
Execute external commands on MediaWiki servers inside sandboxes
Open, Normal, Public

Description

For extensions like 3D, Cargo, CreateWiki, FlaggedRevs, TimedMediaHandler, PagedTiffHandler, PdfHandler, Score, SyntaxHighlight_GeSHi, Translate and Timeline, external commands may be executed (wfShellExec, exec, or Shell::command) to provide media to the extensions (e.g. timelines, videos) or alter other databases.

However, most extensions require third-party libraries to be installed and executed. Unlike MediaWiki extensions, these libraries are harder to inspect and maintain for maximum security. A vulnerability in one of those libraries may be discovered at any time, which could lead to remote code execution: https://imagetragick.com/

Currently we execute all third-party libraries under the www-data user without further restrictions. Via software like firejail, we can execute those libraries inside sandboxes, which reduces the risk of a breach. Unfortunately, firejail requires Linux >3.0 (looking at you, RamNode) and firejail is the only supported restriction method inside MediaWiki as well, so preferably we find an alternative to firejail for the time being.

https://www.mediawiki.org/wiki/Manual:Shell_framework#Restrictions
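
How the Shell framework restrictions linked above are applied to one external command, as an added example that is not part of the original task or of Miraheze's configuration. It assumes MediaWiki 1.31 or later with firejail installed; the helper name `sandboxedIdentify` and the choice of the `identify` binary are hypothetical.

```php
<?php
use MediaWiki\Shell\Shell;

// --- LocalSettings.php (assumed location for this setting) ---
// Route restricted shell commands through firejail.
// With the value false, no sandbox is applied to external commands.
$wgShellRestrictionMethod = 'firejail';

// --- Extension code (hypothetical helper, not taken from a real extension) ---
/**
 * Read the dimensions of an uploaded file with a third-party binary,
 * run inside the sandbox instead of as unrestricted www-data.
 */
function sandboxedIdentify( string $uploadPath ): string {
	if ( Shell::isDisabled() ) {
		throw new RuntimeException( 'Shell execution is disabled on this host' );
	}

	// Each argument is passed separately so the framework escapes it.
	$result = Shell::command( 'identify', '-format', '%wx%h', $uploadPath )
		// Default restrictions plus no network access for the child process.
		->restrict( Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK )
		// time is in seconds, memory in KiB (256 MiB here).
		->limits( [ 'time' => 10, 'memory' => 256 * 1024 ] )
		->execute();

	if ( $result->getExitCode() !== 0 ) {
		throw new RuntimeException( 'identify failed: ' . $result->getStderr() );
	}
	return trim( $result->getStdout() );
}
```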

Event Timeline

Southparkfan triaged this task as Normal priority. Jan 14 2019, 17:50
Southparkfan created this task.
Corey added a subscriber: Corey. Jan 15 2019, 03:14

Why do we have a task flagged as a security issue that is public? Should the tag be removed, or should this task be hidden?

John added a subscriber: John. May 20 2019, 18:11

It’s a task related to security but not exploitable because we review all extensions to minimise all risks.