* Moved the main ob_start() from the default LocalSettings.php to WebStart.php.

The ob_start() section should preferably be removed from older 
  LocalSettings.php files.
* Give Content-Length header for HTTP/1.0 clients.
* Partial support for Flash cross-domain-policy filtering. Text entry points should be protected, but uploads are not.

RELEASE-NOTES

@@ -197,6 +197,11 @@ lighter making things easier to read.
 * Sort log types in Special:Log
 * Added a classname ("mw-toolbar-editbutton") and unique IDs to the edit
   toolbar buttons
+* Moved the main ob_start() from the default LocalSettings.php to WebStart.php. 
+  The ob_start() section should preferably be removed from older 
+  LocalSettings.php files.
+* Give Content-Length header for HTTP/1.0 clients.
+* Partial support for Flash cross-domain-policy filtering. 
 
 
 == Languages updated ==

config/index.php

@@ -245,7 +245,7 @@ class ConfigData {
 <?php
 $endl = "
 ";
-$wgNoOutputBuffer = true;
+define( 'MW_NO_OUTPUT_BUFFER', 1 );
 $conf = new ConfigData;
 
 install_version_checks();
@@ -390,13 +390,6 @@ if( empty( $memlimit ) || $memlimit == -1 ) {
 	print "</li>\n";
 }
 
-$conf->zlib = function_exists( "gzencode" );
-if( $conf->zlib ) {
-	print "<li>Have zlib support; enabling output compression.</li>\n";
-} else {
-	print "<li>No zlib support.</li>\n";
-}
-
 $conf->turck = function_exists( 'mmcache_get' );
 if ( $conf->turck ) {
 	print "<li><a href=\"http://turck-mmcache.sourceforge.net/\">Turck MMCache</a> installed</li>\n";
@@ -1286,7 +1279,6 @@ function escapePhpString( $string ) {
 function writeLocalSettings( $conf ) {
 	$conf->UseImageResize = $conf->UseImageResize ? 'true' : 'false';
 	$conf->PasswordSender = $conf->EmergencyContact;
-	$zlib = ($conf->zlib ? "" : "# ");
 	$magic = ($conf->ImageMagick ? "" : "# ");
 	$convert = ($conf->ImageMagick ? $conf->ImageMagick : "/usr/bin/convert" );
 	$rights = ($conf->RightsUrl) ? "" : "# ";
@@ -1381,10 +1373,9 @@ if ( \$wgCommandLineMode ) {
 	if ( isset( \$_SERVER ) && array_key_exists( 'REQUEST_METHOD', \$_SERVER ) ) {
 		die( \"This script must be run from the command line\\n\" );
 	}
-} elseif ( empty( \$wgNoOutputBuffer ) ) {
-	## Compress output if the browser supports it
-	{$zlib}if( !ini_get( 'zlib.output_compression' ) ) @ob_start( 'ob_gzhandler' );
 }
+## Uncomment this to disable output compression
+# \$wgDisableOutputCompression = true;
 
 \$wgSitename         = \"{$slconf['Sitename']}\";
 

img_auth.php

@@ -7,6 +7,7 @@
  * to an array of pages you want everyone to be able to access. Your server must
  * support PATH_INFO, CGI-based configurations generally don't.
  */
+define( 'MW_NO_OUTPUT_COMPRESSION', 1 );
 require_once( './includes/WebStart.php' );
 wfProfileIn( 'img_auth.php' );
 require_once( './includes/StreamFile.php' );

includes/DefaultSettings.php

@@ -2464,4 +2464,9 @@ $wgDisableQueryPageUpdate = false;
  */
 $wgEnableCascadingProtection = true;
 
+/**
+ * Disable output compression (enabled by default if zlib is available)
+ */
+$wgDisableOutputCompression = false;
+
 ?>

includes/OutputHandler.php

@@ -0,0 +1,64 @@
+<?php
+
+/**
+ * Standard output handler for use with ob_start
+ */
+function wfOutputHandler( $s ) {
+	global $wgDisableOutputCompression;
+	$s = wfMangleFlashPolicy( $s );
+	if ( !ini_get( 'zlib.output_compression' ) ) {
+		if ( $wgDisableOutputCompression || !defined( 'MW_NO_OUTPUT_COMPRESSION' ) ) {
+			$s = wfGzipHandler( $s );
+		}
+		if ( !ini_get( 'output_handler' ) ) {
+			wfDoContentLength( strlen( $s ) );
+		}
+	}
+	return $s;
+}
+
+/**
+ * Handler that compresses data with gzip if allowed by the Accept header.
+ * Unlike ob_gzhandler, it works for HEAD requests too.
+ */
+function wfGzipHandler( $s ) {
+	if ( $s !== '' && function_exists( 'gzencode' ) && !headers_sent() ) {
+		$tokens = preg_split( '/[,; ]/', $_SERVER['HTTP_ACCEPT_ENCODING'] );
+		if ( in_array( 'gzip', $tokens ) ) {
+			header( 'Content-Encoding: gzip' );
+			$s = gzencode( $s, 3 );
+
+			# Set vary header if it hasn't been set already
+			$headers = headers_list();
+			$foundVary = false;
+			foreach ( $headers as $header ) {
+				if ( substr( $header, 0, 5 ) == 'Vary:' ) {
+					$foundVary == true;
+					break;
+				}
+			}
+			if ( !$foundVary ) {
+				header( 'Vary: Accept-Encoding' );
+			}
+		}
+	}
+	return $s;
+}
+
+/**
+ * Mangle flash policy tags which open up the site to XSS attacks.
+ */
+function wfMangleFlashPolicy( $s ) {
+	return preg_replace( '/\<\s*cross-domain-policy\s*\>/i', '<NOT-cross-domain-policy>', $s );
+}
+
+/**
+ * Add a Content-Length header if possible. This makes it cooperate with squid better.
+ */
+function wfDoContentLength( $length ) {
+	if ( !headers_sent() && $_SERVER['SERVER_PROTOCOL'] == 'HTTP/1.0' ) {
+		header( "Content-Length: $length" );
+	}
+}
+
+?>

includes/WebStart.php

@@ -85,6 +85,16 @@ if( !file_exists( './LocalSettings.php' ) ) {
 # Include this site setttings
 require_once( './LocalSettings.php' );
 wfProfileOut( 'WebStart.php-conf' );
+wfProfileIn( 'WebStart.php-ob_start' );
+
+# Initialise output buffering
+if ( ob_get_level() ) {
+	# Someone's been mixing configuration data with code!
+	# How annoying.
+} elseif ( !defined( 'MW_NO_OUTPUT_BUFFER' ) ) {
+	require_once( './includes/OutputHandler.php' );
+	ob_start( 'wfOutputHandler' );
+}
 
 if ( !defined( 'MW_NO_SETUP' ) ) {
 	require_once( './includes/Setup.php' );

thumb.php

@@ -5,6 +5,7 @@
  * If the file exists, we make do with abridged MediaWiki initialisation.
  */
 define( 'MW_NO_SETUP', 1 );
+define( 'MW_NO_OUTPUT_COMPRESSION', 1 );
 require_once( './includes/WebStart.php' );
 wfProfileIn( 'thumb.php' );
 wfProfileIn( 'thumb.php-start' );