Page MenuHomePhabricator
Create Task
Maniphest T182746

PdfHandler binaries should have shell restrictions applied to them
Closed, ResolvedPublic
Actions

Description

PdfHandler shells out to pdftotext, convert, gs, and pdfinfo. All of these should be restricted using https://www.mediawiki.org/wiki/Manual:Shell_framework#Restrictions

convert and ps are already firejailed in Wikimedia production, but need to be converted to the MediaWiki framework

Related Objects
Search...

Event Timeline

Legoktm triaged this task as Medium priority.Dec 13 2017, 2:24 AM
Legoktm created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 13 2017, 2:24 AM
Legoktm mentioned this in T172584: Securing external binaries run by MediaWiki.Dec 13 2017, 2:24 AM
Krinkle subscribed.Sep 19 2018, 12:08 AM

The current command as I see it from pdftotext errors in Logstash:

/bin/bash '/srv/mediawiki/php-1.32.0-wmf.20/includes/shell/limit.sh' ''\''/usr/bin/pdftotext'\'' '\''/tmp/0ZSSAt'\'' '\''-'\''' 'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=50; MW_CGROUP='\''/sys/fs/cgroup/memory/mediawiki/job'\''; MW_MEM_LIMIT=1048576; MW_FILE_SIZE_LIMIT=524288; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes'

I don't know since when it started using shell/limit or whether it always was, but, does this suffice for this task?

Krinkle removed a project: MediaWiki-Shell.Sep 11 2020, 4:58 PM
TheDJ closed this task as Resolved.Jun 14 2022, 11:05 PM
TheDJ claimed this task.
TheDJ subscribed.

This is now using shellbox, so I’m assuming we can call this resolved. Pls reopen if not the case.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL