X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FWebStart.php;h=55c96488afa7f1c22b9d36fa0c58f02a74452c05;hb=be1bfe4d5a41fe9068cdfa91e92a529872a17a78;hp=9e45714a198ac8c200835b0a6949806ac7cd5ca7;hpb=558487ceacffc448f077c62f535f80dbf0c4bcbf;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/WebStart.php b/includes/WebStart.php
index 9e45714a19..55c96488af 100644
--- a/includes/WebStart.php
+++ b/includes/WebStart.php
@@ -4,13 +4,46 @@
 # starts the profiler and loads the configuration, and optionally loads
 # Setup.php depending on whether MW_NO_SETUP is defined.

+# Test for PHP bug which breaks PHP 5.0.x on 64-bit...
+# As of 1.8 this breaks lots of common operations instead
+# of just some rare ones like export.
+$borked = str_replace( 'a', 'b', array( -1 => -1 ) );
+if( !isset( $borked[-1] ) ) {
+ echo "PHP 5.0.x is buggy on your 64-bit system; you must upgrade to PHP 5.1.x\n" .
+ "or higher. ABORTING. (http://bugs.php.net/bug.php?id=34879 for details)\n";
+ die( -1 );
+}
+
 # Protect against register_globals
 # This must be done before any globals are set by the code
 if ( ini_get( 'register_globals' ) ) {
 if ( isset( $_REQUEST['GLOBALS'] ) ) {
 die( '$GLOBALS overwrite vulnerability');
 }
+ $verboten = array(
+ 'GLOBALS',
+ '_SERVER',
+ 'HTTP_SERVER_VARS',
+ '_GET',
+ 'HTTP_GET_VARS',
+ '_POST',
+ 'HTTP_POST_VARS',
+ '_COOKIE',
+ 'HTTP_COOKIE_VARS',
+ '_FILES',
+ 'HTTP_POST_FILES',
+ '_ENV',
+ 'HTTP_ENV_VARS',
+ '_REQUEST',
+ '_SESSION',
+ 'HTTP_SESSION_VARS'
+ );
 foreach ( $_REQUEST as $name => $value ) {
+ if( in_array( $name, $verboten ) ) {
+ header( "HTTP/1.x 500 Internal Server Error" );
+ echo "register_globals security paranoia: trying to overwrite superglobals, aborting.";
+ die( -1 );
+ }
 unset( $GLOBALS[$name] );
 }
 }
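Review bot: The deny-list test `in_array( $name, $verboten )` inside the new foreach check compares loosely, so on the PHP 5 versions this file targets an integer key `0` (a request parameter literally named `0`) compares equal to the non-numeric strings in the list and a harmless request is aborted with a 500. Pass the strict flag instead: `if( in_array( $name, $verboten, true ) ) {`. The status line `HTTP/1.x 500 Internal Server Error` does not name a real protocol version; `HTTP/1.0` or the value of `$_SERVER['SERVER_PROTOCOL']` is safer for proxies and clients that parse it. Because this branch fires on a probable tampering attempt, a one-line `error_log()` call before `die( -1 )` would leave a record for whoever reviews the server log.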
@@ -52,6 +85,18 @@ if( !file_exists( './LocalSettings.php' ) ) {
 # Include this site setttings
 require_once( './LocalSettings.php' );
 wfProfileOut( 'WebStart.php-conf' );
+wfProfileIn( 'WebStart.php-ob_start' );
+
+# Initialise output buffering
+if ( ob_get_level() ) {
+ # Someone's been mixing configuration data with code!
+ # How annoying.
+} elseif ( !defined( 'MW_NO_OUTPUT_BUFFER' ) ) {
+ require_once( './includes/OutputHandler.php' );
+ ob_start( 'wfOutputHandler' );
+}
+
+wfProfileOut( 'WebStart.php-ob_start' );

 if ( !defined( 'MW_NO_SETUP' ) ) {
 require_once( './includes/Setup.php' );
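Review bot: The first branch `if ( ob_get_level() )` is also taken when PHP itself opened a buffer, for example with `output_buffering` enabled in php.ini, not only when LocalSettings.php started one, and in that case `wfOutputHandler` is silently never installed. Whatever that handler does (it is not visible in this diff) is then skipped without any trace, which the current comment does not tell the reader. I would say so in the branch, e.g. `# A buffer is already active (php.ini output_buffering or LocalSettings.php); wfOutputHandler is NOT installed.`, and consider whether the handler should be stacked on top of the existing buffer instead of being dropped.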