MediaWiki REL1_34
|
Restricts execution of shell commands using firejail. More...
Public Member Functions | ||||
__construct ( $firejail) | ||||
params (... $args) | ||||
Reject any parameters that start with –output to prevent exploitation of a firejail RCE (CVE-2020-17367 and CVE-2020-17368) | ||||
whitelistPaths (array $paths) | ||||
If called, only the files/directories that are whitelisted will be available to the shell command.limit.sh will always be whitelisted
| ||||
Public Member Functions inherited from MediaWiki\Shell\Command | ||||
__construct () | ||||
Don't call directly, instead use Shell::command() | ||||
__destruct () | ||||
Makes sure the programmer didn't forget to execute the command after all. | ||||
__toString () | ||||
Returns the final command line before environment/limiting, etc are applied. | ||||
cgroup ( $cgroup) | ||||
Sets cgroup for this command. | ||||
environment (array $env) | ||||
Sets environment variables which should be added to the executed command environment. | ||||
execute () | ||||
Executes command. | ||||
includeStderr ( $yesno=true) | ||||
Controls whether stderr should be included in stdout, including errors from limit.sh. | ||||
input ( $inputString) | ||||
Sends the provided input to the command. | ||||
limits (array $limits) | ||||
Sets execution limits. | ||||
logStderr ( $yesno=true) | ||||
When enabled, text sent to stderr will be logged with a level of 'error'. | ||||
profileMethod ( $method) | ||||
Sets calling function for profiler. | ||||
restrict ( $restrictions) | ||||
Set restrictions for this request, overwriting any previously set restrictions. | ||||
unsafeParams (... $args) | ||||
Adds unsafe parameters to the command. | ||||
Protected Member Functions | ||||
buildFinalCommand ( $command) | ||||
String together all the options and build the final command to execute.
| ||||
Protected Member Functions inherited from MediaWiki\Shell\Command | ||||
hasRestriction ( $restriction) | ||||
Bitfield helper on whether a specific restriction is enabled. | ||||
Private Attributes | |
string | $firejail |
Path to firejail. | |
string[] | $whitelistedPaths = [] |
Additional Inherited Members | |
Protected Attributes inherited from MediaWiki\Shell\Command | |
string | $command = '' |
int | $restrictions = 0 |
Bitfield with restrictions. | |
Restricts execution of shell commands using firejail.
Definition at line 31 of file FirejailCommand.php.
MediaWiki\Shell\FirejailCommand::__construct | ( | $firejail | ) |
string | $firejail | Path to firejail |
Definition at line 46 of file FirejailCommand.php.
References MediaWiki\Shell\FirejailCommand\$firejail.
|
protected |
String together all the options and build the final command to execute.
string | $command | Already-escaped command to run |
Reimplemented from MediaWiki\Shell\Command.
Definition at line 94 of file FirejailCommand.php.
MediaWiki\Shell\FirejailCommand::params | ( | $args | ) |
Reject any parameters that start with –output to prevent exploitation of a firejail RCE (CVE-2020-17367 and CVE-2020-17368)
string|string[] | ...$args |
Reimplemented from MediaWiki\Shell\Command.
Definition at line 58 of file FirejailCommand.php.
References $args.
MediaWiki\Shell\FirejailCommand::whitelistPaths | ( | array | $paths | ) |
If called, only the files/directories that are whitelisted will be available to the shell command.limit.sh will always be whitelisted
string[] | $paths |
Reimplemented from MediaWiki\Shell\Command.
Definition at line 86 of file FirejailCommand.php.
|
private |
Path to firejail.
Definition at line 36 of file FirejailCommand.php.
Referenced by MediaWiki\Shell\FirejailCommand\__construct().
|
private |
Definition at line 41 of file FirejailCommand.php.