Page MenuHomePhabricator

Treat dynamically-generated paths more defensively in maintenance scripts
Closed, ResolvedPublic


Follow-up from the security readiness review (T227346).

While it's fairly common for MediaWiki maintenance scripts (e.g. populateFreebaseMapping.php, fetchSuggestions.php, createFileListFromCategoriesAndTemplates.php, createFileListFromGlobalImageLinks.php) include/require files with dynamically-created paths via variables like $basePath and RUN_MAINTENANCE_IF_MAIN, these get picked up by various linters/static analysis tools as potential means of remote code injection. While such vulnerabilities should be difficult to exploit in the case of MediaWiki maintenance scripts, fortifying such includes/requires with checks for valid/expected paths is still probably a worthwhile effort in defensive coding. The same also applies for any file names/paths passed to any of PHP's file system functions (e.g. file_put_contents() within createFileListFromCategoriesAndTemplates.php and createFileListFromGlobalImageLinks.php.)

Event Timeline

Mholloway created this task.Nov 5 2019, 3:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 5 2019, 3:01 PM
JoeWalsh triaged this task as Medium priority.Nov 6 2019, 4:35 PM
JoeWalsh lowered the priority of this task from Medium to Low.
JoeWalsh raised the priority of this task from Low to Medium.

Change 551654 had a related patch set uploaded (by Mholloway; owner: Michael Holloway):
[mediawiki/extensions/MachineVision@master] Treat user-provided and dynamically generated paths more defensively

Change 551654 merged by jenkins-bot:
[mediawiki/extensions/MachineVision@master] Treat user-provided and dynamically generated paths more defensively

Mholloway closed this task as Resolved.Nov 22 2019, 11:17 PM