Remove support for magic_quotes_gpc
This "feature" of PHP has been disabled by default for quite some time, deprecated in 5.3 and removed entirely in 5.4. See <http://www.php.net/manual/en/security.magicquotes.php> for information on why this practice is bad and how to disable it. For MediaWiki, the removed todo comment says it all. Doing this messes with all of the super globals and makes embedding MediaWiki inside another application problematic. It also increases our memory footprint for every single request even when the data might not be used. Finally, it makes it possible to instantiate new WebRequest objects pretty much whenever you want, so there's no reason for $wgRequest to exist anymore. Bug: 11558 Change-Id: I4bc0392276f454ceb966547c7fbd7c8190ebbc7c
parent
a0f0a090c2
commit
5a4a33a8ff
5 changed files with 17 additions and 72 deletions
@ -15,6 +15,8 @@ production.
|
|||
* MediaWiki now requires PHP's iconv extension. openSUSE users may need to
|
||||
install the php5-iconv package. Users of other systems may need to add
|
||||
extension=iconv.so to php.ini or recompile PHP without --without-iconv.
|
||||
* MediaWiki will no longer function if magic quotes are enabled. It has
|
||||
been deprecated for 5 years now, and was removed in PHP 5.4.
|
||||
* The server's canonical hostname is available as $wgServerName, which is
|
||||
exposed in both mw.config and ApiQuerySiteInfo.
|
||||
* Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch,
|
||||
@ -25,8 +25,8 @@
|
|||
|
||||
/**
|
||||
* The WebRequest class encapsulates getting at data passed in the
|
||||
* URL or via a POSTed form, handling remove of "magic quotes" slashes,
|
||||
* stripping illegal input characters and normalizing Unicode sequences.
|
||||
* URL or via a POSTed form stripping illegal input characters and
|
||||
* normalizing Unicode sequences.
|
||||
*
|
||||
* Usually this is used via a global singleton, $wgRequest. You should
|
||||
* not create a second WebRequest object; make a FauxRequest object if
|
||||
|
|
@ -57,10 +57,9 @@ class WebRequest {
|
|||
protected $protocol;
|
||||
|
||||
public function __construct() {
|
||||
/// @todo FIXME: This preemptive de-quoting can interfere with other web libraries
|
||||
/// and increases our memory footprint. It would be cleaner to do on
|
||||
/// demand; but currently we have no wrapper for $_SERVER etc.
|
||||
$this->checkMagicQuotes();
|
||||
if ( function_exists( 'get_magic_quotes_gpc' ) && get_magic_quotes_gpc() ) {
|
||||
throw new MWException( "MediaWiki does not function when magic quotes are enabled." );
|
||||
}
|
||||
|
||||
// POST overrides GET data
|
||||
// We don't use $_REQUEST here to avoid interference from cookies...
|
||||
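Review bot: The class docblock in this file's first hunk still says "Usually this is used via a global singleton, $wgRequest. You should not create a second WebRequest object", which the commit message itself contradicts now that the constructor no longer rewrites the superglobals. I would replace those two lines with something like `* WebRequest objects can be constructed freely; the constructor no longer modifies the superglobals.` The fatal check added to the constructor is the right call, since with magic quotes active every GET/POST/cookie value arrives with extra backslashes and no later escaping step can be trusted, but it presumably fires before the installer's envCheckMagicQuotes ever runs, so a host with magic quotes on would see the bare MWException text rather than the localized config-magic-quotes-gpc message — worth confirming. The constructor body continues past the end of the hunk.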
|
|
@ -271,51 +270,6 @@ class WebRequest {
|
|||
return array();
|
||||
}
|
||||
|
||||
/**
|
||||
* Recursively strips slashes from the given array;
|
||||
* used for undoing the evil that is magic_quotes_gpc.
|
||||
*
|
||||
* @param array $arr will be modified
|
||||
* @param bool $topLevel Specifies if the array passed is from the top
|
||||
* level of the source. In PHP5 magic_quotes only escapes the first level
|
||||
* of keys that belong to an array.
|
||||
* @return array The original array
|
||||
* @see http://www.php.net/manual/en/function.get-magic-quotes-gpc.php#49612
|
||||
*/
|
||||
private function &fix_magic_quotes( &$arr, $topLevel = true ) {
|
||||
$clean = array();
|
||||
foreach ( $arr as $key => $val ) {
|
||||
if ( is_array( $val ) ) {
|
||||
$cleanKey = $topLevel ? stripslashes( $key ) : $key;
|
||||
$clean[$cleanKey] = $this->fix_magic_quotes( $arr[$key], false );
|
||||
} else {
|
||||
$cleanKey = stripslashes( $key );
|
||||
$clean[$cleanKey] = stripslashes( $val );
|
||||
}
|
||||
}
|
||||
$arr = $clean;
|
||||
return $arr;
|
||||
}
|
||||
|
||||
/**
|
||||
* If magic_quotes_gpc option is on, run the global arrays
|
||||
* through fix_magic_quotes to strip out the stupid slashes.
|
||||
* WARNING: This should only be done once! Running a second
|
||||
* time could damage the values.
|
||||
*/
|
||||
private function checkMagicQuotes() {
|
||||
$mustFixQuotes = function_exists( 'get_magic_quotes_gpc' )
|
||||
&& get_magic_quotes_gpc();
|
||||
if ( $mustFixQuotes ) {
|
||||
$this->fix_magic_quotes( $_COOKIE );
|
||||
$this->fix_magic_quotes( $_ENV );
|
||||
$this->fix_magic_quotes( $_GET );
|
||||
$this->fix_magic_quotes( $_POST );
|
||||
$this->fix_magic_quotes( $_REQUEST );
|
||||
$this->fix_magic_quotes( $_SERVER );
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Recursively normalizes UTF-8 strings in the given array.
|
||||
*
|
||||
@ -119,7 +119,6 @@ abstract class Installer {
|
|||
'envCheckRegisterGlobals',
|
||||
'envCheckBrokenXML',
|
||||
'envCheckMagicQuotes',
|
||||
'envCheckMagicSybase',
|
||||
'envCheckMbstring',
|
||||
'envCheckSafeMode',
|
||||
'envCheckXML',
|
||||
|
|
@ -762,31 +761,19 @@ abstract class Installer {
|
|||
}
|
||||
|
||||
/**
|
||||
* Environment check for magic_quotes_runtime.
|
||||
* Environment check for magic_quotes_(gpc|runtime|sybase).
|
||||
* @return bool
|
||||
*/
|
||||
protected function envCheckMagicQuotes() {
|
||||
if ( wfIniGetBool( "magic_quotes_runtime" ) ) {
|
||||
$this->showError( 'config-magic-quotes-runtime' );
|
||||
|
||||
return false;
|
||||
$status = true;
|
||||
foreach ( array( 'gpc', 'runtime', 'sybase' ) as $magicJunk ) {
|
||||
if ( wfIniGetBool( "magic_quotes_$magicJunk" ) ) {
|
||||
$this->showError( "config-magic-quotes-$magicJunk" );
|
||||
$status = false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Environment check for magic_quotes_sybase.
|
||||
* @return bool
|
||||
*/
|
||||
protected function envCheckMagicSybase() {
|
||||
if ( wfIniGetBool( 'magic_quotes_sybase' ) ) {
|
||||
$this->showError( 'config-magic-quotes-sybase' );
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
return $status;
|
||||
}
|
||||
|
||||
/**
|
||||
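Review bot: The docblock on envCheckMagicQuotes only gained the new name list; it should also say that all three settings are examined and every enabled one is reported before the method returns false, since the previous version stopped at the first failure — e.g. `* Environment check for magic_quotes_(gpc|runtime|sybase). Reports every enabled setting; returns false if any is on.` The `$magicJunk` loop variable is a name a later reader will not search for; `foreach ( array( 'gpc', 'runtime', 'sybase' ) as $setting )` is a one-line change that reads cleaner. The interpolated `"magic_quotes_$magicJunk"` and `"config-magic-quotes-$magicJunk"` keys are built from a fixed literal list, so they are fine as written, though the existing config-magic-quotes-runtime message in en.json (visible as context in that file's hunk) carries a stray `'` after "is active!" that this loop will keep surfacing. The hunk at @ -119 that drops 'envCheckMagicSybase' from the check list is consistent with the method's removal here.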
@ -52,6 +52,7 @@
|
|||
"config-outdated-sqlite": "<strong>Warning:</strong> you have SQLite $1, which is lower than minimum required version $2. SQLite will be unavailable.",
|
||||
"config-no-fts3": "<strong>Warning:</strong> SQLite is compiled without the [//sqlite.org/fts3.html FTS3 module], search features will be unavailable on this backend.",
|
||||
"config-register-globals-error": "<strong>Error: PHP's <code>[http://php.net/register_globals register_globals]</code> option is enabled.\nIt must be disabled to continue with the installation.</strong>\nSee [https://www.mediawiki.org/wiki/register_globals https://www.mediawiki.org/wiki/register_globals] for help on how to do so.",
|
||||
"config-magic-quotes-gpc": "<strong>Fatal: [http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc magic_quotes_gpc] is active!</strong>\nThis option corrupts data input unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
|
||||
"config-magic-quotes-runtime": "<strong>Fatal: [http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime magic_quotes_runtime] is active!'</strong>\nThis option corrupts data input unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
|
||||
"config-magic-quotes-sybase": "<strong>Fatal: [http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-sybase magic_quotes_sybase] is active!</strong>\nThis option corrupts data input unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
|
||||
"config-mbstring": "<strong>Fatal: [http://www.php.net/manual/en/ref.mbstring.php#mbstring.overload mbstring.func_overload] is active!</strong>\nThis option causes errors and may corrupt data unpredictably.\nYou cannot install or use MediaWiki unless this option is disabled.",
|
||||
@ -70,6 +70,7 @@
|
|||
"config-outdated-sqlite": "Used as warning. Parameters:\n* $1 - the version of SQLite that has been installed\n* $2 - minimum version",
|
||||
"config-no-fts3": "A \"[[:wikipedia:Front and back ends|backend]]\" is a system or component that ordinary users don't interact with directly and don't need to know about, and that is responsible for a distinct task or service - for example, a storage back-end is a generic system for storing data which other applications can use. Possible alternatives for back-end are \"system\" or \"service\", or (depending on context and language) even leave it untranslated.",
|
||||
"config-register-globals-error": "Error message in the MediaWiki installer environment checks.",
|
||||
"config-magic-quotes-gpc": "{{Related|Config-fatal}}",
|
||||
"config-magic-quotes-runtime": "{{Related|Config-fatal}}",
|
||||
"config-magic-quotes-sybase": "{{Related|Config-fatal}}",
|
||||
"config-mbstring": "{{Related|Config-fatal}}",
|
||||