Improve error message for Conduit path problems

Summary:
A few people in IRC have been having issues here recently. If you misconfigure
the IRC bot, e.g., you get a 200 response back with a bunch of login HTML in it.
This is unhelpful.

Try to detect that a conduit request is going to the wrong path and raise a
concise, explicit error which is comprehensible from the CLI.

Also created a "PlainText" response and moved the IE nosniff header to the base
response object.

Test Plan: As a logged-out user, hit various nonsense with "?__conduit__=true"
in the URI. Got good error messages. Hit nonsense without it, got login screens.

Reviewers: btrahan, jungejason

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T775

Differential Revision: https://secure.phabricator.com/D1407

src/__phutil_library_map__.php

@@ -58,6 +58,7 @@ phutil_register_library_map(array(
     'AphrontPageView' => 'view/page/base',
     'AphrontPagerView' => 'view/control/pager',
     'AphrontPanelView' => 'view/layout/panel',
+    'AphrontPlainTextResponse' => 'aphront/response/plaintext',
     'AphrontQueryAccessDeniedException' => 'storage/exception/accessdenied',
     'AphrontQueryConnectionException' => 'storage/exception/connection',
     'AphrontQueryConnectionLostException' => 'storage/exception/connectionlost',
@@ -830,6 +831,7 @@ phutil_register_library_map(array(
     'AphrontPageView' => 'AphrontView',
     'AphrontPagerView' => 'AphrontView',
     'AphrontPanelView' => 'AphrontView',
+    'AphrontPlainTextResponse' => 'AphrontResponse',
     'AphrontQueryAccessDeniedException' => 'AphrontQueryRecoverableException',
     'AphrontQueryConnectionException' => 'AphrontQueryException',
     'AphrontQueryConnectionLostException' => 'AphrontQueryRecoverableException',

src/aphront/request/AphrontRequest.php

@@ -26,6 +26,7 @@ class AphrontRequest {
 
   const TYPE_AJAX = '__ajax__';
   const TYPE_FORM = '__form__';
+  const TYPE_CONDUIT = '__conduit__';
 
   private $host;
   private $path;
@@ -170,6 +171,10 @@ class AphrontRequest {
     return $this->getExists(self::TYPE_AJAX);
   }
 
+  final public function isConduit() {
+    return $this->getExists(self::TYPE_CONDUIT);
+  }
+
   public static function getCSRFTokenName() {
     return '__csrf__';
   }

src/aphront/response/base/AphrontResponse.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright 2011 Facebook, Inc.
+ * Copyright 2012 Facebook, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -91,6 +91,14 @@ abstract class AphrontResponse {
         $this->formatEpochTimestampForHTTPHeader($this->lastModified));
     }
 
+    $headers[] = array(
+      // IE has a feature where it may override an explicit Content-Type
+      // declaration by inferring a content type. This can be a security risk
+      // and we always explicitly transmit the correct Content-Type header, so
+      // prevent IE from using inferred content types.
+      array('X-Content-Type-Options', 'nosniff'),
+    );
+
     return $headers;
   }
 

src/aphront/response/file/AphrontFileResponse.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright 2011 Facebook, Inc.
+ * Copyright 2012 Facebook, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -59,11 +59,6 @@ class AphrontFileResponse extends AphrontResponse {
   public function getHeaders() {
     $headers = array(
       array('Content-Type', $this->getMimeType()),
-      // Without this, IE can decide that we surely meant "text/html" when
-      // delivering another content type since, you know, it looks like it's
-      // probably an HTML document. This closes the security hole that policy
-      // creates.
-      array('X-Content-Type-Options', 'nosniff'),
     );
 
     if (strlen($this->getDownload())) {

src/aphront/response/plaintext/AphrontPlainTextResponse.php

@@ -0,0 +1,41 @@
+<?php
+
+/*
+ * Copyright 2012 Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @group aphront
+ */
+class AphrontPlainTextResponse extends AphrontResponse {
+
+  public function setContent($content) {
+    $this->content = $content;
+    return $this;
+  }
+
+  public function buildResponseString() {
+    return $this->content;
+  }
+
+  public function getHeaders() {
+    $headers = array(
+      array('Content-Type', 'text/plain'),
+    );
+
+    return array_merge(parent::getHeaders(), $headers);
+  }
+
+}

src/aphront/response/plaintext/__init__.php

@@ -0,0 +1,12 @@
+<?php
+/**
+ * This file is automatically generated. Lint this module to rebuild it.
+ * @generated
+ */
+
+
+
+phutil_require_module('phabricator', 'aphront/response/base');
+
+
+phutil_require_source('AphrontPlainTextResponse.php');

src/applications/auth/controller/login/PhabricatorLoginController.php

@@ -30,6 +30,25 @@ class PhabricatorLoginController extends PhabricatorAuthController {
       return id(new AphrontRedirectResponse())->setURI('/');
     }
 
+    if ($request->isConduit()) {
+
+      // A common source of errors in Conduit client configuration is getting
+      // the request path wrong. The client will end up here, so make some
+      // effort to give them a comprehensible error message.
+
+      $request_path = $this->getRequest()->getPath();
+      $conduit_path = '/api/<method>';
+      $example_path = '/api/conduit.ping';
+
+      $message =
+        "ERROR: You are making a Conduit API request to '{$request_path}', ".
+        "but the correct HTTP request path to use in order to access a ".
+        "Conduit method is '{$conduit_path}' (for example, ".
+        "'{$example_path}'). Check your configuration.";
+
+      return id(new AphrontPlainTextResponse())->setContent($message);
+    }
+
     $next_uri = $this->getRequest()->getPath();
     if ($next_uri == '/login/') {
       $next_uri = '/';

src/applications/auth/controller/login/__init__.php

@@ -6,6 +6,7 @@
 
 
 
+phutil_require_module('phabricator', 'aphront/response/plaintext');
 phutil_require_module('phabricator', 'aphront/response/redirect');
 phutil_require_module('phabricator', 'applications/auth/controller/base');
 phutil_require_module('phabricator', 'applications/auth/oauth/provider/base');