
Add a setup issue to detect systems vulnerable to "Shellshock"

Summary: Ref T6185. Although it seems that we can't easily defuse or mitigate this, we can at least warn administrators.

Test Plan: Ran on my (unpatched, local) system, got a setup warning.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T6185

Differential Revision: https://secure.phabricator.com/D10561

+51
+2
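--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -2256,6 +2256,7 @@
 'PhabricatorSetupCheckPath' => 'applications/config/check/PhabricatorSetupCheckPath.php',
 'PhabricatorSetupCheckPygment' => 'applications/config/check/PhabricatorSetupCheckPygment.php',
 'PhabricatorSetupCheckRepositories' => 'applications/config/check/PhabricatorSetupCheckRepositories.php',
+'PhabricatorSetupCheckSecurity' => 'applications/config/check/PhabricatorSetupCheckSecurity.php',
 'PhabricatorSetupCheckStorage' => 'applications/config/check/PhabricatorSetupCheckStorage.php',
 'PhabricatorSetupCheckTimezone' => 'applications/config/check/PhabricatorSetupCheckTimezone.php',
 'PhabricatorSetupIssue' => 'applications/config/issue/PhabricatorSetupIssue.php',
@@ -5240,6 +5241,7 @@
 'PhabricatorSetupCheckPath' => 'PhabricatorSetupCheck',
 'PhabricatorSetupCheckPygment' => 'PhabricatorSetupCheck',
 'PhabricatorSetupCheckRepositories' => 'PhabricatorSetupCheck',
+'PhabricatorSetupCheckSecurity' => 'PhabricatorSetupCheck',
 'PhabricatorSetupCheckStorage' => 'PhabricatorSetupCheck',
 'PhabricatorSetupCheckTimezone' => 'PhabricatorSetupCheck',
 'PhabricatorSetupIssueExample' => 'PhabricatorUIExample',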
+49
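--- a/src/applications/config/check/PhabricatorSetupCheckSecurity.php
+++ b/src/applications/config/check/PhabricatorSetupCheckSecurity.php
@@ -0,0 +1,49 @@
+<?php
+
+final class PhabricatorSetupCheckSecurity extends PhabricatorSetupCheck {
+
+protected function executeChecks() {
+
+// This checks for a version of bash with the "Shellshock" vulnerability.
+// For details, see T6185.
+
+$payload = array(
+'SHELLSHOCK_PAYLOAD' => '() { :;} ; echo VULNERABLE',
+);
+
+list($err, $stdout) = id(new ExecFuture('echo shellshock-test'))
+->setEnv($payload, $wipe_process_env = true)
+->resolve();
+
+if (!$err && preg_match('/VULNERABLE/', $stdout)) {
+$summary = pht(
+'This system has an unpatched version of Bash with a severe, widely '.
+'disclosed vulnerability.');
+
+$message = pht(
+'The version of %s on this system is out of date and contains a '.
+'major, widely disclosed vulnerability (the "Shellshock" '.
+'vulnerability).'.
+"\n\n".
+'Upgrade %s to a patched version.'.
+"\n\n".
+'To learn more about how this issue affects Phabricator, see %s.',
+phutil_tag('tt', array(), 'bash'),
+phutil_tag('tt', array(), 'bash'),
+phutil_tag(
+'a',
+array(
+'href' => 'https://secure.phabricator.com/T6185',
+'target' => '_blank',
+),
+pht('T6185 "Shellshock" Bash Vulnerability')));
+
+$this
+->newIssue('security.shellshock')
+->setName(pht('Severe Security Vulnerability: Unpatched Bash'))
+->setSummary($summary)
+->setMessage($message);
+}
+
+}
+}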
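Review bot: The probe at `new ExecFuture('echo shellshock-test')` only exercises whichever shell ExecFuture hands the command string to, which this section does not show; if that is `/bin/sh` and `/bin/sh` is not bash on the host, a vulnerable bash installed elsewhere will presumably go unreported. The `!$err &&` guard also treats a probe that fails to run the same as a clean result, so the absence of this setup issue is not proof that the host is patched. I would record both limits next to the existing comment, e.g. `// NOTE: Only tests the shell ExecFuture spawns; a nonzero exit is treated as "not vulnerable".`, and consider raising a lower-severity issue when `$err` is set. The payload covers only the original function-definition parsing flaw, so the check may also pass on a bash that is only partially patched.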