Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/includes/historyblob/HistoryBlobStub.php
Tim Starling 20d06b34bb Safer autoloading with respect to file-scope code 
Many files were in the autoloader despite having potentially harmful
file-scope code.

* Exclude all CommandLineInc maintenance scripts from the autoloader.
* Introduce  "NO_AUTOLOAD" tag which excludes the file containing it
  from the autoloader. Use it on CommandLineInc.php and a few
  suspicious-looking files without classes in case they are refactored
  to add classes in the future.
* Add a test which parses all non-PSR4 class files and confirms that
  they do not contain dangerous file-scope code. It's slow (15s) but
  its results were enlightening.
* Several maintenance scripts define constants in the file scope,
  intending to modify the behaviour of MediaWiki. Either move the
  define() to a later setup function, or protect with NO_AUTOLOAD.
* Use require_once consistently with Maintenance.php and
  doMaintenance.php, per the original convention which is supposed to
  allow one maintenance script to use the class of another maintenance
  script. Using require breaks autoloading of these maintenance class
  files.
* When Maintenance.php is included, check if MediaWiki has already
  started, and if so, return early. Revert the fix for T250003 which
  is incompatible with this safety measure. Hopefully it was superseded
  by splitting out the class file.
* In runScript.php add a redundant PHP_SAPI check since it does some
  things in file-scope code before any other check will be run.
* Change the if(false) class_alias(...) to something more hackish and
  more compatible with the new test.
* Some site-related scripts found Maintenance.php in a non-standard way.
  Use the standard way.
* fileOpPerfTest.php called error_reporting(). Probably debugging code
  left in; removed.
* Moved mediawiki.compress.7z registration from the class file to the
  caller.

Change-Id: I1b1be90343a5ab678df6f1b1bdd03319dcf6537f
2021-01-11 11:59:36 +11:00

153 lines
3.9 KiB
PHP
Raw Blame History

<?php
/**
* Efficient concatenated text storage.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
*/
use MediaWiki\MediaWikiServices;
/**
* Pointer object for an item within a CGZ blob stored in the text table.
*/
class HistoryBlobStub {
/**
* @var array One-step cache variable to hold base blobs; operations that
* pull multiple revisions may often pull multiple times from the same
* blob. By keeping the last-used one open, we avoid redundant
* unserialization and decompression overhead.
*/
protected static $blobCache = [];
/** @var int */
protected $mOldId;
/** @var string */
protected $mHash;
/** @var string */
protected $mRef;
/**
* @param string $hash The content hash of the text
* @param int $oldid The old_id for the CGZ object
*/
public function __construct( $hash = '', $oldid = 0 ) {
$this->mHash = $hash;
}
/**
* Sets the location (old_id) of the main object to which this object
* points
* @param int $id
*/
public function setLocation( $id ) {
$this->mOldId = $id;
}
/**
* Sets the location (old_id) of the referring object
* @param string $id
*/
public function setReferrer( $id ) {
$this->mRef = $id;
}
/**
* Gets the location of the referring object
* @return string
*/
public function getReferrer() {
return $this->mRef;
}
/**
* @return string|false
*/
public function getText() {
if ( isset( self::$blobCache[$this->mOldId] ) ) {
$obj = self::$blobCache[$this->mOldId];
} else {
$dbr = wfGetDB( DB_REPLICA );
$row = $dbr->selectRow(
'text',
[ 'old_flags', 'old_text' ],
[ 'old_id' => $this->mOldId ],
__METHOD__
);
if ( !$row ) {
return false;
}
$flags = explode( ',', $row->old_flags );
if ( in_array( 'external', $flags ) ) {
$url = $row->old_text;
$parts = explode( '://', $url, 2 );
if ( !isset( $parts[1] ) || $parts[1] == '' ) {
return false;
}
$row->old_text = MediaWikiServices::getInstance()
->getExternalStoreAccess()
->fetchFromURL( $url );
}
if ( !in_array( 'object', $flags ) ) {
return false;
}
if ( in_array( 'gzip', $flags ) ) {
// This shouldn't happen, but a bug in the compress script
// may at times gzip-compress a HistoryBlob object row.
$obj = unserialize( gzinflate( $row->old_text ) );
} else {
$obj = unserialize( $row->old_text );
}
if ( !is_object( $obj ) ) {
// Correct for old double-serialization bug.
$obj = unserialize( $obj );
}
// Save this item for reference; if pulling many
// items in a row we'll likely use it again.
$obj->uncompress();
self::$blobCache = [ $this->mOldId => $obj ];
}
return $obj->getItem( $this->mHash );
}
/**
* Get the content hash
*
* @return string
*/
public function getHash() {
return $this->mHash;
}
}
// Blobs generated by MediaWiki < 1.5 on PHP 4 were serialized with the
// class name coerced to lowercase. We can improve efficiency by adding
// autoload entries for the lowercase variants of these classes (T166759).
// The code below is never executed, but it is picked up by the AutoloadGenerator
// parser, which scans for class_alias() calls.
/*
class_alias( HistoryBlobStub::class, 'historyblobstub' );
*/
Reference in a new issue View git blame Copy permalink