Update to MediaWiki 1.26.1

2 files changed, 65 insertions, 2 deletions

diff --git a/includes/libs/MultiHttpClient.php b/includes/libs/MultiHttpClient.php
index 6af3ed51..5555cbcb 100644
--- a/includes/libs/MultiHttpClient.php
+++ b/includes/libs/MultiHttpClient.php
@@ -335,6 +335,19 @@ class MultiHttpClient {
 			);
 		} elseif ( $req['method'] === 'POST' ) {
 			curl_setopt( $ch, CURLOPT_POST, 1 );
+			// Don't interpret POST parameters starting with '@' as file uploads, because this
+			// makes it impossible to POST plain values starting with '@' (and causes security
+			// issues potentially exposing the contents of local files).
+			// The PHP manual says this option was introduced in PHP 5.5 defaults to true in PHP 5.6,
+			// but we support lower versions, and the option doesn't exist in HHVM 5.6.99.
+			if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
+				curl_setopt( $ch, CURLOPT_SAFE_UPLOAD, true );
+			} else if ( is_array( $req['body'] ) ) {
+				// In PHP 5.2 and later, '@' is interpreted as a file upload if POSTFIELDS
+				// is an array, but not if it's a string. So convert $req['body'] to a string
+				// for safety.
+				$req['body'] = wfArrayToCgi( $req['body'] );
+			}
 			curl_setopt( $ch, CURLOPT_POSTFIELDS, $req['body'] );
 		} else {
 			if ( is_resource( $req['body'] ) || $req['body'] !== '' ) {
diff --git a/includes/libs/objectcache/APCBagOStuff.php b/includes/libs/objectcache/APCBagOStuff.php
index 0dbbaba9..35e05e80 100644
--- a/includes/libs/objectcache/APCBagOStuff.php
+++ b/includes/libs/objectcache/APCBagOStuff.php
@@ -27,22 +27,72 @@
  * @ingroup Cache
  */
 class APCBagOStuff extends BagOStuff {
+
+	/**
+	 * @var bool If true, trust the APC implementation to serialize and
+	 * deserialize objects correctly. If false, (de-)serialize in PHP.
+	 */
+	protected $nativeSerialize;
+
 	/**
 	 * @var string String to append to each APC key. This may be changed
 	 *  whenever the handling of values is changed, to prevent existing code
 	 *  from encountering older values which it cannot handle.
-	 **/
-	const KEY_SUFFIX = ':1';
+	 */
+	const KEY_SUFFIX = ':2';
+
+	/**
+	 * Constructor
+	 *
+	 * Available parameters are:
+	 *   - nativeSerialize:     If true, pass objects to apc_store(), and trust it
+	 *                          to serialize them correctly. If false, serialize
+	 *                          all values in PHP.
+	 *
+	 * @param array $params
+	 */
+	public function __construct( array $params = array() ) {
+		parent::__construct( $params );
+
+		if ( isset( $params['nativeSerialize'] ) ) {
+			$this->nativeSerialize = $params['nativeSerialize'];
+		} elseif ( extension_loaded( 'apcu' ) && ini_get( 'apc.serializer' ) === 'default' ) {
+			// APCu has a memory corruption bug when the serializer is set to 'default'.
+			// See T120267, and upstream bug reports:
+			//  - https://github.com/krakjoe/apcu/issues/38
+			//  - https://github.com/krakjoe/apcu/issues/35
+			//  - https://github.com/krakjoe/apcu/issues/111
+			$this->logger->warning(
+				'The APCu extension is loaded and the apc.serializer INI setting ' .
+				'is set to "default". This can cause memory corruption! ' .
+				'You should change apc.serializer to "php" instead. ' .
+				'See <https://github.com/krakjoe/apcu/issues/38>.'
+			);
+			$this->nativeSerialize = false;
+		} else {
+			$this->nativeSerialize = true;
+		}
+	}
 
 	public function get( $key, &$casToken = null, $flags = 0 ) {
 		$val = apc_fetch( $key . self::KEY_SUFFIX );
 
 		$casToken = $val;
 
+		if ( is_string( $val ) && !$this->nativeSerialize ) {
+			$val = $this->isInteger( $val )
+				? intval( $val )
+				: unserialize( $val );
+		}
+
 		return $val;
 	}
 
 	public function set( $key, $value, $exptime = 0 ) {
+		if ( !$this->nativeSerialize && !$this->isInteger( $value ) ) {
+			$value = serialize( $value );
+		}
+
 		apc_store( $key . self::KEY_SUFFIX, $value, $exptime );
 
 		return true;