1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 22:10:55 +01:00

Remove dot/Graphviz Remarkup rule

Summary: Ref T9408. This rule is unsafe in principle, and a practical vulnerability has been found by a security researcher.

Test Plan: `grep`

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T9408

Differential Revision: https://secure.phabricator.com/D14103
This commit is contained in:
epriestley 2015-09-13 12:27:23 -07:00
parent d199560a6b
commit c02f750267
2 changed files with 0 additions and 67 deletions

View file

@ -2694,7 +2694,6 @@ phutil_register_library_map(array(
'PhabricatorRemarkupCustomBlockRule' => 'infrastructure/markup/rule/PhabricatorRemarkupCustomBlockRule.php',
'PhabricatorRemarkupCustomInlineRule' => 'infrastructure/markup/rule/PhabricatorRemarkupCustomInlineRule.php',
'PhabricatorRemarkupFigletBlockInterpreter' => 'infrastructure/markup/interpreter/PhabricatorRemarkupFigletBlockInterpreter.php',
'PhabricatorRemarkupGraphvizBlockInterpreter' => 'infrastructure/markup/interpreter/PhabricatorRemarkupGraphvizBlockInterpreter.php',
'PhabricatorRemarkupUIExample' => 'applications/uiexample/examples/PhabricatorRemarkupUIExample.php',
'PhabricatorRepositoriesSetupCheck' => 'applications/config/check/PhabricatorRepositoriesSetupCheck.php',
'PhabricatorRepository' => 'applications/repository/storage/PhabricatorRepository.php',
@ -6749,7 +6748,6 @@ phutil_register_library_map(array(
'PhabricatorRemarkupCustomBlockRule' => 'PhutilRemarkupBlockRule',
'PhabricatorRemarkupCustomInlineRule' => 'PhutilRemarkupRule',
'PhabricatorRemarkupFigletBlockInterpreter' => 'PhutilRemarkupBlockInterpreter',
'PhabricatorRemarkupGraphvizBlockInterpreter' => 'PhutilRemarkupBlockInterpreter',
'PhabricatorRemarkupUIExample' => 'PhabricatorUIExample',
'PhabricatorRepositoriesSetupCheck' => 'PhabricatorSetupCheck',
'PhabricatorRepository' => array(

View file

@ -1,65 +0,0 @@
<?php
final class PhabricatorRemarkupGraphvizBlockInterpreter
extends PhutilRemarkupBlockInterpreter {
public function getInterpreterName() {
return 'dot';
}
public function markupContent($content, array $argv) {
if (!Filesystem::binaryExists('dot')) {
return $this->markupError(
pht(
'Unable to locate the `%s` binary. Install Graphviz.',
'dot'));
}
$width = $this->parseDimension(idx($argv, 'width'));
$future = id(new ExecFuture('dot -T%s', 'png'))
->setTimeout(15)
->write(trim($content));
list($err, $stdout, $stderr) = $future->resolve();
if ($err) {
return $this->markupError(
pht(
'Execution of `%s` failed (#%d), check your syntax: %s',
'dot',
$err,
$stderr));
}
$file = PhabricatorFile::buildFromFileDataOrHash(
$stdout,
array(
'name' => 'graphviz.png',
));
if ($this->getEngine()->isTextMode()) {
return '<'.$file->getBestURI().'>';
}
$img = phutil_tag(
'img',
array(
'src' => $file->getBestURI(),
'width' => nonempty($width, null),
));
return phutil_tag_div('phabricator-remarkup-embed-image-full', $img);
}
// TODO: This is duplicated from PhabricatorEmbedFileRemarkupRule since they
// do not share a base class.
private function parseDimension($string) {
$string = trim($string);
if (preg_match('/^(?:\d*\\.)?\d+%?$/', $string)) {
return $string;
}
return null;
}
}