MaxSem has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/402578 )

Change subject: WIP: add default shell restrictions
......................................................................

WIP: add default shell restrictions

Before it's too late, let's boil the oceans
and just do it. This patch assumes that old code
calling wfShellExec() doesn't know about restrictions
so it doesn't restrict anything. New code, however,
needs to specify its restrictions or deal with defaults.

Change-Id: I58963901087202d4a405bcdb6bd12758bb6b0ff7
---
M includes/DefaultSettings.php
M includes/GlobalFunctions.php
M includes/ServiceWiring.php
M includes/shell/CommandFactory.php
M includes/shell/Shell.php
5 files changed, 28 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/78/402578/1

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 8091428..34d2ca5 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -38,6 +38,8 @@
  * @file
  */
 
+use MediaWiki\Shell\Shell;
+
 /**
  * @cond file_level_code
  * This is not a valid entry point, perform no further processing unless
@@ -8305,6 +8307,14 @@
  */
 $wgShellRestrictionMethod = false;
 
+/**
+ * Default shell execution restriction. Does not apply to legacy calls to 
wfShellExec()
+ * Does not use Shell::RESTRICT_DEFAULT to isolate library changes from 
configuration.
+ *
+ * @since 1.31
+ */
+$wgShellDefaultRestriction = Shell::NO_ROOT | Shell::NO_NETWORK | 
Shell::NO_LOCALSETTINGS;
+
 /** @} */ # End shell }
 
 /************************************************************************//**
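Review bot: The doc comment on `$wgShellDefaultRestriction` does not say when the mask actually takes effect, and `$wgShellRestrictionMethod` is `false` just above it in this hunk, so a reader could assume these defaults sandbox commands out of the box. I would add a line such as ` * Has no effect unless $wgShellRestrictionMethod is enabled.` (assuming that is how Command applies the mask, which this change does not show) and one stating that the value is a bitfield of `Shell::NO_*` constants. Evaluating `Shell::NO_ROOT` here also makes DefaultSettings.php depend on the Shell class being autoloadable when the file is read, which is worth confirming for any entry point that loads settings early.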
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 310adeb..94b0086 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -2315,6 +2315,8 @@
                        ->limits( $limits )
                        ->includeStderr( $includeStderr )
                        ->profileMethod( $profileMethod )
+                       // For b/c
+                       ->restrict( Shell::RESTRICT_NONE )
                        ->execute();
        } catch ( ProcOpenError $ex ) {
                $retval = -1;
diff --git a/includes/ServiceWiring.php b/includes/ServiceWiring.php
index 246b838..7798412 100644
--- a/includes/ServiceWiring.php
+++ b/includes/ServiceWiring.php
@@ -445,8 +445,9 @@
                ];
                $cgroup = $config->get( 'ShellCgroup' );
                $restrictionMethod = $config->get( 'ShellRestrictionMethod' );
+               $restriction = $config->get( 'ShellDefaultRestriction' );
 
-               $factory = new CommandFactory( $limits, $cgroup, 
$restrictionMethod );
+               $factory = new CommandFactory( $limits, $cgroup, 
$restrictionMethod, $restriction );
                $factory->setLogger( LoggerFactory::getInstance( 'exec' ) );
                $factory->logStderr();
 
diff --git a/includes/shell/CommandFactory.php 
b/includes/shell/CommandFactory.php
index 78f1d80..036aa63 100644
--- a/includes/shell/CommandFactory.php
+++ b/includes/shell/CommandFactory.php
@@ -46,6 +46,9 @@
         */
        private $restrictionMethod;
 
+       /** @var int */
+       private $defaultRestriction;
+
        /**
         * @var string|bool
         */
@@ -58,7 +61,7 @@
         * @param string|bool $cgroup See {@see Command::cgroup()}
         * @param string|bool $restrictionMethod
         */
-       public function __construct( array $limits, $cgroup, $restrictionMethod 
) {
+       public function __construct( array $limits, $cgroup, 
$restrictionMethod, $defaultRestriction ) {
                $this->limits = $limits;
                $this->cgroup = $cgroup;
                if ( $restrictionMethod === 'autodetect' ) {
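Review bot: The constructor gains a required fourth argument, but the docblock above it still lists only three `@param` entries, and a later hunk stores the value without any type check even though it comes straight from site configuration. Add ` * @param int $defaultRestriction Bitfield of Shell::NO_* constants applied to every command this factory creates`. Also check existing three-argument `new CommandFactory(...)` call sites: only ServiceWiring.php is updated in this change, and no test file appears in the file list. The constructor body continues outside this hunk.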
@@ -71,6 +74,7 @@
                } else {
                        $this->restrictionMethod = $restrictionMethod;
                }
+               $this->defaultRestriction = $defaultRestriction;
                $this->setLogger( new NullLogger() );
        }
 
@@ -108,6 +112,7 @@
                return $command
                        ->limits( $this->limits )
                        ->cgroup( $this->cgroup )
-                       ->logStderr( $this->doLogStderr );
+                       ->logStderr( $this->doLogStderr )
+                       ->restrict( $this->defaultRestriction );
        }
 }
diff --git a/includes/shell/Shell.php b/includes/shell/Shell.php
index d57bf4f..a3f0cbb 100644
--- a/includes/shell/Shell.php
+++ b/includes/shell/Shell.php
@@ -101,6 +101,13 @@
        const NO_LOCALSETTINGS = 32;
 
        /**
+        * Don't apply any restrictions
+        *
+        * @since 1.31
+        */
+       const RESTRICT_NONE = 0;
+
+       /**
         * Returns a new instance of Command class
         *
         * @param string|string[] $command String or array of strings 
representing the command to
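Review bot: The docblock for `RESTRICT_NONE` should say that the constant exists for backward compatibility and that it is a zero mask, not a flag: `Shell::RESTRICT_NONE | Shell::NO_NETWORK` is just `NO_NETWORK`, so it cannot be combined with other values to mean "start from nothing". I would extend the comment with something like ` * Intended for legacy callers such as wfShellExec(); new code should pass explicit NO_* flags or rely on the configured default.` That keeps the unrestricted path from becoming the copy-paste default at new call sites.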

-- 
To view, visit https://gerrit.wikimedia.org/r/402578
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I58963901087202d4a405bcdb6bd12758bb6b0ff7
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: MaxSem <maxsem.w...@gmail.com>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
