-Security reminder: If you have PHP's register_globals option set, you should
-turn it off. Although MediaWiki will work with it enabled, it exposes your
-server to potential security vulnerabilities.
+Security reminder: If you have PHP's register_globals option set, you must
+turn it off. MediaWiki will no longer work with it enabled.
== MediaWiki 1.24 ==
production.
=== Configuration changes in 1.24 ===
+* MediaWiki will no longer run if register_globals is enabled. It has been
+ deprecated for 5 years now, and was removed in PHP 5.4. For more information
+ about why, see <https://www.mediawiki.org/wiki/register_globals>.
* The server's canonical hostname is available as $wgServerName, which is
exposed in both mw.config and ApiQuerySiteInfo.
* Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch,
* @file
*/
-# Protect against register_globals
+# Die if register_globals is enabled (PHP <=5.3)
# This must be done before any globals are set by the code
if ( ini_get( 'register_globals' ) ) {
- if ( isset( $_REQUEST['GLOBALS'] ) || isset( $_FILES['GLOBALS'] ) ) {
- die( '<a href="http://www.hardened-php.net/globals-problem">'
- . '$GLOBALS overwrite vulnerability</a>' );
- }
-
- $verboten = array(
- 'GLOBALS',
- '_SERVER',
- 'HTTP_SERVER_VARS',
- '_GET',
- 'HTTP_GET_VARS',
- '_POST',
- 'HTTP_POST_VARS',
- '_COOKIE',
- 'HTTP_COOKIE_VARS',
- '_FILES',
- 'HTTP_POST_FILES',
- '_ENV',
- 'HTTP_ENV_VARS',
- '_REQUEST',
- '_SESSION',
- 'HTTP_SESSION_VARS'
- );
-
- foreach ( $_REQUEST as $name => $value ) {
- if ( in_array( $name, $verboten ) ) {
- header( "HTTP/1.1 500 Internal Server Error" );
- echo "register_globals security paranoia: trying to overwrite superglobals, aborting.";
- die( -1 );
- }
- unset( $GLOBALS[$name] );
- }
+ die( 'MediaWiki does not support installations where register_globals is enabled. '
+ . 'Please see <a href="https://www.mediawiki.org/wiki/register_globals">mediawiki.org</a> '
+ . 'for help on how to disable it.' );
}
# bug 15461: Make IE8 turn off content sniffing. Everybody else should ignore this
/**
* Environment check for register_globals.
+ * Prevent installation if enabled
*/
protected function envCheckRegisterGlobals() {
if ( wfIniGetBool( 'register_globals' ) ) {
- $this->showMessage( 'config-register-globals' );
+ $this->showMessage( 'config-register-globals-error' );
+ return false;
}
+
+ return true;
}
/**
"config-no-db": "Could not find a suitable database driver! You need to install a database driver for PHP.\nThe following database types are supported: $1.\n\nIf you compiled PHP yourself, reconfigure it with a database client enabled, for example, using <code>./configure --with-mysqli</code>.\nIf you installed PHP from a Debian or Ubuntu package, then you also need to install, for example, the <code>php5-mysql</code> package.",
"config-outdated-sqlite": "<strong>Warning:</strong> you have SQLite $1, which is lower than minimum required version $2. SQLite will be unavailable.",
"config-no-fts3": "<strong>Warning:</strong> SQLite is compiled without the [//sqlite.org/fts3.html FTS3 module], search features will be unavailable on this backend.",
- "config-register-globals": "<strong>Warning: PHP's <code>[http://php.net/register_globals register_globals]</code> option is enabled.\nDisable it if you can.</strong>\nMediaWiki will work, but your server is exposed to potential security vulnerabilities.",
+ "config-register-globals-error": "<strong>Error: PHP's <code>[http://php.net/register_globals register_globals]</code> option is enabled.\nIt must be disabled to continue with installation.</strong>\nSee [https://www.mediawiki.org/wiki/register_globals https://www.mediawiki.org/wiki/register_globals] for help on how to do so.",
"config-magic-quotes-runtime": "<strong>Fatal: [http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime magic_quotes_runtime] is active!'</strong>\nThis option corrupts data input unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
"config-magic-quotes-sybase": "<strong>Fatal: [http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-sybase magic_quotes_sybase] is active!</strong>\nThis option corrupts data input unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
"config-mbstring": "<strong>Fatal: [http://www.php.net/manual/en/ref.mbstring.php#mbstring.overload mbstring.func_overload] is active!</strong>\nThis option causes errors and may corrupt data unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
"config-no-db": "{{doc-important|Do not translate \"<code>./configure --with-mysqli</code>\" and \"<code>php5-mysql</code>\".}}\nParameters:\n* $1 is comma separated list of database types supported by MediaWiki.",
"config-outdated-sqlite": "Used as warning. Parameters:\n* $1 - the version of SQLite that has been installed\n* $2 - minimum version",
"config-no-fts3": "A \"[[:wikipedia:Front and back ends|backend]]\" is a system or component that ordinary users don't interact with directly and don't need to know about, and that is responsible for a distinct task or service - for example, a storage back-end is a generic system for storing data which other applications can use. Possible alternatives for back-end are \"system\" or \"service\", or (depending on context and language) even leave it untranslated.",
- "config-register-globals": "Status message in the MediaWiki installer environment checks.",
+ "config-register-globals-error": "Error message in the MediaWiki installer environment checks.",
"config-magic-quotes-runtime": "{{Related|Config-fatal}}",
"config-magic-quotes-sybase": "{{Related|Config-fatal}}",
"config-mbstring": "{{Related|Config-fatal}}",
dépôts / lhc / web / wiklou.git / commitdiff