Verified Commit 6a888886 authored by Amin Vakil's avatar Amin Vakil

Harden php configurations

Remove symlink from disable_functions

archwiki/includes/media/SvgHandler.php:281:             $ok = symlink( $srcPath, $lnPath );

Remove shell_exec from disable_functions

archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:173:  * short of shell_exec('env'), but it's usually near-empty anyway. We add
archwiki/maintenance/updateCredits.php:62:$lines = explode( "\n", shell_exec( 'git log --format="%aN"' ) );
archwiki/maintenance/mwdocgen.php:139:          $this->doDot = shell_exec( 'which dot' );
archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneEngine.php:85:                        self::$clockTick = intval( shell_exec( 'getconf CLK_TCK' ) );

Remove popen from disable_functions

flyspray/plugins/dokuwiki/inc/io.php:516:  $fh = popen($cmd, "r");
archwiki/vendor/wikimedia/parsoid/bin/parse.php:409:                            $pipe = popen( "$fgPath > $fgOutDir/profile.svg", "w" );
archwiki/vendor/pear/pear-core-minimal/src/OS/Guess.php:254:            $cpp = popen("/usr/bin/cpp $tmpfile", "r");
archwiki/maintenance/populateImageSha1.php:117:                 $pipe = popen( $cmd, 'w' );
archwiki/maintenance/includes/SevenZipStream.php:68:            $this->stream = popen( $command, $mode[0] );
archwiki/includes/libs/filebackend/FSFileBackend.php:781:                       $pipes[$index] = popen( $fileOpHandle->cmd, 'r' );
archwiki/includes/GlobalFunctions.php:2202:     $handle = popen( $cmd, 'r' );
archwiki/includes/GlobalFunctions.php:2219:     $handle = popen( $cmd, 'r' );
archwiki/includes/GlobalFunctions.php:2284:     $h = popen( $cmd, 'r' );
archwiki/includes/GlobalFunctions.php:2288:             throw new Exception( __FUNCTION__ . '(): popen() failed' );
archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneInterpreter.php:196:          $handle = popen( $cmd, 'r' );

Remove pclose from disable_functions

flyspray/plugins/dokuwiki/inc/io.php:522:  pclose($fh);
archwiki/vendor/pear/pear-core-minimal/src/OS/Guess.php:264:            pclose($cpp);
archwiki/vendor/pear/mail/Mail/sendmail.php:184:        $result = pclose($mail);

Remove proc_open from disable_functions

aurweb/web/lib/pkgbasefuncs.inc.php:101:        $p = proc_open($cmd, $descspec, $pipes);
aurweb/web/lib/acctfuncs.inc.php:1334:  $p = proc_open($cmd, $descspec, $pipes);
archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:223:         $proc = proc_open( $cmd, $desc, $pipes,
archwiki/vendor/wikimedia/parsoid/tools/regression-testing.php:86:              $process = proc_open(
archwiki/vendor/monolog/monolog/src/Monolog/Handler/ProcessHandler.php:118:        $this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd);
archwiki/tests/parser/editTests.php:293:                $proc = proc_open( '/usr/bin/dwdiff -Pc --diff-input',
archwiki/maintenance/storage/recompressTracked.php:253:                 $proc = proc_open( "$cmd --child-id $i", $spec, $pipes );
archwiki/maintenance/mysql.php:169:             $proc = proc_open( Shell::escape( $args ), $desc, $pipes );
archwiki/maintenance/includes/TextPassDumper.php:793:           $this->spawnProc = proc_open( $cmd, $spec, $pipes );
archwiki/includes/resourceloader/ResourceLoaderImage.php:429:                   $process = proc_open(
archwiki/includes/export/DumpPipeOutput.php:74:         $this->procOpenResource = proc_open( $command, $spec, $pipes );
archwiki/includes/exception/ShellDisabledError.php:35:          parent::__construct( 'Unable to run external programs, proc_open() is disabled' );
archwiki/includes/GlobalFunctions.php:2076:             return 'Unable to run external programs, proc_open() is disabled.';
archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneInterpreter.php:147:          $this->proc = proc_open(

Remove proc_get_status from disable_functions

archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:270:                         $status = proc_get_status( $proc );
archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:358:                 $status = proc_get_status( $proc );
archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneInterpreter.php:626:                  $status = proc_get_status( $this->proc );

Remove escapeshellarg from disable_functions

flyspray/includes/class.flyspray.php:1477:               $type = @exec(sprintf('file -bi %s', escapeshellarg($fname)));
aurweb/web/lib/acctfuncs.inc.php:1247:  $cmd = "/usr/bin/ssh-keygen -l -f " . escapeshellarg($tmpfile);
aurweb/web/lib/acctfuncs.inc.php:1326:          $cmd .= ' ' . escapeshellarg($param);
archwiki/vendor/wikimedia/shellbox/src/Shellbox.php:148:                                $retVal .= escapeshellarg( $arg );
archwiki/vendor/wikimedia/shellbox/src/Command/BashWrapper.php:32:                      $cmd = '/bin/bash ' . escapeshellarg( __DIR__ . '/limit.sh' ) . ' ' .
archwiki/vendor/wikimedia/shellbox/src/Command/BashWrapper.php:37:                                      'SB_CGROUP=' . escapeshellarg( $this->cgroup ) . '; ' .
archwiki/vendor/pear/pear-core-minimal/src/System.php:81:                $escape = escapeshellarg($b);
archwiki/vendor/pear/mail/Mail/sendmail.php:172:        $from = escapeshellarg($from); // Security bug #16200
archwiki/includes/libs/filebackend/FSFileBackend.php:825:               $encSrc = escapeshellarg( $this->cleanPathSlashes( $fsSrcPath ) );
archwiki/includes/libs/filebackend/FSFileBackend.php:826:               $encStage = escapeshellarg( $this->cleanPathSlashes( $fsStagePath ) );
archwiki/includes/libs/filebackend/FSFileBackend.php:827:               $encDst = escapeshellarg( $this->cleanPathSlashes( $fsDstPath ) );
archwiki/includes/libs/filebackend/FSFileBackend.php:857:               $encSrc = escapeshellarg( $this->cleanPathSlashes( $fsSrcPath ) );
archwiki/includes/libs/filebackend/FSFileBackend.php:858:               $encDst = escapeshellarg( $this->cleanPathSlashes( $fsDstPath ) );
archwiki/includes/libs/filebackend/FSFileBackend.php:878:               $encSrc = escapeshellarg( $this->cleanPathSlashes( $fsPath ) );

Address jelle's comments
parent 511b6ca4
......@@ -24,4 +24,4 @@ php_admin_value[opcache.interned_strings_buffer] = 8
php_admin_value[opcache.max_accelerated_files] = 4000
php_admin_value[opcache.revalidate_freq] = 60
php_admin_value[opcache.fast_shutdown] = 1
php_admin_value[disable_functions] = passthru, exec, proc_open, shell_exec, system, popen
php_admin_value[disable_functions] = virtual, dl, suexec, system, proc_nice, proc_terminate, exec, passthru, show_source, escapeshellcmd
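Review bot: The new `disable_functions` value still blocks `exec`, `system` and `passthru` but no longer blocks `proc_open`, `popen` or `shell_exec`, so after this change the list does not stop PHP code in this pool from starting external programs; the same applies to the hunk at `-25,7 +25,7`. If the application really needs those functions that is an acceptable trade, but the setting should then not be relied on as a command-execution boundary, and confinement has to come from elsewhere (the pool's Unix user, service-level sandboxing). Several call sites cited in the commit message sit under `maintenance/`, `tests/` and `bin/`, which presumably run from the CLI and are not governed by a pool's `php_admin_value`, so they do not by themselves show that the pool needs these functions re-enabled. I would add a comment above the line such as `; proc_open, popen and shell_exec stay enabled because the application shells out; this list is not a sandbox`.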
......@@ -18,4 +18,5 @@ pm.max_requests = 2000
php_admin_value[open_basedir] = {{aurweb_dir}}:/etc/aurweb/
php_admin_value[upload_tmp_dir] = {{ aurweb_dir }}/uploads
php_admin_value[session.save_path] = {{ aurweb_dir }}/sessions
php_admin_value[disable_functions] = virtual, dl, suexec, system, proc_nice, proc_terminate, exec, passthru, show_source, escapeshellcmd
env[TMPDIR] = {{ aurweb_dir }}/uploads
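Review bot: Several entries in the added `disable_functions` list look like padding rather than hardening: `virtual` is an Apache-SAPI function, `dl` is, as far as I know, not available under PHP-FPM on current PHP versions, I am not aware of a PHP function named `suexec`, and `escapeshellcmd` is an escaping helper whose removal does not reduce attack surface. Such entries make the list look more protective than it is, and the identical line is repeated in the other two pool files of this commit. PHP-FPM also appends a pool's `disable_functions` to the php.ini value instead of replacing it, so it is worth confirming that the global php.ini does not still list `proc_open`, which the commit message shows aurweb calling. I would trim the line to the entries that matter and keep the list in one shared template variable so the three pools cannot drift apart.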
......@@ -25,7 +25,7 @@ php_admin_value[opcache.interned_strings_buffer] = 8
php_admin_value[opcache.max_accelerated_files] = 200
php_admin_value[opcache.revalidate_freq] = 60
php_admin_value[opcache.fast_shutdown] = 1
php_admin_value[disable_functions] = passthru, exec, proc_open, shell_exec, system, popen
php_admin_value[disable_functions] = virtual, dl, suexec, system, proc_nice, proc_terminate, exec, passthru, show_source, escapeshellcmd
php_admin_value[apc.shm_size] = 1024M
php_admin_value[apc.ttl] = 1800
......