From 3440234618097063f936dfa6fd5dc196dda7c880 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Tue, 7 Oct 2008 01:10:32 +0000
Subject: [PATCH] Cleanup for r41713 PHP 4 warning page:
* Avoid register_globals XSS vulns hitting the template directly
* Avoid register_globals XSS vulns when using funny URLs
* Avoid horrible links when using funny URLs :)
* Swapped REQUEST_URI for SCRIPT_NAME as primary in path check, since SCRIPT_NAME doesn't include the PATH_INFO bits so will work when hitting a URL like index.php/Foo/Bar, or hopefully a rewrite?
* Don't spew errors if the file_get_contents() fails
* Don't FATAL out if file_get_contents() doesn't exist -- new in 4.3.0 :)
* Add a link to PHP download page
---
 includes/templates/PHP4.php | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/includes/templates/PHP4.php b/includes/templates/PHP4.php
index bbdb875973..058351a006 100644
--- a/includes/templates/PHP4.php
+++ b/includes/templates/PHP4.php
@@ -4,11 +4,16 @@
 * @ingroup Templates
 */
-if( isset( $_SERVER['REQUEST_URI'] ) ) {
- $scriptUrl = $_SERVER['REQUEST_URI'];
-} elseif( isset( $_SERVER['SCRIPT_NAME'] ) ) {
+if( !defined( 'MW_PHP4' ) ) {
+ die( "Not an entry point.");
+}
+
+if( isset( $_SERVER['SCRIPT_NAME'] ) ) {
 // Probably IIS; doesn't set REQUEST_URI
 $scriptUrl = $_SERVER['SCRIPT_NAME'];
+} elseif( isset( $_SERVER['REQUEST_URI'] ) ) {
+ // We're trying SCRIPT_NAME first because it won't include PATH_INFO... hopefully
+ $scriptUrl = $_SERVER['REQUEST_URI'];
 } else {
 $scriptUrl = '';
 }
@@ -17,7 +22,7 @@ if ( preg_match( '!^(.*)/config/[^/]*.php$!', $scriptUrl, $m ) ) {
 } elseif ( preg_match( '!^(.*)/[^/]*.php$!', $scriptUrl, $m ) ) {
 $baseUrl = $m[1];
 } else {
- $baseUrl = dirname( $baseUrl );
+ $baseUrl = dirname( $scriptUrl );
 }
 ?>
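Review bot: The new `elseif` fallback in the first hunk assigns `$_SERVER['REQUEST_URI']` whole, query string included, so request-controlled text after `?` can still satisfy the path regexes below and end up in `$baseUrl`. Cutting the query off first would keep the fallback equivalent to the SCRIPT_NAME branch, e.g. `$scriptUrl = preg_replace( '/\?.*$/', '', $_SERVER['REQUEST_URI'] );`. The retained comment `// Probably IIS; doesn't set REQUEST_URI` now sits under the primary branch and no longer explains it; the PATH_INFO rationale added in the fallback belongs there instead. The `if`/`elseif` chain is complete within the hunk, but the code that later consumes `$baseUrl` is only partly visible here.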
@@ -62,8 +67,15 @@ flush();
 $downloadOther = true;
 if ( $baseUrl ) {
 $testUrl = "$wgServer$baseUrl/php5.php5";
- ini_set( 'allow_url_fopen', '1' );
- $s = file_get_contents( $testUrl );
+ if( function_exists( 'file_get_contents' ) ) {
+ $errorLevel = error_reporting();
+ error_reporting( $errorLevel & !E_WARNING );
+
+ ini_set( 'allow_url_fopen', '1' );
+ $s = file_get_contents( $testUrl );
+
+ error_reporting( $errorLevel );
+ }
 if ( strpos( $s, 'yes' ) !== false ) {
 $encUrl = htmlspecialchars( str_replace( '.php', '.php5', $scriptUrl ) );
@@ -73,8 +85,9 @@ if ( $baseUrl ) {
 }
 if ( $downloadOther ) {
 ?>
-
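Review bot: `error_reporting( $errorLevel & !E_WARNING )` uses logical NOT, so `!E_WARNING` evaluates to `false` and the mask becomes 0, silencing every error class around the fetch rather than only warnings; the bitwise form is `error_reporting( $errorLevel & ~E_WARNING );`. `$s` is also assigned only inside the new `function_exists()` branch, while the unchanged `strpos( $s, 'yes' )` below reads it unconditionally. Under register_globals, which this commit is hardening against, an unset `$s` would presumably take its value from the request, so it should be initialised with `$s = '';` before the `if`. The enclosing `if ( $baseUrl ) {` block continues past the end of this hunk.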

Please consider upgrading your copy of PHP. PHP 4 is at the end of its -lifecycle and will not receive further security updates.

+

Please consider +upgrading your copy of PHP. +PHP 4 is at the end of its lifecycle and will not receive further security updates.

If for some reason you really really need to run MediaWiki on PHP 4, you will need to download version 1.6.x from our website.

-- 2.20.1