includes/WebStart.php

   1 <?php
   2
   3 # This does the initial setup for a web request. It does some security checks,
   4 # starts the profiler and loads the configuration, and optionally loads
   5 # Setup.php depending on whether MW_NO_SETUP is defined.
   6
   7 # Protect against register_globals
   8 # This must be done before any globals are set by the code
   9 if ( ini_get( 'register_globals' ) ) {
  10         if ( isset( $_REQUEST['GLOBALS'] ) ) {
  11                 die( '<a href="http://www.hardened-php.net/index.76.html">$GLOBALS overwrite vulnerability</a>');
  12         }
  13         $verboten = array(
  14                 'GLOBALS',
  15                 '_SERVER',
  16                 'HTTP_SERVER_VARS',
  17                 '_GET',
  18                 'HTTP_GET_VARS',
  19                 '_POST',
  20                 'HTTP_POST_VARS',
  21                 '_COOKIE',
  22                 'HTTP_COOKIE_VARS',
  23                 '_FILES',
  24                 'HTTP_POST_FILES',
  25                 '_ENV',
  26                 'HTTP_ENV_VARS',
  27                 '_REQUEST',
  28                 '_SESSION',
  29                 'HTTP_SESSION_VARS'
  30         );
  31         foreach ( $_REQUEST as $name => $value ) {
  32                 if( in_array( $name, $verboten ) ) {
  33                         header( "HTTP/1.x 500 Internal Server Error" );
  34                         echo "register_globals security paranoia: trying to overwrite superglobals, aborting.";
  35                         die( -1 );
  36                 }
  37                 unset( $GLOBALS[$name] );
  38         }
  39 }
  40
  41 $wgRequestTime = microtime(true);
  42 # getrusage() does not exist on the Microsoft Windows platforms, catching this
  43 if ( function_exists ( 'getrusage' ) ) {
  44         $wgRUstart = getrusage();
  45 } else {
  46         $wgRUstart = array();
  47 }
  48 unset( $IP );
  49
  50 # Valid web server entry point, enable includes.
  51 # Please don't move this line to includes/Defines.php. This line essentially
  52 # defines a valid entry point. If you put it in includes/Defines.php, then
  53 # any script that includes it becomes an entry point, thereby defeating
  54 # its purpose.
  55 define( 'MEDIAWIKI', true );
  56
  57 # Full path to working directory.
  58 # Makes it possible to for example to have effective exclude path in apc.
  59 # Also doesn't break installations using symlinked includes, like
  60 # dirname( __FILE__ ) would do.
  61 $IP = getenv( 'MW_INSTALL_PATH' );
  62 if ( $IP === false ) {
  63         $IP = realpath( '.' );
  64 }
  65
  66
  67 # Start profiler
  68 require_once( "$IP/StartProfiler.php" );
  69 wfProfileIn( 'WebStart.php-conf' );
  70
  71 # Load up some global defines.
  72 require_once( "$IP/includes/Defines.php" );
  73
  74 # Check for PHP 5
  75 if ( !function_exists( 'version_compare' )
  76         || version_compare( phpversion(), '5.0.0' ) < 0
  77 ) {
  78         define( 'MW_PHP4', '1' );
  79         require( "$IP/includes/DefaultSettings.php" );
  80         require( "$IP/includes/templates/PHP4.php" );
  81         exit;
  82 }
  83
  84 # Test for PHP bug which breaks PHP 5.0.x on 64-bit...
  85 # As of 1.8 this breaks lots of common operations instead
  86 # of just some rare ones like export.
  87 $borked = str_replace( 'a', 'b', array( -1 => -1 ) );
  88 if( !isset( $borked[-1] ) ) {
  89         echo "PHP 5.0.x is buggy on your 64-bit system; you must upgrade to PHP 5.1.x\n" .
  90              "or higher. ABORTING. (http://bugs.php.net/bug.php?id=34879 for details)\n";
  91         exit;
  92 }
  93
  94 # Start the autoloader, so that extensions can derive classes from core files
  95 require_once( "$IP/includes/AutoLoader.php" );
  96
  97 if ( defined( 'MW_CONFIG_CALLBACK' ) ) {
  98         # Use a callback function to configure MediaWiki
  99         require_once( "$IP/includes/DefaultSettings.php" );
 100         call_user_func( MW_CONFIG_CALLBACK );
 101 } else {
 102         # LocalSettings.php is the per site customization file. If it does not exit
 103         # the wiki installer need to be launched or the generated file moved from
 104         # ./config/ to ./
 105         if( !file_exists( "$IP/LocalSettings.php" ) ) {
 106                 require_once( "$IP/includes/DefaultSettings.php" ); # used for printing the version
 107                 require_once( "$IP/includes/templates/NoLocalSettings.php" );
 108                 die();
 109         }
 110
 111         # Include site settings. $IP may be changed (hopefully before the AutoLoader is invoked)
 112         require_once( "$IP/LocalSettings.php" );
 113 }
 114 wfProfileOut( 'WebStart.php-conf' );
 115
 116 wfProfileIn( 'WebStart.php-ob_start' );
 117 # Initialise output buffering
 118 if ( ob_get_level() ) {
 119         # Someone's been mixing configuration data with code!
 120         # How annoying.
 121 } elseif ( !defined( 'MW_NO_OUTPUT_BUFFER' ) ) {
 122         require_once( "$IP/includes/OutputHandler.php" );
 123         ob_start( 'wfOutputHandler' );
 124 }
 125 wfProfileOut( 'WebStart.php-ob_start' );
 126
 127 if ( !defined( 'MW_NO_SETUP' ) ) {
 128         require_once( "$IP/includes/Setup.php" );
 129 }