Ummm... Isn't that a register_globals vulnerability since you removed
$wgProxyKey from DefaultSettings.php?
~Daniel Friesen(Dantman, Nadir-Seen-Fire) of:
-The Nadir-Point Group (http://nadir-point.com)
--Its Wiki-Tools subgroup (http://wiki-tools.com)
--The ElectronicMe project (http://electronic-me.org)
--Games-G.P.S. (http://ggps.org)
-And Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG)
--Animepedia (http://anime.wikia.com)
--Narutopedia (http://naruto.wikia.com)
demon(a)svn.wikimedia.org wrote:
Revision: 40323
Author: demon
Date: 2008-09-02 15:15:54 +0000 (Tue, 02 Sep 2008)
Log Message:
-----------
Fully deprecate $wgProxyKey. Has been marked as deprecated since 1.4, but never seems to
have been done. Sites with $wgProxyKey set will continue to use the setting (added a
fallback in Setup). Fixes bugs 9258 and 12089.
Modified: trunk/phase3/includes/Setup.php
===================================================================
--- trunk/phase3/includes/Setup.php 2008-09-02 02:11:50 UTC (rev 40322)
+++ trunk/phase3/includes/Setup.php 2008-09-02 15:15:54 UTC (rev 40323)
@@ -150,6 +150,10 @@
wfProfileOut( $fname.'-includes' );
wfProfileIn( $fname.'-misc1' );
+# Override SecretKey with ProxyKey if a site is using the old setting
+if ( isset( $wgProxyKey ) ) {
+ $wgSecretKey = $wgProxyKey;
+}
$wgIP = false; # Load on demand
# Can't stub this one, it sets up $_GET and $_REQUEST in its constructor
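Review bot: The `isset( $wgProxyKey )` test in the added block is only safe if site configuration is the sole place that can define that global. If DefaultSettings.php no longer gives $wgProxyKey a default, as the reply above points out, then with register_globals enabled a request parameter of that name defines the variable, and the assignment replaces $wgSecretKey with a caller-supplied value. Suggest keeping a `$wgProxyKey = false;` default in DefaultSettings.php and testing `if ( $wgProxyKey )` here, so the fallback fires only for a value set in site configuration. The comment above the check could also state that the setting is deprecated, so readers of Setup.php know why the override exists.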