Remove dot/Graphviz Remarkup rule · recaptime.dev/phorge@c02f750

@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

phorge phabricator

fork atom

Remove dot/Graphviz Remarkup rule

Summary: Ref T9408. This rule is unsafe in principle, and a practical vulnerability has been found by a security researcher.

Test Plan: `grep`

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T9408

Differential Revision: https://secure.phabricator.com/D14103

epriestley 10 years ago c02f7502 d199560a

-67

2 changed files

expand all

src

__phutil_library_map__.php

infrastructure

markup

interpreter

PhabricatorRemarkupGraphvizBlockInterpreter.php

-2

src/__phutil_library_map__.php

··· 2694 2694 'PhabricatorRemarkupCustomBlockRule' => 'infrastructure/markup/rule/PhabricatorRemarkupCustomBlockRule.php', 2695 2695 'PhabricatorRemarkupCustomInlineRule' => 'infrastructure/markup/rule/PhabricatorRemarkupCustomInlineRule.php', 2696 2696 'PhabricatorRemarkupFigletBlockInterpreter' => 'infrastructure/markup/interpreter/PhabricatorRemarkupFigletBlockInterpreter.php', 2697 - 'PhabricatorRemarkupGraphvizBlockInterpreter' => 'infrastructure/markup/interpreter/PhabricatorRemarkupGraphvizBlockInterpreter.php', 2698 2697 'PhabricatorRemarkupUIExample' => 'applications/uiexample/examples/PhabricatorRemarkupUIExample.php', 2699 2698 'PhabricatorRepositoriesSetupCheck' => 'applications/config/check/PhabricatorRepositoriesSetupCheck.php', 2700 2699 'PhabricatorRepository' => 'applications/repository/storage/PhabricatorRepository.php', ··· 6749 6748 'PhabricatorRemarkupCustomBlockRule' => 'PhutilRemarkupBlockRule', 6750 6749 'PhabricatorRemarkupCustomInlineRule' => 'PhutilRemarkupRule', 6751 6750 'PhabricatorRemarkupFigletBlockInterpreter' => 'PhutilRemarkupBlockInterpreter', 6752 - 'PhabricatorRemarkupGraphvizBlockInterpreter' => 'PhutilRemarkupBlockInterpreter', 6753 6751 'PhabricatorRemarkupUIExample' => 'PhabricatorUIExample', 6754 6752 'PhabricatorRepositoriesSetupCheck' => 'PhabricatorSetupCheck', 6755 6753 'PhabricatorRepository' => array(

-65

src/infrastructure/markup/interpreter/PhabricatorRemarkupGraphvizBlockInterpreter.php

··· 1 - <?php 2 - 3 - final class PhabricatorRemarkupGraphvizBlockInterpreter 4 - extends PhutilRemarkupBlockInterpreter { 5 - 6 - public function getInterpreterName() { 7 - return 'dot'; 8 - } 9 - 10 - public function markupContent($content, array $argv) { 11 - if (!Filesystem::binaryExists('dot')) { 12 - return $this->markupError( 13 - pht( 14 - 'Unable to locate the `%s` binary. Install Graphviz.', 15 - 'dot')); 16 - } 17 - 18 - $width = $this->parseDimension(idx($argv, 'width')); 19 - 20 - $future = id(new ExecFuture('dot -T%s', 'png')) 21 - ->setTimeout(15) 22 - ->write(trim($content)); 23 - 24 - list($err, $stdout, $stderr) = $future->resolve(); 25 - 26 - if ($err) { 27 - return $this->markupError( 28 - pht( 29 - 'Execution of `%s` failed (#%d), check your syntax: %s', 30 - 'dot', 31 - $err, 32 - $stderr)); 33 - } 34 - 35 - $file = PhabricatorFile::buildFromFileDataOrHash( 36 - $stdout, 37 - array( 38 - 'name' => 'graphviz.png', 39 - )); 40 - 41 - if ($this->getEngine()->isTextMode()) { 42 - return '<'.$file->getBestURI().'>'; 43 - } 44 - 45 - $img = phutil_tag( 46 - 'img', 47 - array( 48 - 'src' => $file->getBestURI(), 49 - 'width' => nonempty($width, null), 50 - )); 51 - return phutil_tag_div('phabricator-remarkup-embed-image-full', $img); 52 - } 53 - 54 - // TODO: This is duplicated from PhabricatorEmbedFileRemarkupRule since they 55 - // do not share a base class. 56 - private function parseDimension($string) { 57 - $string = trim($string); 58 - 59 - if (preg_match('/^(?:\d*\\.)?\d+%?$/', $string)) { 60 - return $string; 61 - } 62 - 63 - return null; 64 - } 65 - }