escapeshellcmd does not work properly with php security update
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• bzimport
	Jul 27 2008, 11:34 AM

Description

Author: daniel

Description:
Debian and Ubuntu are shipping updated php-packages with the following patch:

debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete multibyte chars inside escapeshellcmd()

For this reason the escapeshellcmd calls for converting images (imagemagick) in GlobalFunctions.php fail if there is a non-ascii character in filename. I discovered this failure on rezeptewiki.org after updating php from the ubuntu security repository.

To fix the problem we added the following in GlobalFunctions.php in the lines before escapeshellarg():

setlocale(LC_CTYPE, "UTF8", "de_DE.UTF-8");

The locale depends on the installed locales on the system.

Version: 1.13.x
Severity: blocker

Details

Reference: bz14944

Related Objects

Mentioned In: T291234: Locale dependence of strtolower() and strtoupper()
T268515: Upgrade wiki.wikimedia.it from 1.26.4 to latest LTS
T107128: Scribunto string comparison works case insensitive while the standard Lua case sensitive

Event Timeline

• bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:09 PM

• bzimport added a project: MediaWiki-File-management.

• bzimport set Reference to bz14944.

• bzimport created this task.Jul 27 2008, 11:34 AM

ayg wrote:

I suggest that the fix for this block the release of 1.13, since this is a pretty big regression (even if it's not our fault). CC'ing Tim, who's release manager for 1.13 and also might have some idea about whether the suggested fix actually makes any sense, which I don't. :)

daniel wrote:

My "fix" is a quick and dirty workaround for my installation and was not intended to fix this bug generally. I also think there must be a better solution to fix it.

Assigning this to Tim to check status on before 1.13 final release.

I commented on http://bugs.php.net/bug.php?id=45132

Fixed in r38833, will be backported to 1.13.0rc2.

daniel wrote:

Your workaround is limited to php versions >= 5.2.6, but nearly all linux distributors backported the patch to earlier php versions. I have php 5.2.1 on my server. So the workaround should not depend on the php version.

Maybe the distros should have made sure it worked before they backported it. The patch is insecure, and will have to be rewritten, see my post to php.internals: http://news.php.net/php.internals/39747

Fixed in r38869.

daniel wrote:

The actual solution in MW 1.13.1 will only work if locale en_US is installed on the server. In my envirenment i had to change the locale to de_DE in includes/Setup.php, lines 121 and 122.

(In reply to comment #8)

The actual solution in MW 1.13.1 will only work if locale en_US is installed on
the server. In my envirenment i had to change the locale to de_DE in
includes/Setup.php, lines 121 and 122.

I know, that's what I said to php.internals. There's no better way to do this.

Try r41379.

daniel wrote:

This works for me. Thank you for fixing!

• Gilles added a project: Multimedia.Dec 4 2014, 10:44 AM

• Gilles moved this task from Untriaged to Done on the Multimedia board.

Anomie mentioned this in T107128: Scribunto string comparison works case insensitive while the standard Lua case sensitive.Jul 28 2015, 3:58 PM

Nemo_bis mentioned this in T268515: Upgrade wiki.wikimedia.it from 1.26.4 to latest LTS.Jun 13 2021, 5:54 AM

Maintenance_bot added a project: Commons.Jun 13 2021, 6:45 AM

• tstarling mentioned this in T291234: Locale dependence of strtolower() and strtoupper().Sep 21 2021, 2:30 AM