X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=includes%2FGlobalFunctions.php;h=7667a9e52a88652351af5289279ca8affa319fd5;hp=513f59346c8c8fdc121b9f1b3726008380698bcf;hb=aec80a1fb774715e43430ab583c190b79e468fce;hpb=c9e10a4d1a91487a963bd8c67f392bc73494254d diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php index 513f59346c..7667a9e52a 100644 --- a/includes/GlobalFunctions.php +++ b/includes/GlobalFunctions.php @@ -32,75 +32,6 @@ use MediaWiki\Shell\Shell; use Wikimedia\ScopedCallback; use Wikimedia\Rdbms\DBReplicationWaitError; -// Hide compatibility functions from Doxygen -/// @cond -/** - * Compatibility functions - * - * We support PHP 5.5.9 and up. - * Re-implementations of newer functions or functions in non-standard - * PHP extensions may be included here. - */ - -// hash_equals function only exists in PHP >= 5.6.0 -// https://secure.php.net/hash_equals -if ( !function_exists( 'hash_equals' ) ) { - /** - * Check whether a user-provided string is equal to a fixed-length secret string - * without revealing bytes of the secret string through timing differences. - * - * The usual way to compare strings (PHP's === operator or the underlying memcmp() - * function in C) is to compare corresponding bytes and stop at the first difference, - * which would take longer for a partial match than for a complete mismatch. This - * is not secure when one of the strings (e.g. an HMAC or token) must remain secret - * and the other may come from an attacker. Statistical analysis of timing measurements - * over many requests may allow the attacker to guess the string's bytes one at a time - * (and check his guesses) even if the timing differences are extremely small. - * - * When making such a security-sensitive comparison, it is essential that the sequence - * in which instructions are executed and memory locations are accessed not depend on - * the secret string's value. HOWEVER, for simplicity, we do not attempt to minimize - * the inevitable leakage of the string's length. That is generally known anyway as - * a chararacteristic of the hash function used to compute the secret value. - * - * Longer explanation: http://www.emerose.com/timing-attacks-explained - * - * @codeCoverageIgnore - * @param string $known_string Fixed-length secret string to compare against - * @param string $user_string User-provided string - * @return bool True if the strings are the same, false otherwise - */ - function hash_equals( $known_string, $user_string ) { - // Strict type checking as in PHP's native implementation - if ( !is_string( $known_string ) ) { - trigger_error( 'hash_equals(): Expected known_string to be a string, ' . - gettype( $known_string ) . ' given', E_USER_WARNING ); - - return false; - } - - if ( !is_string( $user_string ) ) { - trigger_error( 'hash_equals(): Expected user_string to be a string, ' . - gettype( $user_string ) . ' given', E_USER_WARNING ); - - return false; - } - - $known_string_len = strlen( $known_string ); - if ( $known_string_len !== strlen( $user_string ) ) { - return false; - } - - $result = 0; - for ( $i = 0; $i < $known_string_len; $i++ ) { - $result |= ord( $known_string[$i] ) ^ ord( $user_string[$i] ); - } - - return ( $result === 0 ); - } -} -/// @endcond - /** * Load an extension * @@ -2327,6 +2258,8 @@ function wfShellExec( $cmd, &$retval = null, $environ = [], ->limits( $limits ) ->includeStderr( $includeStderr ) ->profileMethod( $profileMethod ) + // For b/c + ->restrict( Shell::RESTRICT_NONE ) ->execute(); } catch ( ProcOpenError $ex ) { $retval = -1; @@ -2377,6 +2310,8 @@ function wfInitShellLocale() { * Note that $parameters should be a flat array and an option with an argument * should consist of two consecutive items in the array (do not use "--option value"). * + * @deprecated since 1.31, use Shell::makeScriptCommand() + * * @param string $script MediaWiki cli script path * @param array $parameters Arguments and options to the script * @param array $options Associative array of options: