
0001-SECURITY-Prevent-invoking-firejail-s-output-function.patch

Authored By
Legoktm
Jul 24 2020, 12:49 AM
Size
1 KB

0001-SECURITY-Prevent-invoking-firejail-s-output-function.patch

From 682732a40ec51b60888d9786699cf32891ec5c9f Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@member.fsf.org>
Date: Thu, 23 Jul 2020 17:27:54 -0700
Subject: [PATCH] SECURITY: Prevent invoking firejail's --output functionality
firejail has an RCE in its handling of --output when dealing with untrusted
arguments. We can avoid this issue by preventing shelling out to firejail
if any parameter starts with '--output'.
Bug: T258763
Change-Id: Ic6a5644566a51a948de7b42daf57b29ced3daff4
---
includes/shell/FirejailCommand.php | 32 ++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/includes/shell/FirejailCommand.php b/includes/shell/FirejailCommand.php
index 5db89373b6..5a7434b950 100644
--- a/includes/shell/FirejailCommand.php
+++ b/includes/shell/FirejailCommand.php
@@ -48,6 +48,38 @@ class FirejailCommand extends Command {
$this->firejail = $firejail;
}
+ /**
+ * Reject any parameters that start with --output to prevent
+ * exploitation of a firejail RCE
+ *
+ * @param string|string[] ...$args
+ * @return $this
+ */
+ public function params( ...$args ): Command {
+ if ( count( $args ) === 1 && is_array( reset( $args ) ) ) {
+ // If only one argument has been passed, and that argument is an array,
+ // treat it as a list of arguments
+ $args = reset( $args );
+ }
+ foreach ( $args as $arg ) {
+ if ( substr( $arg, 0, 8 ) === '--output' ) {
+ $ex = new RuntimeException(
+ 'FirejailCommand does not support parameters that start with --output'
+ );
+ $this->logger->error(
+ 'command tried to shell out with a parameter starting with --output',
+ [
+ 'arg' => $arg,
+ 'exception' => $ex
+ ]
+ );
+ throw $ex;
+ }
+ }
+
+ return parent::params( ...$args );
+ }
+
/**
* @inheritDoc
*/
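Review bot: The `--output` rejection sits only in the `params()` override, so it covers only arguments that reach the command through that one method. If the parent `Command` class in this version has other ways to append to the command line (for example `unsafeParams()`, which is not visible in this hunk), those paths would not be checked; consider moving the loop into a private helper called from every such override, or running it once where the final firejail command line is assembled. Separately, `RuntimeException` is referenced unqualified and the diffstat shows no `use` line being added, so if the file is namespaced and does not already import it, the throw would fail with a class-not-found error instead; `$ex = new \RuntimeException(` avoids depending on that. The docblock could also state the limit explicitly, e.g. `* Only arguments passed through params() are checked.` The class body continues outside the hunk, so the existing imports and other overrides cannot be confirmed from here.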
--
2.26.2
