r41791 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r41790‎ \| r41791 \| r41792 >
Date:	01:10, 7 October 2008
Author:	brion
Status:	old
Tags:
Comment:	Cleanup for r41713 PHP 4 warning page: * Avoid register_globals XSS vulns hitting the template directly * Avoid register_globals XSS vulns when using funny URLs * Avoid horrible links when using funny URLs :) * Swapped REQUEST_URI for SCRIPT_NAME as primary in path check, since SCRIPT_NAME doesn't include the PATH_INFO bits so will work when hitting a URL like index.php/Foo/Bar, or hopefully a rewrite? * Don't spew errors if the file_get_contents() fails * Don't FATAL out if file_get_contents() doesn't exist -- new in 4.3.0 :) * Add a link to PHP download page
Modified paths:	/trunk/phase3/includes/templates/PHP4.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/templates/PHP4.php
—	—	@@ -4,11 +4,16 @@
5	5	* @ingroup Templates
6	6	*/
7	7
8		~~-if( isset( $_SERVER['REQUEST_URI'] ) ) {~~
9		~~- $scriptUrl = $_SERVER['REQUEST_URI'];~~
10		~~-} elseif( isset( $_SERVER['SCRIPT_NAME'] ) ) {~~
	8	+if( !defined( 'MW_PHP4' ) ) {
	9	+ die( "Not an entry point.");
	10	+}
	11	+
	12	+if( isset( $_SERVER['SCRIPT_NAME'] ) ) {
11	13	// Probably IIS; doesn't set REQUEST_URI
12	14	$scriptUrl = $_SERVER['SCRIPT_NAME'];
	15	+} elseif( isset( $_SERVER['REQUEST_URI'] ) ) {
	16	+ // We're trying SCRIPT_NAME first because it won't include PATH_INFO... hopefully
	17	+ $scriptUrl = $_SERVER['REQUEST_URI'];
13	18	} else {
14	19	$scriptUrl = '';
15	20	}
—	—	@@ -17,7 +22,7 @@
18	23	} elseif ( preg_match( '!^(.)/[^/].php$!', $scriptUrl, $m ) ) {
19	24	$baseUrl = $m[1];
20	25	} else {
21		~~- $baseUrl = dirname( $baseUrl );~~
	26	+ $baseUrl = dirname( $scriptUrl );
22	27	}
23	28
24	29	?>
—	—	@@ -62,8 +67,15 @@
63	68	$downloadOther = true;
64	69	if ( $baseUrl ) {
65	70	$testUrl = "$wgServer$baseUrl/php5.php5";
66		~~- ini_set( 'allow_url_fopen', '1' );~~
67		~~- $s = file_get_contents( $testUrl );~~
	71	+ if( function_exists( 'file_get_contents' ) ) {
	72	+ $errorLevel = error_reporting();
	73	+ error_reporting( $errorLevel & !E_WARNING );
	74	+
	75	+ ini_set( 'allow_url_fopen', '1' );
	76	+ $s = file_get_contents( $testUrl );
	77	+
	78	+ error_reporting( $errorLevel );
	79	+ }
68	80
69	81	if ( strpos( $s, 'yes' ) !== false ) {
70	82	$encUrl = htmlspecialchars( str_replace( '.php', '.php5', $scriptUrl ) );
—	—	@@ -73,8 +85,9 @@
74	86	}
75	87	if ( $downloadOther ) {
76	88	?>
77		~~-<p>Please consider upgrading your copy of PHP. PHP 4 is at the end of its~~
78		~~-lifecycle and will not receive further security updates.</p>~~
	89	+<p>Please consider
	90	+<a href="http://www.php.net/downloads.php">upgrading your copy of PHP</a>.
	91	+PHP 4 is at the end of its lifecycle and will not receive further security updates.</p>
79	92	<p>If for some reason you really really need to run MediaWiki on PHP 4, you will need to
80	93	<a href="http://www.mediawiki.org/wiki/Download">download version 1.6.x</a>
81	94	from our website. </p>

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r41713	* Allow $wgDiff3=false...	tstarling	00:45, 6 October 2008

Status & tagging log

09:08, 18 January 2012 Siebrand (talk | contribs) changed the tags for r41791 [removed: security]
08:37, 18 January 2012 Siebrand (talk | contribs) changed the tags for r41791 [removed: cleanup]
01:11, 18 January 2012 Siebrand (talk | contribs) changed the tags for r41791 [removed: php4]
15:32, 12 September 2011 Meno25 (talk | contribs) changed the status of r41791 [removed: ok added: old]