It appears that people can use any binary they want here, so I'm not exactly sure how well we can restrict this. But see https://www.mediawiki.org/wiki/Manual:Shell_framework#Restrictions for what needs to happen.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Declined | | None | T172584 Securing external binaries run by MediaWiki
Resolved | | BPirkle | T182748 $wgExternalDiffEngine should have shell restrictions
Event Timeline
I noticed this committed change, which modifies related code but is not associated with this issue. It appears to set access restrictions for the external diff engine, via CommandFactory::create() in CommandFactory.php. (This is the code that ultimately gets called when the external diff engine is invoked.)
https://phabricator.wikimedia.org/rMWefa586fddd5ebacd8a89b56d797c1eff1681cfc4
Is there more to do here, or has the goal already been accomplished?
Yes, command execution is protected by default if it uses the new APIs (as opposed to wfShellExec()), so unless the defaults (NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS) need tweaking, this can be closed.
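For reference, this is how an external diff engine is invoked through the Shell framework with the restriction set named above spelled out explicitly. It is an added illustration, not MediaWiki core code and not the change linked in the previous comment; it assumes MediaWiki 1.30 or later (the MediaWiki\Shell\Shell class), and the function name runRestrictedExternalDiff and the time/memory limits are chosen for the example.

```php
<?php
// Added example, not MediaWiki core code: run an external diff engine
// through MediaWiki\Shell\Shell with explicit restrictions instead of
// wfShellExec(). Assumes MediaWiki >= 1.30 is loaded.
use MediaWiki\Shell\Shell;

/**
 * Run $engine on two text blobs and return its stdout.
 *
 * @param string $engine Path to the diff binary (the $wgExternalDiffEngine value)
 * @param string $oldText
 * @param string $newText
 * @return string Diff output produced by the engine
 * @throws RuntimeException if the engine reports an error
 */
function runRestrictedExternalDiff( string $engine, string $oldText, string $newText ): string {
	$tempDir = wfTempDir();
	$oldFile = tempnam( $tempDir, 'diff_' );
	$newFile = tempnam( $tempDir, 'diff_' );
	try {
		file_put_contents( $oldFile, $oldText );
		file_put_contents( $newFile, $newText );

		// Every argument is passed as its own argv entry, so the file names
		// are never interpreted by a shell and need no manual escaping.
		$result = Shell::command( $engine, $oldFile, $newFile )
			// Hypothetical limits for the example: CPU seconds and memory in KB.
			->limits( [ 'time' => 30, 'memory' => 102400 ] )
			// The same set as Shell::RESTRICT_DEFAULT, written out so the
			// sandbox is visible at the call site: drop root, apply the
			// seccomp filter, give the child a private /dev, and hide
			// LocalSettings.php from it.
			->restrict( Shell::NO_ROOT | Shell::SECCOMP | Shell::PRIVATE_DEV | Shell::NO_LOCALSETTINGS )
			->execute();
	} finally {
		unlink( $oldFile );
		unlink( $newFile );
	}

	// Unix diff convention: 0 = identical, 1 = differences found, >1 = error.
	$exitCode = $result->getExitCode();
	if ( $exitCode > 1 ) {
		throw new RuntimeException(
			"External diff engine exited with $exitCode: " . $result->getStderr()
		);
	}
	return $result->getStdout();
}
```

Two things to check when relying on this: the legacy wfShellExec() takes a single command string, so each argument had to be escaped by hand and no sandbox was applied, which is why the new API is the one that gets the default restrictions; and restrict() only has an effect when a restriction backend is available and enabled via $wgShellRestrictionMethod (firejail), otherwise the command still runs, just without the sandbox.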