. Filename should be relative to the site root. * * @param $file * * @return bool */ public static function fileExists($file) { // replace any appended query-strings, e.g. /path/to/foo.php?bar=1 to /path/to/foo.php $file = preg_replace('/([^\?]*)?.*/', '$1', $file); return file_exists(Director::getAbsFile($file)); } /** * Returns the Absolute URL of the site root. * * @return string */ public static function absoluteBaseURL() { return self::absoluteURL( self::baseURL(), self::ROOT ); } /** * Returns the Absolute URL of the site root, embedding the current basic-auth credentials into * the URL. * * @return string */ public static function absoluteBaseURLWithAuth() { $login = ""; if (isset($_SERVER['PHP_AUTH_USER'])) { $login = "$_SERVER[PHP_AUTH_USER]:$_SERVER[PHP_AUTH_PW]@"; } return Director::protocol() . $login . static::host() . Director::baseURL(); } /** * Skip any further processing and immediately respond with a redirect to the passed URL. * * @param string $destURL * @throws HTTPResponse_Exception */ protected static function force_redirect($destURL) { // Redirect to installer $response = new HTTPResponse(); $response->redirect($destURL, 301); HTTP::add_cache_headers($response); throw new HTTPResponse_Exception($response); } /** * Force the site to run on SSL. * * To use, call from _config.php. For example: * * if (Director::isLive()) Director::forceSSL(); * * * If you don't want your entire site to be on SSL, you can pass an array of PCRE regular expression * patterns for matching relative URLs. For example: * * if (Director::isLive()) Director::forceSSL(array('/^admin/', '/^Security/')); * * * If you want certain parts of your site protected under a different domain, you can specify * the domain as an argument: * * if (Director::isLive()) Director::forceSSL(array('/^admin/', '/^Security/'), 'secure.mysite.com'); * * * Note that the session data will be lost when moving from HTTP to HTTPS. It is your responsibility * to ensure that this won't cause usability problems. * * CAUTION: This does not respect the site environment mode. You should check this * as per the above examples using Director::isLive() or Director::isTest() for example. * * @param array $patterns Array of regex patterns to match URLs that should be HTTPS. * @param string $secureDomain Secure domain to redirect to. Defaults to the current domain. * @return bool true if already on SSL, false if doesn't match patterns (or cannot redirect) * @throws HTTPResponse_Exception Throws exception with redirect, if successful */ public static function forceSSL($patterns = null, $secureDomain = null) { // Already on SSL if (static::is_https()) { return true; } // Can't redirect without a url if (!isset($_SERVER['REQUEST_URI'])) { return false; } if ($patterns) { $matched = false; $relativeURL = self::makeRelative(Director::absoluteURL($_SERVER['REQUEST_URI'])); // protect portions of the site based on the pattern foreach ($patterns as $pattern) { if (preg_match($pattern, $relativeURL)) { $matched = true; break; } } if (!$matched) { return false; } } // if an domain is specified, redirect to that instead of the current domain if (!$secureDomain) { $secureDomain = static::host(); } $url = 'https://' . $secureDomain . $_SERVER['REQUEST_URI']; // Force redirect self::force_redirect($url); return true; } /** * Force a redirect to a domain starting with "www." */ public static function forceWWW() { if (!Director::isDev() && !Director::isTest() && strpos(static::host(), 'www') !== 0) { $destURL = str_replace( Director::protocol(), Director::protocol() . 'www.', Director::absoluteURL($_SERVER['REQUEST_URI']) ); self::force_redirect($destURL); } } /** * Checks if the current HTTP-Request is an "Ajax-Request" by checking for a custom header set by * jQuery or whether a manually set request-parameter 'ajax' is present. * * @return bool */ public static function is_ajax() { if (Controller::has_curr()) { return Controller::curr()->getRequest()->isAjax(); } else { return ( isset($_REQUEST['ajax']) || (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == "XMLHttpRequest") ); } } /** * Returns true if this script is being run from the command line rather than the web server. * * @return bool */ public static function is_cli() { return php_sapi_name() === "cli"; } /** * Can also be checked with {@link Director::isDev()}, {@link Director::isTest()}, and * {@link Director::isLive()}. * * @return bool */ public static function get_environment_type() { /** @var Kernel $kernel */ $kernel = Injector::inst()->get(Kernel::class); return $kernel->getEnvironment(); } /** * This function will return true if the site is in a live environment. For information about * environment types, see {@link Director::set_environment_type()}. * * @return bool */ public static function isLive() { return self::get_environment_type() === 'live'; } /** * This function will return true if the site is in a development environment. For information about * environment types, see {@link Director::set_environment_type()}. * * @return bool */ public static function isDev() { return self::get_environment_type() === 'dev'; } /** * This function will return true if the site is in a test environment. For information about * environment types, see {@link Director::set_environment_type()}. * * @return bool */ public static function isTest() { return self::get_environment_type() === 'test'; } /** * Returns an array of strings of the method names of methods on the call that should be exposed * as global variables in the templates. * * @return array */ public static function get_template_global_variables() { return array( 'absoluteBaseURL', 'baseURL', 'is_ajax', 'isAjax' => 'is_ajax', 'BaseHref' => 'absoluteBaseURL', //@deprecated 3.0 ); } }