X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FGlobalFunctions.php;h=6f49a141e1822f617d6fe8370f7def1b5ea13937;hb=ade631c612cc9c86c133005f5e898041b9240084;hp=9569bc1fb4d1fb2dd5a58487ff89c925c70212f9;hpb=02415cb826b8eb9a699fd1381f7faeea246cc477;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 9569bc1fb4..6f49a141e1 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -32,75 +32,6 @@ use MediaWiki\Shell\Shell;
 use Wikimedia\ScopedCallback;
 use Wikimedia\Rdbms\DBReplicationWaitError;
 
-// Hide compatibility functions from Doxygen
-/// @cond
-/**
- * Compatibility functions
- *
- * We support PHP 5.5.9 and up.
- * Re-implementations of newer functions or functions in non-standard
- * PHP extensions may be included here.
- */
-
-// hash_equals function only exists in PHP >= 5.6.0
-// https://secure.php.net/hash_equals
-if ( !function_exists( 'hash_equals' ) ) {
- /**
- * Check whether a user-provided string is equal to a fixed-length secret string
- * without revealing bytes of the secret string through timing differences.
- *
- * The usual way to compare strings (PHP's === operator or the underlying memcmp()
- * function in C) is to compare corresponding bytes and stop at the first difference,
- * which would take longer for a partial match than for a complete mismatch. This
- * is not secure when one of the strings (e.g. an HMAC or token) must remain secret
- * and the other may come from an attacker. Statistical analysis of timing measurements
- * over many requests may allow the attacker to guess the string's bytes one at a time
- * (and check his guesses) even if the timing differences are extremely small.
- *
- * When making such a security-sensitive comparison, it is essential that the sequence
- * in which instructions are executed and memory locations are accessed not depend on
- * the secret string's value. HOWEVER, for simplicity, we do not attempt to minimize
- * the inevitable leakage of the string's length. That is generally known anyway as
- * a chararacteristic of the hash function used to compute the secret value.
- *
- * Longer explanation: http://www.emerose.com/timing-attacks-explained
- *
- * @codeCoverageIgnore
- * @param string $known_string Fixed-length secret string to compare against
- * @param string $user_string User-provided string
- * @return bool True if the strings are the same, false otherwise
- */
- function hash_equals( $known_string, $user_string ) {
- // Strict type checking as in PHP's native implementation
- if ( !is_string( $known_string ) ) {
- trigger_error( 'hash_equals(): Expected known_string to be a string, ' .
- gettype( $known_string ) . ' given', E_USER_WARNING );
-
- return false;
- }
-
- if ( !is_string( $user_string ) ) {
- trigger_error( 'hash_equals(): Expected user_string to be a string, ' .
- gettype( $user_string ) . ' given', E_USER_WARNING );
-
- return false;
- }
-
- $known_string_len = strlen( $known_string );
- if ( $known_string_len !== strlen( $user_string ) ) {
- return false;
- }
-
- $result = 0;
- for ( $i = 0; $i < $known_string_len; $i++ ) {
- $result |= ord( $known_string[$i] ) ^ ord( $user_string[$i] );
- }
-
- return ( $result === 0 );
- }
-}
-/// @endcond
-
 /**
 * Load an extension
 *
@@ -1089,7 +1020,8 @@ function wfIsDebugRawPage() {
 if ( $cache !== null ) {
 return $cache;
 }
-# Check for raw action using $_GET not $wgRequest, since the latter might not be initialised yet
+// Check for raw action using $_GET not $wgRequest, since the latter might not be initialised yet
+// phpcs:ignore MediaWiki.Usage.SuperGlobalsUsage.SuperGlobals
 if ( ( isset( $_GET['action'] ) && $_GET['action'] == 'raw' )
 || ( isset( $_SERVER['SCRIPT_NAME'] )
@@ -1513,9 +1445,10 @@ function wfHostname() {
 * If $wgShowHostnames is true, the script will also set 'wgHostname' to the
 * hostname of the server handling the request.
 *
- * @return string
+ * @param string $nonce Value from OutputPage::getCSPNonce
+ * @return string|WrappedString HTML
 */
-function wfReportTime() {
+function wfReportTime( $nonce = null ) {
 global $wgShowHostnames;
 
 $elapsed = ( microtime( true ) - $_SERVER['REQUEST_TIME_FLOAT'] );
@@ -1525,7 +1458,7 @@ function wfReportTime() {
 if ( $wgShowHostnames ) {
 $reportVars['wgHostname'] = wfHostname();
 }
- return Skin::makeVariablesScript( $reportVars );
+ return Skin::makeVariablesScript( $reportVars, $nonce );
 }
 
 /**
@@ -2737,6 +2670,28 @@ function wfGetPrecompiledData( $name ) {
 return false;
 }
 
+/**
+ * @since 1.32
+ * @param string[] $data Array with string keys/values to export
+ * @param string $header
+ * @return string PHP code
+ */
+function wfMakeStaticArrayFile( array $data, $header = 'Automatically generated' ) {
+ $format = "\t%s => %s,\n";
+ $code = " $value ) {
+ $code .= sprintf(
+ $format,
+ var_export( $key, true ),
+ var_export( $value, true )
+ );
+ }
+ $code .= "];\n";
+ return $code;
+}
+
 /**
 * Make a cache key for the local wiki.
 *
@@ -3227,7 +3182,7 @@ function wfRunHooks( $event, array $args = [], $deprecatedVersion = null ) {
 * @param string $format The format string (See php's docs)
 * @param string $data A binary string of binary data
 * @param int|bool $length The minimum length of $data or false. This is to
- * prevent reading beyond the end of $data. false to disable the check.
+ * prevent reading beyond the end of $data. false to disable the check.
 *
 * Also be careful when using this function to read unsigned 32 bit integer
 * because php might make it negative.
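Review bot: The new docblock on wfReportTime declares `@param string $nonce` while the new signature defaults the parameter to `null`, so the documented type does not match what callers may pass; it should read `@param string|null $nonce Value from OutputPage::getCSPNonce`. The next hunk shows the value is only forwarded to Skin::makeVariablesScript, so that is the only place the nullable contract has to hold. The body of wfReportTime continues outside the hunk.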
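Review bot: The docblock of the new wfMakeStaticArrayFile leaves `@param string $header` undescribed, and since the function writes `$header` into generated PHP source, the contract matters: a header line that is not kept inside a `//` comment would be emitted as code in the generated file. The `$code = ...` line appears garbled on this page (the text between the opening quote and `$value` is missing), so how `$header` is embedded cannot be read here; whichever way it is done, document it, e.g. `@param string $header Comment text placed at the top of the generated file; each line is emitted as a // comment`. If the implementation does not already split the header per line, emitting it as `'// ' . implode( "\n// ", explode( "\n", $header ) )` keeps every line inside a comment.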