GitInfo shell restriction of whitelisting paths is broken for git submodules
Closed, ResolvedPublic

Description

2017-12-03 06:46:10 km-pt testwiki: MediaWiki\Shell\Command::execute: /usr/bin/firejail --quiet --profile=/srv/mediawiki/core/includes/shell/firejail.profile --whitelist=/srv/mediawiki/core/includes/shell/limit.sh --whitelist=/srv/mediawiki/core/extensions/Linter/../.git/modules/Linter --noroot --seccomp=@default --net=none -- /bin/bash '/srv/mediawiki/core/includes/shell/limit.sh' 'GIT_DIR='\''/srv/mediawiki/core/extensions/Linter/../.git/modules/Linter'\'' '\''/usr/bin/git'\'' '\''show'\'' '\''-s'\'' '\''--format=format:%ct'\'' '\''HEAD'\''' 'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes'
2017-12-03 06:46:10 km-pt testwiki: Error running /usr/bin/firejail --quiet --profile=/srv/mediawiki/core/includes/shell/firejail.profile --whitelist=/srv/mediawiki/core/includes/shell/limit.sh --whitelist=/srv/mediawiki/core/extensions/Linter/../.git/modules/Linter --noroot --seccomp=@default --net=none -- /bin/bash '/srv/mediawiki/core/includes/shell/limit.sh' 'GIT_DIR='\''/srv/mediawiki/core/extensions/Linter/../.git/modules/Linter'\'' '\''/usr/bin/git'\'' '\''show'\'' '\''-s'\'' '\''--format=format:%ct'\'' '\''HEAD'\''' 'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes': Error: "/srv/mediawiki/core/extensions/Linter/../.git/modules/Linter" is an invalid filename

#0 /srv/mediawiki/core/includes/GitInfo.php(237): MediaWiki\Shell\Command->execute()
#1 /srv/mediawiki/core/includes/specials/SpecialVersion.php(748): GitInfo->getHeadCommitDate()
#2 /srv/mediawiki/core/includes/specials/SpecialVersion.php(644): SpecialVersion->getCreditsForExtension(string, array)
#3 /srv/mediawiki/core/includes/specials/SpecialVersion.php(441): SpecialVersion->getExtensionCategory(string, string)
#4 /srv/mediawiki/core/includes/specials/SpecialVersion.php(144): SpecialVersion->getExtensionCredits()
#5 /srv/mediawiki/core/includes/specialpage/SpecialPage.php(522): SpecialVersion->execute(NULL)
#6 /srv/mediawiki/core/includes/specialpage/SpecialPageFactory.php(578): SpecialPage->run(NULL)
#7 /srv/mediawiki/core/includes/MediaWiki.php(287): SpecialPageFactory::executePath(Title, RequestContext)
#8 /srv/mediawiki/core/includes/MediaWiki.php(851): MediaWiki->performRequest()
#9 /srv/mediawiki/core/includes/MediaWiki.php(523): MediaWiki->main()
#10 /srv/mediawiki/core/index.php(43): MediaWiki->run()
#11 {main}
Legoktm created this task.Dec 3 2017, 7:19 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 3 2017, 7:19 AM

Change 394837 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] GitInfo: Fix shell restrictions for submodules

https://gerrit.wikimedia.org/r/394837

Change 394837 merged by jenkins-bot:
[mediawiki/core@master] GitInfo: Fix shell restrictions for submodules

https://gerrit.wikimedia.org/r/394837

Legoktm closed this task as Resolved.Dec 7 2017, 6:30 PM