[feature/request-class] Add server(), header() and is_ajax() to request

Extend the request class with helpers for reading server vars (server())
and HTTP request headers (header()). Refactor the existing code base
to make use of these helpers, make $_SERVER a deactivated super global.

Also introduce an is_ajax() method, which checks the X-Requested-With
header for the value 'XMLHttpRequest', which is sent by JavaScript
libraries, such as jQuery.

PHPBB3-9716

tests/bbcode/url_bbcode_test.php

@@ -12,6 +12,7 @@ require_once dirname(__FILE__) . '/../../phpBB/includes/functions_content.php';
 require_once dirname(__FILE__) . '/../../phpBB/includes/bbcode.php';
 require_once dirname(__FILE__) . '/../../phpBB/includes/message_parser.php';
 require_once dirname(__FILE__) . '/../mock_user.php';
+require_once dirname(__FILE__) . '/../mock/request.php';
 
 class phpbb_url_bbcode_test extends phpbb_test_case
 {
@@ -51,8 +52,9 @@ class phpbb_url_bbcode_test extends phpbb_test_case
 	*/
 	public function test_url($description, $message, $expected)
 	{
-		global $user;
+		global $user, $request;
 		$user = new phpbb_mock_user;
+		$request = new phpbb_mock_request;
 
 		$bbcode = new bbcode_firstpass();
 		$bbcode->message = $message;

tests/download/http_byte_range_test.php

@@ -8,23 +8,27 @@
 */
 
 require_once dirname(__FILE__) . '/../../phpBB/includes/functions_download.php';
+require_once dirname(__FILE__) . '/../mock/request.php';
 
 class phpbb_download_http_byte_range_test extends phpbb_test_case
 {
 	public function test_find_range_request()
 	{
 		// Missing 'bytes=' prefix
-		$_SERVER['HTTP_RANGE'] = 'bztes=';
+		$GLOBALS['request'] = new phpbb_mock_request();
+		$GLOBALS['request']->set_header('Range', 'bztes=');
 		$this->assertEquals(false, phpbb_find_range_request());
-		unset($_SERVER['HTTP_RANGE']);
+		unset($GLOBALS['request']);
 
+		$GLOBALS['request'] = new phpbb_mock_request();
 		$_ENV['HTTP_RANGE'] = 'bztes=';
 		$this->assertEquals(false, phpbb_find_range_request());
 		unset($_ENV['HTTP_RANGE']);
 
-		$_SERVER['HTTP_RANGE'] = 'bytes=0-0,123-125';
+		$GLOBALS['request'] = new phpbb_mock_request();
+		$GLOBALS['request']->set_header('Range', 'bytes=0-0,123-125');
 		$this->assertEquals(array('0-0', '123-125'), phpbb_find_range_request());
-		unset($_SERVER['HTTP_RANGE']);
+		unset($GLOBALS['request']);
 	}
 
 	/**

tests/mock/request.php

@@ -11,12 +11,13 @@ class phpbb_mock_request implements phpbb_request_interface
 {
 	protected $data;
 
-	public function __construct($get = array(), $post = array(), $cookie = array(), $request = false)
+	public function __construct($get = array(), $post = array(), $cookie = array(), $server = array(), $request = false)
 	{
 		$this->data[phpbb_request_interface::GET] = $get;
 		$this->data[phpbb_request_interface::POST] = $post;
 		$this->data[phpbb_request_interface::COOKIE] = $cookie;
 		$this->data[phpbb_request_interface::REQUEST] = ($request === false) ? $post + $get : $request;
+		$this->data[phpbb_request_interface::SERVER] = $server;
 	}
 
 	public function overwrite($var_name, $value, $super_global = phpbb_request_interface::REQUEST)
@@ -24,11 +25,23 @@ class phpbb_mock_request implements phpbb_request_interface
 		$this->data[$super_global][$var_name] = $value;
 	}
 
-	public function variable($var_name, $default, $multibyte = false, $super_global = phpbb_request_interface::REQUEST)
+	public function variable($var_name, $default, $multibyte = false, $super_global = phpbb_request_interface::REQUEST, $html_encode = true)
 	{
 		return isset($this->data[$super_global][$var_name]) ? $this->data[$super_global][$var_name] : $default;
 	}
 
+	public function server($var_name, $default = '', $html_encode = false)
+	{
+		$super_global = phpbb_request_interface::SERVER;
+		return isset($this->data[$super_global][$var_name]) ? $this->data[$super_global][$var_name] : $default;
+	}
+
+	public function header($header_name, $default = '', $html_encode = false)
+	{
+		$var_name = 'HTTP_'.str_replace('-', '_', strtoupper($header_name));
+		return $this->server($var_name, $default, $html_encode);
+	}
+
 	public function is_set_post($name)
 	{
 		return $this->is_set($name, phpbb_request_interface::POST);
@@ -39,8 +52,26 @@ class phpbb_mock_request implements phpbb_request_interface
 		return isset($this->data[$super_global][$var]);
 	}
 
+	public function is_ajax()
+	{
+		return false;
+	}
+
 	public function variable_names($super_global = phpbb_request_interface::REQUEST)
 	{
 		return array_keys($this->data[$super_global]);
 	}
+
+	/* custom methods */
+
+	public function set_header($header_name, $value)
+	{
+		$var_name = 'HTTP_'.str_replace('-', '_', strtoupper($header_name));
+		$this->data[phpbb_request_interface::SERVER][$var_name] = $value;
+	}
+
+	public function merge($super_global = phpbb_request_interface::REQUEST, $values)
+	{
+		$this->data[$super_global] = array_merge($this->data[$super_global], $values);
+	}
 }

tests/request/request_test.php

@@ -23,7 +23,6 @@ class phpbb_request_test extends phpbb_test_case
 		$_GET['unset'] = '';
 
 		$this->type_cast_helper = $this->getMock('phpbb_request_type_cast_helper_interface');
-
 		$this->request = new phpbb_request($this->type_cast_helper);
 	}
 
@@ -60,6 +59,20 @@ class phpbb_request_test extends phpbb_test_case
 		$this->assertFalse($this->request->is_set_post('unset'));
 	}
 
+	public function test_is_ajax_without_ajax()
+	{
+		$this->assertFalse($this->request->is_ajax());
+	}
+
+	public function test_is_ajax_with_ajax()
+	{
+		$this->request->enable_super_globals();
+		$_SERVER['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest';
+		$this->request = new phpbb_request($this->type_cast_helper);
+
+		$this->assertTrue($this->request->is_ajax());
+	}
+
 	public function test_variable_names()
 	{
 		$expected = array('test', 'unset');

tests/request/type_cast_helper_test.php

@@ -48,4 +48,14 @@ class phpbb_type_cast_helper_test extends phpbb_test_case
 
 		$this->assertEquals($expected, $data);
 	}
+
+	public function test_simple_set_var_without_html_encoding()
+	{
+		$data = 'eviL<3';
+		$expected = 'eviL<3';
+
+		$this->type_cast_helper->recursive_set_var($data, '', true, false);
+
+		$this->assertEquals($expected, $data);
+	}
 }

tests/security/base.php

@@ -7,6 +7,8 @@
 *
 */
 
+require_once dirname(__FILE__) . '/../mock/request.php';
+
 abstract class phpbb_security_test_base extends phpbb_test_case
 {
 	/**
@@ -14,20 +16,20 @@ abstract class phpbb_security_test_base extends phpbb_test_case
 	*/
 	protected function setUp()
 	{
-		global $user, $phpbb_root_path;
+		global $user, $phpbb_root_path, $request;
 
 		// Put this into a global function being run by every test to init a proper user session
-		$_SERVER['HTTP_HOST']		= 'localhost';
-		$_SERVER['SERVER_NAME']		= 'localhost';
-		$_SERVER['SERVER_ADDR']		= '127.0.0.1';
-		$_SERVER['SERVER_PORT']		= 80;
-		$_SERVER['REMOTE_ADDR']		= '127.0.0.1';
-		$_SERVER['QUERY_STRING']	= '';
-		$_SERVER['REQUEST_URI']		= '/tests/';
-		$_SERVER['SCRIPT_NAME']		= '/tests/index.php';
-		$_SERVER['PHP_SELF']		= '/tests/index.php';
-		$_SERVER['HTTP_USER_AGENT']	= 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
-		$_SERVER['HTTP_ACCEPT_LANGUAGE']	= 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
+		$server['HTTP_HOST']		= 'localhost';
+		$server['SERVER_NAME']		= 'localhost';
+		$server['SERVER_ADDR']		= '127.0.0.1';
+		$server['SERVER_PORT']		= 80;
+		$server['REMOTE_ADDR']		= '127.0.0.1';
+		$server['QUERY_STRING']	= '';
+		$server['REQUEST_URI']		= '/tests/';
+		$server['SCRIPT_NAME']		= '/tests/index.php';
+		$server['PHP_SELF']		= '/tests/index.php';
+		$server['HTTP_USER_AGENT']	= 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
+		$server['HTTP_ACCEPT_LANGUAGE']	= 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
 
 /*
 		[HTTP_ACCEPT_ENCODING] => gzip,deflate
@@ -36,13 +38,15 @@ abstract class phpbb_security_test_base extends phpbb_test_case
 		[SCRIPT_FILENAME] => /var/www/tests/index.php
 */
 
+		$request = new phpbb_mock_request(array(), array(), array(), $server);
+
 		// Set no user and trick a bit to circumvent errors
 		$user = new user();
 		$user->lang = true;
-		$user->browser				= (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
-		$user->referer				= (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : '';
-		$user->forwarded_for		= (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
-		$user->host					= (!empty($_SERVER['HTTP_HOST'])) ? (string) strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
+		$user->browser				= $server['HTTP_USER_AGENT'];
+		$user->referer				= '';
+		$user->forwarded_for		= '';
+		$user->host					= $server['HTTP_HOST'];
 		$user->page = session::extract_current_page($phpbb_root_path);
 	}
 

tests/security/extract_current_page_test.php

@@ -27,8 +27,12 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 	*/
 	public function test_query_string_php_self($url, $query_string, $expected)
 	{
-		$_SERVER['PHP_SELF'] = $url;
-		$_SERVER['QUERY_STRING'] = $query_string;
+		global $request;
+
+		$request->merge(phpbb_request_interface::SERVER, array(
+			'PHP_SELF'	=> $url,
+			'QUERY_STRING'	=> $query_string,
+		));
 
 		$result = session::extract_current_page('./');
 
@@ -41,8 +45,12 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 	*/
 	public function test_query_string_request_uri($url, $query_string, $expected)
 	{
-		$_SERVER['REQUEST_URI'] = $url . '?' . $query_string;
-		$_SERVER['QUERY_STRING'] = $query_string;
+		global $request;
+
+		$request->merge(phpbb_request_interface::SERVER, array(
+			'PHP_SELF'	=> $url,
+			'QUERY_STRING'	=> $query_string,
+		));
 
 		$result = session::extract_current_page('./');