
/includes/WebStart.php

https://github.com/spenser-roark/OOUG-Wiki
PHP | 159 lines | 86 code | 20 blank | 53 comment | 20 complexity | 530b42c3a2ccdfd272c96272a445a9c0 MD5 | raw file
Possible License(s): GPL-2.0, Apache-2.0, LGPL-3.0
  1. <?php
  2. /**
  3. * This does the initial setup for a web request.
  4. * It does some security checks, starts the profiler and loads the
  5. * configuration, and optionally loads Setup.php depending on whether
  6. * MW_NO_SETUP is defined.
  7. *
  8. * This program is free software; you can redistribute it and/or modify
  9. * it under the terms of the GNU General Public License as published by
  10. * the Free Software Foundation; either version 2 of the License, or
  11. * (at your option) any later version.
  12. *
  13. * This program is distributed in the hope that it will be useful,
  14. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. * GNU General Public License for more details.
  17. *
  18. * You should have received a copy of the GNU General Public License along
  19. * with this program; if not, write to the Free Software Foundation, Inc.,
  20. * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  21. * http://www.gnu.org/copyleft/gpl.html
  22. *
  23. * @file
  24. */
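  # Protect against register_globals.
  # This must run before the code sets any globals of its own. Every global
  # that shares a name with a request parameter is discarded below, and a
  # request that names a superglobal is refused.
  if ( ini_get( 'register_globals' ) ) {
      # A parameter or upload literally called GLOBALS is rejected outright.
      if ( isset( $_REQUEST['GLOBALS'] ) || isset( $_FILES['GLOBALS'] ) ) {
          die( '<a href="http://www.hardened-php.net/globals-problem">$GLOBALS overwrite vulnerability</a>');
      }
      # Names that a request parameter must never be allowed to shadow.
      $verboten = array(
          'GLOBALS',
          '_SERVER',
          'HTTP_SERVER_VARS',
          '_GET',
          'HTTP_GET_VARS',
          '_POST',
          'HTTP_POST_VARS',
          '_COOKIE',
          'HTTP_COOKIE_VARS',
          '_FILES',
          'HTTP_POST_FILES',
          '_ENV',
          'HTTP_ENV_VARS',
          '_REQUEST',
          '_SESSION',
          'HTTP_SESSION_VARS'
      );
      foreach ( $_REQUEST as $name => $value ) {
          # Strict comparison on purpose. PHP stores numeric request keys as
          # integers, and on the PHP versions that still ship register_globals
          # a loose in_array() treats integer 0 as equal to every string in
          # the list, so a harmless parameter named "0" was answered with the
          # 500 below. The protected names are always string keys, so strict
          # matching still catches every one of them.
          if ( in_array( $name, $verboten, true ) ) {
              header( "HTTP/1.1 500 Internal Server Error" );
              echo "register_globals security paranoia: trying to overwrite superglobals, aborting.";
              die( -1 );
          }
          unset( $GLOBALS[$name] );
      }
      # NOTE(review): only the keys of $_REQUEST are cleaned. Where the
      # request_order setting leaves cookies out of $_REQUEST, globals
      # registered from cookies would not be unset by this loop. Confirm
      # against the PHP configurations this entry point has to support.
  }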
  # bug 15461: make IE8 turn off content sniffing; everybody else should
  # ignore the header. It is sent from here so that it is *always* set, even
  # for alternate entry points and when $wgOut gets disabled or overridden.
  header( 'X-Content-Type-Options: nosniff' );

  # Timestamp of the start of request handling, as a float.
  $wgRequestTime = microtime( true );

  # getrusage() does not exist on Microsoft Windows platforms; fall back to
  # an empty array there.
  $wgRUstart = function_exists( 'getrusage' ) ? getrusage() : array();
  # Drop any $IP that exists before this point, so the install path is taken
  # only from the two sources below.
  # NOTE(review): presumably this guards against a value injected by an
  # including script or by register_globals; confirm the intent.
  unset( $IP );

  # Valid web server entry point, enable includes.
  # Do not move this line to includes/Defines.php. This line is what marks a
  # script as a valid entry point; if it lived in includes/Defines.php, any
  # script that includes that file would become an entry point, which
  # defeats the purpose of the marker.
  define( 'MEDIAWIKI', true );

  # Full path to the working directory.
  # Makes it possible, for example, to have an effective exclude path in APC.
  # Unlike dirname( __FILE__ ), this also keeps installations with symlinked
  # includes working.
  $IP = getenv( 'MW_INSTALL_PATH' );
  if ( false === $IP ) {
      # No MW_INSTALL_PATH in the environment: use the resolved current
      # working directory instead.
      $IP = realpath( '.' );
  }
  # Load the core bootstrap files, unless $_SERVER['MW_COMPILED'] is set, in
  # which case only the MW_COMPILED constant is defined.
  # NOTE(review): $_SERVER['MW_COMPILED'] is presumably set by the server
  # configuration of a compiled build, not by the client; confirm.
  if ( !isset( $_SERVER['MW_COMPILED'] ) ) {
      # Get MWInit class
      require_once "$IP/includes/Init.php";

      # Start the autoloader, so that extensions can derive classes from core files
      require_once "$IP/includes/AutoLoader.php";

      # Load the profiler
      require_once "$IP/includes/profiler/Profiler.php";

      # Load up some global defines.
      require_once "$IP/includes/Defines.php";
  } else {
      define( 'MW_COMPILED', 1 );
  }
  # Start the profiler. StartProfiler.php is optional; when it is absent,
  # $wgProfiler keeps the empty array assigned here.
  # StartProfiler.php and the settings file loaded further down are executed
  # as PHP, so they need the same write protection as the code itself.
  $wgProfiler = array();
  if ( file_exists( "$IP/StartProfiler.php" ) ) {
      require "$IP/StartProfiler.php";
  }

  wfProfileIn( 'WebStart.php-conf' );

  # Load default settings
  require_once MWInit::compiledPath( "includes/DefaultSettings.php" );

  if ( !defined( 'MW_CONFIG_CALLBACK' ) ) {
      # No callback configured: use a settings file, LocalSettings.php by
      # default unless MW_CONFIG_FILE was defined earlier.
      if ( !defined( 'MW_CONFIG_FILE' ) ) {
          define('MW_CONFIG_FILE', MWInit::interpretedPath( 'LocalSettings.php' ) );
      }

      # LocalSettings.php is the per-site customization file. If it does not
      # exist, the wiki installer needs to be launched or the generated file
      # uploaded to the root wiki directory.
      if ( !file_exists( MW_CONFIG_FILE ) ) {
          require_once "$IP/includes/templates/NoLocalSettings.php";
          die();
      }

      # Include site settings. $IP may be changed (hopefully before the AutoLoader is invoked)
      require_once MW_CONFIG_FILE;
  } else {
      # Use a callback function to configure MediaWiki
      MWFunction::call( MW_CONFIG_CALLBACK );
  }

  # Selenium settings are loaded only when the configuration enables them.
  if ( $wgEnableSelenium ) {
      require_once MWInit::compiledPath( "includes/SeleniumWebSettings.php" );
  }

  wfProfileOut( 'WebStart.php-conf' );
  wfProfileIn( 'WebStart.php-ob_start' );

  # Initialise output buffering.
  # This is skipped when output buffers are already set up, because that
  # could mix gzip and non-gzip output and create a big mess. Defining
  # MW_NO_OUTPUT_BUFFER skips it as well.
  if ( !defined( 'MW_NO_OUTPUT_BUFFER' ) ) {
      if ( ob_get_level() == 0 ) {
          # OutputHandler.php is included here except when MW_COMPILED is defined.
          if ( !defined( 'MW_COMPILED' ) ) {
              require_once "$IP/includes/OutputHandler.php";
          }
          ob_start( 'wfOutputHandler' );
      }
  }

  wfProfileOut( 'WebStart.php-ob_start' );

  # Setup.php is loaded unless the entry point defined MW_NO_SETUP.
  if ( !defined( 'MW_NO_SETUP' ) ) {
      require_once MWInit::compiledPath( "includes/Setup.php" );
  }