X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=includes%2Fshell%2FShell.php;h=6e4fd02a13b9960722c0ff0a2f3ede9d997a228b;hp=a660a22314537eb2c83da19afc16cb8d46346c1f;hb=bdb5b592f444f4670070808048afcb0bb1adcc5a;hpb=31bc1e9c3546a97220cd7c550c57fad3d4f4304d
diff --git a/includes/shell/Shell.php b/includes/shell/Shell.php
index a660a22314..6e4fd02a13 100644
--- a/includes/shell/Shell.php
+++ b/includes/shell/Shell.php
@@ -41,6 +41,57 @@ use MediaWiki\MediaWikiServices;
 */
 class Shell {
+ /**
+ * Apply a default set of restrictions for improved
+ * security out of the box.
+ *
+ * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV
+ *
+ * @note This value will change over time to provide increased security
+ * by default, and is not guaranteed to be backwards-compatible.
+ * @since 1.31
+ */
+ const RESTRICT_DEFAULT = 7;
+
+ /**
+ * Disallow any root access. Any setuid binaries
+ * will be run without elevated access.
+ *
+ * @since 1.31
+ */
+ const NO_ROOT = 1;
+
+ /**
+ * Use seccomp to block dangerous syscalls
+ * @see
+ *
+ * @since 1.31
+ */
+ const SECCOMP = 2;
+
+ /**
+ * Create a private /dev
+ *
+ * @since 1.31
+ */
+ const PRIVATE_DEV = 4;
+
+ /**
+ * Restrict the request to have no
+ * network access
+ *
+ * @since 1.31
+ */
+ const NO_NETWORK = 8;
+
+ /**
+ * Deny execve syscall with seccomp
+ * @see
+ *
+ * @since 1.31
+ */
+ const NO_EXECVE = 16;
+
 /**
 * Returns a new instance of Command class
 *
@@ -113,14 +164,12 @@ class Shell {
 if ( wfIsWindows() ) {
 // Escaping for an MSVC-style command line parser and CMD.EXE
- // @codingStandardsIgnoreStart For long URLs
 // Refs:
 // * https://web.archive.org/web/20020708081031/http://mailman.lyra.org/pipermail/scite-interest/2002-March/000436.html
 // * https://technet.microsoft.com/en-us/library/cc723564.aspx
 // * T15518
 // * CR r63214
 // Double the backslashes before any double quotes. Escape the double quotes.
- // @codingStandardsIgnoreEnd
 $tokens = preg_split( '/(\\\\*")/', $arg, -1, PREG_SPLIT_DELIM_CAPTURE );
 $arg = '';
 $iteration = 0;