dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge "mw.rcfilters.ui.SaveFiltersPopupButtonWidget: Remove pointless option"
[lhc/web/wiklou.git] / includes / shell / Shell.php
1 <?php
2 /**
3 * Class used for executing shell commands
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
19 *
20 * @file
21 */
22
23 namespace MediaWiki\Shell;
24
25 use MediaWiki\MediaWikiServices;
26
27 /**
28 * Executes shell commands
29 *
30 * @since 1.30
31 *
32 * Use call chaining with this class for expressiveness:
33 * $result = Shell::command( 'some command' )
34 * ->environment( [ 'ENVIRONMENT_VARIABLE' => 'VALUE' ] )
35 * ->limits( [ 'time' => 300 ] )
36 * ->execute();
37 *
38 * ... = $result->getExitCode();
39 * ... = $result->getStdout();
40 * ... = $result->getStderr();
41 */
42 class Shell {
43
44 /**
45 * Apply a default set of restrictions for improved
46 * security out of the box.
47 *
48 * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS
49 *
50 * @note This value will change over time to provide increased security
51 * by default, and is not guaranteed to be backwards-compatible.
52 * @since 1.31
53 */
54 const RESTRICT_DEFAULT = 39;
55
56 /**
57 * Disallow any root access. Any setuid binaries
58 * will be run without elevated access.
59 *
60 * @since 1.31
61 */
62 const NO_ROOT = 1;
63
64 /**
65 * Use seccomp to block dangerous syscalls
66 * @see <https://en.wikipedia.org/wiki/seccomp>
67 *
68 * @since 1.31
69 */
70 const SECCOMP = 2;
71
72 /**
73 * Create a private /dev
74 *
75 * @since 1.31
76 */
77 const PRIVATE_DEV = 4;
78
79 /**
80 * Restrict the request to have no
81 * network access
82 *
83 * @since 1.31
84 */
85 const NO_NETWORK = 8;
86
87 /**
88 * Deny execve syscall with seccomp
89 * @see <https://en.wikipedia.org/wiki/exec_(system_call)>
90 *
91 * @since 1.31
92 */
93 const NO_EXECVE = 16;
94
95 /**
96 * Deny access to LocalSettings.php (MW_CONFIG_FILE)
97 *
98 * @since 1.31
99 */
100 const NO_LOCALSETTINGS = 32;
101
102 /**
103 * Returns a new instance of Command class
104 *
105 * @param string|string[] $command String or array of strings representing the command to
106 * be executed, each value will be escaped.
107 * Example: [ 'convert', '-font', 'font name' ] would produce "'convert' '-font' 'font name'"
108 * @return Command
109 */
110 public static function command( $command ) {
111 $args = func_get_args();
112 if ( count( $args ) === 1 && is_array( reset( $args ) ) ) {
113 // If only one argument has been passed, and that argument is an array,
114 // treat it as a list of arguments
115 $args = reset( $args );
116 }
117 $command = MediaWikiServices::getInstance()
118 ->getShellCommandFactory()
119 ->create();
120
121 return $command->params( $args );
122 }
123
124 /**
125 * Check if this class is effectively disabled via php.ini config
126 *
127 * @return bool
128 */
129 public static function isDisabled() {
130 static $disabled = null;
131
132 if ( is_null( $disabled ) ) {
133 if ( !function_exists( 'proc_open' ) ) {
134 wfDebug( "proc_open() is disabled\n" );
135 $disabled = true;
136 } else {
137 $disabled = false;
138 }
139 }
140
141 return $disabled;
142 }
143
144 /**
145 * Version of escapeshellarg() that works better on Windows.
146 *
147 * Originally, this fixed the incorrect use of single quotes on Windows
148 * (https://bugs.php.net/bug.php?id=26285) and the locale problems on Linux in
149 * PHP 5.2.6+ (bug backported to earlier distro releases of PHP).
150 *
151 * @param string $args,... strings to escape and glue together, or a single array of
152 * strings parameter. Null values are ignored.
153 * @return string
154 */
155 public static function escape( /* ... */ ) {
156 $args = func_get_args();
157 if ( count( $args ) === 1 && is_array( reset( $args ) ) ) {
158 // If only one argument has been passed, and that argument is an array,
159 // treat it as a list of arguments
160 $args = reset( $args );
161 }
162
163 $first = true;
164 $retVal = '';
165 foreach ( $args as $arg ) {
166 if ( $arg === null ) {
167 continue;
168 }
169 if ( !$first ) {
170 $retVal .= ' ';
171 } else {
172 $first = false;
173 }
174
175 if ( wfIsWindows() ) {
176 // Escaping for an MSVC-style command line parser and CMD.EXE
177 // Refs:
178 // * https://web.archive.org/web/20020708081031/http://mailman.lyra.org/pipermail/scite-interest/2002-March/000436.html
179 // * https://technet.microsoft.com/en-us/library/cc723564.aspx
180 // * T15518
181 // * CR r63214
182 // Double the backslashes before any double quotes. Escape the double quotes.
183 $tokens = preg_split( '/(\\\\*")/', $arg, -1, PREG_SPLIT_DELIM_CAPTURE );
184 $arg = '';
185 $iteration = 0;
186 foreach ( $tokens as $token ) {
187 if ( $iteration % 2 == 1 ) {
188 // Delimiter, a double quote preceded by zero or more slashes
189 $arg .= str_replace( '\\', '\\\\', substr( $token, 0, -1 ) ) . '\\"';
190 } elseif ( $iteration % 4 == 2 ) {
191 // ^ in $token will be outside quotes, need to be escaped
192 $arg .= str_replace( '^', '^^', $token );
193 } else { // $iteration % 4 == 0
194 // ^ in $token will appear inside double quotes, so leave as is
195 $arg .= $token;
196 }
197 $iteration++;
198 }
199 // Double the backslashes before the end of the string, because
200 // we will soon add a quote
201 $m = [];
202 if ( preg_match( '/^(.*?)(\\\\+)$/', $arg, $m ) ) {
203 $arg = $m[1] . str_replace( '\\', '\\\\', $m[2] );
204 }
205
206 // Add surrounding quotes
207 $retVal .= '"' . $arg . '"';
208 } else {
209 $retVal .= escapeshellarg( $arg );
210 }
211 }
212 return $retVal;
213 }
214 }
Wiklou, le Wiki du Wiklou