WebStart.php 4.0 KB

  1. <?php
  2. # This does the initial setup for a web request. It does some security checks,
  3. # starts the profiler and loads the configuration, and optionally loads
  4. # Setup.php depending on whether MW_NO_SETUP is defined.
  5. # Protect against register_globals
  6. # This must be done before any globals are set by the code
  7. if ( ini_get( 'register_globals' ) ) {
  8. if ( isset( $_REQUEST['GLOBALS'] ) ) {
  9. die( '<a href="http://www.hardened-php.net/index.76.html">$GLOBALS overwrite vulnerability</a>');
  10. }
  11. $verboten = array(
  12. 'GLOBALS',
  13. '_SERVER',
  14. 'HTTP_SERVER_VARS',
  15. '_GET',
  16. 'HTTP_GET_VARS',
  17. '_POST',
  18. 'HTTP_POST_VARS',
  19. '_COOKIE',
  20. 'HTTP_COOKIE_VARS',
  21. '_FILES',
  22. 'HTTP_POST_FILES',
  23. '_ENV',
  24. 'HTTP_ENV_VARS',
  25. '_REQUEST',
  26. '_SESSION',
  27. 'HTTP_SESSION_VARS'
  28. );
  29. foreach ( $_REQUEST as $name => $value ) {
  30. if( in_array( $name, $verboten ) ) {
  31. header( "HTTP/1.x 500 Internal Server Error" );
  32. echo "register_globals security paranoia: trying to overwrite superglobals, aborting.";
  33. die( -1 );
  34. }
  35. unset( $GLOBALS[$name] );
  36. }
  37. }
  38. $wgRequestTime = microtime(true);
  39. # getrusage() does not exist on the Microsoft Windows platforms, catching this
  40. if ( function_exists ( 'getrusage' ) ) {
  41. $wgRUstart = getrusage();
  42. } else {
  43. $wgRUstart = array();
  44. }
# Drop whatever value $IP holds at this point, so the include paths below are
# built only from the value assigned further down.
unset( $IP );
# NOTE(review): allow_url_fopen is a PHP_INI_SYSTEM setting on current PHP
# versions, so this runtime ini_set() has no effect there and the @ hides the
# failure. Disable it in php.ini if the protection is to be relied on.
@ini_set( 'allow_url_fopen', 0 ); # For security
# Valid web server entry point, enable includes.
# Please don't move this line to includes/Defines.php. This line essentially
# defines a valid entry point. If you put it in includes/Defines.php, then
# any script that includes it becomes an entry point, thereby defeating
# its purpose.
define( 'MEDIAWIKI', true );
# Full path to working directory.
# Makes it possible, for example, to have an effective exclude path in APC.
# Also doesn't break installations using symlinked includes, like
# dirname( __FILE__ ) would do.
# $IP prefixes every require in this file, so MW_INSTALL_PATH must be
# settable only by whoever administers the server environment.
$IP = getenv( 'MW_INSTALL_PATH' );
if ( $IP === false ) {
	# MW_INSTALL_PATH is not set: fall back to the current working directory.
	# NOTE(review): realpath() returns false on failure and that is not
	# checked here; the later requires would then resolve against "/".
	$IP = realpath( '.' );
}
  61. # Start profiler
  62. require_once( "$IP/StartProfiler.php" );
  63. wfProfileIn( 'WebStart.php-conf' );
  64. # Load up some global defines.
  65. require_once( "$IP/includes/Defines.php" );
  66. # Check for PHP 5
  67. if ( !function_exists( 'version_compare' )
  68. || version_compare( phpversion(), '5.0.0' ) < 0
  69. ) {
  70. define( 'MW_PHP4', '1' );
  71. require( "$IP/includes/DefaultSettings.php" );
  72. require( "$IP/includes/templates/PHP4.php" );
  73. exit;
  74. }
  75. # Test for PHP bug which breaks PHP 5.0.x on 64-bit...
  76. # As of 1.8 this breaks lots of common operations instead
  77. # of just some rare ones like export.
  78. $borked = str_replace( 'a', 'b', array( -1 => -1 ) );
  79. if( !isset( $borked[-1] ) ) {
  80. echo "PHP 5.0.x is buggy on your 64-bit system; you must upgrade to PHP 5.1.x\n" .
  81. "or higher. ABORTING. (http://bugs.php.net/bug.php?id=34879 for details)\n";
  82. exit;
  83. }
  84. # Start the autoloader, so that extensions can derive classes from core files
  85. require_once( "$IP/includes/AutoLoader.php" );
  86. if ( defined( 'MW_CONFIG_CALLBACK' ) ) {
  87. # Use a callback function to configure MediaWiki
  88. require_once( "$IP/includes/DefaultSettings.php" );
  89. call_user_func( MW_CONFIG_CALLBACK );
  90. } else {
  91. # LocalSettings.php is the per site customization file. If it does not exit
  92. # the wiki installer need to be launched or the generated file moved from
  93. # ./config/ to ./
  94. if( !file_exists( "$IP/LocalSettings.php" ) ) {
  95. require_once( "$IP/includes/DefaultSettings.php" ); # used for printing the version
  96. require_once( "$IP/includes/templates/NoLocalSettings.php" );
  97. die();
  98. }
  99. # Include site settings. $IP may be changed (hopefully before the AutoLoader is invoked)
  100. require_once( "$IP/LocalSettings.php" );
  101. }
  102. wfProfileOut( 'WebStart.php-conf' );
  103. wfProfileIn( 'WebStart.php-ob_start' );
  104. # Initialise output buffering
  105. if ( ob_get_level() ) {
  106. # Someone's been mixing configuration data with code!
  107. # How annoying.
  108. } elseif ( !defined( 'MW_NO_OUTPUT_BUFFER' ) ) {
  109. require_once( "$IP/includes/OutputHandler.php" );
  110. ob_start( 'wfOutputHandler' );
  111. }
  112. wfProfileOut( 'WebStart.php-ob_start' );
  113. if ( !defined( 'MW_NO_SETUP' ) ) {
  114. require_once( "$IP/includes/Setup.php" );
  115. }