From 558487ceacffc448f077c62f535f80dbf0c4bcbf Mon Sep 17 00:00:00 2001 From: Tim Starling Date: Wed, 11 Oct 2006 03:44:49 +0000 Subject: [PATCH] Active protection against register_globals vulnerabilities. Unset all globals which have been set by $_REQUEST, in WebStart.php. All entry points must assume that a user can unset any arbitrary global set before WebStart.php is invoked. This is not usually a problem since most entry points do not set globals before WebStart.php, Yuri's APIs apparently being the only exceptions. --- api.php | 16 ++++------------ includes/WebStart.php | 15 +++++++++++---- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/api.php b/api.php index fd56db4ff3..63802c50e4 100644 --- a/api.php +++ b/api.php @@ -22,7 +22,8 @@ * http://www.gnu.org/copyleft/gpl.html */ -$wgApiStartTime = microtime(true); +// Initialise common code +require (dirname(__FILE__) . '/includes/WebStart.php'); /** * When no format parameter is given, this format will be used @@ -88,15 +89,10 @@ $wgApiFormats = array ( 'yamlfm' => 'ApiFormatYaml' ); -// Initialise common code -require (dirname(__FILE__) . '/includes/WebStart.php'); wfProfileIn('api.php'); // Verify that the API has not been disabled -// The next line should be -// if (isset ($wgEnableAPI) && !$wgEnableAPI) { -// but will be in a safe mode until api is stabler -if (!isset ($wgEnableAPI) || !$wgEnableAPI) { +if (!$wgEnableAPI) { echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php'; echo '
$wgEnableAPI=true;
'; die(-1); @@ -104,13 +100,9 @@ if (!isset ($wgEnableAPI) || !$wgEnableAPI) { $wgAutoloadClasses = array_merge($wgAutoloadClasses, $wgApiAutoloadClasses); -if (!isset($wgEnableWriteAPI)) - $wgEnableWriteAPI = false; // This should be 'true' later, once the api is stable. - -$processor = new ApiMain($wgApiStartTime, $wgApiModules, $wgApiFormats, $wgEnableWriteAPI); +$processor = new ApiMain($wgRequestTime, $wgApiModules, $wgApiFormats, $wgEnableWriteAPI); $processor->execute(); wfProfileOut('api.php'); wfLogProfilingData(); -exit; // Done! ?> diff --git a/includes/WebStart.php b/includes/WebStart.php index fc6d9695c3..9e45714a19 100644 --- a/includes/WebStart.php +++ b/includes/WebStart.php @@ -4,6 +4,17 @@ # starts the profiler and loads the configuration, and optionally loads # Setup.php depending on whether MW_NO_SETUP is defined. +# Protect against register_globals +# This must be done before any globals are set by the code +if ( ini_get( 'register_globals' ) ) { + if ( isset( $_REQUEST['GLOBALS'] ) ) { + die( '$GLOBALS overwrite vulnerability'); + } + foreach ( $_REQUEST as $name => $value ) { + unset( $GLOBALS[$name] ); + } +} + $wgRequestTime = microtime(true); # getrusage() does not exist on the Microsoft Windows platforms, catching this if ( function_exists ( 'getrusage' ) ) { @@ -14,10 +25,6 @@ if ( function_exists ( 'getrusage' ) ) { unset( $IP ); @ini_set( 'allow_url_fopen', 0 ); # For security -if ( isset( $_REQUEST['GLOBALS'] ) ) { - die( '$GLOBALS overwrite vulnerability'); -} - # Valid web server entry point, enable includes. # Please don't move this line to includes/Defines.php. This line essentially # defines a valid entry point. If you put it in includes/Defines.php, then -- 2.20.1
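Review bot: The new `if (!$wgEnableAPI) {` in the api.php hunk at -88,15, and the `ApiMain` call in the hunk at -104,13, read `$wgEnableAPI` and `$wgEnableWriteAPI` without the `isset()` guard or local default that the old code had. The diffstat lists only api.php and includes/WebStart.php, so both settings must already be defaulted by the configuration that WebStart.php loads; that is not visible here and should be confirmed. If they are not defaulted, an undefined value still evaluates as false, so the API and write API stay off, but with an undefined-variable notice and no stated intent. The removed "safe mode" comment was the only place recording that default-off is deliberate, so I would add a line above the check such as `// $wgEnableAPI and $wgEnableWriteAPI must default to false in the shared defaults; api.php no longer defaults them itself`.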
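Review bot: The cleanup loop in the WebStart.php hunk at -4,6 runs `unset( $GLOBALS[$name] )` for every request key and rejects only `GLOBALS`, so a request parameter named after a superglobal array such as `_SERVER` or `_COOKIE` would make the cleanup remove that array from the global scope. Reserved names should be refused before the `unset`, using a strict `in_array` so that numeric request keys never compare equal to a string. Separately, register_globals also registers upload fields from `$_FILES`, which `$_REQUEST` does not include, so those globals are probably not cleared here and are worth a follow-up. The `$_REQUEST['GLOBALS']` check used to run unconditionally and now sits inside the `ini_get( 'register_globals' )` branch, which deserves a comment explaining why the narrower scope is safe.

```php
if ( ini_get( 'register_globals' ) ) {
	// … unchanged: $_REQUEST['GLOBALS'] check …
	// Globals the cleanup itself must never remove, whatever the request names
	$reserved = array( '_SERVER', '_GET', '_POST', '_COOKIE', '_FILES', '_ENV', '_REQUEST', '_SESSION' );
	foreach ( $_REQUEST as $name => $value ) {
		// Strict comparison: integer keys must not loosely match a string entry
		if ( in_array( $name, $reserved, true ) ) {
			die( 'register_globals: reserved variable name in request' );
		}
		unset( $GLOBALS[$name] );
	}
}
```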