MDL-10275 added fatal PHP config setting test on each page, replaces …

…some tests done in installer
moodle · Feb 1, 2009 · fbf2c91 · fbf2c91
1 parent b3d960e
commit fbf2c91
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 17 deletions.
diff --git a/admin/index.php b/admin/index.php
@@ -8,9 +8,9 @@
 
 /// Check that PHP is of a sufficient version
 /// Moved here because older versions do not allow while(@ob_end_clean());
-    if (version_compare(phpversion(), "5.2.4") < 0) {
+    if (version_compare(phpversion(), "5.2.8") < 0) {
         $phpversion = phpversion();
-        echo "Sorry, Moodle requires PHP 5.2.4 or later (currently using version $phpversion)";
+        echo "Sorry, Moodle requires PHP 5.2.8 or later (currently using version $phpversion)";
         die;
     }
 
@@ -405,9 +405,8 @@
 
 /// setup critical warnings before printing admin tree block
     $insecuredataroot         = is_dataroot_insecure(true);
-    $register_globals_enabled = ini_get_bool('register_globals');
 
-    $SESSION->admin_critical_warning = ($register_globals_enabled || $insecuredataroot==INSECURE_DATAROOT_ERROR);
+    $SESSION->admin_critical_warning = ($insecuredataroot==INSECURE_DATAROOT_ERROR);
 
     $adminroot = admin_get_root();
 
@@ -433,10 +432,6 @@
         print_box(get_string("upgrade$CFG->upgrade", "admin", "$CFG->wwwroot/$CFG->admin/upgrade$CFG->upgrade.php"));
     }
 
-    if ($register_globals_enabled) {
-        print_box(get_string('globalswarning', 'admin'), 'generalbox adminerror');
-    }
-
     if ($insecuredataroot == INSECURE_DATAROOT_WARNING) {
         print_box(get_string('datarootsecuritywarning', 'admin', $CFG->dataroot), 'generalbox adminwarning');
     } else if ($insecuredataroot == INSECURE_DATAROOT_ERROR) {

diff --git a/lang/en_utf8/admin.php b/lang/en_utf8/admin.php
@@ -396,6 +396,8 @@
 $string['experimentalsettings'] = 'Experimental settings';
 $string['extendedusernamechars'] = 'Allow extended characters in usernames';
 $string['extrauserselectorfields'] = 'When selecting users, search and display';
+$string['fatalsessionautostart'] = '<p>Serious configuration error detected, please notify server administrator.<p><p> To operate properly, Moodle requires that administrator changes PHP settings.</p><p><code>session.auto_start</code> must be set to <code>off</code>.</p><p>This setting is controlled by editing <code>php.ini</code>, Apache/IIS <br />configuration or <code>.htaccess</code> file on the server.</p>';
+$string['fatalmagicquotesruntime'] = '<p>Serious configuration error detected, please notify server administrator.<p><p> To operate properly, Moodle requires that administrator changes PHP settings.</p><p><code>magic_quotes_runtime</code> must be set to <code>off</code>.</p><p>This setting is controlled by editing <code>php.ini</code>, Apache/IIS <br />configuration or <code>.htaccess</code> file on the server.</p>';
 $string['filecreated'] = 'New file created';
 $string['filestoredin'] = 'Save file into folder :';
 $string['filestoredinhelp'] = 'Where the file will be stored';

diff --git a/lib/adminlib.php b/lib/adminlib.php
@@ -244,9 +244,7 @@ function admin_critical_warnings_present() {
 
     if (!isset($SESSION->admin_critical_warning)) {
         $SESSION->admin_critical_warning = 0;
-        if (ini_get_bool('register_globals')) {
-            $SESSION->admin_critical_warning = 1;
-        } else if (is_dataroot_insecure(true) === INSECURE_DATAROOT_ERROR) {
+        if (is_dataroot_insecure(true) === INSECURE_DATAROOT_ERROR) {
             $SESSION->admin_critical_warning = 1;
         }
     }

diff --git a/lib/setup.php b/lib/setup.php
@@ -86,12 +86,6 @@
 /** Relative moodle script path "/course/view.php" */
 global $SCRIPT;
 
-/// First try to detect some attacks on older buggy PHP versions
-    if (isset($_REQUEST['GLOBALS']) || isset($_COOKIE['GLOBALS']) || isset($_FILES['GLOBALS'])) {
-        die('Fatal: Illegal GLOBALS overwrite attempt detected!');
-    }
-
-
     if (!isset($CFG->wwwroot)) {
         trigger_error('Fatal: $CFG->wwwroot is not configured! Exiting.');
         die;
@@ -170,6 +164,9 @@
 /// set handler for uncought exceptions - equivalent to print_error() call
     set_exception_handler('default_exception_handler');
 
+/// make sure PHP is not severly misconfigured
+    setup_validate_php_configuration();
+
 /// Connect to the database
     setup_DB();
 

diff --git a/lib/setuplib.php b/lib/setuplib.php
@@ -84,6 +84,24 @@ function default_exception_handler($ex) {
     }
 }
 
+/**
+ * This function verifies the sanity of PHP configuration
+ * and stops execution if anything critical found.
+ */
+function setup_validate_php_configuration() {
+   // this must be very fast - no slow checks here!!!
+
+   if (ini_get_bool('register_globals')) {
+       print_error('globalswarning', 'admin');
+   }
+   if (ini_get_bool('session.auto_start')) {
+       print_error('sessionautostartwarning', 'admin');
+   }
+   if (ini_get_bool('magic_quotes_runtime')) {
+       print_error('fatalmagicquotesruntime', 'admin');
+   }
+}
+
 /**
  * Initialises $FULLME and friends.
  * @return void