r65085 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r65084‎ \| r65085 \| r65086 >
Date:	19:28, 15 April 2010
Author:	maxsem
Status:	resolved (Comments)
Tags:
Comment:	new-installer: don't allow uploads if uploaded in some way scripts are executable
Modified paths:	/branches/new-installer/phase3/includes/installer/Installer.php (modified) (history) /branches/new-installer/phase3/includes/installer/WebInstaller.php (modified) (history) /branches/new-installer/phase3/languages/messages/MessagesEn.php (modified) (history) /branches/new-installer/phase3/maintenance/language/messages.inc (modified) (history)

Diff [purge]

Index: branches/new-installer/phase3/maintenance/language/messages.inc
—	—	@@ -3211,6 +3211,8 @@
3212	3212	'config-dir-not-writable',
3213	3213	'config-file-extension',
3214	3214	'config-shell-locale',
	3215	+ 'config-uploads-safe',
	3216	+ 'config-uploads-not-safe',
3215	3217	'config-db-type',
3216	3218	'config-db-host',
3217	3219	'config-db-host-help',
—	—	@@ -3336,6 +3338,7 @@
3337	3339	'config-upload-settings',
3338	3340	'config-upload-enable',
3339	3341	'config-upload-help',
	3342	+ 'config-upload-disabled',
3340	3343	'config-upload-deleted',
3341	3344	'config-upload-deleted-help',
3342	3345	'config-logo',
Index: branches/new-installer/phase3/includes/installer/WebInstaller.php
—	—	@@ -1362,27 +1362,33 @@
1363	1363	$this->addHTML( $extHtml );
1364	1364	}
1365	1365
	1366	+ # Uploading
	1367	+ $this->addHTML( $this->parent->getFieldsetStart( 'config-upload-settings' ) );
	1368	+ if ( $this->getVar( '_UploadsAreSafe' ) ) {
	1369	+ $this->addHTML(
	1370	+ $this->parent->getCheckBox( array(
	1371	+ 'var' => 'wgEnableUploads',
	1372	+ 'label' => 'config-upload-enable',
	1373	+ 'attribs' => array( 'class' => 'showHideRadio', 'rel' => 'uploadwrapper' ),
	1374	+ ) ) .
	1375	+ $this->parent->getHelpBox( 'config-upload-help' ) .
	1376	+ '<div id="uploadwrapper" style="display: none;">' .
	1377	+ $this->parent->getTextBox( array(
	1378	+ 'var' => 'wgDeletedDirectory',
	1379	+ 'label' => 'config-upload-deleted',
	1380	+ ) ) .
	1381	+ $this->parent->getHelpBox( 'config-upload-deleted-help' ) .
	1382	+ '</div>'
	1383	+ );
	1384	+ } else {
	1385	+ $this->parent->showError( 'config-upload-disabled' );
	1386	+ }
1366	1387	$this->addHTML(
1367		~~- # Uploading~~
1368		~~- $this->parent->getFieldsetStart( 'config-upload-settings' ) .~~
1369		~~- $this->parent->getCheckBox( array(~~
1370		~~- 'var' => 'wgEnableUploads',~~
1371		~~- 'label' => 'config-upload-enable',~~
1372		~~- 'attribs' => array( 'class' => 'showHideRadio', 'rel' => 'uploadwrapper' ),~~
1373		~~- ) ) .~~
1374		~~- $this->parent->getHelpBox( 'config-upload-help' ) .~~
1375		~~- '<div id="uploadwrapper" style="display: none;">' .~~
1376		~~- $this->parent->getTextBox( array(~~
1377		~~- 'var' => 'wgDeletedDirectory',~~
1378		~~- 'label' => 'config-upload-deleted',~~
1379		~~- ) ) .~~
1380		~~- $this->parent->getHelpBox( 'config-upload-deleted-help' ) .~~
1381	1388	$this->parent->getTextBox( array(
1382	1389	'var' => 'wgLogo',
1383	1390	'label' => 'config-logo'
1384	1391	) ) .
1385	1392	$this->parent->getHelpBox( 'config-logo-help' ) .
1386		~~- '</div>' .~~
1387	1393	$this->parent->getFieldsetEnd()
1388	1394	);
1389	1395
—	—	@@ -1500,7 +1506,7 @@
1501	1507
1502	1508	function submit() {
1503	1509	$this->parent->setVarsFromRequest( array( '_RightsProfile', '_LicenseCode',
1504		~~- 'wgEnableEmail', 'wgPasswordSender', 'wgEnableUpload', 'wgLogo',~~
	1510	+ 'wgEnableEmail', 'wgPasswordSender', 'wgLogo',
1505	1511	'wgEnableUserEmail', 'wgEnotifUserTalk', 'wgEnotifWatchlist',
1506	1512	'wgEmailAuthentication', 'wgMainCacheType', '_MemCachedServers' ) );
1507	1513
—	—	@@ -1532,6 +1538,10 @@
1533	1539	$this->setVar( 'wgRightsIcon', '' );
1534	1540	}
1535	1541
	1542	+ $this->setVar( 'wgEnableUploads',
	1543	+ $this->getVar( 'wgEnableUploads' ) && $this->getVar( '_UploadsAreSafe' )
	1544	+ );
	1545	+
1536	1546	$exts = $this->parent->getVar( '_Extensions' );
1537	1547	foreach( $exts as $key => $ext ) {
1538	1548	if( !$this->parent->request->getCheck( 'config_ext-' . $ext ) ) {
Index: branches/new-installer/phase3/includes/installer/Installer.php
—	—	@@ -70,6 +70,7 @@
71	71	'_CCDone' => false,
72	72	'_Extensions' => array(),
73	73	'_MemCachedServers' => '',
	74	+ '_UploadsAreSafe' => false,
74	75	);
75	76
76	77	/**
—	—	@@ -123,6 +124,7 @@
124	125	'envCheckWriteableDir',
125	126	'envCheckExtension',
126	127	'envCheckShellLocale',
	128	+ 'envCheckUploadsDirectory',
127	129	);
128	130
129	131	var $installSteps = array(
—	—	@@ -699,8 +701,52 @@
700	702	# Give up
701	703	return true;
702	704	}
	705	+
	706	+ function envCheckUploadsDirectory() {
	707	+ global $IP, $wgServer;
	708	+ $dir = $IP . '/images/';
	709	+ $url = $wgServer . $this->getVar( 'wgScriptPath' ) . '/images/';
	710	+ $safe = !$this->dirIsExecutable( $dir, $url );
	711	+ if ( $safe ) {
	712	+ $this->showMessage( 'config-uploads-safe' );
	713	+ } else {
	714	+ $this->showMessage( 'config-uploads-not-safe', $dir );
	715	+ }
	716	+ $this->setVar( '_UploadsAreSafe', $safe );
	717	+ }
703	718
704	719	/**
	720	+ * Checks if scripts located in the given directory can be executed via the given URL
	721	+ */
	722	+ function dirIsExecutable( $dir, $url ) {
	723	+ $scriptTypes = array(
	724	+ 'php' => array(
	725	+ "<?php echo 'ex' . 'ec';",
	726	+ "#!/var/env php5\n<?php echo 'ex' . 'ec';",
	727	+ ),
	728	+ );
	729	+ // it would be good to check other popular languages here, but it'll be slow
	730	+
	731	+ wfSuppressWarnings();
	732	+ foreach ( $scriptTypes as $ext => $contents ) {
	733	+ foreach ( $contents as $source ) {
	734	+ $file = 'exectest.' . $ext;
	735	+ if ( !file_put_contents( $dir . $file, $source ) ) {
	736	+ break;
	737	+ }
	738	+ $text = Http::get( $url . $file );
	739	+ unlink( $dir . $file );
	740	+ if ( $text == 'exec' ) {
	741	+ wfRestoreWarnings();
	742	+ return $ext;
	743	+ }
	744	+ }
	745	+ }
	746	+ wfRestoreWarnings();
	747	+ return false;
	748	+ }
	749	+
	750	+ /**
705	751	* Convert wikitext $text to HTML.
706	752	*
707	753	* This is potentially error prone since many parser features require a complete
Index: branches/new-installer/phase3/languages/messages/MessagesEn.php
—	—	@@ -4365,6 +4365,9 @@
4366	4366	</pre>",
4367	4367	'config-file-extension' => 'Installing MediaWiki with <tt>$1</tt> file extensions',
4368	4368	'config-shell-locale' => 'Detected shell locale, $1',
	4369	+'config-uploads-safe' => 'Default uploads directory is safe from arbitrary scripts execution.',
	4370	+'config-uploads-not-safe' => '<strong>Warning:</strong> Your default uploads directory <tt>$1</tt> is vulnerable to arbitrary scripts execution.
	4371	+Uploads will be disabled.',
4369	4372	'config-db-type' => 'Database type:',
4370	4373	'config-db-host' => 'Database host:',
4371	4374	'config-db-host-help' => 'If your database server is on different server, enter the host name or IP address here.
—	—	@@ -4552,6 +4555,7 @@
4553	4556	For more information, read the [http://www.mediawiki.org/wiki/Manual:Security security section] in the manual.
4554	4557
4555	4558	To enable file uploads, change the mode on the <tt>images</tt> subdirectory under MediaWiki's root directory so that the web server can write to it. Then enable this option.",
	4559	+'config-upload-disabled' => 'Because your web server is configured to execute scripts from the default uploads directory, uploads will be disabled.',
4556	4560	'config-upload-deleted' => 'Directory for deleted files :',
4557	4561	'config-upload-deleted-help' => 'Choose a directory in which to archive deleted files.
4558	4562	Ideally, this should not be accessible from the web.',

Follow-up revisions

Revision	Commit summary	Author	Date
r65403	Per Brion, reverted part of r65085, now we just warn people instead of disabl...	maxsem	16:18, 21 April 2010

Comments

#Comment by Brion VIBBER (talk | contribs) 20:43, 15 April 2010

This is quite clever, but unfortunately it'll just kill the ability to use uploads for most installs; unless we add the ability to store uploads into DB as an alternative I'd probably recommend toning it down for the moment.

We should definitely check whether PHP code in a file *without* a ".php" extension is executable (a possible and very scary configuration).

Actually what might be a really good idea is to see whether we can add an .htaccess file to disable PHP execution and have it work. (The reason we don't just ship one that way is that an .htaccess that does things that aren't allowed in the Apache configuration will just kill all access to that directory.) Of course if PHP can write the .htaccess, an attacker might be able to change it again. ;)

#Comment by Simetrical (talk | contribs) 21:59, 28 April 2010

Having the ability to store uploads in the DB would also avoid safe mode problems, and allow uploads to be enabled by default for all installs. As well as avoiding all security problems. Would be great if someone did that at some point, it's probably one of the best cost/benefit ratio enhancements for third parties that we could do right now. (Unless it would be harder to implement than I think!)

#Comment by 😂 (talk | contribs) 18:54, 30 April 2010

Actual issue of blocking uploads unconditionally was fixed in r65403, so I'm marking this resolved. Storing uploads in the DB is a bigger issue outside the scope of this revision :)

#Comment by MaxSem (talk | contribs) 15:22, 29 April 2010

Hmm, last time I heard about a website storing images in DB was TheDailyWTF XD

#Comment by Simetrical (talk | contribs) 17:19, 29 April 2010

It's the only sane thing to do on cruddy shared hosting where you can't necessarily write in the web root, and certainly can't write outside it. vBulletin uses the DB by default for user-uploaded files, for example. I'm pretty sure most software does the same. Of course, this is crazy if you have an installer that can set up proper write access to both web-accessible and non-web-accessible upload directories, but that's not usually the case for web apps.

Status & tagging log

18:54, 30 April 2010 😂 (talk | contribs) changed the status of r65085 [removed: new added: resolved]