Add a setup issue to detect systems vulnerable to "Shellshock"

Summary: Ref T6185. Although it seems that we can't easily defuse or mitigate this, we can at least warn administrators. Test Plan: Ran on my (unpatched, local) system, got a setup warning. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T6185 Differential Revision: https://secure.phabricator.com/D10561
2024-11-19 05:12:41 +01:00 · 2014-09-25 11:21:11 -07:00 · 2014-09-25 11:21:11 -07:00 · 3c527cc472
commit 3c527cc472
parent e64612f0d0
2 changed files with 51 additions and 0 deletions
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@ -2256,6 +2256,7 @@ phutil_register_library_map(array(
    'PhabricatorSetupCheckPath' => 'applications/config/check/PhabricatorSetupCheckPath.php',
    'PhabricatorSetupCheckPygment' => 'applications/config/check/PhabricatorSetupCheckPygment.php',
    'PhabricatorSetupCheckRepositories' => 'applications/config/check/PhabricatorSetupCheckRepositories.php',
+    'PhabricatorSetupCheckSecurity' => 'applications/config/check/PhabricatorSetupCheckSecurity.php',
    'PhabricatorSetupCheckStorage' => 'applications/config/check/PhabricatorSetupCheckStorage.php',
    'PhabricatorSetupCheckTimezone' => 'applications/config/check/PhabricatorSetupCheckTimezone.php',
    'PhabricatorSetupIssue' => 'applications/config/issue/PhabricatorSetupIssue.php',
@ -5240,6 +5241,7 @@ phutil_register_library_map(array(
    'PhabricatorSetupCheckPath' => 'PhabricatorSetupCheck',
    'PhabricatorSetupCheckPygment' => 'PhabricatorSetupCheck',
    'PhabricatorSetupCheckRepositories' => 'PhabricatorSetupCheck',
+    'PhabricatorSetupCheckSecurity' => 'PhabricatorSetupCheck',
    'PhabricatorSetupCheckStorage' => 'PhabricatorSetupCheck',
    'PhabricatorSetupCheckTimezone' => 'PhabricatorSetupCheck',
    'PhabricatorSetupIssueExample' => 'PhabricatorUIExample',
--- a/src/applications/config/check/PhabricatorSetupCheckSecurity.php
+++ b/src/applications/config/check/PhabricatorSetupCheckSecurity.php
@ -0,0 +1,49 @@
+<?php
+
+final class PhabricatorSetupCheckSecurity extends PhabricatorSetupCheck {
+
+  protected function executeChecks() {
+
+    // This checks for a version of bash with the "Shellshock" vulnerability.
+    // For details, see T6185.
+
+    $payload = array(
+      'SHELLSHOCK_PAYLOAD' => '() { :;} ; echo VULNERABLE',
+    );
+
+    list($err, $stdout) = id(new ExecFuture('echo shellshock-test'))
+      ->setEnv($payload, $wipe_process_env = true)
+      ->resolve();
+
+    if (!$err && preg_match('/VULNERABLE/', $stdout)) {
+      $summary = pht(
+        'This system has an unpatched version of Bash with a severe, widely '.
+        'disclosed vulnerability.');
+
+      $message = pht(
+        'The version of %s on this system is out of date and contains a '.
+        'major, widely disclosed vulnerability (the "Shellshock" '.
+        'vulnerability).'.
+        "\n\n".
+        'Upgrade %s to a patched version.'.
+        "\n\n".
+        'To learn more about how this issue affects Phabricator, see %s.',
+        phutil_tag('tt', array(), 'bash'),
+        phutil_tag('tt', array(), 'bash'),
+        phutil_tag(
+          'a',
+          array(
+            'href' => 'https://secure.phabricator.com/T6185',
+            'target' => '_blank',
+          ),
+          pht('T6185 "Shellshock" Bash Vulnerability')));
+
+      $this
+        ->newIssue('security.shellshock')
+        ->setName(pht('Severe Security Vulnerability: Unpatched Bash'))
+        ->setSummary($summary)
+        ->setMessage($message);
+    }
+
+  }
+}