Page MenuHomePhabricator
Create Task
Maniphest T237419

Treat dynamically-generated paths more defensively in maintenance scripts
Closed, ResolvedPublic
Actions

Description

Follow-up from the security readiness review (T227346).

While it's fairly common for MediaWiki maintenance scripts (e.g. populateFreebaseMapping.php, fetchSuggestions.php, createFileListFromCategoriesAndTemplates.php, createFileListFromGlobalImageLinks.php) include/require files with dynamically-created paths via variables like $basePath and RUN_MAINTENANCE_IF_MAIN, these get picked up by various linters/static analysis tools as potential means of remote code injection. While such vulnerabilities should be difficult to exploit in the case of MediaWiki maintenance scripts, fortifying such includes/requires with checks for valid/expected paths is still probably a worthwhile effort in defensive coding. The same also applies for any file names/paths passed to any of PHP's file system functions (e.g. file_put_contents() within createFileListFromCategoriesAndTemplates.php and createFileListFromGlobalImageLinks.php.)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Treat user-provided and dynamically generated paths more defensivelymediawiki/extensions/MachineVisionmaster+120 -14
Customize query in gerrit

Related Objects

Event Timeline

Mholloway created this task.Nov 5 2019, 3:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 5 2019, 3:01 PM
Mholloway mentioned this in T227346: Security readiness review for the MachineVision extension.Nov 5 2019, 3:15 PM
JoeWalsh triaged this task as Medium priority.Nov 6 2019, 4:35 PM
JoeWalsh lowered the priority of this task from Medium to Low.
JoeWalsh raised the priority of this task from Low to Medium.
JoeWalsh moved this task from Needs triage to Upcoming on the Product-Infrastructure-Team-Backlog-Deprecated board.
Mholloway moved this task from Backlog to Ready for dev on the MachineVision board.Nov 18 2019, 5:17 PM
Mholloway edited projects, added Product-Infrastructure-Team-Backlog-Deprecated (Kanban); removed Product-Infrastructure-Team-Backlog-Deprecated.Nov 18 2019, 5:22 PM
Mholloway claimed this task.Nov 18 2019, 8:46 PM
Mholloway moved this task from To Do to Doing on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.
gerritbot added a comment.Nov 18 2019, 9:45 PM

Change 551654 had a related patch set uploaded (by Mholloway; owner: Michael Holloway):
[mediawiki/extensions/MachineVision@master] Treat user-provided and dynamically generated paths more defensively

https://gerrit.wikimedia.org/r/551654

gerritbot added a project: Patch-For-Review.Nov 18 2019, 9:45 PM
Mholloway moved this task from Doing to Code Review on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.Nov 18 2019, 9:45 PM
Mholloway moved this task from Code Review to Doing on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.Nov 21 2019, 5:18 PM
gerritbot added a comment.Nov 22 2019, 11:09 PM

Change 551654 merged by jenkins-bot:
[mediawiki/extensions/MachineVision@master] Treat user-provided and dynamically generated paths more defensively

https://gerrit.wikimedia.org/r/551654

Mholloway closed this task as Resolved.Nov 22 2019, 11:17 PM
Mholloway moved this task from Doing to Sign off on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.
ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.8; 2019-11-26).Nov 23 2019, 12:00 AM
Maintenance_bot removed a project: Patch-For-Review.Nov 26 2019, 11:54 AM
sbassett mentioned this in T242134: Security Review For Talk pages project.Feb 18 2020, 9:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits