File F3947901: T129506_00_MediaWiki_REL1_23.patch, uploaded by dpatrick (Darian Anthony Patrick)
Authored By: dpatrick, Apr 29 2016, 11:52 PM (2016-04-29 23:52:47 UTC+0)
Size: 1 KB
T129506_00_MediaWiki_REL1_23.patch
From baa336ade5ed0036fa6f5ab3cab834ec5659aaed Mon Sep 17 00:00:00 2001
From: Darian Anthony Patrick <dpatrick@wikimedia.org>
Date: Mon, 25 Apr 2016 12:02:02 -0700
Subject: [PATCH] Enforce upper limit on invocations of wfShellExec()
Enforce an upper limit of 100,000 bytes on commands executed via
wfShellExec() to avoid HHVM crash resulting from process spawned with
argument exceeding MAX_ARG_STRLEN, as defined in binfmts.h
Bug: T129506
---
includes/Defines.php | 6 ++++++
includes/GlobalFunctions.php | 9 ++++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/includes/Defines.php b/includes/Defines.php
index 19801ec..8db0183 100644
--- a/includes/Defines.php
+++ b/includes/Defines.php
@@ -310,3 +310,9 @@ define( 'CONTENT_FORMAT_JSON', 'application/json' );
// for future use with the api, and for use by extensions
define( 'CONTENT_FORMAT_XML', 'application/xml' );
/**@}*/
+
+/**@{
+ * Max string length for shell invocations; based on binfmts.h
+ */
+define( 'SHELL_MAX_ARG_STRLEN', '100000');
+/**@}*/
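Review bot: `define( 'SHELL_MAX_ARG_STRLEN', '100000');` declares the limit as a string literal; the later `strlen( $cmd ) > SHELL_MAX_ARG_STRLEN` comparison still works through PHP's numeric-string juggling, but an integer `100000` states the intent directly and matches the "100,000 bytes" in the commit message, and `define( 'SHELL_MAX_ARG_STRLEN', 100000 );` would also match the spacing of the neighbouring `define()` calls. The doc comment "based on binfmts.h" should say whether 100000 is the binfmts.h value itself or a conservative figure chosen below it, since the commit message only says the cap is "based on" the kernel constant.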
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index ef6a53f..3c9df6c 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -26,7 +26,6 @@ if ( !defined( 'MEDIAWIKI' ) ) {
// Hide compatibility functions from Doxygen
/// @cond
-
/**
* Compatibility functions
*
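Review bot: this hunk only deletes a blank line between `/// @cond` and the `Compatibility functions` doc block, which has nothing to do with the T129506 fix; drop it from the security backport so the diff stays minimal and cherry-picks cleanly onto REL1_23.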
@@ -2921,6 +2920,14 @@ function wfShellExec( $cmd, &$retval = null, $environ = array(),
}
wfDebug( "wfShellExec: $cmd\n" );
+ // Don't try to execute commands that exceed Linux's MAX_ARG_STRLEN.
+ // Other platforms may be more accomodating, but we don't want to be
+ // accomodating, because very long commands probably include user
+ // input. See T129506.
+ if ( strlen( $cmd ) > SHELL_MAX_ARG_STRLEN ) {
+ throw new Exception( __METHOD__ . '(): total length of $cmd must not exceed SHELL_MAX_ARG_STRLEN' );
+ }
+
$desc = array(
0 => array( 'file', 'php://stdin', 'r' ),
1 => array( 'pipe', 'w' ),
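Review bot: the length check sits after `wfDebug( "wfShellExec: $cmd\n" );`, so an over-long command is still written to the debug log in full before it is rejected; move the `if ( strlen( $cmd ) > SHELL_MAX_ARG_STRLEN )` block above the wfDebug call (or log only the length on the rejection path) so that oversized, possibly user-controlled input is not copied into logs. The comment also misspells "accommodating" twice, and since `wfShellExec()` takes `$environ` as well, it is worth stating in the comment that the cap covers only `$cmd` and not the environment variables passed alongside it.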
--
2.5.4 (Apple Git-61)
File Metadata
Mime Type: text/x-diff
Attached To
T124940: MediaWiki 1.26.3 security release
T129506: MediaWiki:Gadget-popups.js isn't renderable