[TASK] Require PHP setting register_globals set to Off
authorHelmut Hummel <helmut.hummel@typo3.org>
Sat, 18 Aug 2012 10:17:27 +0000 (12:17 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Sat, 18 Aug 2012 10:41:58 +0000 (12:41 +0200)
Die early in the bootstrap if register_globals is On.

Change-Id: Icd2541447c190db7f1a6d01cd9da624568018b41
Resolves: #39920
Releases: 6.0
Reviewed-on: http://review.typo3.org/13882
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
INSTALL.txt
NEWS.txt
typo3/classes/Bootstrap/BaseSetup.php
typo3/sysext/reports/reports/status/class.tx_reports_reports_status_systemstatus.php

index c2fc9ac..9788d86 100644 (file)
@@ -38,6 +38,7 @@ The following configuration is the minimum required:
        Some extensions can be optionally compiled into PHP. A list of loaded
        extensions can be checked using the phpinfo() function.
 - memory_limit set to at least 64M in php.ini
+- register_globals is disabled in php.ini
 - MySQL 5.0 or newer
 - 200 MB of disk space
 - AllowOverride in the Apache configuration includes "Indexes" and "FileInfo"
index 082b79b..4197bea 100644 (file)
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -87,6 +87,11 @@ Extension authors should remove the three line XCLASS statement at the bottom
 of class files now for any extension with a compatibility for 6.0 and above.
 More information can be found at http://wiki.typo3.org/Autoload
 
+* PHP setting register_globals must be off
+
+The bootstrap now verifies the PHP setting register_globals is disabled for
+security reasons. The script dies otherwise.
+
 Removed Functionality
 -------------------------------------------------------------------------------
 
@@ -217,4 +222,4 @@ Development
 Performance
 -------------------------------------------------------------------------------
 
-...
\ No newline at end of file
+...
index 3048e23..93711ae 100644 (file)
@@ -50,7 +50,7 @@ class Typo3_Bootstrap_BaseSetup {
         * @return void
         */
        public static function run($relativePathPart = '') {
-               self::checkPhpVersionOrDie();
+               self::ensureRequiredEnvironment();
                self::checkGlobalsAreNotSetViaPostOrGet();
                self::defineBaseConstants();
                self::definePaths($relativePathPart);
@@ -69,10 +69,25 @@ class Typo3_Bootstrap_BaseSetup {
         *
         * @return void
         */
-       protected static function checkPhpVersionOrDie() {
+       protected static function ensureRequiredEnvironment() {
                if (version_compare(phpversion(), '5.3', '<')) {
                        die('TYPO3 requires PHP 5.3.0 or higher.');
                }
+
+               if (self::getPhpIniValueBoolean('register_globals')) {
+                       die('TYPO3 requires PHP setting "register_globals" set to Off. (Error: #1345284320)');
+               }
+       }
+
+       /**
+        * Cast a on/off php ini value to boolean
+        *
+        * @param string $configOption
+        * @return boolean TRUE if the given option is enabled, FALSE if disabled
+        * @see t3lib_utility_PhpOptions::getIniValueBoolean
+        */
+       protected static function getPhpIniValueBoolean($configOption) {
+               return filter_var(ini_get($configOption), FILTER_VALIDATE_BOOLEAN, array(FILTER_REQUIRE_SCALAR, FILTER_NULL_ON_FAILURE));
        }
 
        /**
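Review bot: `getPhpIniValueBoolean()` fails open on any value it does not recognise, which is the wrong direction for a security gate: `filter_var(..., FILTER_VALIDATE_BOOLEAN)` returns FALSE for strings outside its on/off vocabulary (e.g. a numeric `register_globals = 2`, which PHP's own ini parser presumably treats as enabled), so such a configuration passes the new `die()` check in `ensureRequiredEnvironment()`, whereas the reports check this commit removes deliberately flagged everything that was not clearly off. The third argument is also not doing what it looks like — `filter_var()` takes either a flags bitmask or an associative array with a `'flags'` key, so the plain list `array(FILTER_REQUIRE_SCALAR, FILTER_NULL_ON_FAILURE)` sets no flags at all and the NULL-on-failure behaviour the docblock relies on never happens. I would pass the flag properly and treat only an explicit off value as disabled: `$value = filter_var(ini_get($configOption), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);` followed by `return $value !== FALSE;` — this keeps `ini_get()` returning FALSE (directive absent, as on PHP 5.4+) as "off" since it is coerced to the empty string, while any unrecognised value now trips the check. The same fix should be mirrored in `t3lib_utility_PhpOptions::getIniValueBoolean` referenced by the `@see`, which is outside this diff.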
index e282020..aef52c8 100644 (file)
@@ -54,7 +54,6 @@ class tx_reports_reports_status_SystemStatus implements tx_reports_StatusProvide
                        'Php'                 => $this->getPhpStatus(),
                        'PhpMemoryLimit'      => $this->getPhpMemoryLimitStatus(),
                        'PhpPeakMemory'       => $this->getPhpPeakMemoryStatus(),
-                       'PhpRegisterGlobals'  => $this->getPhpRegisterGlobalsStatus(),
                        'Webserver'           => $this->getWebserverStatus(),
                        'PhpModules'          => $this->getMissingPhpModules(),
                );
@@ -180,35 +179,6 @@ class tx_reports_reports_status_SystemStatus implements tx_reports_StatusProvide
                );
        }
 
-       /**
-        * Checks whether register globals is on or off.
-        *
-        * @return tx_reports_reports_status_Status A status of whether register globals is on or off
-        */
-       protected function getPhpRegisterGlobalsStatus() {
-               $value    = $GLOBALS['LANG']->getLL('status_disabled');
-               $message  = '';
-               $severity = tx_reports_reports_status_Status::OK;
-
-               $registerGlobals = trim(ini_get('register_globals'));
-
-                       // Can't reliably check for 'on', therefore checking for the opposite 'off', '', or 0
-               if (!empty($registerGlobals) && strtolower($registerGlobals) != 'off') {
-                       $registerGlobalsHighlight = '<em>register_globals</em>';
-                       $phpManualLink .= '<a href="http://php.net/configuration.changes">' . $GLOBALS['LANG']->getLL('status_phpRegisterGlobalsHowToChange') . '</a>';
-                       $message  = sprintf($GLOBALS['LANG']->getLL('status_phpRegisterGlobalsEnabled'), $registerGlobalsHighlight);
-                       $message .= ' ' . sprintf($GLOBALS['LANG']->getLL('status_phpRegisterGlobalsSecurity'), $registerGlobalsHighlight);
-                       $message .= ' ' . sprintf($GLOBALS['LANG']->getLL('status_phpRegisterGlobalsPHPManual'), $phpManualLink);
-                       $severity = tx_reports_reports_status_Status::ERROR;
-                       $value = $GLOBALS['LANG']->getLL('status_enabled')
-                               . ' (\'' . $registerGlobals . '\')';
-               }
-
-               return t3lib_div::makeInstance('tx_reports_reports_status_Status',
-                       $GLOBALS['LANG']->getLL('status_phpRegisterGlobals'), $value, $message, $severity
-               );
-       }
-
        /**
         * Reports the webserver TYPO3 is running on.
         *