Active protection against register_globals vulnerabilities. Unset all globals which...

diff --git a/api.php b/api.php
index fd56db4..63802c5 100644 (file)
--- a/api.php
+++ b/api.php
@@ -22,7 +22,8 @@
 * http://www.gnu.org/copyleft/gpl.html
 */
 
-$wgApiStartTime = microtime(true);
+// Initialise common code
+require (dirname(__FILE__) . '/includes/WebStart.php');
 
 /**
  * When no format parameter is given, this format will be used
@@ -88,15 +89,10 @@ $wgApiFormats = array (
        'yamlfm' => 'ApiFormatYaml'
 );
 
-// Initialise common code
-require (dirname(__FILE__) . '/includes/WebStart.php');
 wfProfileIn('api.php');
 
 // Verify that the API has not been disabled
-// The next line should be 
-//      if (isset ($wgEnableAPI) && !$wgEnableAPI) {
-// but will be in a safe mode until api is stabler
-if (!isset ($wgEnableAPI) || !$wgEnableAPI) {
+if (!$wgEnableAPI) {
        echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';
        echo '<pre><b>$wgEnableAPI=true;</b></pre>';
        die(-1);
@@ -104,13 +100,9 @@ if (!isset ($wgEnableAPI) || !$wgEnableAPI) {
 
 $wgAutoloadClasses = array_merge($wgAutoloadClasses, $wgApiAutoloadClasses);
 
-if (!isset($wgEnableWriteAPI))
-       $wgEnableWriteAPI = false;      // This should be 'true' later, once the api is stable. 
-       
-$processor = new ApiMain($wgApiStartTime, $wgApiModules, $wgApiFormats, $wgEnableWriteAPI);
+$processor = new ApiMain($wgRequestTime, $wgApiModules, $wgApiFormats, $wgEnableWriteAPI);
 $processor->execute();
 
 wfProfileOut('api.php');
 wfLogProfilingData();
-exit; // Done!
 ?>

diff --git a/includes/WebStart.php b/includes/WebStart.php
index fc6d969..9e45714 100644 (file)
--- a/includes/WebStart.php
+++ b/includes/WebStart.php
@@ -4,6 +4,17 @@
 # starts the profiler and loads the configuration, and optionally loads 
 # Setup.php depending on whether MW_NO_SETUP is defined.
 
+# Protect against register_globals
+# This must be done before any globals are set by the code
+if ( ini_get( 'register_globals' ) ) {
+       if ( isset( $_REQUEST['GLOBALS'] ) ) {
+               die( '<a href="http://www.hardened-php.net/index.76.html">$GLOBALS overwrite vulnerability</a>');
+       }
+       foreach ( $_REQUEST as $name => $value ) {
+               unset( $GLOBALS[$name] );
+       }
+}
+
 $wgRequestTime = microtime(true);
 # getrusage() does not exist on the Microsoft Windows platforms, catching this
 if ( function_exists ( 'getrusage' ) ) {
@@ -14,10 +25,6 @@ if ( function_exists ( 'getrusage' ) ) {
 unset( $IP );
 @ini_set( 'allow_url_fopen', 0 ); # For security
 
-if ( isset( $_REQUEST['GLOBALS'] ) ) {
-       die( '<a href="http://www.hardened-php.net/index.76.html">$GLOBALS overwrite vulnerability</a>');
-}
-
 # Valid web server entry point, enable includes.
 # Please don't move this line to includes/Defines.php. This line essentially
 # defines a valid entry point. If you put it in includes/Defines.php, then