return gzinflate( substr( $data, 10, -8 ) );
}
}
+
+// hash_equals function only exists in PHP >= 5.6.0
+if ( !function_exists( 'hash_equals' ) ) {
+ /**
+ * Check whether a user-provided string is equal to a fixed-length secret without
+ * revealing bytes of the secret through timing differences.
+ *
+ * This timing guarantee -- that a partial match takes the same time as a complete
+ * mismatch -- is why this function is used in some security-sensitive parts of the code.
+ * For example, it shouldn't be possible to guess an HMAC signature one byte at a time.
+ *
+ * Longer explanation: http://www.emerose.com/timing-attacks-explained
+ *
+ * @codeCoverageIgnore
+ * @param string $known_string Fixed-length secret to compare against
+ * @param string $user_string User-provided string
+ * @return bool True if the strings are the same, false otherwise
+ */
+ function hash_equals( $known_string, $user_string ) {
+ // Strict type checking as in PHP's native implementation
+ if ( !is_string( $known_string ) ) {
+ trigger_error( 'hash_equals(): Expected known_string to be a string, ' .
+ gettype( $known_string ) . ' given', E_USER_WARNING );
+
+ return false;
+ }
+
+ if ( !is_string( $user_string ) ) {
+ trigger_error( 'hash_equals(): Expected user_string to be a string, ' .
+ gettype( $user_string ) . ' given', E_USER_WARNING );
+
+ return false;
+ }
+
+ // Note that we do one thing PHP doesn't: try to avoid leaking information about
+ // relative lengths of $known_string and $user_string, and of multiple $known_strings.
+ // However, lengths may still inevitably leak through, for example, CPU cache misses.
+ $known_string_len = strlen( $known_string );
+ $user_string_len = strlen( $user_string );
+ $result = $known_string_len ^ $user_string_len;
+ for ( $i = 0; $i < $user_string_len; $i++ ) {
+ $result |= ord( $known_string[$i % $known_string_len] ) ^ ord( $user_string[$i] );
+ }
+
+ return ( $result === 0 );
+ }
+}
/// @endcond
/**
/**
* Safety wrapper for debug_backtrace().
*
- * With Zend Optimizer 3.2.0 loaded, this causes segfaults under somewhat
- * murky circumstances, which may be triggered in part by stub objects
- * or other fancy talking'.
- *
- * Will return an empty array if Zend Optimizer is detected or if
- * debug_backtrace is disabled, otherwise the output from
- * debug_backtrace() (trimmed).
+ * Will return an empty array if debug_backtrace is disabled, otherwise
+ * the output from debug_backtrace() (trimmed).
*
* @param int $limit This parameter can be used to limit the number of stack frames returned
*
function wfDebugBacktrace( $limit = 0 ) {
static $disabled = null;
- if ( extension_loaded( 'Zend Optimizer' ) ) {
- wfDebug( "Zend Optimizer detected; skipping debug_backtrace for safety.\n" );
- return array();
- }
-
if ( is_null( $disabled ) ) {
- $disabled = false;
- $functions = explode( ',', ini_get( 'disable_functions' ) );
- $functions = array_map( 'trim', $functions );
- $functions = array_map( 'strtolower', $functions );
- if ( in_array( 'debug_backtrace', $functions ) ) {
- wfDebug( "debug_backtrace is in disabled_functions\n" );
- $disabled = true;
+ $disabled = !function_exists( 'debug_backtrace' );
+ if ( $disabled ) {
+ wfDebug( "debug_backtrace() is disabled\n" );
}
}
if ( $disabled ) {
* @param int $deflimit Default limit if none supplied
* @param string $optionname Name of a user preference to check against
* @return array
+ * @deprecated since 1.24, just call WebRequest::getLimitOffset() directly
*/
function wfCheckLimits( $deflimit = 50, $optionname = 'rclimit' ) {
global $wgRequest;
+ wfDeprecated( __METHOD__, '1.24' );
return $wgRequest->getLimitOffset( $deflimit, $optionname );
}
function wfShellExecDisabled() {
static $disabled = null;
if ( is_null( $disabled ) ) {
- $disabled = false;
if ( wfIniGetBool( 'safe_mode' ) ) {
wfDebug( "wfShellExec can't run in safe_mode, PHP's exec functions are too broken.\n" );
$disabled = 'safemode';
+ } elseif ( !function_exists( 'proc_open' ) ) {
+ wfDebug( "proc_open() is disabled\n" );
+ $disabled = 'disabled';
} else {
- $functions = explode( ',', ini_get( 'disable_functions' ) );
- $functions = array_map( 'trim', $functions );
- $functions = array_map( 'strtolower', $functions );
- if ( in_array( 'proc_open', $functions ) ) {
- wfDebug( "proc_open is in disabled_functions\n" );
- $disabled = 'disabled';
- }
+ $disabled = false;
}
}
return $disabled;
$cmd = $envcmd . $cmd;
$useLogPipe = false;
- if ( php_uname( 's' ) == 'Linux' ) {
+ if ( is_executable( '/bin/bash' ) ) {
$time = intval ( isset( $limits['time'] ) ? $limits['time'] : $wgMaxShellTime );
if ( isset( $limits['walltime'] ) ) {
$wallTime = intval( $limits['walltime'] );
* @param array $environ optional environment variables which should be
* added to the executed command environment.
* @param array $limits Optional array with limits(filesize, memory, time, walltime)
- * this overwrites the global wgShellMax* limits.
+ * this overwrites the global wgMaxShell* limits.
* @return string Collected stdout and stderr as a string
*/
function wfShellExecWithStderr( $cmd, &$retval = null, $environ = array(), $limits = array() ) {
* @since 1.23 Supports CIDR ranges in $wgSquidServersNoPurge
*/
function wfIsConfiguredProxy( $ip ) {
- return IP::isTrustedProxy( $ip );
+ return IP::isConfiguredProxy( $ip );
}