php-phpbb/phpBB/includes/startup.php

<?php
/**
*
* @package phpBB3
* @copyright (c) 2011 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
*/

/**
*/
if (!defined('IN_PHPBB'))
{
	exit;
}

// Report all errors, except notices and deprecation messages
if (!defined('E_DEPRECATED'))
{
	define('E_DEPRECATED', 8192);
}
error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED);

/*
* Remove variables created by register_globals from the global scope
* Thanks to Matt Kavanagh
*/
function deregister_globals()
{
	$not_unset = array(
		'GLOBALS'	=> true,
		'_GET'		=> true,
		'_POST'		=> true,
		'_COOKIE'	=> true,
		'_REQUEST'	=> true,
		'_SERVER'	=> true,
		'_SESSION'	=> true,
		'_ENV'		=> true,
		'_FILES'	=> true,
		'phpEx'		=> true,
		'phpbb_root_path'	=> true
	);

	// Not only will array_merge and array_keys give a warning if
	// a parameter is not an array, array_merge will actually fail.
	// So we check if _SESSION has been initialised.
	if (!isset($_SESSION) || !is_array($_SESSION))
	{
		$_SESSION = array();
	}

	// Merge all into one extremely huge array; unset this later
	$input = array_merge(
		array_keys($_GET),
		array_keys($_POST),
		array_keys($_COOKIE),
		array_keys($_SERVER),
		array_keys($_SESSION),
		array_keys($_ENV),
		array_keys($_FILES)
	);

	foreach ($input as $varname)
	{
		if (isset($not_unset[$varname]))
		{
			// Hacking attempt. No point in continuing unless it's a COOKIE (so a cookie called GLOBALS doesn't lock users out completely)
			if ($varname !== 'GLOBALS' || isset($_GET['GLOBALS']) || isset($_POST['GLOBALS']) || isset($_SERVER['GLOBALS']) || isset($_SESSION['GLOBALS']) || isset($_ENV['GLOBALS']) || isset($_FILES['GLOBALS']))
			{
				exit;
			}
			else
			{
				$cookie = &$_COOKIE;
				while (isset($cookie['GLOBALS']))
				{
					if (!is_array($cookie['GLOBALS']))
					{
						break;
					}

					foreach ($cookie['GLOBALS'] as $registered_var => $value)
					{
						if (!isset($not_unset[$registered_var]))
						{
							unset($GLOBALS[$registered_var]);
						}
					}
					$cookie = &$cookie['GLOBALS'];
				}
			}
		}

		unset($GLOBALS[$varname]);
	}

	unset($input);
}

// If we are on PHP >= 6.0.0 we do not need some code
if (version_compare(PHP_VERSION, '6.0.0-dev', '>='))
{
	/**
	* @ignore
	*/
	define('STRIP', false);
}
else
{
	@set_magic_quotes_runtime(0);

	// Be paranoid with passed vars
	if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on' || !function_exists('ini_get'))
	{
		deregister_globals();
	}

	define('STRIP', (get_magic_quotes_gpc()) ? true : false);
}

$starttime = explode(' ', microtime());
$starttime = $starttime[1] + $starttime[0];
[ticket/10218] Moving global deregistration, etc. to startup.php Because startup.php deletes all variables, the constants in database_update are used to preserve settings at the top. PHPBB3-10218 2011-06-14 06:11:35 -04:00			`<?php`
			`/**`
			`*`
			`* @package phpBB3`
			`* @copyright (c) 2011 phpBB Group`
			`* @license http://opensource.org/licenses/gpl-license.php GNU Public License`
			`*`
			`*/`

			`/**`
			`*/`
			`if (!defined('IN_PHPBB'))`
			`{`
			`exit;`
			`}`

			`// Report all errors, except notices and deprecation messages`
			`if (!defined('E_DEPRECATED'))`
			`{`
			`define('E_DEPRECATED', 8192);`
			`}`
			`error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED);`

			`/*`
			`* Remove variables created by register_globals from the global scope`
			`* Thanks to Matt Kavanagh`
			`*/`
			`function deregister_globals()`
			`{`
			`$not_unset = array(`
			`'GLOBALS' => true,`
			`'_GET' => true,`
			`'_POST' => true,`
			`'_COOKIE' => true,`
			`'_REQUEST' => true,`
			`'_SERVER' => true,`
			`'_SESSION' => true,`
			`'_ENV' => true,`
			`'_FILES' => true,`
			`'phpEx' => true,`
			`'phpbb_root_path' => true`
			`);`

			`// Not only will array_merge and array_keys give a warning if`
			`// a parameter is not an array, array_merge will actually fail.`
			`// So we check if _SESSION has been initialised.`
			`if (!isset($_SESSION) \|\| !is_array($_SESSION))`
			`{`
			`$_SESSION = array();`
			`}`

			`// Merge all into one extremely huge array; unset this later`
			`$input = array_merge(`
			`array_keys($_GET),`
			`array_keys($_POST),`
			`array_keys($_COOKIE),`
			`array_keys($_SERVER),`
			`array_keys($_SESSION),`
			`array_keys($_ENV),`
			`array_keys($_FILES)`
			`);`

			`foreach ($input as $varname)`
			`{`
			`if (isset($not_unset[$varname]))`
			`{`
			`// Hacking attempt. No point in continuing unless it's a COOKIE (so a cookie called GLOBALS doesn't lock users out completely)`
			`if ($varname !== 'GLOBALS' \|\| isset($_GET['GLOBALS']) \|\| isset($_POST['GLOBALS']) \|\| isset($_SERVER['GLOBALS']) \|\| isset($_SESSION['GLOBALS']) \|\| isset($_ENV['GLOBALS']) \|\| isset($_FILES['GLOBALS']))`
			`{`
			`exit;`
			`}`
			`else`
			`{`
			`$cookie = &$_COOKIE;`
			`while (isset($cookie['GLOBALS']))`
			`{`
			`if (!is_array($cookie['GLOBALS']))`
			`{`
			`break;`
			`}`

			`foreach ($cookie['GLOBALS'] as $registered_var => $value)`
			`{`
			`if (!isset($not_unset[$registered_var]))`
			`{`
			`unset($GLOBALS[$registered_var]);`
			`}`
			`}`
			`$cookie = &$cookie['GLOBALS'];`
			`}`
			`}`
			`}`

			`unset($GLOBALS[$varname]);`
			`}`

			`unset($input);`
			`}`

			`// If we are on PHP >= 6.0.0 we do not need some code`
			`if (version_compare(PHP_VERSION, '6.0.0-dev', '>='))`
			`{`
			`/**`
			`* @ignore`
			`*/`
			`define('STRIP', false);`
			`}`
			`else`
			`{`
			`@set_magic_quotes_runtime(0);`

			`// Be paranoid with passed vars`
			`if (@ini_get('register_globals') == '1' \|\| strtolower(@ini_get('register_globals')) == 'on' \|\| !function_exists('ini_get'))`
			`{`
			`deregister_globals();`
			`}`

			`define('STRIP', (get_magic_quotes_gpc()) ? true : false);`
			`}`
[ticket/10218] Prevent startime from being overwritten by deregister_globals() PHPBB3-10218 2011-06-15 00:50:12 -04:00
			`$starttime = explode(' ', microtime());`
			`$starttime = $starttime[1] + $starttime[0];`