Last modified: 2010-05-15 16:03:53 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T16944, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 14944 - escapeshellcmd does not work properly with php security update
escapeshellcmd does not work properly with php security update
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
File management (Other open bugs)
1.13.x
All All
: Normal blocker with 1 vote (vote)
: ---
Assigned To: Tim Starling
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-27 11:34 UTC by Daniel Beyer
Modified: 2010-05-15 16:03 UTC (History)
3 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Daniel Beyer 2008-07-27 11:34:08 UTC 
Debian and Ubuntu are shipping updated php-packages with the following patch:

  * debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete
    multibyte chars inside escapeshellcmd()

For this reason the escapeshellcmd calls for converting images (imagemagick) in GlobalFunctions.php fail if there is a non-ascii character in filename. I discovered this failure on rezeptewiki.org after updating php from the ubuntu security repository.

To fix the problem we added the following in GlobalFunctions.php in the lines before escapeshellarg():

  setlocale(LC_CTYPE, "UTF8", "de_DE.UTF-8");

The locale depends on the installed locales on the system.
Comment 1 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-07-29 21:36:50 UTC 
I suggest that the fix for this block the release of 1.13, since this is a pretty big regression (even if it's not our fault).  CC'ing Tim, who's release manager for 1.13 and also might have some idea about whether the suggested fix actually makes any sense, which I don't.  :)
Comment 2 Daniel Beyer 2008-07-30 06:44:16 UTC 
My "fix" is a quick and dirty workaround for my installation and was not intended to fix this bug generally. I also think there must be a better solution to fix it.
Comment 3 Brion Vibber 2008-08-01 22:08:08 UTC 
Assigning this to Tim to check status on before 1.13 final release.
Comment 4 Tim Starling 2008-08-07 06:24:08 UTC 
I commented on http://bugs.php.net/bug.php?id=45132
Comment 5 Tim Starling 2008-08-08 03:52:03 UTC 
Fixed in r38833, will be backported to 1.13.0rc2.
Comment 6 Daniel Beyer 2008-08-08 06:03:54 UTC 
Your workaround is limited to php versions >= 5.2.6, but nearly all linux distributors backported the patch to earlier php versions. I have php 5.2.1 on my server. So the workaround should not depend on the php version.
Comment 7 Tim Starling 2008-08-08 09:41:55 UTC 
Maybe the distros should have made sure it worked before they backported it. The patch is insecure, and will have to be rewritten, see my post to php.internals: http://news.php.net/php.internals/39747

Fixed in r38869.
Comment 8 Daniel Beyer 2008-09-13 14:40:53 UTC 
The actual solution in MW 1.13.1 will only work if locale en_US is installed on the server. In my envirenment i had to change the locale to de_DE in includes/Setup.php, lines 121 and 122.
Comment 9 Tim Starling 2008-09-14 00:34:35 UTC 
(In reply to comment #8)
> The actual solution in MW 1.13.1 will only work if locale en_US is installed on
> the server. In my envirenment i had to change the locale to de_DE in
> includes/Setup.php, lines 121 and 122.

I know, that's what I said to php.internals. There's no better way to do this.
Comment 10 Tim Starling 2008-09-29 10:20:18 UTC 
Try r41379.
Comment 11 Daniel Beyer 2008-10-05 11:51:31 UTC 
This works for me. Thank you for fixing!
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links