MediaWiki REL1_34
MediaWiki\Shell\FirejailCommand Class Reference

Restricts execution of shell commands using firejail. More...

Inheritance diagram for MediaWiki\Shell\FirejailCommand:
Collaboration diagram for MediaWiki\Shell\FirejailCommand:

Public Member Functions

 __construct ( $firejail)
 
 params (... $args)
 Reject any parameters that start with –output to prevent exploitation of a firejail RCE (CVE-2020-17367 and CVE-2020-17368)
 
 whitelistPaths (array $paths)
 If called, only the files/directories that are whitelisted will be available to the shell command.limit.sh will always be whitelisted
Parameters
string[]$paths
Returns
$this

 
- Public Member Functions inherited from MediaWiki\Shell\Command
 __construct ()
 Don't call directly, instead use Shell::command()
 
 __destruct ()
 Makes sure the programmer didn't forget to execute the command after all.
 
 __toString ()
 Returns the final command line before environment/limiting, etc are applied.
 
 cgroup ( $cgroup)
 Sets cgroup for this command.
 
 environment (array $env)
 Sets environment variables which should be added to the executed command environment.
 
 execute ()
 Executes command.
 
 includeStderr ( $yesno=true)
 Controls whether stderr should be included in stdout, including errors from limit.sh.
 
 input ( $inputString)
 Sends the provided input to the command.
 
 limits (array $limits)
 Sets execution limits.
 
 logStderr ( $yesno=true)
 When enabled, text sent to stderr will be logged with a level of 'error'.
 
 profileMethod ( $method)
 Sets calling function for profiler.
 
 restrict ( $restrictions)
 Set restrictions for this request, overwriting any previously set restrictions.
 
 unsafeParams (... $args)
 Adds unsafe parameters to the command.
 

Protected Member Functions

 buildFinalCommand ( $command)
 String together all the options and build the final command to execute.
Parameters
string$commandAlready-escaped command to run
Returns
array [ command, whether to use log pipe ]

 
- Protected Member Functions inherited from MediaWiki\Shell\Command
 hasRestriction ( $restriction)
 Bitfield helper on whether a specific restriction is enabled.
 

Private Attributes

string $firejail
 Path to firejail.
 
string[] $whitelistedPaths = []
 

Additional Inherited Members

- Protected Attributes inherited from MediaWiki\Shell\Command
string $command = ''
 
int $restrictions = 0
 Bitfield with restrictions.
 

Detailed Description

Restricts execution of shell commands using firejail.

See also
https://firejail.wordpress.com/
Since
1.31

Definition at line 31 of file FirejailCommand.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Shell\FirejailCommand::__construct ( $firejail)
Parameters
string$firejailPath to firejail

Definition at line 46 of file FirejailCommand.php.

References MediaWiki\Shell\FirejailCommand\$firejail.

Member Function Documentation

◆ buildFinalCommand()

MediaWiki\Shell\FirejailCommand::buildFinalCommand ( $command)
protected

String together all the options and build the final command to execute.

Parameters
string$commandAlready-escaped command to run
Returns
array [ command, whether to use log pipe ]

Reimplemented from MediaWiki\Shell\Command.

Definition at line 94 of file FirejailCommand.php.

References $command, and $IP.

◆ params()

MediaWiki\Shell\FirejailCommand::params ( $args)

Reject any parameters that start with –output to prevent exploitation of a firejail RCE (CVE-2020-17367 and CVE-2020-17368)

Parameters
string|string[]...$args
Returns
$this

Reimplemented from MediaWiki\Shell\Command.

Definition at line 58 of file FirejailCommand.php.

References $args.

◆ whitelistPaths()

MediaWiki\Shell\FirejailCommand::whitelistPaths ( array $paths)

If called, only the files/directories that are whitelisted will be available to the shell command.limit.sh will always be whitelisted

Parameters
string[]$paths
Returns
$this

Reimplemented from MediaWiki\Shell\Command.

Definition at line 86 of file FirejailCommand.php.

Member Data Documentation

◆ $firejail

string MediaWiki\Shell\FirejailCommand::$firejail
private

Path to firejail.

Definition at line 36 of file FirejailCommand.php.

Referenced by MediaWiki\Shell\FirejailCommand\__construct().

◆ $whitelistedPaths

string [] MediaWiki\Shell\FirejailCommand::$whitelistedPaths = []
private

Definition at line 41 of file FirejailCommand.php.


The documentation for this class was generated from the following file: