| Commit message (Collapse) | Author | Age | Files | Lines |
Change-Id: I315f0bb2746ccf7249b8d622a153162dd634ff2e
This is a very limited value class created in just one place, so it
looks like a good candidate for experimenting with strict types.
Change-Id: I777c713f8b3be6688c327f7e6fcf97cc9b7ab66e
Change-Id: Ic1285b34fe8ef3efd3d5515e917f4fad7494b9a2
Bug: T103671
Change-Id: I15c95962b198a0b46631c4d9a1b8fb55f37ae949
This allows us to remove many suppressions for phan false positives.
Bug: T231636
Depends-On: I82a279e1f7b0fdefd3bb712e46c7d0665429d065
Change-Id: I5c251e9584a1ae9fb1577afcafb5001e0dcd41c7
Bug: T231636
Depends-On: I50377746f01749b058c39fd8229f9d566224cc43
Change-Id: I2cd24e73726394e3200a570c45d5e86b6849bfa9
Bug: T231636
Depends-On: I78354bf5f0c831108c8f606e50c87cf6bc00d8bd
Change-Id: I58e67c2b38389df874438deada4239510d21654f
Bug: T26159
Change-Id: I973cc607fd909d47faf2773a02835af83bbc301f
Change-Id: I924453f683f058586516bb12e54940449d29cfd9
https://github.com/wikimedia/at-ease/releases/tag/v2.0.0
https://github.com/wikimedia/at-ease/compare/v1.2.0...v2.0.0
Change-Id: Ia49a156e76d0a4e257e91cc6a51050848bcb9a5e
Depends-On: If40364e2590e3c23035838f8ed26c4f69e730602
Change-Id: I3ab0a6409088c86581d9d50a340e82b0ea354814
HHVM does not support variadic arguments with type hints. This is
mostly not a big problem, because we can just drop the type hint, but
for some reason PHPUnit adds a type hint of "array" when it creates
mocks, so a class with a variadic method can't be mocked (at least in
some cases). As such, I left alone all the classes that seem like
someone might like to mock them, like Title and User. If anyone wants
to mock them in the future, they'll have to switch back to
func_get_args(). Some of the changes are definitely safe, like
functions and test classes.
In most cases, func_get_args() (and/or func_get_arg(), func_num_args() )
were only present because the code was written before we required PHP
5.6, and writing them as variadic functions is strictly superior. In
some cases I left them alone, aside from HHVM compatibility:
* Forwarding all arguments to another function. It's useful to keep
func_get_args() here where we want to keep the list of expected
arguments and their meanings in the function signature line for
documentation purposes, but don't want to copy-paste a long line of
argument names.
* Handling deprecated calling conventions.
* One or two miscellaneous cases where we're basically using the
arguments individually but want to use them as an array as well for
some reason.
Change-Id: I066ec95a7beb7c0665146195a08e7cce1222c788
Change-Id: I0acca592c6909e91b28b904da49dcbd6a43cd2a5
Helps ease migration (stops vendor patch failing)
Change-Id: I9a985b341e1c3664c4ced6f793b19149067a580a
Introduces a stringifier for Command, useful for debugging.
Change-Id: Ifcfccaef5a609e0cf30186e39a6bd0fa971c2dbd
The @ sign requires a phpcs:ignore.
\MediaWiki\suppressWarnings() doesn't need a phpcs:ignore.
Bug: T191247
Change-Id: I6ef1e706f4f2a4192dde7a668b3b97086a4a8a68
Change-Id: If9d4be5d88c8927f63cbb84dfc8181baf62ea3eb
Now that all our supported PHP versions have array_filter()
with a third parameter, these functions aren't needed anymore.
Depends-On: I3b097a1a048baabcaca15dc214a3a1bb06e746cc
Depends-On: I0187e27ac47cbab099249572201d1a649226a734
Change-Id: I7cabd0252691a083cb749cf9d3a7a23f1d076c39
And check it in the FirejailCommandTest (integration) for completeness,
even though it will make no practical difference.
Change-Id: Ieb130a888ef8a8162cb0a049ab9c20eac3f58217
Change-Id: I5670b8482e8d3bcb0b3a2b4d2ce9834cfc37e171
Change-Id: I84e13dc6019c429359df3395f0731d17859be06c
Find: /isset\(\s*([^()]+?)\s*\)\s*\?\s*\1\s*:\s*/
Replace with: '\1 ?? '
(Everywhere except includes/PHPVersionCheck.php)
(Then, manually fix some line length and indentation issues)
Then manually reviewed the replacements for cases where confusing
operator precedence would result in incorrect results
(fixing those in I478db046a1cc162c6767003ce45c9b56270f3372).
Change-Id: I33b421c8cb11cdd4ce896488c9ff5313f03a38cf
* https://www.unicode.org/ instead of http://www.unicode.org/ or
http://unicode.org/
* https://secure.php.net/ instead of http://www.php.net/ or
http://php.net/
* https://hhvm.com/ instead of http://hhvm.com/
* https://www.iis.net/ instead of http://www.iis.net/
Change-Id: I84d818a7e0ced5ffb9485ec89a75efb28a77c1e0
Before it's too late, let's boil the oceans
and just do it. This patch assumes that old code
calling wfShellExec() doesn't know about restrictions
so it doesn't restrict anything. New code, however,
needs to specify its restrictions or deal with defaults.
Change-Id: I58963901087202d4a405bcdb6bd12758bb6b0ff7
Bug: T184339
Change-Id: Ic86a451e0e9d609e06865a4969560d151efa844c
Just using a plain `--seccomp` automatically enables the default list.
Bug: T183680
Change-Id: I623db943eeb5c3e9d4f7a553fb6a17a60d659dce
If the write buffer for a file descriptor is empty, don't try to write
to it. Just close it and continue on.
Bug: T188019
Change-Id: Ie5b5ac1ef1aec4ae763cf4d0d58d3a28e42b7d2a
The select(2) system call only guarantees a "sufficiently small write"
can be made without blocking. It doesn't define what that means.
And on Linux the read might block too in certain cases, although I don't
know if any of them can occur here.
Regardless, set all the pipes to non-blocking, which avoids the blocking
that's behind T184171.
And then, since a non-blocking read might validly return empty-string or
a non-blocking write might validly return 0, use feof() to check for EOF
and actually close the write pipe when it runs out of data.
Bug: T184171
Change-Id: I403235a328630112b6920905730f933777e2d453
Change-Id: I31e983d7ac287158101b18ad95779d83537302a2
Bug: T182463
Change-Id: Ib68180c7af12558686f4864c24fd85f01201d6fb
Clean up use of @codingStandardsIgnore
- @codingStandardsIgnoreFile -> phpcs:ignoreFile
- @codingStandardsIgnoreLine -> phpcs:ignore
- @codingStandardsIgnoreStart -> phpcs:disable
- @codingStandardsIgnoreEnd -> phpcs:enable
For phpcs:disable always the necessary sniffs are provided.
Some start/end pairs are changed to line ignore
Change-Id: I92ef235849bcc349c69e53504e664a155dd162c8
Most secret information like database passwords is kept in LocalSettings.php,
so blacklisting that file by default would take away a lot of information an
attacker would want.
Since most commands shouldn't need to read the PHP configuration, add it to
RESTRICT_DEFAULT. People can still use:
    $cmd->restrict( Shell::RESTRICT_DEFAULT & ~Shell::NO_LOCALSETTINGS );
if they need to still access LocalSettings.php.
Bug: T182484
Change-Id: I4032e2706e808e9b819e92a06eff536ccf043388
Assume the first part of the command is the binary, and include it directly
in the message to make grouping work on a per-binary basis. Include the rest
of the params as log context just in case it is useful.
Change-Id: Ibfff7b1fee083efffae833b9bfa71ae9806c1bbd
NO_EXECVE doesn't work because limit.sh needs to execute the main
command, and does so through the execve syscall. Eventually we should be
able to replace limit.sh with firejail functionality entirely (T179021),
but in the meantime we can run firejail inside limit.sh.
We also need to stop firejail from running the command in a bash shell
via --shell=none, since that shell would also use the execve syscall.
Bug: T182489
Change-Id: I3fc8ad2f9e5eb5bf13b49d0bccd6094668a5ec55
Right now they're treated as empty strings, however
this doesn't allow skipping parameters in the middle like
    $params = [
        'foo',
        $x ? '--bar' : null,
        '--baz',
    ];
In some cases this matters, e.g. `ls` works while `ls ''` doesn't.
Also, fix spacing problems the new tests uncovered:
* Extra space when using params()
* Missing space when combining params() and unsafeParams()
Change-Id: Icb29d4c48ae7f92fb5635e3865346c98f47abb01
Introduces a FirejailCommand class, which can be used to add additional
restrictions to a command, for increased security. For now, firejail
containment needs to be enabled on a per-command basis.
The following restrictions are implemented:
* NO_ROOT - disallows any root access, including via setuid binaries
* SECCOMP - block dangerous syscalls with seccomp
* PRIVATE_DEV - create a private /dev
* NO_NETWORK - deny all network access
* NO_EXECVE - block the execve syscall
A convenient Shell::RESTRICT_DEFAULT is equivalent to NO_ROOT | SECCOMP
| PRIVATE_DEV, with the expectation that more restrictions may be added
to it in the future.
In addition, specific paths can be whitelisted with
Command::whitelistPaths(). Any file/directory that isn't whitelisted in
that top level directory (e.g. /srv) won't exist inside the firejail.
$wgShellRestrictionMethod can be set to false for no restriction system,
'firejail' to explicitly use it, or 'autodetect' to autodetect whatever
system is available. In the future the default should be changed to
autodetection once firejail is tested more.
Bug: T173370
Change-Id: Id74df0dbba40e1e7c07c4368aacffb6eb06a17c5
Change-Id: I1495fe2aba10102d7e36c3a3e5fdabf97f14546b
Breaks some lines where the ignore is not needed.
The sniff was changed upstream to be okay
with long unbreakable lines in comments
Change-Id: I2bbe2be7cedd4d3c0ce8dc3e62d0e268bc171876
Change-Id: I6aae209fd0b20057b5f7f7129db92c184ec945f8
Bug: T177038
Change-Id: Id875e68ea1fa72b44a463f977ab52270fe1e7088
Change-Id: Id29da4f21a44ccb18d8a2ae11348d69ca3233aa5
Change-Id: I92ea55d7a5b6a71a6f6b944f377215c08ea3b096
Previously, it assumed that the only way times could be overridden is to
reduce the limits - which isn't the case for video transcoding.
Bug: T178314
Change-Id: I492a44f280a36ee666e9963788caac2bbc6bc6f3
Also reduce indenting.
Change-Id: I33f83786c38bba0919372df0d5cdfa806d4361fc
Change-Id: I5551ae4bbe7b539b528a734aa82198b11f103871
Command uses a certain error message to detect and ignore
EINTR in stream_select, and uses trigger_error to clear
the message from get_last_error (clear_last_error is PHP7 only).
This works rather poorly with a system config that does not catch
or ignore most errors; specifically it breaks database tests
on Vagrant with the warnings_as_errors role on.
Change-Id: I9c8f922bc0a8f5ee6b8e7501b22223cce4f98ecb