
$wgExternalDiffEngine should have shell restrictions
Closed, Resolved (Public)

Description

It appears that people can use any binary they want here, so I'm not exactly sure how well we can restrict this. But see https://www.mediawiki.org/wiki/Manual:Shell_framework#Restrictions for what needs to happen.

Event Timeline

Legoktm triaged this task as Medium priority. Dec 13 2017, 2:31 AM
Legoktm created this task.

I noticed this committed change, which modifies related code but is not associated with this issue. It appears to set access restrictions for the external diff engine, via CommandFactory::create() in CommandFactory.php. (This is the code that ultimately gets called when the external diff engine is invoked.)

https://phabricator.wikimedia.org/rMWefa586fddd5ebacd8a89b56d797c1eff1681cfc4

Is there more to do here, or has the goal already been accomplished?

Yes, command execution is protected by default if it uses new APIs (as opposed to wfShellExec()), so unless the defaults (NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS) need tweaking this can be closed.
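As an added illustration of the point in the comment above (this is not code from MediaWiki core, from the linked commit, or from the task itself), the snippet below shows how an external diff engine is invoked through the newer `MediaWiki\Shell\Shell` API, where `Shell::RESTRICT_DEFAULT` (NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS) applies automatically, next to the legacy `wfShellExec()` path that applies no such sandboxing. It assumes MediaWiki 1.30 or later (the Shell framework); the function names `runExternalDiff()` and `runExternalDiffLegacy()` are hypothetical.

```php
<?php
// Added illustration, not MediaWiki core code: invoking $wgExternalDiffEngine
// through the Shell framework so the default restrictions apply.
// Assumes MediaWiki >= 1.30 (MediaWiki\Shell\Shell). Function names are hypothetical.

use MediaWiki\Shell\Shell;

/**
 * Run the configured external diff engine over two texts and return the diff.
 *
 * Shell::command() runs the binary under firejail (when available) with
 * Shell::RESTRICT_DEFAULT, which is
 *   Shell::NO_ROOT | Shell::SECCOMP | Shell::PRIVATE_DEV | Shell::NO_LOCALSETTINGS
 * i.e. no root, a seccomp syscall filter, a private /dev, and no read access
 * to LocalSettings.php (which typically holds database credentials).
 */
function runExternalDiff( string $engine, string $oldText, string $newText ): string {
    // Respect a site-wide "no shell" configuration instead of silently failing.
    if ( Shell::isDisabled() ) {
        throw new RuntimeException( 'Shell execution is disabled on this wiki' );
    }

    $tmpOld = tempnam( wfTempDir(), 'diff_old_' );
    $tmpNew = tempnam( wfTempDir(), 'diff_new_' );
    file_put_contents( $tmpOld, $oldText );
    file_put_contents( $tmpNew, $newText );

    try {
        // Arguments are passed individually; the framework escapes each one,
        // so nothing is ever interpolated into a shell string by hand.
        $result = Shell::command( $engine, $tmpOld, $tmpNew )
            ->restrict( Shell::RESTRICT_DEFAULT ) // already the default; made explicit here
            ->execute();
    } finally {
        unlink( $tmpOld );
        unlink( $tmpNew );
    }

    // diff(1) convention: 0 = identical, 1 = differences found, >1 = error.
    if ( $result->getExitCode() > 1 ) {
        throw new RuntimeException( 'External diff failed: ' . $result->getStderr() );
    }
    return $result->getStdout();
}

/**
 * The legacy path this task is concerned with: wfShellExec() applies none of
 * the restrictions above and relies on the caller escaping every argument.
 */
function runExternalDiffLegacy( string $engine, string $tmpOld, string $tmpNew ): string {
    return wfShellExec( $engine . ' ' . wfEscapeShellArg( $tmpOld, $tmpNew ) );
}
```

The practical check for an operator is therefore whether every call site that spawns `$wgExternalDiffEngine` goes through `Shell::command()` (or `Command::restrict()` with the desired flags) rather than `wfShellExec()`; the binary itself is still whatever the administrator configured, which is why the restrictions are applied to the execution environment rather than to the command name.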