From: Platonides Date: Mon, 25 Feb 2013 15:07:43 +0000 (+0100) Subject: (Bug 45355) Read of arbitrary files through mwdoc-filter.php X-Git-Tag: 1.31.0-rc.0~20490^2 X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/comptes/journal.php?a=commitdiff_plain;h=892329cfba8569586ee7bb81d7964a60ca1a12a2;p=lhc%2Fweb%2Fwiklou.git (Bug 45355) Read of arbitrary files through mwdoc-filter.php The file maintenance/mwdoc-filter.php can be abused under certain server configurations to read the contents of arbitrary files. In case you - you have deleted the maintenance folder or - you have that folder denied in the server configuration or - the server is processing .htaccess overrides or - you are using PHP 5.4.0 (or later) or - you have register_globals disabled it is believed that you are not vulnerable. See https://bugzilla.wikimedia.org/45355 for details. Change-Id: I3c49439b25896a6100ce415629353bccfc84490a --- diff --git a/maintenance/mwdoc-filter.php b/maintenance/mwdoc-filter.php index ab05a3e24c..6eeb48d38c 100644 --- a/maintenance/mwdoc-filter.php +++ b/maintenance/mwdoc-filter.php @@ -11,6 +11,10 @@ * @file */ +if ( PHP_SAPI != 'cli' ) { + die( "This filter can only be run from the command line.\n" ); +} + $source = file_get_contents( $argv[1] ); $regexp = '#\@var\s+([^\s]+)([^/]+)/\s+(var|public|protected|private)\s+(\$[^\s;=]+)#'; $replac = '${2} */ ${3} ${1} ${4}';
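Review bot: The guard added at the top of maintenance/mwdoc-filter.php compares with `PHP_SAPI != 'cli'`; a strict `PHP_SAPI !== 'cli'` states the intent exactly and avoids relying on loose string comparison in a security check. The unchanged context line `$source = file_get_contents( $argv[1] );` still uses `$argv[1]` without checking that an argument was supplied, so a command-line run with no file name reaches file_get_contents() with an undefined index. Consider adding an `isset( $argv[1] )` check with a short usage message directly after the SAPI guard. A one-line comment above the guard pointing to Bug 45355 would also record why the script refuses non-CLI requests, since the reason is otherwise only in the commit message.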