path: root/includes/GlobalFunctions.php
authorPierre Schmitz <pierre@archlinux.de>2012-03-22 21:04:56 +0100
committerPierre Schmitz <pierre@archlinux.de>2012-03-22 21:04:56 +0100
commit81be3ba123fa26c29ab157288530ffaec9d0930f (patch)
tree8054ad0536e27b20838d85a05884ca47752537dc /includes/GlobalFunctions.php
parentba0fc4fa20067528effd4802e53ceeb959640825 (diff)
Update to MediaWiki 1.18.2
Diffstat (limited to 'includes/GlobalFunctions.php')
-rw-r--r--includes/GlobalFunctions.php29
1 files changed, 29 insertions, 0 deletions
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 3424211f..8ed79c40 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3065,6 +3065,33 @@ function wfHttpOnlySafe() {
}
/**
+ * Override session_id before session startup if php's built-in
+ * session generation code is not secure.
+ */
+function wfFixSessionID() {
+ // If the cookie or session id is already set we already have a session and should abort
+ if ( isset( $_COOKIE[ session_name() ] ) || session_id() ) {
+ return;
+ }
+
+ // PHP's built-in session entropy is enabled if:
+ // - entropy_file is set or you're on Windows with php 5.3.3+
+ // - AND entropy_length is > 0
+ // We treat it as disabled if it doesn't have an entropy length of at least 32
+ $entropyEnabled = (
+ ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
+ || ini_get( 'session.entropy_file' )
+ )
+ && intval( ini_get( 'session.entropy_length' ) ) >= 32;
+
+ // If built-in entropy is not enabled or not sufficient override php's built in session id generation code
+ if ( !$entropyEnabled ) {
+ wfDebug( __METHOD__ . ": PHP's built in entropy is disabled or not sufficient, overriding session id generation using our cryptrand source.\n" );
+ session_id( MWCryptRand::generateHex( 32 ) );
+ }
+}
+
+/**
* Initialise php session
*
* @param $sessionId Bool
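Review bot: The `$entropyEnabled` test in wfFixSessionID accepts any non-empty `session.entropy_file` value as a working entropy source, so a configured but unreadable path (a typo, or a chrooted web server that cannot open /dev/urandom) passes the check and the cryptrand override is skipped; if I recall PHP's id generator correctly it silently proceeds without the extra entropy in that case, which is exactly the situation this function exists to catch. I would tighten the non-Windows branch to `|| ( ini_get( 'session.entropy_file' ) && is_readable( ini_get( 'session.entropy_file' ) ) )`. The doc block should also state the trust decision made by the early return: a client-supplied cookie named `session_name()` is accepted as-is and never re-generated here, e.g. `* Note: an existing client-supplied session cookie is trusted verbatim; this function only hardens generation of fresh ids, it does not protect against fixation.` Finally, the check covers only `session.entropy_length`, not `session.hash_function`/`session.hash_bits_per_character`, which determine how much of that entropy survives into the id; worth a comment that the 32-byte threshold assumes the default md5 hash.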
@@ -3103,6 +3130,8 @@ function wfSetupSession( $sessionId = false ) {
session_cache_limiter( 'private, must-revalidate' );
if ( $sessionId ) {
session_id( $sessionId );
+ } else {
+ wfFixSessionID();
}
wfSuppressWarnings();
session_start();
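Review bot: The override installed via `wfFixSessionID()` only affects the id assigned at this `session_start()`; any later `session_regenerate_id()` call (not visible in this hunk, but the usual login/privilege-change path) asks PHP's built-in generator for the new id, so on a host where the entropy check failed the regenerated id comes from the weak source the commit is trying to avoid. If such calls exist elsewhere, they should be paired with the same fallback, e.g. setting `session_id( MWCryptRand::generateHex( 32 ) )` before re-starting instead of relying on `session_regenerate_id()`, or at least documented here as a known gap: `// NOTE: session_regenerate_id() bypasses wfFixSessionID(); regenerate via MWCryptRand where needed.` The explicit `$sessionId` branch above also passes the caller's string to `session_id()` unchecked; that is pre-existing, but a one-line comment that callers are responsible for its format would help. wfSetupSession begins and ends outside this hunk.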