From 56047c36cb183311fe0a3940d5c6100536d68ffc Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Tue, 8 Jul 2014 15:46:36 -0700
Subject: [PATCH] No longer support installs where register_globals is enabled
register_globals has been deprecated since PHP 5.3, which was released 5 years ago. There's absolutely no reason anyone should have this turned on, and if they do, well, they probably have bigger issues than this. Due to changes in WebStart.php, the web installer will now fail to start, just showing an error message stating that register_globals must be disabled beforehand. The command-line installer will display the "config-register-globals-error" message before exiting.
Change-Id: If951d15293c5f6aa8a92e91fefcb00f04e6c13b3
---
 RELEASE-NOTES-1.24 | 8 ++++---
 includes/WebStart.php | 37 ++++----------------------
 includes/installer/Installer.php | 6 +++++-
 includes/installer/i18n/en.json | 2 +-
 includes/installer/i18n/qqq.json | 2 +-
 5 files changed, 16 insertions(+), 39 deletions(-)
diff --git a/RELEASE-NOTES-1.24 b/RELEASE-NOTES-1.24
index ed1b02e31a..bb003f1168 100644
--- a/RELEASE-NOTES-1.24
+++ b/RELEASE-NOTES-1.24
@@ -1,6 +1,5 @@
-Security reminder: If you have PHP's register_globals option set, you should
-turn it off. Although MediaWiki will work with it enabled, it exposes your
-server to potential security vulnerabilities.
+Security reminder: If you have PHP's register_globals option set, you must
+turn it off. MediaWiki will no longer work with it enabled.
 == MediaWiki 1.24 == 
@@ -10,6 +9,9 @@ MediaWiki 1.24 is an alpha-quality branch and is not recommended for use in production.
 === Configuration changes in 1.24 ===
+* MediaWiki will no longer run if register_globals is enabled. It has been
+ deprecated for 5 years now, and was removed in PHP 5.4. For more information
+ about why, see .
 * The server's canonical hostname is available as $wgServerName, which is exposed in both mw.config and ApiQuerySiteInfo.
 * Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch,
diff --git a/includes/WebStart.php b/includes/WebStart.php
index 09f01c008b..71454f0456 100644
--- a/includes/WebStart.php
+++ b/includes/WebStart.php
@@ -26,41 +26,12 @@
 * @file
 */
-# Protect against register_globals
+# Die if register_globals is enabled (PHP <=5.3)
 # This must be done before any globals are set by the code
 if ( ini_get( 'register_globals' ) ) {
- if ( isset( $_REQUEST['GLOBALS'] ) || isset( $_FILES['GLOBALS'] ) ) {
- die( ''
- . '$GLOBALS overwrite vulnerability' );
- }
-
- $verboten = array(
- 'GLOBALS',
- '_SERVER',
- 'HTTP_SERVER_VARS',
- '_GET',
- 'HTTP_GET_VARS',
- '_POST',
- 'HTTP_POST_VARS',
- '_COOKIE',
- 'HTTP_COOKIE_VARS',
- '_FILES',
- 'HTTP_POST_FILES',
- '_ENV',
- 'HTTP_ENV_VARS',
- '_REQUEST',
- '_SESSION',
- 'HTTP_SESSION_VARS'
- );
-
- foreach ( $_REQUEST as $name => $value ) {
- if ( in_array( $name, $verboten ) ) {
- header( "HTTP/1.1 500 Internal Server Error" );
- echo "register_globals security paranoia: trying to overwrite superglobals, aborting.";
- die( -1 );
- }
- unset( $GLOBALS[$name] );
- }
+ die( 'MediaWiki does not support installations where register_globals is enabled. '
+ . 'Please see mediawiki.org '
+ . 'for help on how to disable it.' );
 }
 # bug 15461: Make IE8 turn off content sniffing. Everybody else should ignore this
diff --git a/includes/installer/Installer.php b/includes/installer/Installer.php
index 540b647dac..c84128c584 100644
--- a/includes/installer/Installer.php
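Review bot: The new `die()` inside `if ( ini_get( 'register_globals' ) )` goes out with PHP's default response status (normally 200), whereas the superglobal-overwrite branch it replaces sent `header( "HTTP/1.1 500 Internal Server Error" )` before dying. A misconfigured host will therefore answer every request with a 200 and one explanatory sentence, which looks healthy to load balancers, uptime probes and crawlers; I would add `header( 'HTTP/1.1 500 Internal Server Error' );` as the line immediately before the `die(`. The `(PHP <=5.3)` remark in the new comment is accurate since the directive was removed in 5.4, and on newer PHP `ini_get()` returns false for the unknown directive, so the guard is a harmless no-op there and is fine left unconditional. Dropping the per-request `unset( $GLOBALS[$name] )` mitigation in favour of a hard failure is the right call, provided every web entry point still passes through WebStart.php, which cannot be confirmed from this hunk.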
+++ b/includes/installer/Installer.php
@@ -726,11 +726,15 @@ abstract class Installer {
 /**
 * Environment check for register_globals.
+ * Prevent installation if enabled
 */
 protected function envCheckRegisterGlobals() {
 if ( wfIniGetBool( 'register_globals' ) ) {
- $this->showMessage( 'config-register-globals' );
+ $this->showMessage( 'config-register-globals-error' );
+ return false;
 }
+
+ return true;
 }
 /**
diff --git a/includes/installer/i18n/en.json b/includes/installer/i18n/en.json
index b19bdc0c6a..0d1f90e679 100644
--- a/includes/installer/i18n/en.json
+++ b/includes/installer/i18n/en.json
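Review bot: `envCheckRegisterGlobals()` now returns `false` to block installation, but the docblock only gained `Prevent installation if enabled` and no `@return` tag, so the contract is invisible from the signature. I would extend the comment with ` * @return bool False when register_globals is on (the error message has been shown and installation must stop), true otherwise`. Whether a `false` return actually aborts the environment-check pass depends on the caller, which lies outside this hunk; the commit message says it does for both installers, so that is worth confirming rather than assumed from this change alone. For consistency with the other blocking checks, note that the neighbouring magic_quotes and mbstring messages in en.json are labelled "Fatal:" and grouped under `{{Related|Config-fatal}}` in qqq.json, while the new `config-register-globals-error` text says "Error:" and is documented on its own; aligning it with the fatal group would tell translators it is now a hard stop.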
@@ -52,7 +52,7 @@
 "config-no-db": "Could not find a suitable database driver! You need to install a database driver for PHP.\nThe following database types are supported: $1.\n\nIf you compiled PHP yourself, reconfigure it with a database client enabled, for example, using ./configure --with-mysqli.\nIf you installed PHP from a Debian or Ubuntu package, then you also need to install, for example, the php5-mysql package.",
 "config-outdated-sqlite": "Warning: you have SQLite $1, which is lower than minimum required version $2. SQLite will be unavailable.",
 "config-no-fts3": "Warning: SQLite is compiled without the [//sqlite.org/fts3.html FTS3 module], search features will be unavailable on this backend.",
- "config-register-globals": "Warning: PHP's [http://php.net/register_globals register_globals] option is enabled.\nDisable it if you can.\nMediaWiki will work, but your server is exposed to potential security vulnerabilities.",
+ "config-register-globals-error": "Error: PHP's [http://php.net/register_globals register_globals] option is enabled.\nIt must be disabled to continue with installation.\nSee [https://www.mediawiki.org/wiki/register_globals https://www.mediawiki.org/wiki/register_globals] for help on how to do so.",
 "config-magic-quotes-runtime": "Fatal: [http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime magic_quotes_runtime] is active!'\nThis option corrupts data input unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
 "config-magic-quotes-sybase": "Fatal: [http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-sybase magic_quotes_sybase] is active!\nThis option corrupts data input unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
 "config-mbstring": "Fatal: [http://www.php.net/manual/en/ref.mbstring.php#mbstring.overload mbstring.func_overload] is active!\nThis option causes errors and may corrupt data unpredictably.\nYou cannot install or use MediaWiki unless this 
option is disabled.",
diff --git a/includes/installer/i18n/qqq.json b/includes/installer/i18n/qqq.json
index 3a160793a3..b57ebf9f4f 100644
--- a/includes/installer/i18n/qqq.json
+++ b/includes/installer/i18n/qqq.json
@@ -70,7 +70,7 @@
 "config-no-db": "{{doc-important|Do not translate \"./configure --with-mysqli\" and \"php5-mysql\".}}\nParameters:\n* $1 is comma separated list of database types supported by MediaWiki.",
 "config-outdated-sqlite": "Used as warning. Parameters:\n* $1 - the version of SQLite that has been installed\n* $2 - minimum version",
 "config-no-fts3": "A \"[[:wikipedia:Front and back ends|backend]]\" is a system or component that ordinary users don't interact with directly and don't need to know about, and that is responsible for a distinct task or service - for example, a storage back-end is a generic system for storing data which other applications can use. Possible alternatives for back-end are \"system\" or \"service\", or (depending on context and language) even leave it untranslated.",
- "config-register-globals": "Status message in the MediaWiki installer environment checks.",
+ "config-register-globals-error": "Error message in the MediaWiki installer environment checks.",
 "config-magic-quotes-runtime": "{{Related|Config-fatal}}",
 "config-magic-quotes-sybase": "{{Related|Config-fatal}}",
 "config-mbstring": "{{Related|Config-fatal}}",
-- 
2.20.1