#209409 by Heine, webernet, dww: more accurate register globals value checking

ff1c3902 · Gábor Hojtsy · 436f7d8a · ff1c3902
Commit ff1c3902 authored Jan 21, 2008 by Gábor Hojtsy
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 4 deletions

modules/system/system.install modules/system/system.install +19 -4

No files found.
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -52,10 +52,6 @@ function system_requirements($phase) {
    $requirements['webserver']['description'] = $t('Unable to determine your web server type and version. Drupal might not work properly.');
    $requirements['webserver']['severity'] = REQUIREMENT_WARNING;
  }
-  if (ini_get('register_globals')) {
-    $requirements['php']['description'] = $t('<em>register_globals</em> is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when <em>register_globals</em> is enabled. The PHP manual has instructions for <a href="http://php.net/configuration.changes">how to change configuration settings</a>.');
-    $requirements['php']['severity'] = REQUIREMENT_ERROR;
-  }

  // Test PHP version
  $requirements['php'] = array(
@@ -67,6 +63,25 @@ function system_requirements($phase) {
    $requirements['php']['severity'] = REQUIREMENT_ERROR;
  }

+  // Test PHP register_globals setting.
+  $requirements['php_register_globals'] = array(
+    'title' => $t('PHP register globals'),
+  );
+  $register_globals = trim(ini_get('register_globals'));
+  // Unfortunately, ini_get() may return many different values, and we can't 
+  // be certain which values mean 'on', so we instead check for 'not off'
+  // since we never want to tell the user that their site is secure
+  // (register_globals off), when it is in fact on. We can only guarantee
+  // register_globals is off if the value returned is 'off', '', or 0.
+  if (!empty($register_globals) && strtolower($register_globals) != 'off') {
+    $requirements['php_register_globals']['description'] = $t('<em>register_globals</em> is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when <em>register_globals</em> is enabled. The PHP manual has instructions for <a href="http://php.net/configuration.changes">how to change configuration settings</a>.');
+    $requirements['php_register_globals']['severity'] = REQUIREMENT_ERROR;
+    $requirements['php_register_globals']['value'] = $t("Enabled ('@value')", array('@value' => $register_globals));
+  }
+  else {
+    $requirements['php_register_globals']['value'] = $t('Disabled');
+  }
+
  // Test PHP memory_limit
  $memory_limit = ini_get('memory_limit');
  $requirements['php_memory_limit'] = array(