author | Pierre Schmitz <pierre@archlinux.de> | 2012-03-22 21:04:56 +0100 |
---|---|---|
committer | Pierre Schmitz <pierre@archlinux.de> | 2012-03-22 21:04:56 +0100 |
commit | 81be3ba123fa26c29ab157288530ffaec9d0930f (patch) | |
tree | 8054ad0536e27b20838d85a05884ca47752537dc /includes/GlobalFunctions.php | |
parent | ba0fc4fa20067528effd4802e53ceeb959640825 (diff) |
Update to MediaWiki 1.18.2
Diffstat (limited to 'includes/GlobalFunctions.php')
-rw-r--r-- | includes/GlobalFunctions.php | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 3424211f..8ed79c40 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3065,6 +3065,33 @@ function wfHttpOnlySafe() {
 }
 
 /**
+ * Override session_id before session startup if php's built-in
+ * session generation code is not secure.
+ */
+function wfFixSessionID() {
+ // If the cookie or session id is already set we already have a session and should abort
+ if ( isset( $_COOKIE[ session_name() ] ) || session_id() ) {
+ return;
+ }
+
+ // PHP's built-in session entropy is enabled if:
+ // - entropy_file is set or you're on Windows with php 5.3.3+
+ // - AND entropy_length is > 0
+ // We treat it as disabled if it doesn't have an entropy length of at least 32
+ $entropyEnabled = (
+ ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
+ || ini_get( 'session.entropy_file' )
+ )
+ && intval( ini_get( 'session.entropy_length' ) ) >= 32;
+
+ // If built-in entropy is not enabled or not sufficient override php's built in session id generation code
+ if ( !$entropyEnabled ) {
+ wfDebug( __METHOD__ . ": PHP's built in entropy is disabled or not sufficient, overriding session id generation using our cryptrand source.\n" );
+ session_id( MWCryptRand::generateHex( 32 ) );
+ }
+}
+
+/**
  * Initialise php session
  *
  * @param $sessionId Bool
@@ -3103,6 +3130,8 @@ function wfSetupSession( $sessionId = false ) {
 session_cache_limiter( 'private, must-revalidate' );
 if ( $sessionId ) {
 session_id( $sessionId );
+ } else {
+ wfFixSessionID();
 }
 wfSuppressWarnings();
 session_start(); |
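Review bot: The early return on `isset( $_COOKIE[ session_name() ] )` in wfFixSessionID hands every request that already carries a session cookie back to PHP, so an ID that the client chose but that does not exist server-side is still started as-is by the following `session_start()` (PHP of this era has no `session.use_strict_mode` to reject unknown IDs, as far as I can tell); the stronger generator therefore only covers IDs the server originates and does not by itself close session fixation, which still relies on regenerating the ID at login elsewhere. The `$entropyEnabled` test is also weaker than it looks: `ini_get( 'session.entropy_file' )` only proves the setting is non-empty, not that the path is readable, and I believe PHP silently skips the entropy read when the open fails, so a mistyped path would pass this check and fall through to the weak time/LCG-based generator. Unless there is a reason to prefer PHP's generator when it is configured, it would be simpler and safer to always set `session_id( MWCryptRand::generateHex( 32 ) )` when MWCryptRand reports a strong source, and the docblock should state that "not secure" means PHP generating IDs without an OS entropy source. At minimum, the comment block should note `// NOTE: a configured entropy_file is not verified to be readable; PHP falls back silently if it is not`.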
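Review bot: The new `else` branch in wfSetupSession gives a reader no hint why it must run exactly here, between the explicit-ID path and `session_start()`; a one-line comment would make the ordering constraint explicit, e.g. `// No caller-supplied id: substitute a cryptographically random one before session_start() if PHP's own generator lacks entropy`. Note that the explicit `$sessionId` path bypasses the override entirely, which is presumably intended for callers that resume a known session but is worth saying in the function's docblock. wfSetupSession's body starts before and ends after this hunk.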