[MediaWiki-l] Removed support for register_globals in 1.24
legoktm.wikipedia at gmail.com
Wed Jul 9 01:49:31 UTC 2014

This is a heads-up message that support for register_globals will be
dropped in the upcoming release of MediaWiki 1.24. The rationale can be
found in the forwarded email below that was originally sent to wikitech-l.

If you're not familiar with what register_globals is, it was a PHP
"feature" that could actually turn into a major security vulnerability.
More information about it is on php.net.

In the past MediaWiki has tried to protect against attacks of this form,
but starting with 1.24 it will simply refuse to run if register_globals
is enabled. The installer will also display an error if it is enabled.

If you are running a version of PHP >= 5.4, you don't need to worry
about this. If you are running PHP 5.3, check your php.ini file to
ensure that register_globals is set to "off". There is also some more
documentation on how to disable it if you can't edit your hosting
provider's php.ini on mediawiki.org.

-------- Original Message --------
Subject: Removing support for register_globals
Date: Tue, 08 Jul 2014 18:01:41 -0700
From: Legoktm <legoktm.wikipedia at gmail.com>
To: wikitech-l at lists.wikimedia.org

tl;dr: <https://gerrit.wikimedia.org/r/144854> stops supporting
MediaWiki instances with register_globals enabled.

When PHP 5.3 was released, register_globals was officially deprecated,
and that was over 5 years ago. It was then removed in PHP 5.4.

Since MediaWiki still supports 5.3, we've had a check at the top of
WebStart.php and in the installer to recommend disabling
register_globals if it's still enabled. When working with configuration
database-related things as well as general code review of extensions,
I've noticed code that does isset( $wgFoo ) in an unsafe manner. We
could fix those individual issues, but I think it would be easier to
just stop supporting installs that have register_globals enabled. It's 2014!

I've uploaded a patchset that will disable any current installation
that has register_globals enabled. It also modifies the command-line
installer to prevent installation if it is enabled.
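
The unsafe isset( $wgFoo ) pattern mentioned in the forwarded message, next to a safer form and a start-up check of the kind the message describes, as an added PHP example (not MediaWiki's code and not the patchset itself). $wgExampleFooPath and all function names are hypothetical, and register_globals is simulated so the script also runs on PHP >= 5.4.

```php
<?php
// Added illustration, not MediaWiki code. $wgExampleFooPath and all function
// names are hypothetical.

// Simulates register_globals: request parameters become global variables
// before any application code runs.
function simulateRegisterGlobals( array $request ) {
	foreach ( $request as $name => $value ) {
		$GLOBALS[$name] = $value;
	}
}

// Unsafe: treats "already set" as "set by the site configuration".
function unsafeFooPath() {
	global $wgExampleFooPath;
	if ( !isset( $wgExampleFooPath ) ) {
		$wgExampleFooPath = '/srv/wiki/foo';
	}
	return $wgExampleFooPath;
}

// Safer: assign the default unconditionally, then let trusted config override.
function safeFooPath( array $trustedConfig ) {
	$path = '/srv/wiki/foo';
	if ( isset( $trustedConfig['ExampleFooPath'] ) ) {
		$path = $trustedConfig['ExampleFooPath'];
	}
	return $path;
}

// Start-up guard: true only when the directive exists and is switched on.
// ini_get() returns false on PHP >= 5.4, where the directive was removed.
function registerGlobalsEnabled() {
	$value = strtolower( trim( (string)ini_get( 'register_globals' ) ) );
	return in_array( $value, array( '1', 'on', 'true', 'yes' ), true );
}

if ( registerGlobalsEnabled() ) {
	header( 'HTTP/1.1 500 Internal Server Error' );
	exit( "register_globals is enabled; refusing to run.\n" );
}

// Constructed sample request: ?wgExampleFooPath=value-from-query-string
simulateRegisterGlobals( array( 'wgExampleFooPath' => 'value-from-query-string' ) );
echo 'unsafe: ', unsafeFooPath(), "\n";
echo 'safe:   ', safeFooPath( array() ), "\n";
```

With the constructed request, the unsafe function returns the request-supplied value while the safe one returns the built-in default.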