From 6cf18f93246020636604868727339beb06a080eb Mon Sep 17 00:00:00 2001
From: "Mark A. Hershberger"
Date: Wed, 3 Aug 2011 15:46:06 +0000
Subject: [PATCH] * Make envCheckPath() specific to each installer, web vs cli
* Add warning during the CLI install that the uploads directory isn't being checked for arbitrary script execution
---
includes/installer/CliInstaller.php | 17 ++++++++++++
includes/installer/Installer.i18n.php | 3 +++
includes/installer/Installer.php | 4 ---
includes/installer/WebInstaller.php | 37 +++++++++++++++++----------
4 files changed, 43 insertions(+), 18 deletions(-)
diff --git a/includes/installer/CliInstaller.php b/includes/installer/CliInstaller.php
index ccabedb586..b579a7767d 100644
--- a/includes/installer/CliInstaller.php
+++ b/includes/installer/CliInstaller.php
@@ -13,6 +13,7 @@
* @since 1.17
*/
class CliInstaller extends Installer {
+ private $specifiedScriptPath = false;
private $optionMap = array(
'dbtype' => 'wgDBtype',
@@ -45,6 +46,10 @@ class CliInstaller extends Installer {
parent::__construct();
+ if ( isset( $option['scriptpath'] ) ) {
+ $this->specifiedScriptPath = true;
+ }
+
foreach ( $this->optionMap as $opt => $global ) {
if ( isset( $option[$opt] ) ) {
$GLOBALS[$global] = $option[$opt];
@@ -170,4 +175,16 @@ class CliInstaller extends Installer {
exit;
}
}
+
+ public function envCheckPath( ) {
+ if ( !$this->specifiedScriptPath ) {
+ $this->showMessage( 'config-no-cli-uri', $this->getVar("wgScriptPath") );
+ }
+ return parent::envCheckPath();
+ }
+
+ public function dirIsExecutable( $dir, $url ) {
+ $this->showMessage( 'config-no-cli-uploads-check', $dir );
+ return false;
+ }
}
diff --git a/includes/installer/Installer.i18n.php b/includes/installer/Installer.i18n.php
index afcc8f692a..a58bf75ed7 100644
--- a/includes/installer/Installer.i18n.php
+++ b/includes/installer/Installer.i18n.php
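Review bot: `dirIsExecutable()` in the new CliInstaller block returns `false` — the value that means "not executable" — without testing anything, so a caller that branches on the return value rather than on the printed `config-no-cli-uploads-check` warning will treat the uploads directory as safe, and neither it nor the new `envCheckPath()` carries a doc comment saying this is a skipped check rather than a passed one. Add a docblock to the override such as `/** No executability probe is run on the CLI; false here means "not verified", not "safe", and the config-no-cli-uploads-check warning is the only record of that. */`, and note that the unused `$url` parameter is kept, presumably to match the parent's signature. In `envCheckPath()`, `$this->getVar("wgScriptPath")` uses double quotes and no inner spacing while every other call in the patch is written `getVar( 'wgScriptPath' )`. Both methods are complete within the hunk.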
@@ -147,10 +147,13 @@ Image thumbnailing will be enabled if you enable uploads.',
Image thumbnailing will be disabled.',
'config-no-uri' => "'''Error:''' Could not determine the current URI. Installation aborted.",
+ 'config-no-cli-uri' => "'''Warning''': No --scriptpath specified, using default: $1.",
'config-using-server' => 'Using server name "$1".',
'config-using-uri' => 'Using server URL "$1$2".',
'config-uploads-not-safe' => "'''Warning:''' Your default directory for uploads $1 is vulnerable to arbitrary scripts execution. Although MediaWiki checks all uploaded files for security threats, it is highly recommended to [http://www.mediawiki.org/wiki/Manual:Security#Upload_security close this security vulnerability] before enabling uploads.",
+ 'config-no-cli-uploads-check' => "'''Warning:''' Your default directory for uploads ($1) is not checked for vulnerability
+to arbitrary script execution during the CLI install.",
'config-brokenlibxml' => 'Your system has a combination of PHP and libxml2 versions which is buggy and can cause hidden data corruption in MediaWiki and other web applications. Upgrade to PHP 5.2.9 or later and libxml2 2.7.3 or later ([http://bugs.php.net/bug.php?id=45996 bug filed with PHP]). Installation aborted.',
diff --git a/includes/installer/Installer.php b/includes/installer/Installer.php
index 729825da5c..8a142c0dfc 100644
--- a/includes/installer/Installer.php
+++ b/includes/installer/Installer.php
@@ -859,10 +859,6 @@ abstract class Installer {
$IP = dirname( dirname( dirname( __FILE__ ) ) );
$this->setVar( 'IP', $IP );
- if( !$this->getVar( 'wgScriptPath' ) ) {
- $this->showError( 'config-no-uri' );
- return false;
- }
$this->showMessage( 'config-using-uri', $this->getVar( 'wgServer' ), $this->getVar( 'wgScriptPath' ) );
return true;
}
diff --git a/includes/installer/WebInstaller.php b/includes/installer/WebInstaller.php
index 9b6c7da3fa..407264378c 100644
--- a/includes/installer/WebInstaller.php
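Review bot: The new `config-no-cli-uri` message places the colon outside the bold markup (`'''Warning''':`) whereas the neighbouring `config-uploads-not-safe` and the other new message `config-no-cli-uploads-check` use `'''Warning:'''`; `'config-no-cli-uri' => "'''Warning:''' No --scriptpath specified, using default: $1.",` keeps the three consistent. The second new message is also broken mid-sentence onto a `+to arbitrary script execution …` continuation line; the newline becomes part of the string, which wikitext renders as a space, but the single-line form its neighbours use is easier for translators to match.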
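Review bot: With the `wgScriptPath` guard deleted, the base `envCheckPath()` in Installer.php no longer validates anything before reporting `config-using-uri`: it prints the server/path pair and returns `true` even when `wgScriptPath` is empty, and correctness now depends on every subclass override checking first. In this patch only `WebInstaller::envCheckPath()` reinstates the `config-no-uri` error; `CliInstaller::envCheckPath()` only warns when `--scriptpath` was omitted and then defers to this method, so an empty CLI default, if one is possible, would pass silently. Either keep a guard here or document the contract, e.g. `/** Subclasses must populate and validate wgScriptPath before calling parent::envCheckPath(). */`. The enclosing method starts before the hunk.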
+++ b/includes/installer/WebInstaller.php
@@ -1007,20 +1007,6 @@ class WebInstaller extends Installer {
}
}
- // PHP_SELF isn't available sometimes, such as when PHP is CGI but
- // cgi.fix_pathinfo is disabled. In that case, fall back to SCRIPT_NAME
- // to get the path to the current script... hopefully it's reliable. SIGH
- $path = false;
- if ( !empty( $_SERVER['PHP_SELF'] ) ) {
- $path = $_SERVER['PHP_SELF'];
- } elseif ( !empty( $_SERVER['SCRIPT_NAME'] ) ) {
- $path = $_SERVER['SCRIPT_NAME'];
- }
- if ($path !== false) {
- $uri = preg_replace( '{^(.*)/(mw-)?config.*$}', '$1', $path );
- $this->setVar( 'wgScriptPath', $uri );
- }
-
return $newValues;
}
@@ -1067,4 +1053,27 @@ class WebInstaller extends Installer {
$img . ' ' . wfMsgHtml( 'config-download-localsettings' ) );
return Html::rawElement( 'div', array( 'class' => 'config-download-link' ), $anchor );
}
+
+ public function envCheckPath( ) {
+ // PHP_SELF isn't available sometimes, such as when PHP is CGI but
+ // cgi.fix_pathinfo is disabled. In that case, fall back to SCRIPT_NAME
+ // to get the path to the current script... hopefully it's reliable. SIGH
+ $path = false;
+ if ( !empty( $_SERVER['PHP_SELF'] ) ) {
+ $path = $_SERVER['PHP_SELF'];
+ } elseif ( !empty( $_SERVER['SCRIPT_NAME'] ) ) {
+ $path = $_SERVER['SCRIPT_NAME'];
+ }
+ if ($path !== false) {
+ $uri = preg_replace( '{^(.*)/(mw-)?config.*$}', '$1', $path );
+ $this->setVar( 'wgScriptPath', $uri );
+ } else {
+ $this->showError( 'config-no-uri' );
+ return false;
+ }
+
+ return parent::envCheckPath();
+ }
+
}
--
2.20.1
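Review bot: In the new `WebInstaller::envCheckPath()`, the value of `$uri = preg_replace( … )` goes into `setVar( 'wgScriptPath', $uri )` unchecked: `preg_replace()` returns `null` on a PCRE error, and when the `{^(.*)/(mw-)?config.*$}` pattern does not match, the request-derived `PHP_SELF`/`SCRIPT_NAME` path is stored verbatim. Adding `if ( $uri === null ) { $this->showError( 'config-no-uri' ); return false; }` after the `preg_replace()` covers the error case, and a docblock on the method should say that `wgScriptPath` is derived from the current request path by stripping the installer's own `config`/`mw-config` directory and is only as trustworthy as that path. Style-wise, `if ($path !== false)` lacks the inner spacing every other condition in the patch uses; `if ( $path !== false ) {` matches. The method is complete within the hunk; the first hunk in this file is the same code being removed from its old location.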