Add parser tests for bug 52468 and bug 52363.
[mediawiki.git] / includes / WebStart.php
blobf840a5ed784c25dceea58e43c0c51dc4d71f2b6a
1 <?php
2 /**
3 * This does the initial setup for a web request.
4 * It does some security checks, starts the profiler and loads the
5 * configuration, and optionally loads Setup.php depending on whether
6 * MW_NO_SETUP is defined.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
21 * http://www.gnu.org/copyleft/gpl.html
23 * @file
26 # Protect against register_globals
27 # This must be done before any globals are set by the code
28 if ( ini_get( 'register_globals' ) ) {
29 if ( isset( $_REQUEST['GLOBALS'] ) || isset( $_FILES['GLOBALS'] ) ) {
30 die( '<a href="http://www.hardened-php.net/globals-problem">$GLOBALS overwrite vulnerability</a>' );
32 $verboten = array(
33 'GLOBALS',
34 '_SERVER',
35 'HTTP_SERVER_VARS',
36 '_GET',
37 'HTTP_GET_VARS',
38 '_POST',
39 'HTTP_POST_VARS',
40 '_COOKIE',
41 'HTTP_COOKIE_VARS',
42 '_FILES',
43 'HTTP_POST_FILES',
44 '_ENV',
45 'HTTP_ENV_VARS',
46 '_REQUEST',
47 '_SESSION',
48 'HTTP_SESSION_VARS'
50 foreach ( $_REQUEST as $name => $value ) {
51 if ( in_array( $name, $verboten ) ) {
52 header( "HTTP/1.1 500 Internal Server Error" );
53 echo "register_globals security paranoia: trying to overwrite superglobals, aborting.";
54 die( -1 );
56 unset( $GLOBALS[$name] );
60 # bug 15461: Make IE8 turn off content sniffing. Everybody else should ignore this
61 # We're adding it here so that it's *always* set, even for alternate entry
62 # points and when $wgOut gets disabled or overridden.
63 header( 'X-Content-Type-Options: nosniff' );
65 $wgRequestTime = microtime( true );
66 # getrusage() does not exist on the Microsoft Windows platforms, catching this
67 if ( function_exists ( 'getrusage' ) ) {
68 $wgRUstart = getrusage();
69 } else {
70 $wgRUstart = array();
72 unset( $IP );
74 # Valid web server entry point, enable includes.
75 # Please don't move this line to includes/Defines.php. This line essentially
76 # defines a valid entry point. If you put it in includes/Defines.php, then
77 # any script that includes it becomes an entry point, thereby defeating
78 # its purpose.
79 define( 'MEDIAWIKI', true );
81 # Full path to working directory.
82 # Makes it possible to for example to have effective exclude path in apc.
83 # __DIR__ breaks symlinked includes, but realpath() returns false
84 # if we don't have permissions on parent directories.
85 $IP = getenv( 'MW_INSTALL_PATH' );
86 if ( $IP === false ) {
87 if ( realpath( '.' ) ) {
88 $IP = realpath( '.' );
89 } else {
90 $IP = dirname( __DIR__ );
94 # Get MWInit class
95 require_once "$IP/includes/Init.php";
97 # Start the autoloader, so that extensions can derive classes from core files
98 require_once "$IP/includes/AutoLoader.php";
100 # Load the profiler
101 require_once "$IP/includes/profiler/Profiler.php";
103 # Load up some global defines.
104 require_once "$IP/includes/Defines.php";
106 # Start the profiler
107 $wgProfiler = array();
108 if ( file_exists( "$IP/StartProfiler.php" ) ) {
109 require "$IP/StartProfiler.php";
112 wfProfileIn( 'WebStart.php-conf' );
114 # Load default settings
115 require_once "$IP/includes/DefaultSettings.php";
117 # Load composer's autoloader if present
118 if ( is_readable( "$IP/vendor/autoload.php" ) ) {
119 require_once "$IP/vendor/autoload.php";
122 if ( defined( 'MW_CONFIG_CALLBACK' ) ) {
123 # Use a callback function to configure MediaWiki
124 call_user_func( MW_CONFIG_CALLBACK );
125 } else {
126 if ( !defined( 'MW_CONFIG_FILE' ) ) {
127 define( 'MW_CONFIG_FILE', "$IP/LocalSettings.php" );
130 # LocalSettings.php is the per site customization file. If it does not exist
131 # the wiki installer needs to be launched or the generated file uploaded to
132 # the root wiki directory
133 if ( !file_exists( MW_CONFIG_FILE ) ) {
134 require_once "$IP/includes/templates/NoLocalSettings.php";
135 die();
138 # Include site settings. $IP may be changed (hopefully before the AutoLoader is invoked)
139 require_once MW_CONFIG_FILE;
142 wfProfileOut( 'WebStart.php-conf' );
144 wfProfileIn( 'WebStart.php-ob_start' );
145 # Initialise output buffering
146 # Check that there is no previous output or previously set up buffers, because
147 # that would cause us to potentially mix gzip and non-gzip output, creating a
148 # big mess.
149 if ( !defined( 'MW_NO_OUTPUT_BUFFER' ) && ob_get_level() == 0 ) {
150 require_once "$IP/includes/OutputHandler.php";
151 ob_start( 'wfOutputHandler' );
153 wfProfileOut( 'WebStart.php-ob_start' );
155 if ( !defined( 'MW_NO_SETUP' ) ) {
156 require_once "$IP/includes/Setup.php";