I discovered two vulnerabilities in the handling of firejail's --output parameter, which could potentially affect MediaWiki's use of firejail:
- firejail searches for --output anywhere in argv, it does not respect the end-of-options tag "--". So when MediaWiki forms a firejail command line by concatenating the firejail invocation with the main shell command, any "--output" option in the main shell command would be interpreted by firejail as an output parameter. This causes firejail to write the command's stdout (or stderr with --output-stderr) to the specified file.
- When --output or --output-stderr is specified, firejail forms the command line arguments into a single string and re-executes the resulting command via bash -c. It does this without any quoting or escaping; it just separates the arguments with spaces. So, effectively, properly quoted parameters in the original command are unquoted and interpreted for shell metacharacters.
Together, these vulnerabilities mean that if wfShellExec(), Shell::command() or any of their variants are executed by MediaWiki with unprefixed user input as one of the command parameters, the result is a shell execution vulnerability. The shell execution happens before firejail sets up its jail -- it is not constrained.
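As an added illustration (not code from MediaWiki or firejail), the following Python models the two behaviours described above and the pre-flight check a wrapper that prepends firejail could run before executing anything. `firejail_output_options` scans every element of argv, as the report says firejail does, so an `--output` token after the "--" marker is still found; `naive_rejoin` models the space-joined, unquoted string handed to `bash -c`, and `safe_rejoin` shows what a correct re-exec would produce. The `=`-spelling of the option and the sample argv are assumptions, and the example goes slightly beyond the report by also checking whether the naive rejoin would alter the argument boundaries at all.

```python
import shlex

# The firejail options the report concerns.
FIREJAIL_OPTIONS = ("--output", "--output-stderr")


def firejail_output_options(argv):
    """Indices of arguments that firejail would take as its own --output or
    --output-stderr option. Models the reported behaviour: every element of
    argv is inspected and the "--" end-of-options marker is ignored, so a
    matching token inside the wrapped command's arguments counts as well.
    Both the separate-argument form and "--output=file" are matched; the "="
    spelling is an assumption about firejail's option syntax."""
    eq_forms = tuple(o + "=" for o in FIREJAIL_OPTIONS)
    return [
        i for i, arg in enumerate(argv)
        if arg in FIREJAIL_OPTIONS or arg.startswith(eq_forms)
    ]


def naive_rejoin(argv):
    """Models the reported re-exec step: arguments concatenated with single
    spaces and no quoting, then passed to `bash -c`. Any quoting the caller
    applied to individual arguments no longer exists at this point."""
    return " ".join(argv)


def safe_rejoin(argv):
    """What a correct re-exec would do: shell-quote each argument so that the
    string, when parsed by the shell, yields exactly argv again."""
    return shlex.join(argv)


def rejoin_preserves_argv(join, argv):
    """True if parsing the joined string with POSIX shell word-splitting rules
    gives back the original argv, i.e. no argument boundary or metacharacter
    was reinterpreted."""
    return shlex.split(join(argv)) == argv


def preflight(argv):
    """Defensive check for a wrapper that prepends a firejail invocation.
    Returns (indices of --output/--output-stderr tokens after the "--" marker,
    whether the naive rejoin leaves the command unchanged). A wrapper should
    refuse to run when the first list is non-empty or the second value is
    False, since in either case firejail would not execute what the caller
    intended."""
    marker = argv.index("--") if "--" in argv else -1
    after_marker = [i for i in firejail_output_options(argv) if i > marker]
    return after_marker, rejoin_preserves_argv(naive_rejoin, argv)


if __name__ == "__main__":
    # Constructed example of a command line as a wrapper might assemble it:
    # firejail, the end-of-options marker, then the wrapped command. The last
    # two arguments stand in for values that came from an untrusted caller.
    argv = ["firejail", "--", "/usr/bin/convert",
            "--output", "/tmp/out.txt", "file name; extra"]
    print(preflight(argv))          # ([3], False)
    print(naive_rejoin(argv[2:]))   # argument quoting is gone
    print(safe_rejoin(argv[2:]))    # each argument is shell-quoted
```

`preflight` is the piece a wrapper would actually call: a non-empty first element means firejail would redirect the wrapped command's output to an attacker-chosen path, and a `False` second element means the unquoted `bash -c` re-exec would reinterpret argument boundaries or metacharacters before the sandbox is set up.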
I reported this vulnerability to netblue30@yahoo.com per the firejail security policy at https://github.com/netblue30/firejail/security/policy .