00001 <?php 00002 00003 # This does the initial setup for a web request. It does some security checks, 00004 # starts the profiler and loads the configuration, and optionally loads 00005 # Setup.php depending on whether MW_NO_SETUP is defined. 00006 00007 # Protect against register_globals 00008 # This must be done before any globals are set by the code 00009 if ( ini_get( 'register_globals' ) ) { 00010 if ( isset( $_REQUEST['GLOBALS'] ) ) { 00011 die( '<a href="http://www.hardened-php.net/index.76.html">$GLOBALS overwrite vulnerability</a>'); 00012 } 00013 $verboten = array( 00014 'GLOBALS', 00015 '_SERVER', 00016 'HTTP_SERVER_VARS', 00017 '_GET', 00018 'HTTP_GET_VARS', 00019 '_POST', 00020 'HTTP_POST_VARS', 00021 '_COOKIE', 00022 'HTTP_COOKIE_VARS', 00023 '_FILES', 00024 'HTTP_POST_FILES', 00025 '_ENV', 00026 'HTTP_ENV_VARS', 00027 '_REQUEST', 00028 '_SESSION', 00029 'HTTP_SESSION_VARS' 00030 ); 00031 foreach ( $_REQUEST as $name => $value ) { 00032 if( in_array( $name, $verboten ) ) { 00033 header( "HTTP/1.x 500 Internal Server Error" ); 00034 echo "register_globals security paranoia: trying to overwrite superglobals, aborting."; 00035 die( -1 ); 00036 } 00037 unset( $GLOBALS[$name] ); 00038 } 00039 } 00040 00041 $wgRequestTime = microtime(true); 00042 # getrusage() does not exist on the Microsoft Windows platforms, catching this 00043 if ( function_exists ( 'getrusage' ) ) { 00044 $wgRUstart = getrusage(); 00045 } else { 00046 $wgRUstart = array(); 00047 } 00048 unset( $IP ); 00049 @ini_set( 'allow_url_fopen', 0 ); # For security 00050 00051 # Valid web server entry point, enable includes. 00052 # Please don't move this line to includes/Defines.php. This line essentially 00053 # defines a valid entry point. If you put it in includes/Defines.php, then 00054 # any script that includes it becomes an entry point, thereby defeating 00055 # its purpose. 00056 define( 'MEDIAWIKI', true ); 00057 00058 # Full path to working directory. 00059 # Makes it possible to for example to have effective exclude path in apc. 00060 # Also doesn't break installations using symlinked includes, like 00061 # dirname( __FILE__ ) would do. 00062 $IP = getenv( 'MW_INSTALL_PATH' ); 00063 if ( $IP === false ) { 00064 $IP = realpath( '.' ); 00065 } 00066 00067 00068 # Start profiler 00069 require_once( "$IP/StartProfiler.php" ); 00070 wfProfileIn( 'WebStart.php-conf' ); 00071 00072 # Load up some global defines. 00073 require_once( "$IP/includes/Defines.php" ); 00074 00075 # Check for PHP 5 00076 if ( !function_exists( 'version_compare' ) 00077 || version_compare( phpversion(), '5.0.0' ) < 0 00078 ) { 00079 define( 'MW_PHP4', '1' ); 00080 require( "$IP/includes/DefaultSettings.php" ); 00081 require( "$IP/includes/templates/PHP4.php" ); 00082 exit; 00083 } 00084 00085 # Test for PHP bug which breaks PHP 5.0.x on 64-bit... 00086 # As of 1.8 this breaks lots of common operations instead 00087 # of just some rare ones like export. 00088 $borked = str_replace( 'a', 'b', array( -1 => -1 ) ); 00089 if( !isset( $borked[-1] ) ) { 00090 echo "PHP 5.0.x is buggy on your 64-bit system; you must upgrade to PHP 5.1.x\n" . 00091 "or higher. ABORTING. (http://bugs.php.net/bug.php?id=34879 for details)\n"; 00092 exit; 00093 } 00094 00095 # Start the autoloader, so that extensions can derive classes from core files 00096 require_once( "$IP/includes/AutoLoader.php" ); 00097 00098 if ( defined( 'MW_CONFIG_CALLBACK' ) ) { 00099 # Use a callback function to configure MediaWiki 00100 require_once( "$IP/includes/DefaultSettings.php" ); 00101 call_user_func( MW_CONFIG_CALLBACK ); 00102 } else { 00103 # LocalSettings.php is the per site customization file. If it does not exit 00104 # the wiki installer need to be launched or the generated file moved from 00105 # ./config/ to ./ 00106 if( !file_exists( "$IP/LocalSettings.php" ) ) { 00107 require_once( "$IP/includes/DefaultSettings.php" ); # used for printing the version 00108 require_once( "$IP/includes/templates/NoLocalSettings.php" ); 00109 die(); 00110 } 00111 00112 # Include site settings. $IP may be changed (hopefully before the AutoLoader is invoked) 00113 require_once( "$IP/LocalSettings.php" ); 00114 } 00115 wfProfileOut( 'WebStart.php-conf' ); 00116 00117 wfProfileIn( 'WebStart.php-ob_start' ); 00118 # Initialise output buffering 00119 if ( ob_get_level() ) { 00120 # Someone's been mixing configuration data with code! 00121 # How annoying. 00122 } elseif ( !defined( 'MW_NO_OUTPUT_BUFFER' ) ) { 00123 require_once( "$IP/includes/OutputHandler.php" ); 00124 ob_start( 'wfOutputHandler' ); 00125 } 00126 wfProfileOut( 'WebStart.php-ob_start' ); 00127 00128 if ( !defined( 'MW_NO_SETUP' ) ) { 00129 require_once( "$IP/includes/Setup.php" ); 00130 }