MediaWiki  master
MediaWiki\Shell\FirejailCommand Class Reference

Restricts execution of shell commands using firejail. More...

Inheritance diagram for MediaWiki\Shell\FirejailCommand:
Collaboration diagram for MediaWiki\Shell\FirejailCommand:

Public Member Functions

 __construct (string $firejail)
 
 params (... $args)
 Reject any parameters that start with –output to prevent exploitation of a firejail RCE (CVE-2020-17367 and CVE-2020-17368) More...
 
 whitelistPaths (array $paths)
 If called, only the files/directories that are whitelisted will be available to the shell command.limit.sh will always be whitelisted
Parameters
string[]$paths
Returns
$this
More...
 
- Public Member Functions inherited from MediaWiki\Shell\Command
 __construct ()
 Don't call directly, instead use Shell::command() More...
 
 __destruct ()
 Makes sure the programmer didn't forget to execute the command after all. More...
 
 __toString ()
 Returns the final command line before environment/limiting, etc are applied. More...
 
 cgroup ( $cgroup)
 Sets cgroup for this command. More...
 
 environment (array $env)
 Sets environment variables which should be added to the executed command environment. More...
 
 execute ()
 Executes command. More...
 
 forwardStderr (bool $yesno=true)
 If this is set to true, text written to stderr by the command will be passed through to PHP's stderr. More...
 
 includeStderr (bool $yesno=true)
 Controls whether stderr should be included in stdout, including errors from limit.sh. More...
 
 input (string $inputString)
 Sends the provided input to the command. More...
 
 limits (array $limits)
 Sets execution limits. More...
 
 logStderr (bool $yesno=true)
 When enabled, text sent to stderr will be logged with a level of 'error'. More...
 
 passStdin (bool $yesno=true)
 Controls whether stdin is passed through to the command, so that the user can interact with the command when it is run in CLI mode. More...
 
 profileMethod (string $method)
 Sets calling function for profiler. More...
 
 restrict (int $restrictions)
 Set restrictions for this request, overwriting any previously set restrictions. More...
 
 unsafeParams (... $args)
 Adds unsafe parameters to the command. More...
 

Protected Member Functions

 buildFinalCommand (string $command)
 String together all the options and build the final command to execute.
Parameters
string$commandAlready-escaped command to run
Returns
array [ command, whether to use log pipe ]
More...
 
- Protected Member Functions inherited from MediaWiki\Shell\Command
 hasRestriction (int $restriction)
 Bitfield helper on whether a specific restriction is enabled. More...
 

Private Attributes

string $firejail
 Path to firejail. More...
 
string[] $whitelistedPaths = []
 

Additional Inherited Members

- Protected Attributes inherited from MediaWiki\Shell\Command
string $command = ''
 
int $restrictions = 0
 Bitfield with restrictions. More...
 

Detailed Description

Restricts execution of shell commands using firejail.

See also
https://firejail.wordpress.com/
Since
1.31

Definition at line 31 of file FirejailCommand.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Shell\FirejailCommand::__construct ( string  $firejail)
Parameters
string$firejailPath to firejail

Definition at line 46 of file FirejailCommand.php.

References MediaWiki\Shell\FirejailCommand\$firejail.

Member Function Documentation

◆ buildFinalCommand()

MediaWiki\Shell\FirejailCommand::buildFinalCommand ( string  $command)
protected

String together all the options and build the final command to execute.

Parameters
string$commandAlready-escaped command to run
Returns
array [ command, whether to use log pipe ]

Reimplemented from MediaWiki\Shell\Command.

Definition at line 94 of file FirejailCommand.php.

References MediaWiki\Shell\Command\$command, MediaWiki\Shell\FirejailCommand\$firejail, $IP, MediaWiki\Shell\Command\hasRestriction(), MediaWiki\Shell\Shell\NO_EXECVE, MediaWiki\Shell\Shell\NO_LOCALSETTINGS, MediaWiki\Shell\Shell\NO_NETWORK, MediaWiki\Shell\Shell\NO_ROOT, MediaWiki\Shell\Shell\PRIVATE_DEV, and MediaWiki\Shell\Shell\SECCOMP.

◆ params()

MediaWiki\Shell\FirejailCommand::params (   $args)

Reject any parameters that start with –output to prevent exploitation of a firejail RCE (CVE-2020-17367 and CVE-2020-17368)

Parameters
string|string[]...$args
Returns
$this

Reimplemented from MediaWiki\Shell\Command.

Definition at line 58 of file FirejailCommand.php.

References $args.

◆ whitelistPaths()

MediaWiki\Shell\FirejailCommand::whitelistPaths ( array  $paths)

If called, only the files/directories that are whitelisted will be available to the shell command.limit.sh will always be whitelisted

Parameters
string[]$paths
Returns
$this

Reimplemented from MediaWiki\Shell\Command.

Definition at line 86 of file FirejailCommand.php.

Member Data Documentation

◆ $firejail

string MediaWiki\Shell\FirejailCommand::$firejail
private

◆ $whitelistedPaths

string [] MediaWiki\Shell\FirejailCommand::$whitelistedPaths = []
private

Definition at line 41 of file FirejailCommand.php.


The documentation for this class was generated from the following file: