MediaWiki
REL1_22
|
00001 <?php 00026 # Protect against register_globals 00027 # This must be done before any globals are set by the code 00028 if ( ini_get( 'register_globals' ) ) { 00029 if ( isset( $_REQUEST['GLOBALS'] ) || isset( $_FILES['GLOBALS'] ) ) { 00030 die( '<a href="http://www.hardened-php.net/globals-problem">$GLOBALS overwrite vulnerability</a>' ); 00031 } 00032 $verboten = array( 00033 'GLOBALS', 00034 '_SERVER', 00035 'HTTP_SERVER_VARS', 00036 '_GET', 00037 'HTTP_GET_VARS', 00038 '_POST', 00039 'HTTP_POST_VARS', 00040 '_COOKIE', 00041 'HTTP_COOKIE_VARS', 00042 '_FILES', 00043 'HTTP_POST_FILES', 00044 '_ENV', 00045 'HTTP_ENV_VARS', 00046 '_REQUEST', 00047 '_SESSION', 00048 'HTTP_SESSION_VARS' 00049 ); 00050 foreach ( $_REQUEST as $name => $value ) { 00051 if ( in_array( $name, $verboten ) ) { 00052 header( "HTTP/1.1 500 Internal Server Error" ); 00053 echo "register_globals security paranoia: trying to overwrite superglobals, aborting."; 00054 die( -1 ); 00055 } 00056 unset( $GLOBALS[$name] ); 00057 } 00058 } 00059 00060 # bug 15461: Make IE8 turn off content sniffing. Everybody else should ignore this 00061 # We're adding it here so that it's *always* set, even for alternate entry 00062 # points and when $wgOut gets disabled or overridden. 00063 header( 'X-Content-Type-Options: nosniff' ); 00064 00065 $wgRequestTime = microtime( true ); 00066 # getrusage() does not exist on the Microsoft Windows platforms, catching this 00067 if ( function_exists ( 'getrusage' ) ) { 00068 $wgRUstart = getrusage(); 00069 } else { 00070 $wgRUstart = array(); 00071 } 00072 unset( $IP ); 00073 00074 # Valid web server entry point, enable includes. 00075 # Please don't move this line to includes/Defines.php. This line essentially 00076 # defines a valid entry point. If you put it in includes/Defines.php, then 00077 # any script that includes it becomes an entry point, thereby defeating 00078 # its purpose. 00079 define( 'MEDIAWIKI', true ); 00080 00081 # Full path to working directory. 00082 # Makes it possible to for example to have effective exclude path in apc. 00083 # __DIR__ breaks symlinked includes, but realpath() returns false 00084 # if we don't have permissions on parent directories. 00085 $IP = getenv( 'MW_INSTALL_PATH' ); 00086 if ( $IP === false ) { 00087 if ( realpath( '.' ) ) { 00088 $IP = realpath( '.' ); 00089 } else { 00090 $IP = dirname( __DIR__ ); 00091 } 00092 } 00093 00094 # Start the autoloader, so that extensions can derive classes from core files 00095 require_once "$IP/includes/AutoLoader.php"; 00096 00097 # Load the profiler 00098 require_once "$IP/includes/profiler/Profiler.php"; 00099 00100 # Load up some global defines. 00101 require_once "$IP/includes/Defines.php"; 00102 00103 # Start the profiler 00104 $wgProfiler = array(); 00105 if ( file_exists( "$IP/StartProfiler.php" ) ) { 00106 require "$IP/StartProfiler.php"; 00107 } 00108 00109 wfProfileIn( 'WebStart.php-conf' ); 00110 00111 # Load default settings 00112 require_once "$IP/includes/DefaultSettings.php"; 00113 00114 # Load composer's autoloader if present 00115 if ( is_readable( "$IP/vendor/autoload.php" ) ) { 00116 require_once "$IP/vendor/autoload.php"; 00117 } 00118 00119 if ( defined( 'MW_CONFIG_CALLBACK' ) ) { 00120 # Use a callback function to configure MediaWiki 00121 call_user_func( MW_CONFIG_CALLBACK ); 00122 } else { 00123 if ( !defined( 'MW_CONFIG_FILE' ) ) { 00124 define( 'MW_CONFIG_FILE', "$IP/LocalSettings.php" ); 00125 } 00126 00127 # LocalSettings.php is the per site customization file. If it does not exist 00128 # the wiki installer needs to be launched or the generated file uploaded to 00129 # the root wiki directory 00130 if ( !file_exists( MW_CONFIG_FILE ) ) { 00131 require_once "$IP/includes/templates/NoLocalSettings.php"; 00132 die(); 00133 } 00134 00135 # Include site settings. $IP may be changed (hopefully before the AutoLoader is invoked) 00136 require_once MW_CONFIG_FILE; 00137 } 00138 00139 wfProfileOut( 'WebStart.php-conf' ); 00140 00141 wfProfileIn( 'WebStart.php-ob_start' ); 00142 # Initialise output buffering 00143 # Check that there is no previous output or previously set up buffers, because 00144 # that would cause us to potentially mix gzip and non-gzip output, creating a 00145 # big mess. 00146 if ( !defined( 'MW_NO_OUTPUT_BUFFER' ) && ob_get_level() == 0 ) { 00147 require_once "$IP/includes/OutputHandler.php"; 00148 ob_start( 'wfOutputHandler' ); 00149 } 00150 wfProfileOut( 'WebStart.php-ob_start' ); 00151 00152 if ( !defined( 'MW_NO_SETUP' ) ) { 00153 require_once "$IP/includes/Setup.php"; 00154 }