http://www.mediawiki.org/wiki/Special:Code/MediaWiki/93834

Revision: 93834
Author:   mah
Date:     2011-08-03 15:46:06 +0000 (Wed, 03 Aug 2011)
Log Message:
-----------
* Make envCheckPath() specific to each installer, web vs cli
* Add warning during the CLI install that the uploads directory isn't
  being checked for arbitrary script execution

Modified Paths:
--------------
    trunk/phase3/includes/installer/CliInstaller.php
    trunk/phase3/includes/installer/Installer.i18n.php
    trunk/phase3/includes/installer/Installer.php
    trunk/phase3/includes/installer/WebInstaller.php

Modified: trunk/phase3/includes/installer/CliInstaller.php
===================================================================
--- trunk/phase3/includes/installer/CliInstaller.php    2011-08-03 15:38:06 UTC 
(rev 93833)
+++ trunk/phase3/includes/installer/CliInstaller.php    2011-08-03 15:46:06 UTC 
(rev 93834)
@@ -13,6 +13,7 @@
  * @since 1.17
  */
 class CliInstaller extends Installer {
+       private $specifiedScriptPath = false;
 
        private $optionMap = array(
                'dbtype' => 'wgDBtype',
@@ -45,6 +46,10 @@
 
                parent::__construct();
 
+               if ( isset( $option['scriptpath'] ) ) {
+                       $this->specifiedScriptPath = true;
+               }
+
                foreach ( $this->optionMap as $opt => $global ) {
                        if ( isset( $option[$opt] ) ) {
                                $GLOBALS[$global] = $option[$opt];
@@ -170,4 +175,16 @@
                        exit;
                }
        }
+
+       public function envCheckPath( ) {
+               if ( !$this->specifiedScriptPath ) {
+                       $this->showMessage( 'config-no-cli-uri', 
$this->getVar("wgScriptPath") );
+               }
+               return parent::envCheckPath();
+       }
+
+       public function dirIsExecutable( $dir, $url ) {
+               $this->showMessage( 'config-no-cli-uploads-check', $dir );
+               return false;
+       }
 }
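Review bot: `dirIsExecutable()` in CliInstaller returns `false` without testing anything, so a caller cannot tell "not checked" from "checked and not executable"; the `config-no-cli-uploads-check` message is the only trace of the difference. A docblock should say so, for example `/** Not tested during a CLI install: always returns false, meaning "unknown", not "safe". */`, and it should note that `$url` is unused. The caller is outside this diff, but if it treats `false` as "no warning needed", operators who install from the command line have to confirm for themselves that script execution is disabled in the uploads directory. The new `envCheckPath()` override has no docblock either; since the Installer.php hunk removes the empty-`wgScriptPath` check, it is worth stating there that the CLI install now appears to continue with the default instead of aborting.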

Modified: trunk/phase3/includes/installer/Installer.i18n.php
===================================================================
--- trunk/phase3/includes/installer/Installer.i18n.php  2011-08-03 15:38:06 UTC 
(rev 93833)
+++ trunk/phase3/includes/installer/Installer.i18n.php  2011-08-03 15:46:06 UTC 
(rev 93834)
@@ -147,10 +147,13 @@
 Image thumbnailing will be disabled.',
        'config-no-uri'                   => "'''Error:''' Could not determine 
the current URI.
 Installation aborted.",
+       'config-no-cli-uri'               => "'''Warning''': No --scriptpath 
specified, using default: <code>$1</code>.",
        'config-using-server'             => 'Using server name 
"<nowiki>$1</nowiki>".',
        'config-using-uri'                => 'Using server URL 
"<nowiki>$1$2</nowiki>".',
        'config-uploads-not-safe'         => "'''Warning:''' Your default 
directory for uploads <code>$1</code> is vulnerable to arbitrary scripts 
execution.
 Although MediaWiki checks all uploaded files for security threats, it is 
highly recommended to 
[http://www.mediawiki.org/wiki/Manual:Security#Upload_security close this 
security vulnerability] before enabling uploads.",
+       'config-no-cli-uploads-check'     => "'''Warning:''' Your default 
directory for uploads (<code>$1</code>) is not checked for vulnerability
+to arbitrary script execution during the CLI install.",
        'config-brokenlibxml'             => 'Your system has a combination of 
PHP and libxml2 versions which is buggy and can cause hidden data corruption in 
MediaWiki and other web applications.
 Upgrade to PHP 5.2.9 or later and libxml2 2.7.3 or later 
([http://bugs.php.net/bug.php?id=45996 bug filed with PHP]).
 Installation aborted.',
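Review bot: The new `config-no-cli-uri` string writes `'''Warning''':` with the colon outside the bold markup, while `config-uploads-not-safe` and `config-no-cli-uploads-check` in the same hunk use `'''Warning:'''`; the three should match. `config-no-cli-uploads-check` tells the operator that the directory was not checked but, unlike `config-uploads-not-safe`, gives no pointer to what to do next. Reusing the `Manual:Security#Upload_security` link from that sibling message would make the warning actionable. The line break in the middle of the sentence before `to arbitrary script execution` may also be unintended.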

Modified: trunk/phase3/includes/installer/Installer.php
===================================================================
--- trunk/phase3/includes/installer/Installer.php       2011-08-03 15:38:06 UTC 
(rev 93833)
+++ trunk/phase3/includes/installer/Installer.php       2011-08-03 15:46:06 UTC 
(rev 93834)
@@ -859,10 +859,6 @@
                $IP = dirname( dirname( dirname( __FILE__ ) ) );
                $this->setVar( 'IP', $IP );
 
-               if( !$this->getVar( 'wgScriptPath' ) ) {
-                       $this->showError( 'config-no-uri' );
-                       return false;
-               }
                $this->showMessage( 'config-using-uri', $this->getVar( 
'wgServer' ), $this->getVar( 'wgScriptPath' ) );
                return true;
        }

Modified: trunk/phase3/includes/installer/WebInstaller.php
===================================================================
--- trunk/phase3/includes/installer/WebInstaller.php    2011-08-03 15:38:06 UTC 
(rev 93833)
+++ trunk/phase3/includes/installer/WebInstaller.php    2011-08-03 15:46:06 UTC 
(rev 93834)
@@ -1007,20 +1007,6 @@
                        }
                }
 
-               // PHP_SELF isn't available sometimes, such as when PHP is CGI 
but
-               // cgi.fix_pathinfo is disabled. In that case, fall back to 
SCRIPT_NAME
-               // to get the path to the current script... hopefully it's 
reliable. SIGH
-               $path = false;
-               if ( !empty( $_SERVER['PHP_SELF'] ) ) {
-                       $path = $_SERVER['PHP_SELF'];
-               } elseif ( !empty( $_SERVER['SCRIPT_NAME'] ) ) {
-                       $path = $_SERVER['SCRIPT_NAME'];
-               }
-               if ($path !== false) {
-                       $uri = preg_replace( '{^(.*)/(mw-)?config.*$}', '$1', 
$path );
-                       $this->setVar( 'wgScriptPath', $uri );
-               }
-
                return $newValues;
        }
 
@@ -1067,4 +1053,27 @@
                        $img . ' ' . wfMsgHtml( 'config-download-localsettings' 
) );
                return Html::rawElement( 'div', array( 'class' => 
'config-download-link' ), $anchor );
        }
+
+       public function envCheckPath( ) {
+               // PHP_SELF isn't available sometimes, such as when PHP is CGI 
but
+               // cgi.fix_pathinfo is disabled. In that case, fall back to 
SCRIPT_NAME
+               // to get the path to the current script... hopefully it's 
reliable. SIGH
+               $path = false;
+               if ( !empty( $_SERVER['PHP_SELF'] ) ) {
+                       $path = $_SERVER['PHP_SELF'];
+               } elseif ( !empty( $_SERVER['SCRIPT_NAME'] ) ) {
+                       $path = $_SERVER['SCRIPT_NAME'];
+               }
+               if ($path !== false) {
+                       $uri = preg_replace( '{^(.*)/(mw-)?config.*$}', '$1', 
$path );
+                       $this->setVar( 'wgScriptPath', $uri );
+               } else {
+                       $this->showError( 'config-no-uri' );
+                       return false;
+               }
+
+
+               return parent::envCheckPath();
+       }
+
 }
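Review bot: `envCheckPath()` in WebInstaller stores a value derived from `$_SERVER['PHP_SELF']` in `wgScriptPath`, and `PHP_SELF` includes any path info the client appended to the script URL, so the value is request-influenced. When the pattern `{^(.*)/(mw-)?config.*$}` does not match, `preg_replace()` returns `$path` unchanged, and the whole string is stored and later handed to `config-using-uri`, as the Installer.php hunk shows. I would prefer `SCRIPT_NAME` where it is set and accept only a path the pattern matches, e.g. `if ( $path === false || !preg_match( '{^(.*)/(mw-)?config.*$}', $path, $m ) ) { $this->showError( 'config-no-uri' ); return false; }` followed by `$this->setVar( 'wgScriptPath', $m[1] );`. The method also has no docblock, and `if ($path !== false)` and the doubled blank line before the final `return` differ from the spacing of the surrounding lines.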

