From 5a4a33a8ff7241c4b4e12c169195080c1fe417ee Mon Sep 17 00:00:00 2001
From: Chad Horohoe
Date: Wed, 9 Jul 2014 08:36:55 -0700
Subject: [PATCH] Remove support for magic_quotes_gpc
This "feature" of PHP has been disabled by default for quite some time, deprecated in 5.3 and removed entirely in 5.4. See for information on why this practice is bad and how to disable it. For MediaWiki, the removed todo comment says it all. Doing this messes with all of the super globals and makes embedding MediaWiki inside another application problematic. It also increases our memory footprint for every single request even when the data might not be used. Finally, it makes it possible to instantiate new WebRequest objects pretty much whenever you want, so there's no reason for $wgRequest to exist anymore.
Bug: 11558
Change-Id: I4bc0392276f454ceb966547c7fbd7c8190ebbc7c
---
 RELEASE-NOTES-1.24 | 2 ++
 includes/WebRequest.php | 56 +++----------------------------
 includes/installer/Installer.php | 29 +++++------------
 includes/installer/i18n/en.json | 1 +
 includes/installer/i18n/qqq.json | 1 +
 5 files changed, 17 insertions(+), 72 deletions(-)
diff --git a/RELEASE-NOTES-1.24 b/RELEASE-NOTES-1.24
index 6d13c91576..5abb457299 100644
--- a/RELEASE-NOTES-1.24
+++ b/RELEASE-NOTES-1.24
@@ -15,6 +15,8 @@ production. * MediaWiki now requires PHP's iconv extension. openSUSE users may need to install the php5-iconv package. Users of other systems may need to add extension=iconv.so to php.ini or recompile PHP without --without-iconv. +* MediaWiki will no longer function if magic quotes are enabled. It has + been deprecated for 5 years now, and was removed in PHP 5.4. * The server's canonical hostname is available as $wgServerName, which is exposed in both mw.config and ApiQuerySiteInfo. * Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch,
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index ce9fecd692..4e5fb7a01d 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -25,8 +25,8 @@
 
 /**
 * The WebRequest class encapsulates getting at data passed in the
- * URL or via a POSTed form, handling remove of "magic quotes" slashes,
- * stripping illegal input characters and normalizing Unicode sequences.
+ * URL or via a POSTed form stripping illegal input characters and
+ * normalizing Unicode sequences.
 *
 * Usually this is used via a global singleton, $wgRequest. You should
 * not create a second WebRequest object; make a FauxRequest object if
@@ -57,10 +57,9 @@ class WebRequest {
 protected $protocol;
 
 public function __construct() {
- /// @todo FIXME: This preemptive de-quoting can interfere with other web libraries
- /// and increases our memory footprint. It would be cleaner to do on
- /// demand; but currently we have no wrapper for $_SERVER etc.
- $this->checkMagicQuotes();
+ if ( function_exists( 'get_magic_quotes_gpc' ) && get_magic_quotes_gpc() ) {
+ throw new MWException( "MediaWiki does not function when magic quotes are enabled." );
+ }
 
 // POST overrides GET data
 // We don't use $_REQUEST here to avoid interference from cookies...
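Review bot: The class docblock in the first hunk still says WebRequest "is used via a global singleton, $wgRequest" and that callers "should not create a second WebRequest object", which contradicts the commit message's own point that, with the superglobal rewriting gone, new WebRequest objects can be created freely and $wgRequest has no reason to remain; that paragraph should be updated in the same change, e.g. `* Creating more than one WebRequest is now safe; $wgRequest remains only for callers that still expect it.` (if that matches the intent). The new guard in __construct is sound: the `function_exists` test keeps it from fataling on a PHP build without get_magic_quotes_gpc(), and throwing rather than continuing is the right failure mode, since magic-quoted input would otherwise reach every consumer with extra backslashes. The installer performs the equivalent check through wfIniGetBool( 'magic_quotes_gpc' ) in Installer.php, so a one-line comment at the guard naming that check would help keep the two in step. The body of __construct continues beyond the end of the hunk.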
@@ -271,51 +270,6 @@ class WebRequest {
 return array();
 }
 
- /**
- * Recursively strips slashes from the given array;
- * used for undoing the evil that is magic_quotes_gpc.
- *
- * @param array $arr will be modified
- * @param bool $topLevel Specifies if the array passed is from the top
- level of the source. In PHP5 magic_quotes only escapes the first level
- of keys that belong to an array.
- * @return array The original array
- * @see http://www.php.net/manual/en/function.get-magic-quotes-gpc.php#49612
- */
- private function &fix_magic_quotes( &$arr, $topLevel = true ) {
- $clean = array();
- foreach ( $arr as $key => $val ) {
- if ( is_array( $val ) ) {
- $cleanKey = $topLevel ? stripslashes( $key ) : $key;
- $clean[$cleanKey] = $this->fix_magic_quotes( $arr[$key], false );
- } else {
- $cleanKey = stripslashes( $key );
- $clean[$cleanKey] = stripslashes( $val );
- }
- }
- $arr = $clean;
- return $arr;
- }
-
- /**
- * If magic_quotes_gpc option is on, run the global arrays
- * through fix_magic_quotes to strip out the stupid slashes.
- * WARNING: This should only be done once! Running a second
- * time could damage the values.
- */
- private function checkMagicQuotes() {
- $mustFixQuotes = function_exists( 'get_magic_quotes_gpc' )
- && get_magic_quotes_gpc();
- if ( $mustFixQuotes ) {
- $this->fix_magic_quotes( $_COOKIE );
- $this->fix_magic_quotes( $_ENV );
- $this->fix_magic_quotes( $_GET );
- $this->fix_magic_quotes( $_POST );
- $this->fix_magic_quotes( $_REQUEST );
- $this->fix_magic_quotes( $_SERVER );
- }
- }
-
 /**
 * Recursively normalizes UTF-8 strings in the given array.
 *
diff --git a/includes/installer/Installer.php b/includes/installer/Installer.php
index 1fdd6fb4f8..0294c4281e 100644
--- a/includes/installer/Installer.php
+++ b/includes/installer/Installer.php
@@ -119,7 +119,6 @@ abstract class Installer {
 'envCheckRegisterGlobals',
 'envCheckBrokenXML',
 'envCheckMagicQuotes',
- 'envCheckMagicSybase',
 'envCheckMbstring',
 'envCheckSafeMode',
 'envCheckXML',
@@ -762,31 +761,19 @@ abstract class Installer {
 }
 
 /**
- * Environment check for magic_quotes_runtime.
+ * Environment check for magic_quotes_(gpc|runtime|sybase).
 * @return bool
 */
 protected function envCheckMagicQuotes() {
- if ( wfIniGetBool( "magic_quotes_runtime" ) ) {
- $this->showError( 'config-magic-quotes-runtime' );
-
- return false;
- }
-
- return true;
- }
-
- /**
- * Environment check for magic_quotes_sybase.
- * @return bool
- */
- protected function envCheckMagicSybase() {
- if ( wfIniGetBool( 'magic_quotes_sybase' ) ) {
- $this->showError( 'config-magic-quotes-sybase' );
-
- return false;
+ $status = true;
+ foreach ( array( 'gpc', 'runtime', 'sybase' ) as $magicJunk ) {
+ if ( wfIniGetBool( "magic_quotes_$magicJunk" ) ) {
+ $this->showError( "config-magic-quotes-$magicJunk" );
+ $status = false;
+ }
 }
 
- return true;
+ return $status;
 }
 
 /**
diff --git a/includes/installer/i18n/en.json b/includes/installer/i18n/en.json
index da8117b3c2..bd76ada1cd 100644
--- a/includes/installer/i18n/en.json
+++ b/includes/installer/i18n/en.json
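Review bot: In the new envCheckMagicQuotes body the message key is assembled at runtime as `"config-magic-quotes-$magicJunk"` inside the loop, so the three keys this patch adds to en.json and qqq.json no longer appear literally anywhere in PHP and a grep for their use site comes up empty. A comment above the loop avoids that: `// Message keys used: config-magic-quotes-gpc, config-magic-quotes-runtime, config-magic-quotes-sybase`. The loop variable would also read better as `$setting` or `$option` than `$magicJunk`, which names the author's opinion rather than the value. Collecting all three failures into `$status` before returning, instead of stopping at the first as the removed per-setting checks did, is a small improvement worth keeping, since an administrator then sees every offending ini setting in one pass.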
@@ -52,6 +52,7 @@
 "config-outdated-sqlite": "Warning: you have SQLite $1, which is lower than minimum required version $2. SQLite will be unavailable.",
 "config-no-fts3": "Warning: SQLite is compiled without the [//sqlite.org/fts3.html FTS3 module], search features will be unavailable on this backend.",
 "config-register-globals-error": "Error: PHP's [http://php.net/register_globals register_globals] option is enabled.\nIt must be disabled to continue with the installation.\nSee [https://www.mediawiki.org/wiki/register_globals https://www.mediawiki.org/wiki/register_globals] for help on how to do so.",
+ "config-magic-quotes-gpc": "Fatal: [http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc magic_quotes_gpc] is active!\nThis option corrupts data input unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
 "config-magic-quotes-runtime": "Fatal: [http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime magic_quotes_runtime] is active!'\nThis option corrupts data input unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
 "config-magic-quotes-sybase": "Fatal: [http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-sybase magic_quotes_sybase] is active!\nThis option corrupts data input unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
 "config-mbstring": "Fatal: [http://www.php.net/manual/en/ref.mbstring.php#mbstring.overload mbstring.func_overload] is active!\nThis option causes errors and may corrupt data unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
diff --git a/includes/installer/i18n/qqq.json b/includes/installer/i18n/qqq.json
index 1ea0e634fb..0735574d64 100644
--- a/includes/installer/i18n/qqq.json
+++ b/includes/installer/i18n/qqq.json
@@ -70,6 +70,7 @@
 "config-outdated-sqlite": "Used as warning. Parameters:\n* $1 - the version of SQLite that has been installed\n* $2 - minimum version",
 "config-no-fts3": "A \"[[:wikipedia:Front and back ends|backend]]\" is a system or component that ordinary users don't interact with directly and don't need to know about, and that is responsible for a distinct task or service - for example, a storage back-end is a generic system for storing data which other applications can use. Possible alternatives for back-end are \"system\" or \"service\", or (depending on context and language) even leave it untranslated.",
 "config-register-globals-error": "Error message in the MediaWiki installer environment checks.",
+ "config-magic-quotes-gpc": "{{Related|Config-fatal}}",
 "config-magic-quotes-runtime": "{{Related|Config-fatal}}",
 "config-magic-quotes-sybase": "{{Related|Config-fatal}}",
 "config-mbstring": "{{Related|Config-fatal}}",
-- 
2.20.1