1. 10 May, 2022 2 commits
      Remove unused or deprecated functions · 15ae144e
      Amin Vakil authored
      virtual "can" be used when served under apache2
      https://www.php.net/manual/en/function.virtual.php
      
      dl has been removed from php-fpm since 7.0.0
      https://www.php.net/manual/en/function.dl.php
      
      Disable popen
      
      Disable escapeshellarg
      
      Disable pclose
      
      Disable symlink
      
      Disable shell_exec
      
      Disable proc_open
      
      Disable proc_get_status
      
      Reorder to less annoy jelle:(
      15ae144e
      Harden php configurations · 6a888886
      Amin Vakil authored
      Remove symlink from disable_functions
      
      archwiki/includes/media/SvgHandler.php:281:             $ok = symlink( $srcPath, $lnPath );
      
      Remove shell_exec from disable_functions
      
      archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:173:  * short of shell_exec('env'), but it's usually near-empty anyway. We add
      archwiki/maintenance/updateCredits.php:62:$lines = explode( "\n", shell_exec( 'git log --format="%aN"' ) );
      archwiki/maintenance/mwdocgen.php:139:          $this->doDot = shell_exec( 'which dot' );
      archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneEngine.php:85:                        self::$clockTick = intval( shell_exec( 'getconf CLK_TCK' ) );
      
      Remove popen from disable_functions
      
      flyspray/plugins/dokuwiki/inc/io.php:516:  $fh = popen($cmd, "r");
      archwiki/vendor/wikimedia/parsoid/bin/parse.php:409:                            $pipe = popen( "$fgPath > $fgOutDir/profile.svg", "w" );
      archwiki/vendor/pear/pear-core-minimal/src/OS/Guess.php:254:            $cpp = popen("/usr/bin/cpp $tmpfile", "r");
      archwiki/maintenance/populateImageSha1.php:117:                 $pipe = popen( $cmd, 'w' );
      archwiki/maintenance/includes/SevenZipStream.php:68:            $this->stream = popen( $command, $mode[0] );
      archwiki/includes/libs/filebackend/FSFileBackend.php:781:                       $pipes[$index] = popen( $fileOpHandle->cmd, 'r' );
      archwiki/includes/GlobalFunctions.php:2202:     $handle = popen( $cmd, 'r' );
      archwiki/includes/GlobalFunctions.php:2219:     $handle = popen( $cmd, 'r' );
      archwiki/includes/GlobalFunctions.php:2284:     $h = popen( $cmd, 'r' );
      archwiki/includes/GlobalFunctions.php:2288:             throw new Exception( __FUNCTION__ . '(): popen() failed' );
      archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneInterpreter.php:196:          $handle = popen( $cmd, 'r' );
      
      Remove pclose from disable_functions
      
      flyspray/plugins/dokuwiki/inc/io.php:522:  pclose($fh);
      archwiki/vendor/pear/pear-core-minimal/src/OS/Guess.php:264:            pclose($cpp);
      archwiki/vendor/pear/mail/Mail/sendmail.php:184:        $result = pclose($mail);
      
      Remove proc_open from disable_functions
      
      aurweb/web/lib/pkgbasefuncs.inc.php:101:        $p = proc_open($cmd, $descspec, $pipes);
      aurweb/web/lib/acctfuncs.inc.php:1334:  $p = proc_open($cmd, $descspec, $pipes);
      archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:223:         $proc = proc_open( $cmd, $desc, $pipes,
      archwiki/vendor/wikimedia/parsoid/tools/regression-testing.php:86:              $process = proc_open(
      archwiki/vendor/monolog/monolog/src/Monolog/Handler/ProcessHandler.php:118:        $this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd);
      archwiki/tests/parser/editTests.php:293:                $proc = proc_open( '/usr/bin/dwdiff -Pc --diff-input',
      archwiki/maintenance/storage/recompressTracked.php:253:                 $proc = proc_open( "$cmd --child-id $i", $spec, $pipes );
      archwiki/maintenance/mysql.php:169:             $proc = proc_open( Shell::escape( $args ), $desc, $pipes );
      archwiki/maintenance/includes/TextPassDumper.php:793:           $this->spawnProc = proc_open( $cmd, $spec, $pipes );
      archwiki/includes/resourceloader/ResourceLoaderImage.php:429:                   $process = proc_open(
      archwiki/includes/export/DumpPipeOutput.php:74:         $this->procOpenResource = proc_open( $command, $spec, $pipes );
      archwiki/includes/exception/ShellDisabledError.php:35:          parent::__construct( 'Unable to run external programs, proc_open() is disabled' );
      archwiki/includes/GlobalFunctions.php:2076:             return 'Unable to run external programs, proc_open() is disabled.';
      archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneInterpreter.php:147:          $this->proc = proc_open(
      
      Remove proc_get_status from disable_functions
      
      archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:270:                         $status = proc_get_status( $proc );
      archwiki/vendor/wikimedia/shellbox/src/Command/UnboxedExecutor.php:358:                 $status = proc_get_status( $proc );
      archwiki/extensions/Scribunto/includes/engines/LuaStandalone/LuaStandaloneInterpreter.php:626:                  $status = proc_get_status( $this->proc );
      
      Remove escapeshellarg from disable_functions
      
      flyspray/includes/class.flyspray.php:1477:               $type = @exec(sprintf('file -bi %s', escapeshellarg($fname)));
      aurweb/web/lib/acctfuncs.inc.php:1247:  $cmd = "/usr/bin/ssh-keygen -l -f " . escapeshellarg($tmpfile);
      aurweb/web/lib/acctfuncs.inc.php:1326:          $cmd .= ' ' . escapeshellarg($param);
      archwiki/vendor/wikimedia/shellbox/src/Shellbox.php:148:                                $retVal .= escapeshellarg( $arg );
      archwiki/vendor/wikimedia/shellbox/src/Command/BashWrapper.php:32:                      $cmd = '/bin/bash ' . escapeshellarg( __DIR__ . '/limit.sh' ) . ' ' .
      archwiki/vendor/wikimedia/shellbox/src/Command/BashWrapper.php:37:                                      'SB_CGROUP=' . escapeshellarg( $this->cgroup ) . '; ' .
      archwiki/vendor/pear/pear-core-minimal/src/System.php:81:                $escape = escapeshellarg($b);
      archwiki/vendor/pear/mail/Mail/sendmail.php:172:        $from = escapeshellarg($from); // Security bug #16200
      archwiki/includes/libs/filebackend/FSFileBackend.php:825:               $encSrc = escapeshellarg( $this->cleanPathSlashes( $fsSrcPath ) );
      archwiki/includes/libs/filebackend/FSFileBackend.php:826:               $encStage = escapeshellarg( $this->cleanPathSlashes( $fsStagePath ) );
      archwiki/includes/libs/filebackend/FSFileBackend.php:827:               $encDst = escapeshellarg( $this->cleanPathSlashes( $fsDstPath ) );
      archwiki/includes/libs/filebackend/FSFileBackend.php:857:               $encSrc = escapeshellarg( $this->cleanPathSlashes( $fsSrcPath ) );
      archwiki/includes/libs/filebackend/FSFileBackend.php:858:               $encDst = escapeshellarg( $this->cleanPathSlashes( $fsDstPath ) );
      archwiki/includes/libs/filebackend/FSFileBackend.php:878:               $encSrc = escapeshellarg( $this->cleanPathSlashes( $fsPath ) );
      
      Address jelle's comments
      6a888886
  2. 09 May, 2022 7 commits
  3. 08 May, 2022 1 commit
  4. 07 May, 2022 10 commits
  5. 04 May, 2022 2 commits
  6. 29 Apr, 2022 3 commits
  7. 28 Apr, 2022 1 commit
  8. 27 Apr, 2022 3 commits
  9. 26 Apr, 2022 4 commits
  10. 23 Apr, 2022 1 commit
  11. 22 Apr, 2022 1 commit
  12. 20 Apr, 2022 5 commits