namespace MediaWiki\Shell;
+use Hooks;
use MediaWiki\MediaWikiServices;
/**
*
* Use call chaining with this class for expressiveness:
* $result = Shell::command( 'some command' )
+ * ->input( 'foo' )
* ->environment( [ 'ENVIRONMENT_VARIABLE' => 'VALUE' ] )
* ->limits( [ 'time' => 300 ] )
* ->execute();
* Apply a default set of restrictions for improved
* security out of the box.
*
- * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV
+ * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS
*
* @note This value will change over time to provide increased security
* by default, and is not guaranteed to be backwards-compatible.
* @since 1.31
*/
- const RESTRICT_DEFAULT = 7;
+ const RESTRICT_DEFAULT = 39;
/**
* Disallow any root access. Any setuid binaries
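Review bot: The literal `39` in `RESTRICT_DEFAULT` has to be kept in step by hand with the "Equal to" line above it, so a later flag change can leave the comment and the mask disagreeing about which restrictions apply by default. A constant expression would make the mask self-describing: `const RESTRICT_DEFAULT = self::NO_ROOT | self::SECCOMP | self::PRIVATE_DEV | self::NO_LOCALSETTINGS;`. This assumes NO_ROOT, SECCOMP and PRIVATE_DEV are class constants valued 1, 2 and 4, which this hunk does not show.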
*/
const NO_EXECVE = 16;
+ /**
+ * Deny access to LocalSettings.php (MW_CONFIG_FILE)
+ *
+ * @since 1.31
+ */
+ const NO_LOCALSETTINGS = 32;
+
+ /**
+ * Don't apply any restrictions
+ *
+ * @since 1.31
+ */
+ const RESTRICT_NONE = 0;
+
/**
* Returns a new instance of Command class
*
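Review bot: The docblock for `NO_LOCALSETTINGS` names one file and does not say what the flag leaves readable, so it can be read as protecting all site secrets. If enforcement only blocks the path in MW_CONFIG_FILE (the enforcing code is outside this hunk), credentials kept in files that LocalSettings.php includes would still be readable by the child process. Once that is confirmed, I would add a line such as `* Only the file named by MW_CONFIG_FILE is blocked; files it includes are not covered.` The `RESTRICT_NONE` docblock could also state that it is an explicit opt-out and not a value to pass when unsure which flags a command needs.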
}
return $retVal;
}
+
+ /**
+ * Generate a Command object to run a MediaWiki CLI script.
+ * Note that $parameters should be a flat array and an option with an argument
+ * should consist of two consecutive items in the array (do not use "--option value").
+ *
+ * @param string $script MediaWiki CLI script with full path
+ * @param string[] $parameters Arguments and options to the script
+ * @param array $options Associative array of options:
+ * 'php': The path to the php executable
+ * 'wrapper': Path to a PHP wrapper to handle the maintenance script
+ * @return Command
+ */
+ public static function makeScriptCommand( $script, $parameters, $options = [] ) {
+ global $wgPhpCli;
+ // Give site config file a chance to run the script in a wrapper.
+ // The caller may likely want to call wfBasename() on $script.
+ Hooks::run( 'wfShellWikiCmd', [ &$script, &$parameters, &$options ] );
+ $cmd = isset( $options['php'] ) ? [ $options['php'] ] : [ $wgPhpCli ];
+ if ( isset( $options['wrapper'] ) ) {
+ $cmd[] = $options['wrapper'];
+ }
+ $cmd[] = $script;
+
+ return self::command( $cmd )
+ ->params( $parameters )
+ ->restrict( self::RESTRICT_DEFAULT & ~self::NO_LOCALSETTINGS );
+ }
}
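Review bot: `makeScriptCommand()` clears `NO_LOCALSETTINGS` in its `restrict()` call, so the child process can read the site configuration, but the docblock does not say so. Callers need to know that `$script` and `$options['wrapper']` run with access to the secrets in that file and must not be derived from request input; the `wfShellWikiCmd` hook can also rewrite all three arguments before the command is built. I would add to the docblock: `* @note The command runs with access to LocalSettings.php; pass only trusted script and wrapper paths.` Separately, `$wgPhpCli` is used unchecked on the `$cmd = ...` line, and if a site leaves it empty or false (not verifiable from this hunk) the command array starts with a non-path value, so an early check that fails loudly would make that misconfiguration visible.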