From efa586fddd5ebacd8a89b56d797c1eff1681cfc4 Mon Sep 17 00:00:00 2001
From: Max Semenik
Date: Sat, 6 Jan 2018 15:41:37 +0300
Subject: [PATCH] Restrict shell commands by default
Before it's too late, let's boil the oceans and just do it. This patch assumes that old code calling wfShellExec() doesn't know about restrictions so it doesn't restrict anything. New code, however, needs to specify its restrictions or deal with defaults.
Change-Id: I58963901087202d4a405bcdb6bd12758bb6b0ff7
---
 RELEASE-NOTES-1.31 | 2 ++
 includes/GlobalFunctions.php | 2 ++
 includes/shell/CommandFactory.php | 1 +
 includes/shell/Shell.php | 7 +++++++
 4 files changed, 12 insertions(+)
diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31
index 312933b591..3de040273a 100644
--- a/RELEASE-NOTES-1.31
+++ b/RELEASE-NOTES-1.31
@@ -255,6 +255,8 @@ changes to languages because of Phabricator reports.
 MWTidy::checkErrors() and its callee TidyDriverBase::validate() are removed, as are MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument(). The $wgValidateAllHtml configuration option is removed and will be ignored.
+* Execution of external programs using MediaWiki\Shell\Command now applies RESTRICT_DEFAULT
+ Firejail restriction by default.
 === Deprecations in 1.31 ===
 * The Revision class was deprecated in favor of RevisionStore, BlobStore, and
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index cd8ae46907..3dfe12e7fc 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -2327,6 +2327,8 @@ function wfShellExec( $cmd, &$retval = null, $environ = [],
 ->limits( $limits )
 ->includeStderr( $includeStderr )
 ->profileMethod( $profileMethod )
+ // For b/c
+ ->restrict( Shell::RESTRICT_NONE )
 ->execute();
 } catch ( ProcOpenError $ex ) {
 $retval = -1;
diff --git a/includes/shell/CommandFactory.php b/includes/shell/CommandFactory.php
index 78f1d8008f..b4b9b921a9 100644
--- a/includes/shell/CommandFactory.php
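Review bot: The `->restrict( Shell::RESTRICT_NONE )` call added to the wfShellExec() chain only restores the old unrestricted behaviour if `restrict()` replaces the stored flags. `RESTRICT_NONE` is `0`, so if `restrict()` accumulates flags with a bitwise OR (its body is not part of this diff) the call is a no-op and a FirejailCommand keeps the `RESTRICT_DEFAULT` that CommandFactory::create() now sets. The same question decides what a later `restrict()` call from new code does to the factory default in the CommandFactory.php hunk. It is worth confirming the setter's semantics and recording them in the comment, e.g. `// For b/c: legacy callers predate restrictions; this must override the factory default`. The chain belongs to wfShellExec(), whose body starts and ends outside the hunk.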
+++ b/includes/shell/CommandFactory.php
@@ -100,6 +100,7 @@ class CommandFactory {
 public function create() {
 if ( $this->restrictionMethod === 'firejail' ) {
 $command = new FirejailCommand( $this->findFirejail() );
+ $command->restrict( Shell::RESTRICT_DEFAULT );
 } else {
 $command = new Command();
 }
diff --git a/includes/shell/Shell.php b/includes/shell/Shell.php
index 72107e94e2..742e1424ad 100644
--- a/includes/shell/Shell.php
+++ b/includes/shell/Shell.php
@@ -101,6 +101,13 @@ class Shell {
 */
 const NO_LOCALSETTINGS = 32;
+ /**
+ * Don't apply any restrictions
+ *
+ * @since 1.31
+ */
+ const RESTRICT_NONE = 0;
+
 /**
 * Returns a new instance of Command class
 *
-- 2.20.1
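Review bot: In create(), the new `$command->restrict( Shell::RESTRICT_DEFAULT );` sits only in the `'firejail'` branch, so where `restrictionMethod` is anything else the returned `Command` carries no default restriction. The release note in this patch reads as if every MediaWiki\Shell\Command were restricted, which does not hold for the `else` branch. A comment on the branch would make the limit explicit, e.g. `// Sandbox by default; only applies when firejail is the restriction method`. create() continues past the end of the hunk.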
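Review bot: The docblock added for `RESTRICT_NONE` in Shell.php says only "Don't apply any restrictions" and does not tell a caller that passing it switches the sandbox off for that command, or that it exists for wfShellExec() backward compatibility as the commit message explains. I would extend it with a line such as `* Disables sandboxing entirely; meant for legacy callers, new code should state its own restrictions`. Because the value is `0`, OR-ing it with other flags changes nothing, which deserves one more sentence in the same docblock.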