Gergő Tisza has uploaded a new change for review.
https://gerrit.wikimedia.org/r/272644
Change subject: Enforce MW_NO_SESSION, add MW_NO_SESSION_HANDLER
......................................................................
Enforce MW_NO_SESSION, add MW_NO_SESSION_HANDLER
When an entry point specifies MW_NO_SESSION, actually enforce that by
having both SessionManager and PHP's session handling (session_start()
and friends) throw exceptions.
If an entry point needs the old behavior of using PHP's default session
handling (as defined in php.ini), it should define
MW_NO_SESSION_HANDLER instead of or in addition to MW_NO_SESSION.
This also makes PHPSessionHandler be installed in CLI mode, where it
wasn't installed before.
Bug: T127233
Change-Id: I2a3db06ee8e44a044096c57a819b5fd5e51c5c5c
(cherry-picked from: f61cb18b71dac4b8117c36c4b54653742f6e118c)
---
M includes/DefaultSettings.php
M includes/GlobalFunctions.php
M includes/Setup.php
M includes/installer/Installer.php
M includes/session/PHPSessionHandler.php
M includes/session/SessionManager.php
M includes/user/User.php
7 files changed, 68 insertions(+), 20 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/44/272644/1
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index a2f1c7f..6c85fee 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2294,6 +2294,14 @@
/**
* Whether to use PHP session handling ($_SESSION and session_*() functions)
+ *
+ * If the constant MW_NO_SESSION is defined, this is forced to 'disable'.
+ *
+ * If the constant MW_NO_SESSION_HANDLER is defined, this is ignored and PHP
+ * session handling will function independently of SessionHandler.
+ * SessionHandler and PHP's session handling may attempt to override each
+ * others' cookies.
+ *
* @since 1.27
* @var string
* - 'enable': Integrate with PHP's session handling as much as possible.
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index a1ea936..5fcafb6 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3046,12 +3046,6 @@
function wfSetupSession( $sessionId = false ) {
wfDeprecated( __FUNCTION__, '1.27' );
- // If they're calling this, they probably want our session management
even
- // if NO_SESSION was set for Setup.php.
- if ( !MediaWiki\Session\PHPSessionHandler::isInstalled() ) {
- MediaWiki\Session\PHPSessionHandler::install(
SessionManager::singleton() );
- }
-
if ( $sessionId ) {
session_id( $sessionId );
}
diff --git a/includes/Setup.php b/includes/Setup.php
index 3ceb558..fa2a6bb 100644
--- a/includes/Setup.php
+++ b/includes/Setup.php
@@ -517,6 +517,11 @@
) {
$wgPHPSessionHandling = 'warn';
}
+if ( defined( 'MW_NO_SESSION' ) ) {
+ // If the entry point wants no session, force 'disable' here unless they
+ // specifically set it to the (undocumented) 'warn'.
+ $wgPHPSessionHandling = MW_NO_SESSION === 'warn' ? 'warn' : 'disable';
+}
Profiler::instance()->scopedProfileOut( $ps_default );
@@ -702,10 +707,13 @@
session_name( $wgSessionName ? $wgSessionName : $wgCookiePrefix
. '_session' );
}
- // Create the SessionManager singleton and set up our session handler
- MediaWiki\Session\PHPSessionHandler::install(
- MediaWiki\Session\SessionManager::singleton()
- );
+ // Create the SessionManager singleton and set up our session handler,
+ // unless we're specifically asked not to.
+ if ( !defined( 'MW_NO_SESSION_HANDLER' ) ) {
+ MediaWiki\Session\PHPSessionHandler::install(
+ MediaWiki\Session\SessionManager::singleton()
+ );
+ }
// Initialize the session
try {
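Review bot: The `if ( !defined( 'MW_NO_SESSION_HANDLER' ) )` install block added here is repeated verbatim in the new `else` branch of the following hunk (`@@ -740,6 +748,16 @@`), so the two copies can drift apart. If ordering relative to the `session_name()` call above does not matter, hoist a single copy ahead of the enclosing `if`; otherwise add a comment such as `// Keep in sync with the else branch below.` The enclosing `if` starts before this hunk and the `try` block continues past it, so whether hoisting is safe cannot be confirmed from the visible lines.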
@@ -740,6 +748,16 @@
session_id( $session->getId() );
MediaWiki\quietCall( 'session_start' );
}
+
+ unset( $session );
+} else {
+ // Even if we didn't set up a global Session, still install our session
+ // handler unless specifically requested not to.
+ if ( !defined( 'MW_NO_SESSION_HANDLER' ) ) {
+ MediaWiki\Session\PHPSessionHandler::install(
+ MediaWiki\Session\SessionManager::singleton()
+ );
+ }
}
Profiler::instance()->scopedProfileOut( $ps_session );
diff --git a/includes/installer/Installer.php b/includes/installer/Installer.php
index ded45c2..968220c 100644
--- a/includes/installer/Installer.php
+++ b/includes/installer/Installer.php
@@ -1715,7 +1715,9 @@
* Override the necessary bits of the config to run an installation.
*/
public static function overrideConfig() {
- define( 'MW_NO_SESSION', 1 );
+ // Use PHP's built-in session handling, since MediaWiki's
+ // SessionHandler can't work before we have an object cache set
up.
+ define( 'MW_NO_SESSION_HANDLER', 1 );
// Don't access the database
$GLOBALS['wgUseDatabaseMessages'] = false;
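Review bot: Swapping `MW_NO_SESSION` for `MW_NO_SESSION_HANDLER` in `overrideConfig()` puts the installer's session entirely under PHP's php.ini handler, and the new comment gives the reason but not the consequence. Session storage location and cookie attributes would then presumably follow php.ini rather than MediaWiki's configuration, which matters if the installer keeps sensitive setup values in the session. Consider extending the comment, e.g. `// Session storage and cookie flags therefore follow php.ini, not MediaWiki's settings.` The body of `overrideConfig()` continues outside this hunk.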
@@ -1739,6 +1741,8 @@
// Some of the environment checks make shell requests, remove
limits
$GLOBALS['wgMaxShellMemory'] = 0;
+ // Override the default CookieSessionProvider with a dummy
+ // implementation that won't stomp on PHP's cookies.
$GLOBALS['wgSessionProviders'] = array(
array(
'class' => 'InstallerSessionProvider',
@@ -1747,6 +1751,9 @@
) )
)
);
+
+ // Don't try to use any object cache for SessionManager either.
+ $GLOBALS['wgSessionCacheType'] = CACHE_NONE;
}
/**
diff --git a/includes/session/PHPSessionHandler.php
b/includes/session/PHPSessionHandler.php
index 7d7e1cb..643fb82 100644
--- a/includes/session/PHPSessionHandler.php
+++ b/includes/session/PHPSessionHandler.php
@@ -111,6 +111,10 @@
return;
}
+ if ( defined( 'MW_NO_SESSION_HANDLER' ) ) {
+ throw new \BadMethodCallException(
'MW_NO_SESSION_HANDLER is defined' );
+ }
+
self::$instance = new self( $manager );
// Close any auto-started session, before we replace it
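Review bot: The `BadMethodCallException` added here is a new failure mode that nothing in the hunk documents. The docblock of the enclosing method lies outside this hunk; it should gain `@throws \BadMethodCallException If MW_NO_SESSION_HANDLER is defined`. Code that calls this method directly on an entry point defining that constant would otherwise find out only at runtime.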
diff --git a/includes/session/SessionManager.php
b/includes/session/SessionManager.php
index d3b7a2d..094a725 100644
--- a/includes/session/SessionManager.php
+++ b/includes/session/SessionManager.php
@@ -942,6 +942,15 @@
* @return Session
*/
public function getSessionFromInfo( SessionInfo $info, WebRequest
$request ) {
+ if ( defined( 'MW_NO_SESSION' ) ) {
+ if ( MW_NO_SESSION === 'warn' ) {
+ // Undocumented safety case for converting
existing entry points
+ $this->logger->error( 'Sessions are supposed to
be disabled for this entry point' );
+ } else {
+ throw new \BadMethodCallException( 'Sessions
are disabled for this entry point' );
+ }
+ }
+
$id = $info->getId();
if ( !isset( $this->allSessionBackends[$id] ) ) {
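Review bot: In the `'warn'` branch the `error()` call records only a fixed message, so the log entry does not identify which caller tried to obtain a session on a session-less entry point. Since that branch exists to find such callers while entry points are converted, attach a stack trace, e.g. `$this->logger->error( 'Sessions are supposed to be disabled for this entry point', array( 'exception' => new \BadMethodCallException( 'Sessions are disabled for this entry point' ) ) );` (assuming the logger accepts a PSR-3 style context array). The method docblock above should also gain `@throws \BadMethodCallException`. The body of `getSessionFromInfo()` continues past the hunk.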
diff --git a/includes/user/User.php b/includes/user/User.php
index 95e5ceb..7caa3f9 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -1111,7 +1111,8 @@
$this->mOptionOverrides = null;
$this->mOptionsLoaded = false;
- $loggedOut = $this->mRequest ?
$this->mRequest->getSession()->getLoggedOutTimestamp() : 0;
+ $loggedOut = $this->mRequest && !defined( 'MW_NO_SESSION' )
+ ?
$this->mRequest->getSession()->getLoggedOutTimestamp() : 0;
if ( $loggedOut !== 0 ) {
$this->mTouched = wfTimestamp( TS_MW, $loggedOut );
} else {
@@ -3080,9 +3081,13 @@
if ( is_null( $this->mRights ) ) {
$this->mRights = self::getGroupPermissions(
$this->getEffectiveGroups() );
- $allowedRights =
$this->getRequest()->getSession()->getAllowedUserRights();
- if ( $allowedRights !== null ) {
- $this->mRights = array_intersect(
$this->mRights, $allowedRights );
+ // Deny any rights denied by the user's session, unless
this
+ // endpoint has no sessions.
+ if ( !defined( 'MW_NO_SESSION' ) ) {
+ $allowedRights =
$this->getRequest()->getSession()->getAllowedUserRights();
+ if ( $allowedRights !== null ) {
+ $this->mRights = array_intersect(
$this->mRights, $allowedRights );
+ }
}
Hooks::run( 'UserGetRights', array( $this,
&$this->mRights ) );
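Review bot: The `!defined( 'MW_NO_SESSION' )` guard also skips the session's allowed-rights restriction when `MW_NO_SESSION` is `'warn'`, a mode in which `getSessionFromInfo()` (as changed in this commit) only logs and sessions keep working. On such an entry point a session that limits rights would be evaluated with the full group rights, i.e. the check fails open. Consider `if ( !defined( 'MW_NO_SESSION' ) || MW_NO_SESSION === 'warn' ) {` here and in the matching guard of the `@@ -4605,11 +4610,14 @@` hunk. The enclosing method starts and ends outside this hunk.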
@@ -4605,11 +4610,14 @@
}
}
- // Remove any rights that aren't allowed to the global-session
user
- $allowedRights =
SessionManager::getGlobalSession()->getAllowedUserRights();
- if ( $allowedRights !== null && !in_array( $right,
$allowedRights, true ) ) {
- $cache[$right] = false;
- return false;
+ // Remove any rights that aren't allowed to the global-session
user,
+ // unless there are no sessions for this endpoint.
+ if ( !defined( 'MW_NO_SESSION' ) ) {
+ $allowedRights =
SessionManager::getGlobalSession()->getAllowedUserRights();
+ if ( $allowedRights !== null && !in_array( $right,
$allowedRights, true ) ) {
+ $cache[$right] = false;
+ return false;
+ }
}
// Allow extensions to say false
--
To view, visit https://gerrit.wikimedia.org/r/272644
Gerrit-MessageType: newchange
Gerrit-Change-Id: I2a3db06ee8e44a044096c57a819b5fd5e51c5c5c
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: wmf/1.27.0-wmf.14
Gerrit-Owner: Gergő Tisza <[email protected]>
Gerrit-Reviewer: Anomie <[email protected]>