Active protection against register_globals vulnerabilities. Unset all globals which have been set by $_REQUEST, in WebStart.php. All entry points must assume that a user can unset any arbitrary global set before WebStart.php is invoked. This is not usually a problem since most entry points do not set globals before WebStart.php, Yuri's APIs apparently being the only exceptions.
This commit is contained in:
Tim Starling
parent
633ef7923c
commit
558487ceac
2 changed files with 15 additions and 16 deletions
16
api.php
16
api.php
|
|
@ -22,7 +22,8 @@
|
|||
* http://www.gnu.org/copyleft/gpl.html
|
||||
*/
|
||||
|
||||
$wgApiStartTime = microtime(true);
|
||||
// Initialise common code
|
||||
require (dirname(__FILE__) . '/includes/WebStart.php');
|
||||
|
||||
/**
|
||||
* When no format parameter is given, this format will be used
|
||||
|
|
@ -88,15 +89,10 @@ $wgApiFormats = array (
|
|||
'yamlfm' => 'ApiFormatYaml'
|
||||
);
|
||||
|
||||
// Initialise common code
|
||||
require (dirname(__FILE__) . '/includes/WebStart.php');
|
||||
wfProfileIn('api.php');
|
||||
|
||||
// Verify that the API has not been disabled
|
||||
// The next line should be
|
||||
// if (isset ($wgEnableAPI) && !$wgEnableAPI) {
|
||||
// but will be in a safe mode until api is stabler
|
||||
if (!isset ($wgEnableAPI) || !$wgEnableAPI) {
|
||||
if (!$wgEnableAPI) {
|
||||
echo 'MediaWiki API is not enabled for this site. Add the following line to your LocalSettings.php';
|
||||
echo '<pre><b>$wgEnableAPI=true;</b></pre>';
|
||||
die(-1);
|
||||
|
|
@ -104,13 +100,9 @@ if (!isset ($wgEnableAPI) || !$wgEnableAPI) {
|
|||
|
||||
$wgAutoloadClasses = array_merge($wgAutoloadClasses, $wgApiAutoloadClasses);
|
||||
|
||||
if (!isset($wgEnableWriteAPI))
|
||||
$wgEnableWriteAPI = false; // This should be 'true' later, once the api is stable.
|
||||
|
||||
$processor = new ApiMain($wgApiStartTime, $wgApiModules, $wgApiFormats, $wgEnableWriteAPI);
|
||||
$processor = new ApiMain($wgRequestTime, $wgApiModules, $wgApiFormats, $wgEnableWriteAPI);
|
||||
$processor->execute();
|
||||
|
||||
wfProfileOut('api.php');
|
||||
wfLogProfilingData();
|
||||
exit; // Done!
|
||||
?>
|
||||
|
|
|
|||
|
|
@ -4,6 +4,17 @@
|
|||
# starts the profiler and loads the configuration, and optionally loads
|
||||
# Setup.php depending on whether MW_NO_SETUP is defined.
|
||||
|
||||
# Protect against register_globals
|
||||
# This must be done before any globals are set by the code
|
||||
if ( ini_get( 'register_globals' ) ) {
|
||||
if ( isset( $_REQUEST['GLOBALS'] ) ) {
|
||||
die( '<a href="http://www.hardened-php.net/index.76.html">$GLOBALS overwrite vulnerability</a>');
|
||||
}
|
||||
foreach ( $_REQUEST as $name => $value ) {
|
||||
unset( $GLOBALS[$name] );
|
||||
}
|
||||
}
|
||||
|
||||
$wgRequestTime = microtime(true);
|
||||
# getrusage() does not exist on the Microsoft Windows platforms, catching this
|
||||
if ( function_exists ( 'getrusage' ) ) {
|
||||
|
|
@ -14,10 +25,6 @@ if ( function_exists ( 'getrusage' ) ) {
|
|||
unset( $IP );
|
||||
@ini_set( 'allow_url_fopen', 0 ); # For security
|
||||
|
||||
if ( isset( $_REQUEST['GLOBALS'] ) ) {
|
||||
die( '<a href="http://www.hardened-php.net/index.76.html">$GLOBALS overwrite vulnerability</a>');
|
||||
}
|
||||
|
||||
# Valid web server entry point, enable includes.
|
||||
# Please don't move this line to includes/Defines.php. This line essentially
|
||||
# defines a valid entry point. If you put it in includes/Defines.php, then
|
||||
|
|
|
|||
Loading…
Reference in a new issue