Page MenuHomePhabricator
Create Task
Maniphest T182468

Restrict pygments with firejail
Closed, ResolvedPublic
Actions

Description

SyntaxHighlight shells out to pygments, which should be restricted with firejail.

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/SyntaxHighlight_GeSHimaster+7 -2Use shell restrictions to contain pygments
Customize query in gerrit

Related Objects
Search...

Event Timeline

Legoktm created this task.Dec 8 2017, 9:12 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 8 2017, 9:12 PM
Legoktm added a subtask: T182467: Use Shell\Command in SyntaxHighlight instead of symfony/process.Dec 8 2017, 9:12 PM
gerritbot added a subscriber: gerritbot.Dec 8 2017, 9:12 PM

Change 396477 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/extensions/SyntaxHighlight_GeSHi@master] Use shell restrictions to contain pygments

https://gerrit.wikimedia.org/r/396477

gerritbot added a project: Patch-For-Review.Dec 8 2017, 9:12 PM
Legoktm added a parent task: T172584: Securing external binaries run by MediaWiki.Dec 8 2017, 9:47 PM
Legoktm mentioned this in T172584: Securing external binaries run by MediaWiki.
Legoktm moved this task from Ready to In Progress on the MediaWiki-Platform-Team (MWPT-Q2-Oct-Dec-2017) board.Dec 9 2017, 10:42 AM
Krinkle moved this task from Backlog to Accepted on the SyntaxHighlight board.Dec 22 2017, 3:12 AM
CCicalese_WMF moved this task from MWPT-Q2-Oct-Dec-2017 to MWPT-Q3-Jan-Mar-2018 on the MediaWiki-Platform-Team board.Jan 2 2018, 3:41 PM
CCicalese_WMF edited projects, added MediaWiki-Platform-Team (MWPT-Q3-Jan-Mar-2018); removed MediaWiki-Platform-Team (MWPT-Q2-Oct-Dec-2017).
CCicalese_WMF moved this task from Ready to In Progress on the MediaWiki-Platform-Team (MWPT-Q3-Jan-Mar-2018) board.Jan 2 2018, 3:48 PM
Krinkle closed subtask T182467: Use Shell\Command in SyntaxHighlight instead of symfony/process as Resolved.Jan 9 2018, 5:29 PM
gerritbot added a comment.Jan 11 2018, 9:28 PM

Change 396477 merged by jenkins-bot:
[mediawiki/extensions/SyntaxHighlight_GeSHi@master] Use shell restrictions to contain pygments

https://gerrit.wikimedia.org/r/396477

Legoktm closed this task as Resolved.Jan 12 2018, 1:27 AM

\o/

CCicalese_WMF moved this task from In Progress to Done on the MediaWiki-Platform-Team (MWPT-Q3-Jan-Mar-2018) board.Jan 12 2018, 5:00 PM
ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2018-01-16 (1.31.0-wmf.17)).Jan 13 2018, 8:01 PM
ReleaseTaggerBot edited projects, added MW-1.31-release-notes (WMF-deploy-2018-02-13 (1.31.0-wmf.21)); removed MW-1.31-release-notes (WMF-deploy-2018-01-16 (1.31.0-wmf.17)).Feb 22 2018, 8:00 PM
Reedy mentioned this in T250763: Cannot use SyntaxHighlight: "Unable to run external programs, proc_open() is disabled".Apr 20 2020, 11:54 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 21 2020, 12:10 AM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL