Execute external commands on MediaWiki servers inside sandboxes
For extensions like 3D, Cargo, CreateWiki, FlaggedRevs, TimedMediaHandler, PagedTiffHandler, PdfHandler, Score, SyntaxHighlight_GeSHi, Translate and Timeline, external commands may be executed (via wfShellExec, exec, or Shell::command) to provide media to the extensions (e.g. timelines, videos) or to alter other databases.

However, most of these extensions require third-party libraries to be installed and executed. Unlike MediaWiki extensions, these libraries are harder to inspect and maintain to a high security standard. A vulnerability in one of those libraries may be discovered at any time, which could lead to remote code execution.

Currently we execute all third-party libraries as the www-data user without further restrictions. With software like firejail we could execute those libraries inside sandboxes, which reduces the risk of a breach. Unfortunately firejail requires Linux >3.0 (looking at you, RamNode), and firejail is also the only restriction method MediaWiki itself supports, so for the time being we would prefer to find an alternative to firejail.
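To make the two execution modes contrasted above concrete, here is an added illustration (not code from this task, from MediaWiki core or from any of the listed extensions) of a hypothetical extension hook that renders a timeline by calling an external binary. The class name, the binary `$timelineBin`, its `-i`/`-o` options and the file paths are placeholders; the `Shell` constants, `restrict()`, `limits()` and `$wgShellRestrictionMethod` are MediaWiki's own shell API as of the Shell framework introduced in 1.30.

```php
<?php
// Added illustration for this task; not code from the task or from any
// of the extensions it lists. The renderer binary and its options are
// hypothetical; only the MediaWiki Shell API calls are real.

use MediaWiki\Shell\Shell;

class ExampleTimelineRenderer {

	/**
	 * Situation described in the task: the helper binary runs as the web
	 * server user (www-data) with no further restriction. Any bug in the
	 * binary therefore inherits every privilege the web server has,
	 * including read access to LocalSettings.php and the database.
	 */
	public static function renderUnrestricted( string $timelineBin, string $inputFile, string $outputDir ): string {
		$result = Shell::command( $timelineBin, '-i', $inputFile, '-o', $outputDir )
			// Explicitly opt out of sandboxing; equivalent to plain wfShellExec().
			->restrict( Shell::RESTRICT_NONE )
			->execute();
		if ( $result->getExitCode() !== 0 ) {
			throw new RuntimeException( 'timeline renderer failed: ' . $result->getStderr() );
		}
		return $result->getStdout();
	}

	/**
	 * Proposed situation: the same command executed through MediaWiki's
	 * shell restriction layer. The flags only take effect when
	 * $wgShellRestrictionMethod is 'firejail' (or 'autodetect' on newer
	 * releases); with the default of false they are silently ignored, which
	 * is exactly why the task asks for an alternative on hosts that cannot
	 * run firejail. The resource limits, by contrast, are enforced by
	 * MediaWiki's limit.sh wrapper and do not depend on firejail.
	 */
	public static function renderSandboxed( string $timelineBin, string $inputFile, string $outputDir ): string {
		$result = Shell::command( $timelineBin, '-i', $inputFile, '-o', $outputDir )
			// RESTRICT_DEFAULT = NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS:
			// never run as root, apply a seccomp filter, mount a private /dev
			// and hide LocalSettings.php (database credentials) from the child.
			// A media renderer needs neither the network nor the ability to
			// spawn further programs, so both are removed as well.
			->restrict( Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK | Shell::NO_EXECVE )
			// Caps in seconds and MiB; a runaway renderer is killed instead of
			// exhausting the host.
			->limits( [ 'time' => 30, 'memory' => 256, 'filesize' => 50 ] )
			->execute();
		if ( $result->getExitCode() !== 0 ) {
			throw new RuntimeException( 'timeline renderer failed: ' . $result->getStderr() );
		}
		return $result->getStdout();
	}
}

// LocalSettings.php fragment that turns the restrict() flags above into real
// firejail options on hosts where firejail is available:
//
//   $wgShellRestrictionMethod = 'firejail';
//
// Leaving it at false (the default) keeps every extension in the unrestricted
// mode that the task describes as the current state.
```

A quick way to verify that the sandbox is actually active on a given host is to run a command with `Shell::NO_NETWORK` that attempts an outbound connection and confirm it fails; if it succeeds, `$wgShellRestrictionMethod` is not set or firejail is not usable on that kernel, and the extension is running exactly as in `renderUnrestricted()`.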

Event Timeline

Why do we have a task flagged as a security issue that is public? Should the tag be removed, or should this task be hidden?

It’s a task related to security but not exploitable, because we review all extensions to minimise all risks.

Noting for when the time comes to read over and ensure we won't face the same issues.