resourceloader: Drop support for low Suhosin 'max_value_length' values
Move the default of 2000 to DefaultSettings.php, and promote the installer warning to a hard value. Recommend that the setting be disabled, or increased to 5000. Change-Id: Ifb0aadf8b52fd2d5c2a32f55e38eaa9c2600dfb5
parent
b0c56c7050
commit
3ac385a0c3
5 changed files with 17 additions and 29 deletions
|
|
@ -3760,19 +3760,16 @@ $wgIncludeLegacyJavaScript = false;
|
|||
$wgLegacyJavaScriptGlobals = true;
|
||||
|
||||
/**
|
||||
* If set to a positive number, ResourceLoader will not generate URLs whose
|
||||
* query string is more than this many characters long, and will instead use
|
||||
* multiple requests with shorter query strings. This degrades performance,
|
||||
* but may be needed if your web server has a low (less than, say 1024)
|
||||
* query string length limit or a low value for suhosin.get.max_value_length
|
||||
* that you can't increase.
|
||||
* ResourceLoader will not generate URLs whose query string is more than
|
||||
* this many characters long, and will instead use multiple requests with
|
||||
* shorter query strings. This degrades performance, but may be needed based
|
||||
* on the query string limit supported by your web server and/or your user's
|
||||
* web browsers.
|
||||
*
|
||||
* If set to a negative number, ResourceLoader will assume there is no query
|
||||
* string length limit.
|
||||
*
|
||||
* Defaults to a value based on php configuration.
|
||||
* @since 1.17
|
||||
* @var int
|
||||
*/
|
||||
$wgResourceLoaderMaxQueryLength = false;
|
||||
$wgResourceLoaderMaxQueryLength = 2000;
|
||||
|
||||
/**
|
||||
* If set to true, JavaScript modules loaded from wiki pages will be parsed
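Review bot: The rewritten docblock for `$wgResourceLoaderMaxQueryLength` appears to drop the paragraph on negative values and no longer says what `false` means. With the default now a plain `2000` and the normalising block removed elsewhere in this commit, a `LocalSettings.php` that still assigns `false` reaches ResourceLoader unchanged. If the consumer (not visible here) still accepts those values, keep a line such as `* A negative value disables the limit.`; otherwise state `* Must be a positive integer.` and call out the change in the release notes. Separately, "your user's web browsers" should read "your users' web browsers".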
|
||||
|
|
|
|||
|
|
@ -438,17 +438,6 @@ if ( $wgMetaNamespace === false ) {
|
|||
$wgMetaNamespace = str_replace( ' ', '_', $wgSitename );
|
||||
}
|
||||
|
||||
// Default value is 2000 or the suhosin limit if it is between 1 and 2000
|
||||
if ( $wgResourceLoaderMaxQueryLength === false ) {
|
||||
$suhosinMaxValueLength = (int)ini_get( 'suhosin.get.max_value_length' );
|
||||
if ( $suhosinMaxValueLength > 0 && $suhosinMaxValueLength < 2000 ) {
|
||||
$wgResourceLoaderMaxQueryLength = $suhosinMaxValueLength;
|
||||
} else {
|
||||
$wgResourceLoaderMaxQueryLength = 2000;
|
||||
}
|
||||
unset( $suhosinMaxValueLength );
|
||||
}
|
||||
|
||||
// Ensure the minimum chunk size is less than PHP upload limits or the maximum
|
||||
// upload size.
|
||||
$wgMinUploadChunkSize = min(
|
||||
|
|
|
|||
|
|
@ -1088,14 +1088,16 @@ abstract class Installer {
|
|||
|
||||
/**
|
||||
* Checks if suhosin.get.max_value_length is set, and if so generate
|
||||
* a warning because it decreases ResourceLoader performance.
|
||||
* a warning because it is incompatible with ResourceLoader.
|
||||
* @return bool
|
||||
*/
|
||||
protected function envCheckSuhosinMaxValueLength() {
|
||||
$maxValueLength = ini_get( 'suhosin.get.max_value_length' );
|
||||
if ( $maxValueLength > 0 && $maxValueLength < 1024 ) {
|
||||
// Only warn if the value is below the sane 1024
|
||||
$this->showMessage( 'config-suhosin-max-value-length', $maxValueLength );
|
||||
$currentValue = ini_get( 'suhosin.get.max_value_length' );
|
||||
$minRequired = 2000;
|
||||
$recommended = 5000;
|
||||
if ( $currentValue > 0 && $currentValue < $minRequired ) {
|
||||
$this->showError( 'config-suhosin-max-value-length', $currentValue, $minRequired, $recommended );
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
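Review bot: `$currentValue` holds the raw `ini_get()` result, a string or `false`, so the `> 0 && < $minRequired` test relies on loose numeric comparison. The fallback this commit removes cast the value with `(int)`, and the same cast here, `$currentValue = (int)ini_get( 'suhosin.get.max_value_length' );`, would keep both the comparison and the `$1` message parameter numeric. The docblock still says the method generates a warning, although it now calls `showError()` and returns false; `Checks if suhosin.get.max_value_length is below the minimum MediaWiki requires, and if so reports an error and fails the check.` would match the code. `$minRequired = 2000` duplicates the new default of `$wgResourceLoaderMaxQueryLength`, so a comment such as `// Keep in sync with the default of $wgResourceLoaderMaxQueryLength` would guard against drift. The method's closing brace lies outside the hunk.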
|
||||
|
|
|
|||
|
|
@ -78,7 +78,7 @@
|
|||
"config-uploads-not-safe": "<strong>Warning:</strong> Your default directory for uploads <code>$1</code> is vulnerable to arbitrary scripts execution.\nAlthough MediaWiki checks all uploaded files for security threats, it is highly recommended to [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Security#Upload_security close this security vulnerability] before enabling uploads.",
|
||||
"config-no-cli-uploads-check": "<strong>Warning:</strong> Your default directory for uploads (<code>$1</code>) is not checked for vulnerability\nto arbitrary script execution during the CLI install.",
|
||||
"config-brokenlibxml": "Your system has a combination of PHP and libxml2 versions that is buggy and can cause hidden data corruption in MediaWiki and other web applications.\nUpgrade to libxml2 2.7.3 or later ([https://bugs.php.net/bug.php?id=45996 bug filed with PHP]).\nInstallation aborted.",
|
||||
"config-suhosin-max-value-length": "Suhosin is installed and limits the GET parameter <code>length</code> to $1 bytes.\nMediaWiki's ResourceLoader component will work around this limit, but that will degrade performance.\nIf at all possible, you should set <code>suhosin.get.max_value_length</code> to 1024 or higher in <code>php.ini</code>, and set <code>$wgResourceLoaderMaxQueryLength</code> to the same value in <code>LocalSettings.php</code>.",
|
||||
"config-suhosin-max-value-length": "Suhosin is installed and limits the GET parameter <code>length</code> to $1 bytes.\nMediaWiki requires <code>suhosin.get.max_value_length</code> to be at least $2. Disable this setting, or increase this value to $3 in <code>php.ini</code>.",
|
||||
"config-using-32bit": "<strong>Warning:</strong> your system appears to be running with 32-bit integers. This is [https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:32-bit not advised].",
|
||||
"config-db-type": "Database type:",
|
||||
"config-db-host": "Database host:",
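Review bot: The new `config-suhosin-max-value-length` text offers "Disable this setting" before raising it, yet `suhosin.get.max_value_length` is a hardening limit set in `php.ini` and so usually covers every application on that PHP configuration, not only MediaWiki. Leading with the narrower change would be safer guidance for administrators, for example `Increase this value to $3 in <code>php.ini</code>, or disable this setting.` The installer now blocks on this check, so the text could also say that installation cannot continue, as the neighbouring `config-brokenlibxml` message does with "Installation aborted."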
|
||||
|
|
|
|||
|
|
@ -101,7 +101,7 @@
|
|||
"config-uploads-not-safe": "Used as a part of environment check result. Parameters:\n* $1 - name of directory for images: <code>$IP/images/</code>",
|
||||
"config-no-cli-uploads-check": "CLI = [[w:Command-line interface|command-line interface]] (i.e. the installer runs as a command-line script, not using HTML interface via an internet browser)",
|
||||
"config-brokenlibxml": "Status message in the MediaWiki installer environment checks.",
|
||||
"config-suhosin-max-value-length": "{{doc-important|Do not translate \"length\", \"suhosin.get.max_value_length\", \"php.ini\", \"$wgResourceLoaderMaxQueryLength\" and \"LocalSettings.php\".}}\nMessage shown when PHP parameter <code>suhosin.get.max_value_length</code> is between 0 and 1023 (that max value is hard set in MediaWiki software).",
|
||||
"config-suhosin-max-value-length": "{{doc-important|Do not translate \"length\", \"suhosin.get.max_value_length\", and \"php.ini\".}}\nThis error message is shown when PHP configuration <code>suhosin.get.max_value_length</code> is not high enough.\n\n* $1 - The current value\n* $2 - The minimum required value\n* $3 - The recommended value\n",
|
||||
"config-using-32bit": "Warning message shown when installing on a 32-bit system.",
|
||||
"config-db-type": "Field label in the MediaWiki installer followed by possible database types.",
|
||||
"config-db-host": "Used as label.\n\nAlso used in {{msg-mw|Config-missing-db-host}}.",
|
||||
|
|
|
|||