From 3ac385a0c39a622cf087e6b50e4b4371ca757123 Mon Sep 17 00:00:00 2001
From: Timo Tijhof
Date: Sat, 31 Aug 2019 23:30:22 +0100
Subject: [PATCH] resourceloader: Drop support for low Suhosin 'max_value_length' values

Move the default of 2000 to DefaultSettings.php, and promote the installer warning to a hard value. Recommend that the setting be disabled, or increased to 5000.

Change-Id: Ifb0aadf8b52fd2d5c2a32f55e38eaa9c2600dfb5
---
 includes/DefaultSettings.php | 19 ++++++++-----------
 includes/Setup.php | 11 -----------
 includes/installer/Installer.php | 12 +++++++-----
 includes/installer/i18n/en.json | 2 +-
 includes/installer/i18n/qqq.json | 2 +-
 5 files changed, 17 insertions(+), 29 deletions(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 739c10283e..fdf1b1b5cf 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -3760,19 +3760,16 @@ $wgIncludeLegacyJavaScript = false;
 $wgLegacyJavaScriptGlobals = true;
 
 /**
- * If set to a positive number, ResourceLoader will not generate URLs whose
- * query string is more than this many characters long, and will instead use
- * multiple requests with shorter query strings. This degrades performance,
- * but may be needed if your web server has a low (less than, say 1024)
- * query string length limit or a low value for suhosin.get.max_value_length
- * that you can't increase.
+ * ResourceLoader will not generate URLs whose query string is more than
+ * this many characters long, and will instead use multiple requests with
+ * shorter query strings. This degrades performance, but may be needed based
+ * on the query string limit supported by your web server and/or your user's
+ * web browsers.
- * If set to a negative number, ResourceLoader will assume there is no query
- * string length limit.
- *
- * Defaults to a value based on php configuration.
+ * @since 1.17
+ * @var int
 */
-$wgResourceLoaderMaxQueryLength = false;
+$wgResourceLoaderMaxQueryLength = 2000;
 
 /**
 * If set to true, JavaScript modules loaded from wiki pages will be parsed
diff --git a/includes/Setup.php b/includes/Setup.php
index 226780080d..4c673c20fb 100644
--- a/includes/Setup.php
+++ b/includes/Setup.php
@@ -438,17 +438,6 @@ if ( $wgMetaNamespace === false ) {
 $wgMetaNamespace = str_replace( ' ', '_', $wgSitename );
 }
 
-// Default value is 2000 or the suhosin limit if it is between 1 and 2000
-if ( $wgResourceLoaderMaxQueryLength === false ) {
- $suhosinMaxValueLength = (int)ini_get( 'suhosin.get.max_value_length' );
- if ( $suhosinMaxValueLength > 0 && $suhosinMaxValueLength < 2000 ) {
- $wgResourceLoaderMaxQueryLength = $suhosinMaxValueLength;
- } else {
- $wgResourceLoaderMaxQueryLength = 2000;
- }
- unset( $suhosinMaxValueLength );
-}
-
 // Ensure the minimum chunk size is less than PHP upload limits or the maximum
 // upload size.
 $wgMinUploadChunkSize = min(
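Review bot: The rewritten docblock for `$wgResourceLoaderMaxQueryLength` no longer says what a zero or negative value means, while the removed text documented a negative number as "no query string length limit" and the new `@var int` still admits both; whether ResourceLoader keeps honouring that is not visible in this hunk. If the no-limit behaviour survives, the docblock should still state it; if not, a line such as ` * Must be a positive integer.` tells site admins that the old `false` and negative settings are no longer meaningful. The same docblock has a possessive typo: `your user's web browsers` should read `your users' web browsers`. With the Setup.php fallback removed, a site whose Suhosin limit is below 2000 presumably now has to set this value in LocalSettings.php itself, which is worth saying here since this is the only place admins will read about it.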
diff --git a/includes/installer/Installer.php b/includes/installer/Installer.php
index de154561c4..0fe198e73b 100644
--- a/includes/installer/Installer.php
+++ b/includes/installer/Installer.php
@@ -1088,14 +1088,16 @@ abstract class Installer {
 /**
 * Checks if suhosin.get.max_value_length is set, and if so generate
- * a warning because it decreases ResourceLoader performance.
+ * a warning because it is incompatible with ResourceLoader.
 * @return bool
 */
 protected function envCheckSuhosinMaxValueLength() {
- $maxValueLength = ini_get( 'suhosin.get.max_value_length' );
- if ( $maxValueLength > 0 && $maxValueLength < 1024 ) {
- // Only warn if the value is below the sane 1024
- $this->showMessage( 'config-suhosin-max-value-length', $maxValueLength );
+ $currentValue = ini_get( 'suhosin.get.max_value_length' );
+ $minRequired = 2000;
+ $recommended = 5000;
+ if ( $currentValue > 0 && $currentValue < $minRequired ) {
+ $this->showError( 'config-suhosin-max-value-length', $currentValue, $minRequired, $recommended );
+ return false;
 }
 
 return true;
diff --git a/includes/installer/i18n/en.json b/includes/installer/i18n/en.json
index 758221f2bb..ba525caac3 100644
--- a/includes/installer/i18n/en.json
+++ b/includes/installer/i18n/en.json
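Review bot: The threshold `$minRequired = 2000;` in envCheckSuhosinMaxValueLength duplicates the new `$wgResourceLoaderMaxQueryLength` default from DefaultSettings.php with nothing tying the two together, so a later change to either will silently desynchronise the installer check from the value ResourceLoader actually uses. A comment on that line, `$minRequired = 2000; // keep in sync with $wgResourceLoaderMaxQueryLength in DefaultSettings.php`, or a single shared class constant would make the coupling explicit. `ini_get()` returns a string (or false when the directive is unknown), so `$currentValue` is compared by numeric coercion and passed unconverted into the message; the removed Setup.php code cast it with `(int)`, which is worth keeping here for the same reason. The docblock's first line still says the method will "generate a warning" although the new code calls showError() and returns false, so it should say the check now fails hard; the method's closing brace is outside the hunk.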
@@ -78,7 +78,7 @@
 "config-uploads-not-safe": "Warning: Your default directory for uploads $1 is vulnerable to arbitrary scripts execution.\nAlthough MediaWiki checks all uploaded files for security threats, it is highly recommended to [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Security#Upload_security close this security vulnerability] before enabling uploads.",
 "config-no-cli-uploads-check": "Warning: Your default directory for uploads ($1) is not checked for vulnerability\nto arbitrary script execution during the CLI install.",
 "config-brokenlibxml": "Your system has a combination of PHP and libxml2 versions that is buggy and can cause hidden data corruption in MediaWiki and other web applications.\nUpgrade to libxml2 2.7.3 or later ([https://bugs.php.net/bug.php?id=45996 bug filed with PHP]).\nInstallation aborted.",
- "config-suhosin-max-value-length": "Suhosin is installed and limits the GET parameter length to $1 bytes.\nMediaWiki's ResourceLoader component will work around this limit, but that will degrade performance.\nIf at all possible, you should set suhosin.get.max_value_length to 1024 or higher in php.ini, and set $wgResourceLoaderMaxQueryLength to the same value in LocalSettings.php.",
+ "config-suhosin-max-value-length": "Suhosin is installed and limits the GET parameter length to $1 bytes.\nMediaWiki requires suhosin.get.max_value_length to be at least $2. Disable this setting, or increase this value to $3 in php.ini.",
 "config-using-32bit": "Warning: your system appears to be running with 32-bit integers. This is [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:32-bit not advised].",
 "config-db-type": "Database type:",
 "config-db-host": "Database host:",
diff --git a/includes/installer/i18n/qqq.json b/includes/installer/i18n/qqq.json
index 42211b499f..1f8a3c648a 100644
--- a/includes/installer/i18n/qqq.json
+++ b/includes/installer/i18n/qqq.json
@@ -101,7 +101,7 @@
 "config-uploads-not-safe": "Used as a part of environment check result. Parameters:\n* $1 - name of directory for images: $IP/images/",
 "config-no-cli-uploads-check": "CLI = [[w:Command-line interface|command-line interface]] (i.e. the installer runs as a command-line script, not using HTML interface via an internet browser)",
 "config-brokenlibxml": "Status message in the MediaWiki installer environment checks.",
- "config-suhosin-max-value-length": "{{doc-important|Do not translate \"length\", \"suhosin.get.max_value_length\", \"php.ini\", \"$wgResourceLoaderMaxQueryLength\" and \"LocalSettings.php\".}}\nMessage shown when PHP parameter suhosin.get.max_value_length is between 0 and 1023 (that max value is hard set in MediaWiki software).",
+ "config-suhosin-max-value-length": "{{doc-important|Do not translate \"length\", \"suhosin.get.max_value_length\", and \"php.ini\".}}\nThis error message is shown when PHP configuration suhosin.get.max_value_length is not high enough.\n\n* $1 - The current value\n* $2 - The minimum required value\n* $3 - The recommended value\n",
 "config-using-32bit": "Warning message shown when installing on a 32-bit system.",
 "config-db-type": "Field label in the MediaWiki installer followed by possible database types.",
 "config-db-host": "Used as label.\n\nAlso used in {{msg-mw|Config-missing-db-host}}.",
-- 
2.20.1