Merge remote-tracking branch 'github-igorw/feature/request-class' into develop

* github-igorw/feature/request-class: [feature/request-class] Fix session_testable_factory [feature/request-class] Adjust code base to do html decoding manually [feature/request-class] Remove $html_encode arg, force manual decoding [feature/request-class] Do not html escape user agent in header_filename [feature/request-class] Make use of the is_secure() method [feature/request-class] Add is_secure method to request for HTTPS [feature/request-class] Make server() use the $html_encode parameter [feature/request-class] Remove useless condition [feature/request-class] Minor spacing CS adjustments [feature/request-class] Add server(), header() and is_ajax() to request
2025-06-17 16:58:51 +00:00 · 2011-08-18 19:15:00 -04:00 · 2011-08-18 19:15:00 -04:00 · 052e33823b
commit 052e33823b
parent d06dcd69e6 b05382d226
23 changed files with 363 additions and 144 deletions
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@ -63,7 +63,7 @@ if (isset($_GET['avatar']))
 	unset($dbpasswd);
 	// worst-case default
-	$browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : 'msie 6.0';
+	$browser = strtolower($request->header('User-Agent', 'msie 6.0'));
 	$config = new phpbb_config_db($db, $cache->get_driver(), CONFIG_TABLE);
 	set_config(null, null, null, $config);
--- a/phpBB/includes/acp/acp_database.php
+++ b/phpBB/includes/acp/acp_database.php
@ -486,6 +486,8 @@ class base_extractor
 	function base_extractor($download = false, $store = false, $format, $filename, $time)
 	{
 		global $request;
 		$this->download = $download;
 		$this->store = $store;
 		$this->time = $time;
@ -530,7 +532,7 @@ class base_extractor
 				break;
 				case 'gzip':
-					if ((isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== false) && strpos(strtolower($_SERVER['HTTP_USER_AGENT']), 'msie') === false)
+					if (strpos($request->header('Accept-Encoding'), 'gzip') !== false && strpos(strtolower($request->header('User-Agent')), 'msie') === false)
 					{
 						ob_start('ob_gzhandler');
 					}
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@ -28,9 +28,9 @@ if (!defined('IN_PHPBB'))
 */
 function init_apache()
 {
-	global $user;
+	global $user, $request;
-	if (!isset($_SERVER['PHP_AUTH_USER']) || $user->data['username'] !== $_SERVER['PHP_AUTH_USER'])
+	if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $user->data['username'] !== htmlspecialchars_decode($request->server('PHP_AUTH_USER')))
 	{
 		return $user->lang['APACHE_SETUP_BEFORE_USE'];
 	}
@ -42,7 +42,7 @@ function init_apache()
 */
 function login_apache(&$username, &$password)
 {
-	global $db;
+	global $db, $request;
 	// do not allow empty password
 	if (!$password)
@ -63,7 +63,7 @@ function login_apache(&$username, &$password)
 		);
 	}
-	if (!isset($_SERVER['PHP_AUTH_USER']))
+	if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER))
 	{
 		return array(
 			'status'		=> LOGIN_ERROR_EXTERNAL_AUTH,
@ -72,8 +72,8 @@ function login_apache(&$username, &$password)
 		);
 	}
-	$php_auth_user = $_SERVER['PHP_AUTH_USER'];
+	$php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER'));
-	$php_auth_pw = $_SERVER['PHP_AUTH_PW'];
+	$php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW'));
 	if (!empty($php_auth_user) && !empty($php_auth_pw))
 	{
@ -136,15 +136,15 @@ function login_apache(&$username, &$password)
 */
 function autologin_apache()
 {
-	global $db;
+	global $db, $request;
-	if (!isset($_SERVER['PHP_AUTH_USER']))
+	if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER))
 	{
 		return array();
 	}
-	$php_auth_user = $_SERVER['PHP_AUTH_USER'];
+	$php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER'));
-	$php_auth_pw = $_SERVER['PHP_AUTH_PW'];
+	$php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW'));
 	if (!empty($php_auth_user) && !empty($php_auth_pw))
 	{
@ -228,11 +228,12 @@ function user_row_apache($username, $password)
 */
 function validate_session_apache(&$user)
 {
 	global $request;
 	// Check if PHP_AUTH_USER is set and handle this case
-	if (isset($_SERVER['PHP_AUTH_USER']))
+	if ($request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER))
 	{
-		$php_auth_user = '';
+		$php_auth_user = $request->server('PHP_AUTH_USER');
 		set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string', true);
 		return ($php_auth_user === $user['username']) ? true : false;
 	}
--- a/phpBB/includes/captcha/plugins/phpbb_recaptcha_plugin.php
+++ b/phpBB/includes/captcha/plugins/phpbb_recaptcha_plugin.php
@ -41,7 +41,8 @@ class phpbb_recaptcha extends phpbb_default_captcha
 	// PHP4 Constructor
 	function phpbb_recaptcha()
 	{
-		$this->recaptcha_server = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? $this->recaptcha_server_secure : $this->recaptcha_server;
+		global $request;
 		$this->recaptcha_server = $request->is_secure() ? $this->recaptcha_server_secure : $this->recaptcha_server;
 	}
 	function init($type)
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@ -830,6 +830,8 @@ function phpbb_is_absolute($path)
 */
 function phpbb_own_realpath($path)
 {
 	global $request;
 	// Now to perform funky shizzle
 	// Switch to use UNIX slashes
@ -873,11 +875,12 @@ function phpbb_own_realpath($path)
 				$path_prefix = '';
 			}
 		}
-		else if (isset($_SERVER['SCRIPT_FILENAME']) && !empty($_SERVER['SCRIPT_FILENAME']))
+		else if ($request->server('SCRIPT_FILENAME'))
 		{
 			// Warning: If chdir() has been used this will lie!
 			// Warning: This has some problems sometime (CLI can create them easily)
-			$path = str_replace(DIRECTORY_SEPARATOR, '/', dirname($_SERVER['SCRIPT_FILENAME'])) . '/' . $path;
+			$filename = htmlspecialchars_decode($request->server('SCRIPT_FILENAME'));
 			$path = str_replace(DIRECTORY_SEPARATOR, '/', dirname($filename)) . '/' . $path;
 			$absolute = true;
 			$path_prefix = '';
 		}
@ -2097,10 +2100,10 @@ function append_sid($url, $params = false, $is_amp = true, $session_id = false)
 */
 function generate_board_url($without_script_path = false)
 {
-	global $config, $user;
+	global $config, $user, $request;
 	$server_name = $user->host;
-	$server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT');
+	$server_port = $request->server('SERVER_PORT', 0);
 	// Forcing server vars is the only way to specify/override the protocol
 	if ($config['force_server_vars'] || !$server_name)
@ -2116,7 +2119,7 @@ function generate_board_url($without_script_path = false)
 	else
 	{
 		// Do not rely on cookie_secure, users seem to think that it means a secured cookie instead of an encrypted connection
-		$cookie_secure = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 1 : 0;
+		$cookie_secure = $request->is_secure() ? 1 : 0;
 		$url = (($cookie_secure) ? 'https://' : 'http://') . $server_name;
 		$script_path = $user->page['root_script_path'];
@ -2468,6 +2471,8 @@ function meta_refresh($time, $url, $disable_cd_check = false)
 */
 function send_status_line($code, $message)
 {
 	global $request;
 	if (substr(strtolower(@php_sapi_name()), 0, 3) === 'cgi')
 	{
 		// in theory, we shouldn't need that due to php doing it. Reality offers a differing opinion, though
@ -2475,9 +2480,9 @@ function send_status_line($code, $message)
 	}
 	else
 	{
-		if (!empty($_SERVER['SERVER_PROTOCOL']))
+		if ($request->server('SERVER_PROTOCOL'))
 		{
-			$version = $_SERVER['SERVER_PROTOCOL'];
+			$version = $request->server('SERVER_PROTOCOL');
 		}
 		else
 		{
@ -4196,7 +4201,7 @@ function phpbb_optionset($bit, $set, $data)
 */
 function phpbb_http_login($param)
 {
-	global $auth, $user;
+	global $auth, $user, $request;
 	global $config;
 	$param_defaults = array(
@ -4236,9 +4241,9 @@ function phpbb_http_login($param)
 	$username = null;
 	foreach ($username_keys as $k)
 	{
-		if (isset($_SERVER[$k]))
+		if ($request->is_set($k, phpbb_request_interface::SERVER))
 		{
-			$username = $_SERVER[$k];
+			$username = htmlspecialchars_decode($request->server($k));
 			break;
 		}
 	}
@ -4246,9 +4251,9 @@ function phpbb_http_login($param)
 	$password = null;
 	foreach ($password_keys as $k)
 	{
-		if (isset($_SERVER[$k]))
+		if ($request->is_set($k, phpbb_request_interface::SERVER))
 		{
-			$password = $_SERVER[$k];
+			$password = htmlspecialchars_decode($request->server($k));
 			break;
 		}
 	}
--- a/phpBB/includes/functions_download.php
+++ b/phpBB/includes/functions_download.php
@ -274,7 +274,9 @@ function send_file_to_browser($attachment, $upload_dir, $category)
 */
 function header_filename($file)
 {
-	$user_agent = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
+	global $request;
 	$user_agent = $request->header('User-Agent');
 	// There be dragons here.
 	// Not many follows the RFC...
@ -292,14 +294,14 @@ function header_filename($file)
 */
 function download_allowed()
 {
-	global $config, $user, $db;
+	global $config, $user, $db, $request;
 	if (!$config['secure_downloads'])
 	{
 		return true;
 	}
-	$url = (!empty($_SERVER['HTTP_REFERER'])) ? trim($_SERVER['HTTP_REFERER']) : trim(getenv('HTTP_REFERER'));
+	$url = htmlspecialchars_decode($request->header('Referer'));
 	if (!$url)
 	{
@ -404,8 +406,10 @@ function download_allowed()
 */
 function set_modified_headers($stamp, $browser)
 {
 	global $request;
 	// let's see if we have to send the file at all
-	$last_load 	=  isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? strtotime(trim($_SERVER['HTTP_IF_MODIFIED_SINCE'])) : false;
+	$last_load 	=  $request->header('Modified-Since') ? strtotime(trim($request->header('Modified-Since'))) : false;
 	if ((strpos(strtolower($browser), 'msie 6.0') === false) && (strpos(strtolower($browser), 'msie 8.0') === false))
 	{
 		if ($last_load !== false && $last_load >= $stamp)
@ -478,7 +482,7 @@ function phpbb_http_byte_range($filesize)
 }
 /**
-* Searches for HTTP range request in super globals.
+* Searches for HTTP range request in request headers.
 *
 * @return mixed		false if no request found
 *					array of strings containing the requested ranges otherwise
@ -486,23 +490,16 @@ function phpbb_http_byte_range($filesize)
 */
 function phpbb_find_range_request()
 {
-	$globals = array(
+	global $request;
 		array('_SERVER',	'HTTP_RANGE'),
 		array('_ENV',		'HTTP_RANGE'),
 	);
-	foreach ($globals as $array)
+	$value = $request->header('Range');
 	{
 		$global	= $array[0];
 		$key	= $array[1];
 	// Make sure range request starts with "bytes="
-		if (isset($GLOBALS[$global][$key]) && strpos($GLOBALS[$global][$key], 'bytes=') === 0)
+	if (strpos($value, 'bytes=') === 0)
 	{
 		// Strip leading 'bytes='
 		// Multiple ranges can be separated by a comma
-			return explode(',', substr($GLOBALS[$global][$key], 6));
+		return explode(',', substr($value, 6));
 		}
 	}
 	return false;
--- a/phpBB/includes/functions_messenger.php
+++ b/phpBB/includes/functions_messenger.php
@ -334,7 +334,7 @@ class messenger
 	*/
 	function error($type, $msg)
 	{
-		global $user, $phpEx, $phpbb_root_path, $config;
+		global $user, $phpEx, $phpbb_root_path, $config, $request;
 		// Session doesn't exist, create it
 		if (!isset($user->session_id) || $user->session_id === '')
@ -342,7 +342,7 @@ class messenger
 			$user->session_begin();
 		}
-		$calling_page = (!empty($_SERVER['PHP_SELF'])) ? $_SERVER['PHP_SELF'] : $_ENV['PHP_SELF'];
+		$calling_page = htmlspecialchars_decode($request->server('PHP_SELF'));
 		$message = '';
 		switch ($type)
--- a/phpBB/includes/questionnaire/questionnaire.php
+++ b/phpBB/includes/questionnaire/questionnaire.php
@ -148,23 +148,15 @@ class phpbb_questionnaire_system_data_provider
 	*/
 	function get_data()
 	{
 		global $request;
 		// Start discovering the IPV4 server address, if available
-		$server_address = '0.0.0.0';
+		// Try apache, IIS, fall back to 0.0.0.0
-
+		$server_address = htmlspecialchars_decode($request->server('SERVER_ADDR', $request->server('LOCAL_ADDR', '0.0.0.0')));
 		if (!empty($_SERVER['SERVER_ADDR']))
 		{
 			$server_address = $_SERVER['SERVER_ADDR'];
 		}
 		// Running on IIS?
 		if (!empty($_SERVER['LOCAL_ADDR']))
 		{
 			$server_address = $_SERVER['LOCAL_ADDR'];
 		}
 		return array(
 			'os'	=> PHP_OS,
-			'httpd'	=> $_SERVER['SERVER_SOFTWARE'],
+			'httpd'	=> htmlspecialchars_decode($request->server('SERVER_SOFTWARE')),
 			// we don't want the real IP address (for privacy policy reasons) but only
 			// a network address to see whether your installation is running on a private or public network.
 			'private_ip'	=> $this->is_private_ip($server_address),
@ -482,7 +474,7 @@ class phpbb_questionnaire_phpbb_data_provider
 			}
 		}
-		global $db;
+		global $db, $request;
 		$result['dbms'] = $dbms;
 		$result['acm_type'] = $acm_type;
@ -492,7 +484,7 @@ class phpbb_questionnaire_phpbb_data_provider
 		// Try to get user agent vendor and version
 		$match = array();
-		$user_agent = (!empty($_SERVER['HTTP_USER_AGENT'])) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';
+		$user_agent = $request->header('User-Agent');
 		$agents = array('firefox', 'msie', 'opera', 'chrome', 'safari', 'mozilla', 'seamonkey', 'konqueror', 'netscape', 'gecko', 'navigator', 'mosaic', 'lynx', 'amaya', 'omniweb', 'avant', 'camino', 'flock', 'aol');
 		// We check here 1 by 1 because some strings occur after others (for example Mozilla [...] Firefox/)
--- a/phpBB/includes/request/interface.php
+++ b/phpBB/includes/request/interface.php
@ -29,6 +29,7 @@ interface phpbb_request_interface
 	const GET = 1;
 	const REQUEST = 2;
 	const COOKIE = 3;
 	const SERVER = 4;
 	/**#@-*/
 	/**
@ -66,6 +67,26 @@ interface phpbb_request_interface
 	*/
 	public function variable($var_name, $default, $multibyte = false, $super_global = phpbb_request_interface::REQUEST);
 	/**
 	* Shortcut method to retrieve SERVER variables.
 	*
 	* @param	string|array	$var_name		See phpbb_request_interface::variable
 	* @param	mixed			$default		See phpbb_request_interface::variable
 	*
 	* @return	mixed	The server variable value.
 	*/
 	public function server($var_name, $default = '');
 	/**
 	* Shortcut method to retrieve the value of client HTTP headers.
 	*
 	* @param	string|array	$header_name	The name of the header to retrieve.
 	* @param	mixed			$default		See phpbb_request_interface::variable
 	*
 	* @return	mixed	The header value.
 	*/
 	public function header($var_name, $default = '');
 	/**
 	* Checks whether a certain variable was sent via POST.
 	* To make sure that a request was sent using POST you should call this function
@ -90,6 +111,20 @@ interface phpbb_request_interface
 	*/
 	public function is_set($var, $super_global = phpbb_request_interface::REQUEST);
 	/**
 	* Checks whether the current request is an AJAX request (XMLHttpRequest)
 	*
 	* @return	bool			True if the current request is an ajax request
 	*/
 	public function is_ajax();
 	/**
 	* Checks if the current request is happening over HTTPS.
 	*
 	* @return	bool			True if the request is secure.
 	*/
 	public function is_secure();
 	/**
 	* Returns all variable names for a given super global
 	*
--- a/phpBB/includes/request/request.php
+++ b/phpBB/includes/request/request.php
@ -32,7 +32,8 @@ class phpbb_request implements phpbb_request_interface
 		phpbb_request_interface::POST => '_POST',
 		phpbb_request_interface::GET => '_GET',
 		phpbb_request_interface::REQUEST => '_REQUEST',
-		phpbb_request_interface::COOKIE => '_COOKIE'
+		phpbb_request_interface::COOKIE => '_COOKIE',
 		phpbb_request_interface::SERVER => '_SERVER',
 	);
 	/**
@ -241,6 +242,47 @@ class phpbb_request implements phpbb_request_interface
 		return $var;
 	}
 	/**
 	* Shortcut method to retrieve SERVER variables.
 	*
 	* Also fall back to getenv(), some CGI setups may need it (probably not, but
 	* whatever).
 	*
 	* @param	string|array	$var_name		See phpbb_request_interface::variable
 	* @param	mixed			$Default		See phpbb_request_interface::variable
 	*
 	* @return	mixed	The server variable value.
 	*/
 	public function server($var_name, $default = '')
 	{
 		$multibyte = true;
 		if ($this->is_set($var_name, phpbb_request_interface::SERVER))
 		{
 			return $this->variable($var_name, $default, $multibyte, phpbb_request_interface::SERVER);
 		}
 		else
 		{
 			$var = getenv($var_name);
 			$this->type_cast_helper->recursive_set_var($var, $default, $multibyte);
 			return $var;
 		}
 	}
 	/**
 	* Shortcut method to retrieve the value of client HTTP headers.
 	*
 	* @param	string|array	$header_name	The name of the header to retrieve.
 	* @param	mixed			$default		See phpbb_request_interface::variable
 	*
 	* @return	mixed	The header value.
 	*/
 	public function header($header_name, $default = '')
 	{
 		$var_name = 'HTTP_' . str_replace('-', '_', strtoupper($header_name));
 		return $this->server($var_name, $default);
 	}
 	/**
 	* Checks whether a certain variable was sent via POST.
 	* To make sure that a request was sent using POST you should call this function
@ -271,6 +313,26 @@ class phpbb_request implements phpbb_request_interface
 		return isset($this->input[$super_global][$var]);
 	}
 	/**
 	* Checks whether the current request is an AJAX request (XMLHttpRequest)
 	*
 	* @return	bool			True if the current request is an ajax request
 	*/
 	public function is_ajax()
 	{
 		return $this->header('X-Requested-With') == 'XMLHttpRequest';
 	}
 	/**
 	* Checks if the current request is happening over HTTPS.
 	*
 	* @return	bool			True if the request is secure.
 	*/
 	public function is_secure()
 	{
 		return $this->server('HTTPS') == 'on';
 	}
 	/**
 	* Returns all variable names for a given super global
 	*
--- a/phpBB/includes/request/type_cast_helper.php
+++ b/phpBB/includes/request/type_cast_helper.php
@ -101,7 +101,8 @@ class phpbb_request_type_cast_helper implements phpbb_request_type_cast_helper_i
 		if ($type == 'string')
 		{
-			$result = trim(htmlspecialchars(str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $result), ENT_COMPAT, 'UTF-8'));
+			$result = trim(str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $result));
 			$result = htmlspecialchars($result, ENT_COMPAT, 'UTF-8');
 			if ($multibyte)
 			{
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@ -41,16 +41,18 @@ class session
 	*/
 	static function extract_current_page($root_path)
 	{
 		global $request;
 		$page_array = array();
 		// First of all, get the request uri...
-		$script_name = (!empty($_SERVER['PHP_SELF'])) ? $_SERVER['PHP_SELF'] : getenv('PHP_SELF');
+		$script_name = htmlspecialchars_decode($request->server('PHP_SELF'));
-		$args = (!empty($_SERVER['QUERY_STRING'])) ? explode('&', $_SERVER['QUERY_STRING']) : explode('&', getenv('QUERY_STRING'));
+		$args = explode('&', htmlspecialchars_decode($request->server('QUERY_STRING')));
 		// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
 		if (!$script_name)
 		{
-			$script_name = (!empty($_SERVER['REQUEST_URI'])) ? $_SERVER['REQUEST_URI'] : getenv('REQUEST_URI');
+			$script_name = htmlspecialchars_decode($request->server('REQUEST_URI'));
 			$script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
 			$page_array['failover'] = 1;
 		}
@ -141,10 +143,10 @@ class session
 	*/
 	function extract_current_hostname()
 	{
-		global $config;
+		global $config, $request;
 		// Get hostname
-		$host = (!empty($_SERVER['HTTP_HOST'])) ? $_SERVER['HTTP_HOST'] : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
+		$host = htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME')));
 		// Should be a string and lowered
 		$host = (string) strtolower($host);
@ -212,9 +214,9 @@ class session
 		$this->time_now				= time();
 		$this->cookie_data			= array('u' => 0, 'k' => '');
 		$this->update_session_page	= $update_session_page;
-		$this->browser				= (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
+		$this->browser				= $request->header('User-Agent');
-		$this->referer				= (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : '';
+		$this->referer				= $request->header('Referer');
-		$this->forwarded_for		= (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? htmlspecialchars((string) $_SERVER['HTTP_X_FORWARDED_FOR']) : '';
+		$this->forwarded_for		= $request->header('X-Forwarded-For');
 		$this->host					= $this->extract_current_hostname();
 		$this->page					= $this->extract_current_page($phpbb_root_path);
@ -268,7 +270,7 @@ class session
 		// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
 		// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
-		$this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? (string) $_SERVER['REMOTE_ADDR'] : '';
+		$this->ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'));
 		$this->ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->ip));
 		// split the list of IPs
@ -382,7 +384,7 @@ class session
 				$referer_valid = true;
 				// we assume HEAD and TRACE to be foul play and thus only whitelist GET
-				if (@$config['referer_validation'] && isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) !== 'get')
+				if (@$config['referer_validation'] && strtolower($request->server('REQUEST_METHOD')) !== 'get')
 				{
 					$referer_valid = $this->validate_referer($check_referer_path);
 				}
@ -1449,7 +1451,7 @@ class session
 	*/
 	function validate_referer($check_script_path = false)
 	{
-		global $config;
+		global $config, $request;
 		// no referer - nothing to validate, user's fault for turning it off (we only check on POST; so meta can't be the reason)
 		if (empty($this->referer) || empty($this->host))
@ -1467,7 +1469,7 @@ class session
 		else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '')
 		{
 			$ref = substr($ref, strlen($host));
-			$server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT');
+			$server_port = $request->server('SERVER_PORT', 0);
 			if ($server_port !== 80 && $server_port !== 443 && stripos($ref, ":$server_port") === 0)
 			{
@ -1592,9 +1594,9 @@ class user extends session
 			* If re-enabled we need to make sure only those languages installed are checked
 			* Commented out so we do not loose the code.
-			if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']))
+			if ($request->header('Accept-Language'))
 			{
-				$accept_lang_ary = explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']);
+				$accept_lang_ary = explode(',', $request->header('Accept-Language'));
 				foreach ($accept_lang_ary as $accept_lang)
 				{
--- a/phpBB/install/database_update.php
+++ b/phpBB/install/database_update.php
@ -143,9 +143,9 @@ $db->sql_connect($dbhost, $dbuser, $dbpasswd, $dbname, $dbport, false, false);
 unset($dbpasswd);
 $user->ip = '';
-if (!empty($_SERVER['REMOTE_ADDR']))
+if ($request->server('REMOTE_ADDR'))
 {
-	$user->ip = (function_exists('phpbb_ip_normalise')) ? phpbb_ip_normalise($_SERVER['REMOTE_ADDR']) : htmlspecialchars($_SERVER['REMOTE_ADDR']);
+	$user->ip = (function_exists('phpbb_ip_normalise')) ? phpbb_ip_normalise($request->server('REMOTE_ADDR')) : $request->server('REMOTE_ADDR');
 }
 $sql = "SELECT config_value
--- a/phpBB/install/index.php
+++ b/phpBB/install/index.php
@ -98,9 +98,9 @@ request_var('', 0, false, false, $request); // "dependency injection" for a func
 // Try and load an appropriate language if required
 $language = basename(request_var('language', ''));
-if (!empty($_SERVER['HTTP_ACCEPT_LANGUAGE']) && !$language)
+if ($request->header('Accept-Language') && !$language)
 {
-	$accept_lang_ary = explode(',', strtolower($_SERVER['HTTP_ACCEPT_LANGUAGE']));
+	$accept_lang_ary = explode(',', strtolower($request->header('Accept-Language')));
 	foreach ($accept_lang_ary as $accept_lang)
 	{
 		// Set correct format ... guess full xx_yy form
@ -427,15 +427,17 @@ class module
 	*/
 	function redirect($page)
 	{
-		// HTTP_HOST is having the correct browser url in most cases...
+		global $request;
 		$server_name = (!empty($_SERVER['HTTP_HOST'])) ? strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
 		$server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT');
 		$secure = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 1 : 0;
-		$script_name = (!empty($_SERVER['PHP_SELF'])) ? $_SERVER['PHP_SELF'] : getenv('PHP_SELF');
+		// HTTP_HOST is having the correct browser url in most cases...
 		$server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME'))));
 		$server_port = $request->server('SERVER_PORT', 0);
 		$secure = $request->is_secure() ? 1 : 0;
 		$script_name = htmlspecialchars_decode($request->server('PHP_SELF'));
 		if (!$script_name)
 		{
-			$script_name = (!empty($_SERVER['REQUEST_URI'])) ? $_SERVER['REQUEST_URI'] : getenv('REQUEST_URI');
+			$script_name = htmlspecialchars_decode($request->server('REQUEST_URI'));
 		}
 		// Replace backslashes and doubled slashes (could happen on some proxy setups)
--- a/phpBB/install/install_install.php
+++ b/phpBB/install/install_install.php
@ -999,7 +999,7 @@ class install_install extends module
 	*/
 	function obtain_advanced_settings($mode, $sub)
 	{
-		global $lang, $template, $phpEx;
+		global $lang, $template, $phpEx, $request;
 		$this->page_title = $lang['STAGE_ADVANCED'];
@ -1017,7 +1017,7 @@ class install_install extends module
 		$s_hidden_fields .= '<input type="hidden" name="language" value="' . $data['language'] . '" />';
 		// HTTP_HOST is having the correct browser url in most cases...
-		$server_name = (!empty($_SERVER['HTTP_HOST'])) ? strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
+		$server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME'))));
 		// HTTP HOST can carry a port number...
 		if (strpos($server_name, ':') !== false)
@ -1027,16 +1027,16 @@ class install_install extends module
 		$data['email_enable'] = ($data['email_enable'] !== '') ? $data['email_enable'] : true;
 		$data['server_name'] = ($data['server_name'] !== '') ? $data['server_name'] : $server_name;
-		$data['server_port'] = ($data['server_port'] !== '') ? $data['server_port'] : ((!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT'));
+		$data['server_port'] = ($data['server_port'] !== '') ? $data['server_port'] : $request->server('SERVER_PORT', 0);
-		$data['server_protocol'] = ($data['server_protocol'] !== '') ? $data['server_protocol'] : ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://');
+		$data['server_protocol'] = ($data['server_protocol'] !== '') ? $data['server_protocol'] : ($request->is_secure() ? 'https://' : 'http://');
-		$data['cookie_secure'] = ($data['cookie_secure'] !== '') ? $data['cookie_secure'] : ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? true : false);
+		$data['cookie_secure'] = ($data['cookie_secure'] !== '') ? $data['cookie_secure'] : $request->is_secure();
 		if ($data['script_path'] === '')
 		{
-			$name = (!empty($_SERVER['PHP_SELF'])) ? $_SERVER['PHP_SELF'] : getenv('PHP_SELF');
+			$name = htmlspecialchars_decode($request->server('PHP_SELF'));
 			if (!$name)
 			{
-				$name = (!empty($_SERVER['REQUEST_URI'])) ? $_SERVER['REQUEST_URI'] : getenv('REQUEST_URI');
+				$name = htmlspecialchars_decode($request->server('REQUEST_URI'));
 			}
 			// Replace backslashes and doubled slashes (could happen on some proxy setups)
@ -1101,7 +1101,7 @@ class install_install extends module
 	*/
 	function load_schema($mode, $sub)
 	{
-		global $db, $lang, $template, $phpbb_root_path, $phpEx;
+		global $db, $lang, $template, $phpbb_root_path, $phpEx, $request;
 		$this->page_title = $lang['STAGE_CREATE_TABLE'];
 		$s_hidden_fields = '';
@ -1117,8 +1117,8 @@ class install_install extends module
 		}
 		// HTTP_HOST is having the correct browser url in most cases...
-		$server_name = (!empty($_SERVER['HTTP_HOST'])) ? strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
+		$server_name = strtolower(htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME'))));
-		$referer = (!empty($_SERVER['HTTP_REFERER'])) ? strtolower($_SERVER['HTTP_REFERER']) : getenv('HTTP_REFERER');
+		$referer = strtolower($request->header('Referer'));
 		// HTTP HOST can carry a port number...
 		if (strpos($server_name, ':') !== false)
@ -1235,7 +1235,7 @@ class install_install extends module
 		$current_time = time();
-		$user_ip = (!empty($_SERVER['REMOTE_ADDR'])) ? phpbb_ip_normalise($_SERVER['REMOTE_ADDR']) : '';
+		$user_ip = $request->server('REMOTE_ADDR') ? phpbb_ip_normalise($request->server('REMOTE_ADDR')) : '';
 		if ($data['script_path'] !== '/')
 		{
--- a/phpBB/style.php
+++ b/phpBB/style.php
@ -152,7 +152,7 @@ if ($id)
 	if ($config['gzip_compress'])
 	{
 		// IE6 is not able to compress the style (do not ask us why!)
-		$browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? strtolower(htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT'])) : '';
+		$browser = strtolower($request->header('User-Agent'));
 		if ($browser && strpos($browser, 'msie 6.0') === false && @extension_loaded('zlib') && !headers_sent())
 		{
--- a/tests/bbcode/url_bbcode_test.php
+++ b/tests/bbcode/url_bbcode_test.php
@ -12,6 +12,7 @@ require_once dirname(__FILE__) . '/../../phpBB/includes/functions_content.php';
 require_once dirname(__FILE__) . '/../../phpBB/includes/bbcode.php';
 require_once dirname(__FILE__) . '/../../phpBB/includes/message_parser.php';
 require_once dirname(__FILE__) . '/../mock_user.php';
 require_once dirname(__FILE__) . '/../mock/request.php';
 class phpbb_url_bbcode_test extends phpbb_test_case
 {
@ -51,8 +52,9 @@ class phpbb_url_bbcode_test extends phpbb_test_case
 	*/
 	public function test_url($description, $message, $expected)
 	{
-		global $user;
+		global $user, $request;
 		$user = new phpbb_mock_user;
 		$request = new phpbb_mock_request;
 		$bbcode = new bbcode_firstpass();
 		$bbcode->message = $message;
--- a/tests/download/http_byte_range_test.php
+++ b/tests/download/http_byte_range_test.php
@ -8,23 +8,27 @@
 */
 require_once dirname(__FILE__) . '/../../phpBB/includes/functions_download.php';
 require_once dirname(__FILE__) . '/../mock/request.php';
 class phpbb_download_http_byte_range_test extends phpbb_test_case
 {
 	public function test_find_range_request()
 	{
 		// Missing 'bytes=' prefix
-		$_SERVER['HTTP_RANGE'] = 'bztes=';
+		$GLOBALS['request'] = new phpbb_mock_request();
 		$GLOBALS['request']->set_header('Range', 'bztes=');
 		$this->assertEquals(false, phpbb_find_range_request());
-		unset($_SERVER['HTTP_RANGE']);
+		unset($GLOBALS['request']);
 		$GLOBALS['request'] = new phpbb_mock_request();
 		$_ENV['HTTP_RANGE'] = 'bztes=';
 		$this->assertEquals(false, phpbb_find_range_request());
 		unset($_ENV['HTTP_RANGE']);
-		$_SERVER['HTTP_RANGE'] = 'bytes=0-0,123-125';
+		$GLOBALS['request'] = new phpbb_mock_request();
 		$GLOBALS['request']->set_header('Range', 'bytes=0-0,123-125');
 		$this->assertEquals(array('0-0', '123-125'), phpbb_find_range_request());
-		unset($_SERVER['HTTP_RANGE']);
+		unset($GLOBALS['request']);
 	}
 	/**
--- a/tests/mock/request.php
+++ b/tests/mock/request.php
@ -11,12 +11,13 @@ class phpbb_mock_request implements phpbb_request_interface
 {
 	protected $data;
-	public function __construct($get = array(), $post = array(), $cookie = array(), $request = false)
+	public function __construct($get = array(), $post = array(), $cookie = array(), $server = array(), $request = false)
 	{
 		$this->data[phpbb_request_interface::GET] = $get;
 		$this->data[phpbb_request_interface::POST] = $post;
 		$this->data[phpbb_request_interface::COOKIE] = $cookie;
 		$this->data[phpbb_request_interface::REQUEST] = ($request === false) ? $post + $get : $request;
 		$this->data[phpbb_request_interface::SERVER] = $server;
 	}
 	public function overwrite($var_name, $value, $super_global = phpbb_request_interface::REQUEST)
@ -29,6 +30,18 @@ class phpbb_mock_request implements phpbb_request_interface
 		return isset($this->data[$super_global][$var_name]) ? $this->data[$super_global][$var_name] : $default;
 	}
 	public function server($var_name, $default = '')
 	{
 		$super_global = phpbb_request_interface::SERVER;
 		return isset($this->data[$super_global][$var_name]) ? $this->data[$super_global][$var_name] : $default;
 	}
 	public function header($header_name, $default = '')
 	{
 		$var_name = 'HTTP_' . str_replace('-', '_', strtoupper($header_name));
 		return $this->server($var_name, $default);
 	}
 	public function is_set_post($name)
 	{
 		return $this->is_set($name, phpbb_request_interface::POST);
@ -39,8 +52,31 @@ class phpbb_mock_request implements phpbb_request_interface
 		return isset($this->data[$super_global][$var]);
 	}
 	public function is_ajax()
 	{
 		return false;
 	}
 	public function is_secure()
 	{
 		return false;
 	}
 	public function variable_names($super_global = phpbb_request_interface::REQUEST)
 	{
 		return array_keys($this->data[$super_global]);
 	}
 	/* custom methods */
 	public function set_header($header_name, $value)
 	{
 		$var_name = 'HTTP_' . str_replace('-', '_', strtoupper($header_name));
 		$this->data[phpbb_request_interface::SERVER][$var_name] = $value;
 	}
 	public function merge($super_global = phpbb_request_interface::REQUEST, $values)
 	{
 		$this->data[$super_global] = array_merge($this->data[$super_global], $values);
 	}
 }
--- a/tests/request/request_test.php
+++ b/tests/request/request_test.php
@ -22,8 +22,11 @@ class phpbb_request_test extends phpbb_test_case
 		$_REQUEST['test'] = 3;
 		$_GET['unset'] = '';
-		$this->type_cast_helper = $this->getMock('phpbb_request_type_cast_helper_interface');
+		$_SERVER['HTTP_HOST'] = 'example.com';
 		$_SERVER['HTTP_ACCEPT'] = 'application/json';
 		$_SERVER['HTTP_SOMEVAR'] = '<value>';
 		$this->type_cast_helper = $this->getMock('phpbb_request_type_cast_helper_interface');
 		$this->request = new phpbb_request($this->type_cast_helper);
 	}
@ -44,6 +47,44 @@ class phpbb_request_test extends phpbb_test_case
 		$this->assertEquals($_POST, $GLOBALS['_POST'], 'Checking whether $_POST can still be accessed via $GLOBALS[\'_POST\']');
 	}
 	public function test_server()
 	{
 		$this->assertEquals('example.com', $this->request->server('HTTP_HOST'));
 	}
 	public function test_server_escaping()
 	{
 		$this->type_cast_helper
 			->expects($this->once())
 			->method('recursive_set_var')
 			->with(
 				$this->anything(),
 				'',
 				true
 			);
 		$this->request->server('HTTP_SOMEVAR');
 	}
 	public function test_header()
 	{
 		$this->assertEquals('application/json', $this->request->header('Accept'));
 	}
 	public function test_header_escaping()
 	{
 		$this->type_cast_helper
 			->expects($this->once())
 			->method('recursive_set_var')
 			->with(
 				$this->anything(),
 				'',
 				true
 			);
 		$this->request->header('SOMEVAR');
 	}
 	/**
 	* Checks that directly accessing $_POST will trigger
 	* an error.
@ -60,6 +101,31 @@ class phpbb_request_test extends phpbb_test_case
 		$this->assertFalse($this->request->is_set_post('unset'));
 	}
 	public function test_is_ajax_without_ajax()
 	{
 		$this->assertFalse($this->request->is_ajax());
 	}
 	public function test_is_ajax_with_ajax()
 	{
 		$this->request->enable_super_globals();
 		$_SERVER['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest';
 		$this->request = new phpbb_request($this->type_cast_helper);
 		$this->assertTrue($this->request->is_ajax());
 	}
 	public function test_is_secure()
 	{
 		$this->assertFalse($this->request->is_secure());
 		$this->request->enable_super_globals();
 		$_SERVER['HTTPS'] = 'on';
 		$this->request = new phpbb_request($this->type_cast_helper);
 		$this->assertTrue($this->request->is_secure());
 	}
 	public function test_variable_names()
 	{
 		$expected = array('test', 'unset');
--- a/tests/security/base.php
+++ b/tests/security/base.php
@ -7,6 +7,8 @@
 *
 */
 require_once dirname(__FILE__) . '/../mock/request.php';
 abstract class phpbb_security_test_base extends phpbb_test_case
 {
 	/**
@ -14,20 +16,20 @@ abstract class phpbb_security_test_base extends phpbb_test_case
 	*/
 	protected function setUp()
 	{
-		global $user, $phpbb_root_path;
+		global $user, $phpbb_root_path, $request;
 		// Put this into a global function being run by every test to init a proper user session
-		$_SERVER['HTTP_HOST']		= 'localhost';
+		$server['HTTP_HOST']		= 'localhost';
-		$_SERVER['SERVER_NAME']		= 'localhost';
+		$server['SERVER_NAME']		= 'localhost';
-		$_SERVER['SERVER_ADDR']		= '127.0.0.1';
+		$server['SERVER_ADDR']		= '127.0.0.1';
-		$_SERVER['SERVER_PORT']		= 80;
+		$server['SERVER_PORT']		= 80;
-		$_SERVER['REMOTE_ADDR']		= '127.0.0.1';
+		$server['REMOTE_ADDR']		= '127.0.0.1';
-		$_SERVER['QUERY_STRING']	= '';
+		$server['QUERY_STRING']	= '';
-		$_SERVER['REQUEST_URI']		= '/tests/';
+		$server['REQUEST_URI']		= '/tests/';
-		$_SERVER['SCRIPT_NAME']		= '/tests/index.php';
+		$server['SCRIPT_NAME']		= '/tests/index.php';
-		$_SERVER['PHP_SELF']		= '/tests/index.php';
+		$server['PHP_SELF']		= '/tests/index.php';
-		$_SERVER['HTTP_USER_AGENT']	= 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
+		$server['HTTP_USER_AGENT']	= 'Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
-		$_SERVER['HTTP_ACCEPT_LANGUAGE']	= 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
+		$server['HTTP_ACCEPT_LANGUAGE']	= 'de-de,de;q=0.8,en-us;q=0.5,en;q=0.3';
 /*
 		[HTTP_ACCEPT_ENCODING] => gzip,deflate
@ -36,13 +38,15 @@ abstract class phpbb_security_test_base extends phpbb_test_case
 		[SCRIPT_FILENAME] => /var/www/tests/index.php
 */
 		$request = new phpbb_mock_request(array(), array(), array(), $server);
 		// Set no user and trick a bit to circumvent errors
 		$user = new user();
 		$user->lang = true;
-		$user->browser				= (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
+		$user->browser				= $server['HTTP_USER_AGENT'];
-		$user->referer				= (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : '';
+		$user->referer				= '';
-		$user->forwarded_for		= (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
+		$user->forwarded_for		= '';
-		$user->host					= (!empty($_SERVER['HTTP_HOST'])) ? (string) strtolower($_SERVER['HTTP_HOST']) : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
+		$user->host					= $server['HTTP_HOST'];
 		$user->page = session::extract_current_page($phpbb_root_path);
 	}
--- a/tests/security/extract_current_page_test.php
+++ b/tests/security/extract_current_page_test.php
@ -27,8 +27,12 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 	*/
 	public function test_query_string_php_self($url, $query_string, $expected)
 	{
-		$_SERVER['PHP_SELF'] = $url;
+		global $request;
-		$_SERVER['QUERY_STRING'] = $query_string;
+
 		$request->merge(phpbb_request_interface::SERVER, array(
 			'PHP_SELF'	=> $url,
 			'QUERY_STRING'	=> $query_string,
 		));
 		$result = session::extract_current_page('./');
@ -41,8 +45,12 @@ class phpbb_security_extract_current_page_test extends phpbb_security_test_base
 	*/
 	public function test_query_string_request_uri($url, $query_string, $expected)
 	{
-		$_SERVER['REQUEST_URI'] = $url . '?' . $query_string;
+		global $request;
-		$_SERVER['QUERY_STRING'] = $query_string;
+
 		$request->merge(phpbb_request_interface::SERVER, array(
 			'PHP_SELF'	=> $url,
 			'QUERY_STRING'	=> $query_string,
 		));
 		$result = session::extract_current_page('./');
--- a/tests/session/testable_factory.php
+++ b/tests/session/testable_factory.php
@ -73,7 +73,8 @@ class phpbb_session_testable_factory
 		$request = $this->request = new phpbb_mock_request(
 			array(),
 			array(),
-			$this->cookies
+			$this->cookies,
 			$this->server_data
 		);
 		request_var(null, null, null, null, $request);
@ -85,8 +86,6 @@ class phpbb_session_testable_factory
 		$cache = $this->cache = new phpbb_mock_cache($this->get_cache_data());
 		$SID = $_SID = null;
 		$_SERVER = $this->server_data;
 		$session = new phpbb_mock_session_testable;
 		return $session;
 	}