T129506_00_MediaWiki_REL1_26.patch

Authored By
dpatrick
Apr 29 2016, 11:52 PM
Size
1 KB

From e974481322c9d4f93731cc6de137221b7ca4799c Mon Sep 17 00:00:00 2001
From: Darian Anthony Patrick <dpatrick@wikimedia.org>
Date: Mon, 25 Apr 2016 10:35:42 -0700
Subject: [PATCH] Enforce upper limit on invocations of wfShellExec()

Enforce an upper limit of 100,000 bytes on commands executed via
wfShellExec() to avoid HHVM crash resulting from process spawned with
argument exceeding MAX_ARG_STRLEN, as defined in binfmts.h

Bug: T129506
---
includes/Defines.php | 6 ++++++
includes/GlobalFunctions.php | 8 ++++++++
2 files changed, 14 insertions(+)
diff --git a/includes/Defines.php b/includes/Defines.php
index d55bbcf..2f3d64f 100644
--- a/includes/Defines.php
+++ b/includes/Defines.php
@@ -304,3 +304,9 @@ define( 'CONTENT_FORMAT_JSON', 'application/json' );
// for future use with the api, and for use by extensions
define( 'CONTENT_FORMAT_XML', 'application/xml' );
/**@}*/
+
+/**@{
+ * Max string length for shell invocations; based on binfmts.h
+ */
+define( 'SHELL_MAX_ARG_STRLEN', '100000');
+/**@}*/
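
Review bot: In the define() for SHELL_MAX_ARG_STRLEN the limit is the quoted string '100000', while its only use in this patch is a numeric comparison against strlen(); define it as the integer 100000 so the comparison does not depend on type juggling. The docblock says "based on binfmts.h" but does not state the unit or how 100000 relates to the MAX_ARG_STRLEN value in that header; say that it is a byte count and, if that is the intent, a deliberately lower bound. The closing parenthesis is also missing the space that the surrounding define() calls use.
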
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 64aa87e..c4d5b5b 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -2812,6 +2812,14 @@ function wfShellExec( $cmd, &$retval = null, $environ = array(),
}
wfDebug( "wfShellExec: $cmd\n" );
+ // Don't try to execute commands that exceed Linux's MAX_ARG_STRLEN.
+ // Other platforms may be more accomodating, but we don't want to be
+ // accomodating, because very long commands probably include user
+ // input. See T129506.
+ if ( strlen( $cmd ) > SHELL_MAX_ARG_STRLEN ) {
+ throw new Exception( __METHOD__ . '(): total length of $cmd must not exceed SHELL_MAX_ARG_STRLEN' );
+ }
+
$desc = array(
0 => array( 'file', 'php://stdin', 'r' ),
1 => array( 'pipe', 'w' ),
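
Review bot: The length check sits after the wfDebug( "wfShellExec: $cmd\n" ) call, so a command that is about to be rejected is still written to the debug log in full; move the check above wfDebug() or log only the length for oversized commands. The throw uses a bare Exception with a fixed message, which makes it hard for callers to catch this case specifically and for operators to see how far over the limit the command was; consider a more specific exception type and including strlen( $cmd ) in the message. "accomodating" in the new comment should be spelled "accommodating".
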
--
2.5.4 (Apple Git-61)
