[MediaWiki-l] Removed support for register_globals in 1.24

Legoktm legoktm.wikipedia at gmail.com
Wed Jul 9 01:49:31 UTC 2014


This is a heads-up message that support for register_globals[1] will be
dropped in the upcoming release of MediaWiki 1.24. The rationale can be
found in the forwarded email below that was originally sent to wikitech-l.

If you're not familiar with what register_globals is, it was a PHP
"feature" that could actually turn into a major security vulnerability.
More information about it is on php.net[1].

In the past MediaWiki has tried to prevent against attacks in this form,
but starting with 1.24 it will simply refuse to run if register_globals
is enabled. The installer will also display an error if enabled.

If you are running a version of PHP >= 5.4, you don't need to worry
about this. If you are running PHP 5.3, check your php.ini file to
ensure that register_globals is set to "off". There is also some more
documentation on how to disable it if you can't edit your hosting
provider's php.ini on mediawiki.org[2].

[1] http://www.php.net/manual/en/security.globals.php

-- Legoktm

-------- Original Message --------
Subject: Removing support for register_globals
Date: Tue, 08 Jul 2014 18:01:41 -0700
From: Legoktm <legoktm.wikipedia at gmail.com>
To: wikitech-l at lists.wikimedia.org


tl;dr: <https://gerrit.wikimedia.org/r/144854> stops supporting
MediaWiki instances with register_globals enabled.

When PHP 5.3 was released, register_globals was officially deprecated,
and that was over 5 years ago[1]. It was then removed in PHP 5.4.

Since MediaWiki still supports 5.3, we've had a check at the top of
WebStart.php and in the installer to recommend disabling
register_globals if it's still enabled. When working with configuration
database-related things as well as general code review of extensions,
I've noticed code that does isset( $wgFoo ) in an unsafe manner. We
could fix those individual issues, but I think it would be easier to
just stop supporting installs that have register_globals enabled. It's 2014!

I've uploaded a patchset[2] that will disable any current installation
that has register_globals enabled. It also modifies the command-line
installer to prevent installation if it is enabled.

[1] http://www.php.net/manual/en/security.globals.php
[2] https://gerrit.wikimedia.org/r/144854

-- Legoktm

More information about the MediaWiki-l mailing list