escapeshellcmd does not work properly with php security update
Closed, Resolved, Public

Description

Author: daniel

Description:
Debian and Ubuntu are shipping updated php-packages with the following patch:

  • debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete multibyte chars inside escapeshellcmd()

For this reason the escapeshellcmd calls for converting images (imagemagick) in GlobalFunctions.php fail if there is a non-ascii character in filename. I discovered this failure on rezeptewiki.org after updating php from the ubuntu security repository.

To fix the problem we added the following in GlobalFunctions.php in the lines before escapeshellarg():

setlocale(LC_CTYPE, "UTF8", "de_DE.UTF-8");

The locale depends on the installed locales on the system.


Version: 1.13.x
Severity: blocker

Details

Reference
bz14944

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:09 PM
bzimport set Reference to bz14944.

ayg wrote:

I suggest that the fix for this block the release of 1.13, since this is a pretty big regression (even if it's not our fault). CC'ing Tim, who's release manager for 1.13 and also might have some idea about whether the suggested fix actually makes any sense, which I don't. :)

daniel wrote:

My "fix" is a quick and dirty workaround for my installation and was not intended to fix this bug generally. I also think there must be a better solution to fix it.

Assigning this to Tim to check status on before 1.13 final release.

Fixed in r38833, will be backported to 1.13.0rc2.

daniel wrote:

Your workaround is limited to php versions >= 5.2.6, but nearly all linux distributors backported the patch to earlier php versions. I have php 5.2.1 on my server. So the workaround should not depend on the php version.

Maybe the distros should have made sure it worked before they backported it. The patch is insecure, and will have to be rewritten, see my post to php.internals: http://news.php.net/php.internals/39747

Fixed in r38869.

daniel wrote:

The actual solution in MW 1.13.1 will only work if locale en_US is installed on the server. In my environment I had to change the locale to de_DE in includes/Setup.php, lines 121 and 122.

(In reply to comment #8)

The actual solution in MW 1.13.1 will only work if locale en_US is installed on
the server. In my environment I had to change the locale to de_DE in
includes/Setup.php, lines 121 and 122.

I know, that's what I said to php.internals. There's no better way to do this.

daniel wrote:

This works for me. Thank you for fixing!
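
The locale dependency discussed in this thread can be checked on a given server with the following PHP script, which is an added example and not code from the thread or from MediaWiki. It assumes a Unix host (single-quote escaping), a constructed sample filename, and hypothetical helper names and candidate locales; replace the candidates with names reported by `locale -a`.

```php
<?php
// Added illustration, not MediaWiki code. Helper names are hypothetical.

/**
 * True if escapeshellarg() returns the sample with every byte preserved.
 * On Unix the function wraps the value in single quotes and rewrites each
 * embedded ' as '\'' ; bytes that are not valid characters in the current
 * LC_CTYPE locale are dropped, which is the failure reported in this bug.
 */
function escapesIntact(string $sample): bool {
    $expected = "'" . str_replace("'", "'\\''", $sample) . "'";
    return escapeshellarg($sample) === $expected;
}

/**
 * Try each candidate locale for LC_CTYPE and return the first installed one
 * under which the sample survives escaping. That locale is left active.
 * Returns null and restores the previous setting if none works.
 */
function findWorkingShellLocale(array $candidates, string $sample): ?string {
    $original = setlocale(LC_CTYPE, "0"); // "0" only queries the current value
    foreach ($candidates as $name) {
        if (setlocale(LC_CTYPE, $name) === false) {
            continue; // locale is not installed on this system
        }
        if (escapesIntact($sample)) {
            return $name;
        }
    }
    setlocale(LC_CTYPE, $original);
    return null;
}

// Constructed sample: a UTF-8 filename with a non-ASCII character.
$sample = "K\u{00E4}sekuchen.jpg";

// Baseline: the "C" locale treats bytes >= 0x80 as invalid characters.
setlocale(LC_CTYPE, 'C');
echo "intact under C locale: ", var_export(escapesIntact($sample), true), "\n";

// Candidate names are assumptions, not taken from MediaWiki's Setup.php.
$found = findWorkingShellLocale(['C.UTF-8', 'en_US.UTF-8', 'de_DE.UTF-8'], $sample);
echo $found === null
    ? "no candidate locale preserves the filename; install a UTF-8 locale\n"
    : "filename preserved with LC_CTYPE={$found}\n";
```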