Page MenuHomePhabricator
Create Task
Maniphest T182468

Restrict pygments with firejail
Closed, ResolvedPublic
Actions

Description

SyntaxHighlight shells out to pygments, which should be restricted with firejail.

Details

SubjectRepoBranchLines +/-
Use shell restrictions to contain pygmentsmediawiki/extensions/SyntaxHighlight_GeSHimaster+7 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Legoktm created this task.Dec 8 2017, 9:12 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 8 2017, 9:12 PM
Legoktm added a subtask: T182467: Use Shell\Command in SyntaxHighlight instead of symfony/process.Dec 8 2017, 9:12 PM
gerritbot subscribed.Dec 8 2017, 9:12 PM

Change 396477 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/extensions/SyntaxHighlight_GeSHi@master] Use shell restrictions to contain pygments

https://gerrit.wikimedia.org/r/396477

gerritbot added a project: Patch-For-Review.Dec 8 2017, 9:12 PM
Legoktm added a parent task: T172584: Securing external binaries run by MediaWiki.Dec 8 2017, 9:47 PM
Legoktm mentioned this in T172584: Securing external binaries run by MediaWiki.
Legoktm moved this task from Ready to In Progress on the MediaWiki-Platform-Team-Archived (MWPT-Q2-Oct-Dec-2017) board.Dec 9 2017, 10:42 AM
Krinkle moved this task from Backlog to Accepted on the SyntaxHighlight board.Dec 22 2017, 3:12 AM
CCicalese_WMF moved this task from MWPT-Q2-Oct-Dec-2017 to MWPT-Q3-Jan-Mar-2018 on the MediaWiki-Platform-Team-Archived board.Jan 2 2018, 3:41 PM
CCicalese_WMF edited projects, added MediaWiki-Platform-Team-Archived (MWPT-Q3-Jan-Mar-2018); removed MediaWiki-Platform-Team-Archived (MWPT-Q2-Oct-Dec-2017).
CCicalese_WMF moved this task from Ready to In Progress on the MediaWiki-Platform-Team-Archived (MWPT-Q3-Jan-Mar-2018) board.Jan 2 2018, 3:48 PM
Krinkle closed subtask T182467: Use Shell\Command in SyntaxHighlight instead of symfony/process as Resolved.Jan 9 2018, 5:29 PM
gerritbot added a comment.Jan 11 2018, 9:28 PM

Change 396477 merged by jenkins-bot:
[mediawiki/extensions/SyntaxHighlight_GeSHi@master] Use shell restrictions to contain pygments

https://gerrit.wikimedia.org/r/396477

Legoktm closed this task as Resolved.Jan 12 2018, 1:27 AM

\o/

CCicalese_WMF moved this task from In Progress to Done on the MediaWiki-Platform-Team-Archived (MWPT-Q3-Jan-Mar-2018) board.Jan 12 2018, 5:00 PM
ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2018-01-16 (1.31.0-wmf.17)).Jan 13 2018, 8:01 PM
ReleaseTaggerBot edited projects, added MW-1.31-release-notes (WMF-deploy-2018-02-13 (1.31.0-wmf.21)); removed MW-1.31-release-notes (WMF-deploy-2018-01-16 (1.31.0-wmf.17)).Feb 22 2018, 8:00 PM
Reedy mentioned this in T250763: Cannot use SyntaxHighlight: "Unable to run external programs, proc_open() is disabled".Apr 20 2020, 11:54 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 21 2020, 12:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL