Markus Krötzsch wrote:
Thanks Tim! I have now backported your fixes in the current SVN version to the latest Semantic MediaWiki release 1.1.1. The updated release 1.1.2 can be obtained via Sourceforge [1] or SVN [2]. Updating existing SMW 1.1* installations can thus be done without moving to the development version, and without any additional side effects on the running wiki.
We will take care of preventing the "register_globals" issue in all future ...
The scanner picked up no register_globals vulnerabilities at all in the core. Part of the reason for this is that we changed our practices years ago to avoid explicit inclusion, by using the autoloader for almost everything. Make global functions into static member functions, make constants into class constants. By getting rid of include statements except in the autoloader, where it is properly guarded, you eliminate arbitrary inclusion vulnerabilities. It's also more efficient, especially for installations with no bytecode cache, because you can often load less code on average.
SemanticMediaWiki has "@note AUTOLOADED" for autoloaded classes. I'd like to see those comments removed, since they will be unnecessary once every single class in the extension is registered in the autoloader.
Guarding with if(defined('MEDIAWIKI')) has proven to be a fairly poor solution, since apparently nobody understands what it is there for, and in some extensions it was applied sporadically or incorrectly. We can enforce the use of if(defined('MEDIAWIKI')) by regular vulnerability scanning, but obviously it would be better if we could encourage the use of inherently secure practices.
Using .inc as a file extension for included PHP files would fix the problem more effectively than either autoloading or guarding.
-- Tim Starling
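The message above mentions enforcing the `defined('MEDIAWIKI')` guard by regular vulnerability scanning. As an added example (not the scanner used in this thread and not MediaWiki or SMW code), here is one way such a check could work: it flags `include`/`require` statements whose path contains a variable and that are reached before any guard, which also catches a guard placed too late. The function names, the sample files and the `$egExampleDir` variable are constructed for illustration, and the matching is regex-based rather than a real PHP parse.

```python
import re

# include/require statements up to the terminating semicolon; group 1 is the path expression
INCLUDE_RE = re.compile(r'(?<![$>\w])(?:include|require)(?:_once)?\b\s*\(?([^;]*);', re.I)
# the entry-point guard named in the message
GUARD_RE = re.compile(r'defined\s*\(\s*[\'"]MEDIAWIKI[\'"]\s*\)')
VARIABLE_RE = re.compile(r'\$[A-Za-z_]\w*')

def strip_comments(src):
    """Blank out /* */, // and # comments, keeping line numbers (heuristic, not a PHP parser)."""
    src = re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group().count('\n'), src, flags=re.S)
    return re.sub(r'(?m)(?://|#).*$', '', src)

def scan(src):
    """Return (line, statement) for each include/require whose path contains a
    variable and that appears before any defined('MEDIAWIKI') check in the file."""
    code = strip_comments(src)
    guard = GUARD_RE.search(code)
    findings = []
    for m in INCLUDE_RE.finditer(code):
        if not VARIABLE_RE.search(m.group(1)):
            continue  # constant path such as dirname(__FILE__) . '/X.php'
        if guard and guard.start() < m.start():
            continue  # the guard is evaluated before this include
        findings.append((code.count('\n', 0, m.start()) + 1, m.group(0).strip()))
    return findings

# Constructed sample files (not taken from any real extension).
UNGUARDED = r'''<?php
# setup file with no guard
require_once( "$IP/extensions/Example/Example_body.php" );
'''
GUARD_TOO_LATE = r'''<?php
require_once( $egExampleDir . '/Example_body.php' );
if ( !defined( 'MEDIAWIKI' ) ) { die( 'Not an entry point.' ); }
'''
GUARDED = r'''<?php
if ( !defined( 'MEDIAWIKI' ) ) { die( 'Not an entry point.' ); }
require_once( "$IP/extensions/Example/Example_body.php" );
'''
AUTOLOADED = r'''<?php
$wgAutoloadClasses['ExampleHooks'] = dirname( __FILE__ ) . '/Example_body.php';
'''

if __name__ == '__main__':
    for name in ('UNGUARDED', 'GUARD_TOO_LATE', 'GUARDED', 'AUTOLOADED'):
        print(name, scan(globals()[name]))
```

The check only looks at position, so it does not confirm that the guard actually stops execution; a file it passes still deserves a manual read.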