first commit

7 files changed, 1285 insertions, 0 deletions

diff --git a/www/wiki/includes/shell/Command.php b/www/wiki/includes/shell/Command.php
new file mode 100644
index 00000000..d9fa82df
--- /dev/null
+++ b/www/wiki/includes/shell/Command.php
@@ -0,0 +1,555 @@
+<?php
+/**
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
+
+namespace MediaWiki\Shell;
+
+use Exception;
+use MediaWiki\ProcOpenError;
+use MediaWiki\ShellDisabledError;
+use Profiler;
+use Psr\Log\LoggerAwareTrait;
+use Psr\Log\NullLogger;
+
+/**
+ * Class used for executing shell commands
+ *
+ * @since 1.30
+ */
+class Command {
+	use LoggerAwareTrait;
+
+	/** @var string */
+	protected $command = '';
+
+	/** @var array */
+	private $limits = [
+		// seconds
+		'time' => 180,
+		// seconds
+		'walltime' => 180,
+		// KB
+		'memory' => 307200,
+		// KB
+		'filesize' => 102400,
+	];
+
+	/** @var string[] */
+	private $env = [];
+
+	/** @var string */
+	private $method;
+
+	/** @var string|null */
+	private $inputString;
+
+	/** @var bool */
+	private $doIncludeStderr = false;
+
+	/** @var bool */
+	private $doLogStderr = false;
+
+	/** @var bool */
+	private $everExecuted = false;
+
+	/** @var string|false */
+	private $cgroup = false;
+
+	/**
+	 * bitfield with restrictions
+	 *
+	 * @var int
+	 */
+	protected $restrictions = 0;
+
+	/**
+	 * Constructor. Don't call directly, instead use Shell::command()
+	 *
+	 * @throws ShellDisabledError
+	 */
+	public function __construct() {
+		if ( Shell::isDisabled() ) {
+			throw new ShellDisabledError();
+		}
+
+		$this->setLogger( new NullLogger() );
+	}
+
+	/**
+	 * Destructor. Makes sure programmer didn't forget to execute the command after all
+	 */
+	public function __destruct() {
+		if ( !$this->everExecuted ) {
+			$context = [ 'command' => $this->command ];
+			$message = __CLASS__ . " was instantiated, but execute() was never called.";
+			if ( $this->method ) {
+				$message .= ' Calling method: {method}.';
+				$context['method'] = $this->method;
+			}
+			$message .= ' Command: {command}';
+			$this->logger->warning( $message, $context );
+		}
+	}
+
+	/**
+	 * Adds parameters to the command. All parameters are sanitized via Shell::escape().
+	 * Null values are ignored.
+	 *
+	 * @param string|string[] $args,...
+	 * @return $this
+	 */
+	public function params( /* ... */ ) {
+		$args = func_get_args();
+		if ( count( $args ) === 1 && is_array( reset( $args ) ) ) {
+			// If only one argument has been passed, and that argument is an array,
+			// treat it as a list of arguments
+			$args = reset( $args );
+		}
+		$this->command = trim( $this->command . ' ' . Shell::escape( $args ) );
+
+		return $this;
+	}
+
+	/**
+	 * Adds unsafe parameters to the command. These parameters are NOT sanitized in any way.
+	 * Null values are ignored.
+	 *
+	 * @param string|string[] $args,...
+	 * @return $this
+	 */
+	public function unsafeParams( /* ... */ ) {
+		$args = func_get_args();
+		if ( count( $args ) === 1 && is_array( reset( $args ) ) ) {
+			// If only one argument has been passed, and that argument is an array,
+			// treat it as a list of arguments
+			$args = reset( $args );
+		}
+		$args = array_filter( $args,
+			function ( $value ) {
+				return $value !== null;
+			}
+		);
+		$this->command = trim( $this->command . ' ' . implode( ' ', $args ) );
+
+		return $this;
+	}
+
+	/**
+	 * Sets execution limits
+	 *
+	 * @param array $limits Associative array of limits. Keys (all optional):
+	 *   filesize (for ulimit -f), memory, time, walltime.
+	 * @return $this
+	 */
+	public function limits( array $limits ) {
+		if ( !isset( $limits['walltime'] ) && isset( $limits['time'] ) ) {
+			// Emulate the behavior of old wfShellExec() where walltime fell back on time
+			// if the latter was overridden and the former wasn't
+			$limits['walltime'] = $limits['time'];
+		}
+		$this->limits = $limits + $this->limits;
+
+		return $this;
+	}
+
+	/**
+	 * Sets environment variables which should be added to the executed command environment
+	 *
+	 * @param string[] $env array of variable name => value
+	 * @return $this
+	 */
+	public function environment( array $env ) {
+		$this->env = $env;
+
+		return $this;
+	}
+
+	/**
+	 * Sets calling function for profiler. By default, the caller for execute() will be used.
+	 *
+	 * @param string $method
+	 * @return $this
+	 */
+	public function profileMethod( $method ) {
+		$this->method = $method;
+
+		return $this;
+	}
+
+	/**
+	 * Sends the provided input to the command.
+	 * When set to null (default), the command will use the standard input.
+	 * @param string|null $inputString
+	 * @return $this
+	 */
+	public function input( $inputString ) {
+		$this->inputString = is_null( $inputString ) ? null : (string)$inputString;
+
+		return $this;
+	}
+
+	/**
+	 * Controls whether stderr should be included in stdout, including errors from limit.sh.
+	 * Default: don't include.
+	 *
+	 * @param bool $yesno
+	 * @return $this
+	 */
+	public function includeStderr( $yesno = true ) {
+		$this->doIncludeStderr = $yesno;
+
+		return $this;
+	}
+
+	/**
+	 * When enabled, text sent to stderr will be logged with a level of 'error'.
+	 *
+	 * @param bool $yesno
+	 * @return $this
+	 */
+	public function logStderr( $yesno = true ) {
+		$this->doLogStderr = $yesno;
+
+		return $this;
+	}
+
+	/**
+	 * Sets cgroup for this command
+	 *
+	 * @param string|false $cgroup Absolute file path to the cgroup, or false to not use a cgroup
+	 * @return $this
+	 */
+	public function cgroup( $cgroup ) {
+		$this->cgroup = $cgroup;
+
+		return $this;
+	}
+
+	/**
+	 * Set additional restrictions for this request
+	 *
+	 * @since 1.31
+	 * @param int $restrictions
+	 * @return $this
+	 */
+	public function restrict( $restrictions ) {
+		$this->restrictions |= $restrictions;
+
+		return $this;
+	}
+
+	/**
+	 * Bitfield helper on whether a specific restriction is enabled
+	 *
+	 * @param int $restriction
+	 *
+	 * @return bool
+	 */
+	protected function hasRestriction( $restriction ) {
+		return ( $this->restrictions & $restriction ) === $restriction;
+	}
+
+	/**
+	 * If called, only the files/directories that are
+	 * whitelisted will be available to the shell command.
+	 *
+	 * limit.sh will always be whitelisted
+	 *
+	 * @param string[] $paths
+	 *
+	 * @return $this
+	 */
+	public function whitelistPaths( array $paths ) {
+		// Default implementation is a no-op
+		return $this;
+	}
+
+	/**
+	 * String together all the options and build the final command
+	 * to execute
+	 *
+	 * @param string $command Already-escaped command to run
+	 * @return array [ command, whether to use log pipe ]
+	 */
+	protected function buildFinalCommand( $command ) {
+		$envcmd = '';
+		foreach ( $this->env as $k => $v ) {
+			if ( wfIsWindows() ) {
+				/* Surrounding a set in quotes (method used by wfEscapeShellArg) makes the quotes themselves
+				 * appear in the environment variable, so we must use carat escaping as documented in
+				 * https://technet.microsoft.com/en-us/library/cc723564.aspx
+				 * Note however that the quote isn't listed there, but is needed, and the parentheses
+				 * are listed there but doesn't appear to need it.
+				 */
+				$envcmd .= "set $k=" . preg_replace( '/([&|()<>^"])/', '^\\1', $v ) . '&& ';
+			} else {
+				/* Assume this is a POSIX shell, thus required to accept variable assignments before the command
+				 * http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_09_01
+				 */
+				$envcmd .= "$k=" . escapeshellarg( $v ) . ' ';
+			}
+		}
+
+		$useLogPipe = false;
+		$cmd = $envcmd . trim( $command );
+
+		if ( is_executable( '/bin/bash' ) ) {
+			$time = intval( $this->limits['time'] );
+			$wallTime = intval( $this->limits['walltime'] );
+			$mem = intval( $this->limits['memory'] );
+			$filesize = intval( $this->limits['filesize'] );
+
+			if ( $time > 0 || $mem > 0 || $filesize > 0 || $wallTime > 0 ) {
+				$cmd = '/bin/bash ' . escapeshellarg( __DIR__ . '/limit.sh' ) . ' ' .
+					escapeshellarg( $cmd ) . ' ' .
+					escapeshellarg(
+						"MW_INCLUDE_STDERR=" . ( $this->doIncludeStderr ? '1' : '' ) . ';' .
+						"MW_CPU_LIMIT=$time; " .
+						'MW_CGROUP=' . escapeshellarg( $this->cgroup ) . '; ' .
+						"MW_MEM_LIMIT=$mem; " .
+						"MW_FILE_SIZE_LIMIT=$filesize; " .
+						"MW_WALL_CLOCK_LIMIT=$wallTime; " .
+						"MW_USE_LOG_PIPE=yes"
+					);
+				$useLogPipe = true;
+			}
+		}
+		if ( !$useLogPipe && $this->doIncludeStderr ) {
+			$cmd .= ' 2>&1';
+		}
+
+		return [ $cmd, $useLogPipe ];
+	}
+
+	/**
+	 * Executes command. Afterwards, getExitCode() and getOutput() can be used to access execution
+	 * results.
+	 *
+	 * @return Result
+	 * @throws Exception
+	 * @throws ProcOpenError
+	 * @throws ShellDisabledError
+	 */
+	public function execute() {
+		$this->everExecuted = true;
+
+		$profileMethod = $this->method ?: wfGetCaller();
+
+		list( $cmd, $useLogPipe ) = $this->buildFinalCommand( $this->command );
+
+		$this->logger->debug( __METHOD__ . ": $cmd" );
+
+		// Don't try to execute commands that exceed Linux's MAX_ARG_STRLEN.
+		// Other platforms may be more accomodating, but we don't want to be
+		// accomodating, because very long commands probably include user
+		// input. See T129506.
+		if ( strlen( $cmd ) > SHELL_MAX_ARG_STRLEN ) {
+			throw new Exception( __METHOD__ .
+				'(): total length of $cmd must not exceed SHELL_MAX_ARG_STRLEN' );
+		}
+
+		$desc = [
+			0 => $this->inputString === null ? [ 'file', 'php://stdin', 'r' ] : [ 'pipe', 'r' ],
+			1 => [ 'pipe', 'w' ],
+			2 => [ 'pipe', 'w' ],
+		];
+		if ( $useLogPipe ) {
+			$desc[3] = [ 'pipe', 'w' ];
+		}
+		$pipes = null;
+		$scoped = Profiler::instance()->scopedProfileIn( __FUNCTION__ . '-' . $profileMethod );
+		$proc = proc_open( $cmd, $desc, $pipes );
+		if ( !$proc ) {
+			$this->logger->error( "proc_open() failed: {command}", [ 'command' => $cmd ] );
+			throw new ProcOpenError();
+		}
+
+		$buffers = [
+			0 => $this->inputString, // input
+			1 => '', // stdout
+			2 => null, // stderr
+			3 => '', // log
+		];
+		$emptyArray = [];
+		$status = false;
+		$logMsg = false;
+
+		/* According to the documentation, it is possible for stream_select()
+		 * to fail due to EINTR. I haven't managed to induce this in testing
+		 * despite sending various signals. If it did happen, the error
+		 * message would take the form:
+		 *
+		 * stream_select(): unable to select [4]: Interrupted system call (max_fd=5)
+		 *
+		 * where [4] is the value of the macro EINTR and "Interrupted system
+		 * call" is string which according to the Linux manual is "possibly"
+		 * localised according to LC_MESSAGES.
+		 */
+		$eintr = defined( 'SOCKET_EINTR' ) ? SOCKET_EINTR : 4;
+		$eintrMessage = "stream_select(): unable to select [$eintr]";
+
+		/* The select(2) system call only guarantees a "sufficiently small write"
+		 * can be made without blocking. And on Linux the read might block too
+		 * in certain cases, although I don't know if any of them can occur here.
+		 * Regardless, set all the pipes to non-blocking to avoid T184171.
+		 */
+		foreach ( $pipes as $pipe ) {
+			stream_set_blocking( $pipe, false );
+		}
+
+		$running = true;
+		$timeout = null;
+		$numReadyPipes = 0;
+
+		while ( $pipes && ( $running === true || $numReadyPipes !== 0 ) ) {
+			if ( $running ) {
+				$status = proc_get_status( $proc );
+				// If the process has terminated, switch to nonblocking selects
+				// for getting any data still waiting to be read.
+				if ( !$status['running'] ) {
+					$running = false;
+					$timeout = 0;
+				}
+			}
+
+			// clear get_last_error without actually raising an error
+			// from http://php.net/manual/en/function.error-get-last.php#113518
+			// TODO replace with clear_last_error when requirements are bumped to PHP7
+			set_error_handler( function () {
+			}, 0 );
+			// phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged
+			@trigger_error( '' );
+			restore_error_handler();
+
+			$readPipes = wfArrayFilterByKey( $pipes, function ( $fd ) use ( $desc ) {
+				return $desc[$fd][0] === 'pipe' && $desc[$fd][1] === 'r';
+			} );
+			$writePipes = wfArrayFilterByKey( $pipes, function ( $fd ) use ( $desc ) {
+				return $desc[$fd][0] === 'pipe' && $desc[$fd][1] === 'w';
+			} );
+			// stream_select parameter names are from the POV of us being able to do the operation;
+			// proc_open desriptor types are from the POV of the process doing it.
+			// So $writePipes is passed as the $read parameter and $readPipes as $write.
+			// phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged
+			$numReadyPipes = @stream_select( $writePipes, $readPipes, $emptyArray, $timeout );
+			if ( $numReadyPipes === false ) {
+				$error = error_get_last();
+				if ( strncmp( $error['message'], $eintrMessage, strlen( $eintrMessage ) ) == 0 ) {
+					continue;
+				} else {
+					trigger_error( $error['message'], E_USER_WARNING );
+					$logMsg = $error['message'];
+					break;
+				}
+			}
+			foreach ( $writePipes + $readPipes as $fd => $pipe ) {
+				// True if a pipe is unblocked for us to write into, false if for reading from
+				$isWrite = array_key_exists( $fd, $readPipes );
+
+				if ( $isWrite ) {
+					// Don't bother writing if the buffer is empty
+					if ( $buffers[$fd] === '' ) {
+						fclose( $pipes[$fd] );
+						unset( $pipes[$fd] );
+						continue;
+					}
+					$res = fwrite( $pipe, $buffers[$fd], 65536 );
+				} else {
+					$res = fread( $pipe, 65536 );
+				}
+
+				if ( $res === false ) {
+					$logMsg = 'Error ' . ( $isWrite ? 'writing to' : 'reading from' ) . ' pipe';
+					break 2;
+				}
+
+				if ( $res === '' || $res === 0 ) {
+					// End of file?
+					if ( feof( $pipe ) ) {
+						fclose( $pipes[$fd] );
+						unset( $pipes[$fd] );
+					}
+				} elseif ( $isWrite ) {
+					$buffers[$fd] = (string)substr( $buffers[$fd], $res );
+					if ( $buffers[$fd] === '' ) {
+						fclose( $pipes[$fd] );
+						unset( $pipes[$fd] );
+					}
+				} else {
+					$buffers[$fd] .= $res;
+					if ( $fd === 3 && strpos( $res, "\n" ) !== false ) {
+						// For the log FD, every line is a separate log entry.
+						$lines = explode( "\n", $buffers[3] );
+						$buffers[3] = array_pop( $lines );
+						foreach ( $lines as $line ) {
+							$this->logger->info( $line );
+						}
+					}
+				}
+			}
+		}
+
+		foreach ( $pipes as $pipe ) {
+			fclose( $pipe );
+		}
+
+		// Use the status previously collected if possible, since proc_get_status()
+		// just calls waitpid() which will not return anything useful the second time.
+		if ( $running ) {
+			$status = proc_get_status( $proc );
+		}
+
+		if ( $logMsg !== false ) {
+			// Read/select error
+			$retval = -1;
+			proc_close( $proc );
+		} elseif ( $status['signaled'] ) {
+			$logMsg = "Exited with signal {$status['termsig']}";
+			$retval = 128 + $status['termsig'];
+			proc_close( $proc );
+		} else {
+			if ( $status['running'] ) {
+				$retval = proc_close( $proc );
+			} else {
+				$retval = $status['exitcode'];
+				proc_close( $proc );
+			}
+			if ( $retval == 127 ) {
+				$logMsg = "Possibly missing executable file";
+			} elseif ( $retval >= 129 && $retval <= 192 ) {
+				$logMsg = "Probably exited with signal " . ( $retval - 128 );
+			}
+		}
+
+		if ( $logMsg !== false ) {
+			$this->logger->warning( "$logMsg: {command}", [ 'command' => $cmd ] );
+		}
+
+		if ( $buffers[2] && $this->doLogStderr ) {
+			$this->logger->error( "Error running {command}: {error}", [
+				'command' => $cmd,
+				'error' => $buffers[2],
+				'exitcode' => $retval,
+				'exception' => new Exception( 'Shell error' ),
+			] );
+		}
+
+		return new Result( $retval, $buffers[1], $buffers[2] );
+	}
+}
diff --git a/www/wiki/includes/shell/CommandFactory.php b/www/wiki/includes/shell/CommandFactory.php
new file mode 100644
index 00000000..b4b9b921
--- /dev/null
+++ b/www/wiki/includes/shell/CommandFactory.php
@@ -0,0 +1,114 @@
+<?php
+/**
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
+
+namespace MediaWiki\Shell;
+
+use ExecutableFinder;
+use Psr\Log\LoggerAwareTrait;
+use Psr\Log\NullLogger;
+
+/**
+ * Factory facilitating dependency injection for Command
+ *
+ * @since 1.30
+ */
+class CommandFactory {
+	use LoggerAwareTrait;
+
+	/** @var array */
+	private $limits;
+
+	/** @var string|bool */
+	private $cgroup;
+
+	/** @var bool */
+	private $doLogStderr = false;
+
+	/**
+	 * @var string|bool
+	 */
+	private $restrictionMethod;
+
+	/**
+	 * @var string|bool
+	 */
+	private $firejail;
+
+	/**
+	 * Constructor
+	 *
+	 * @param array $limits See {@see Command::limits()}
+	 * @param string|bool $cgroup See {@see Command::cgroup()}
+	 * @param string|bool $restrictionMethod
+	 */
+	public function __construct( array $limits, $cgroup, $restrictionMethod ) {
+		$this->limits = $limits;
+		$this->cgroup = $cgroup;
+		if ( $restrictionMethod === 'autodetect' ) {
+			// On Linux systems check for firejail
+			if ( PHP_OS === 'Linux' && $this->findFirejail() !== false ) {
+				$this->restrictionMethod = 'firejail';
+			} else {
+				$this->restrictionMethod = false;
+			}
+		} else {
+			$this->restrictionMethod = $restrictionMethod;
+		}
+		$this->setLogger( new NullLogger() );
+	}
+
+	private function findFirejail() {
+		if ( $this->firejail === null ) {
+			$this->firejail = ExecutableFinder::findInDefaultPaths( 'firejail' );
+		}
+
+		return $this->firejail;
+	}
+
+	/**
+	 * When enabled, text sent to stderr will be logged with a level of 'error'.
+	 *
+	 * @param bool $yesno
+	 * @see Command::logStderr
+	 */
+	public function logStderr( $yesno = true ) {
+		$this->doLogStderr = $yesno;
+	}
+
+	/**
+	 * Instantiates a new Command
+	 *
+	 * @return Command
+	 */
+	public function create() {
+		if ( $this->restrictionMethod === 'firejail' ) {
+			$command = new FirejailCommand( $this->findFirejail() );
+			$command->restrict( Shell::RESTRICT_DEFAULT );
+		} else {
+			$command = new Command();
+		}
+		$command->setLogger( $this->logger );
+
+		return $command
+			->limits( $this->limits )
+			->cgroup( $this->cgroup )
+			->logStderr( $this->doLogStderr );
+	}
+}
diff --git a/www/wiki/includes/shell/FirejailCommand.php b/www/wiki/includes/shell/FirejailCommand.php
new file mode 100644
index 00000000..d8189304
--- /dev/null
+++ b/www/wiki/includes/shell/FirejailCommand.php
@@ -0,0 +1,160 @@
+<?php
+/**
+ * Copyright (C) 2017 Kunal Mehta <legoktm@member.fsf.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+namespace MediaWiki\Shell;
+
+use RuntimeException;
+
+/**
+ * Restricts execution of shell commands using firejail
+ *
+ * @see https://firejail.wordpress.com/
+ * @since 1.31
+ */
+class FirejailCommand extends Command {
+
+	/**
+	 * @var string Path to firejail
+	 */
+	private $firejail;
+
+	/**
+	 * @var string[]
+	 */
+	private $whitelistedPaths = [];
+
+	/**
+	 * @param string $firejail Path to firejail
+	 */
+	public function __construct( $firejail ) {
+		parent::__construct();
+		$this->firejail = $firejail;
+	}
+
+	/**
+	 * @inheritDoc
+	 */
+	public function whitelistPaths( array $paths ) {
+		$this->whitelistedPaths = array_merge( $this->whitelistedPaths, $paths );
+		return $this;
+	}
+
+	/**
+	 * @inheritDoc
+	 */
+	protected function buildFinalCommand( $command ) {
+		// If there are no restrictions, don't use firejail
+		if ( $this->restrictions === 0 ) {
+			$splitCommand = explode( ' ', $command, 2 );
+			$this->logger->debug(
+				"firejail: Command {$splitCommand[0]} {params} has no restrictions",
+				[ 'params' => isset( $splitCommand[1] ) ? $splitCommand[1] : '' ]
+			);
+			return parent::buildFinalCommand( $command );
+		}
+
+		if ( $this->firejail === false ) {
+			throw new RuntimeException( 'firejail is enabled, but cannot be found' );
+		}
+		// quiet has to come first to prevent firejail from adding
+		// any output.
+		$cmd = [ $this->firejail, '--quiet' ];
+		// Use a profile that allows people to add local overrides
+		// if their system is setup in an incompatible manner. Also it
+		// prevents any default profiles from running.
+		// FIXME: Doesn't actually override command-line switches?
+		$cmd[] = '--profile=' . __DIR__ . '/firejail.profile';
+
+		// By default firejail hides all other user directories, so if
+		// MediaWiki is inside a home directory (/home) but not the
+		// current user's home directory, pass --allusers to whitelist
+		// the home directories again.
+		static $useAllUsers = null;
+		if ( $useAllUsers === null ) {
+			global $IP;
+			// In case people are doing funny things with symlinks
+			// or relative paths, resolve them all.
+			$realIP = realpath( $IP );
+			$currentUser = posix_getpwuid( posix_geteuid() );
+			$useAllUsers = ( strpos( $realIP, '/home/' ) === 0 )
+				&& ( strpos( $realIP, $currentUser['dir'] ) !== 0 );
+			if ( $useAllUsers ) {
+				$this->logger->warning( 'firejail: MediaWiki is located ' .
+					'in a home directory that does not belong to the ' .
+					'current user, so allowing access to all home ' .
+					'directories (--allusers)' );
+			}
+		}
+
+		if ( $useAllUsers ) {
+			$cmd[] = '--allusers';
+		}
+
+		if ( $this->whitelistedPaths ) {
+			// Always whitelist limit.sh
+			$cmd[] = '--whitelist=' . __DIR__ . '/limit.sh';
+			foreach ( $this->whitelistedPaths as $whitelistedPath ) {
+				$cmd[] = "--whitelist={$whitelistedPath}";
+			}
+		}
+
+		if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) {
+			$cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE );
+		}
+
+		if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
+			$cmd[] = '--noroot';
+		}
+
+		$useSeccomp = $this->hasRestriction( Shell::SECCOMP );
+		$extraSeccomp = [];
+
+		if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
+			$extraSeccomp[] = 'execve';
+			// Normally firejail will run commands in a bash shell,
+			// but that won't work if we ban the execve syscall, so
+			// run the command without a shell.
+			$cmd[] = '--shell=none';
+		}
+
+		if ( $useSeccomp ) {
+			$seccomp = '--seccomp';
+			if ( $extraSeccomp ) {
+				// The "@default" seccomp group will always be enabled
+				$seccomp .= '=' . implode( ',', $extraSeccomp );
+			}
+			$cmd[] = $seccomp;
+		}
+
+		if ( $this->hasRestriction( Shell::PRIVATE_DEV ) ) {
+			$cmd[] = '--private-dev';
+		}
+
+		if ( $this->hasRestriction( Shell::NO_NETWORK ) ) {
+			$cmd[] = '--net=none';
+		}
+
+		$builtCmd = implode( ' ', $cmd );
+
+		// Prefix the firejail command in front of the wanted command
+		return parent::buildFinalCommand( "$builtCmd -- {$command}" );
+	}
+
+}
diff --git a/www/wiki/includes/shell/Result.php b/www/wiki/includes/shell/Result.php
new file mode 100644
index 00000000..a105cd12
--- /dev/null
+++ b/www/wiki/includes/shell/Result.php
@@ -0,0 +1,76 @@
+<?php
+/**
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
+
+namespace MediaWiki\Shell;
+
+/**
+ * Returned by MediaWiki\Shell\Command::execute()
+ *
+ * @since 1.30
+ */
+class Result {
+	/** @var int */
+	private $exitCode;
+
+	/** @var string */
+	private $stdout;
+
+	/** @var string|null */
+	private $stderr;
+
+	/**
+	 * @param int $exitCode
+	 * @param string $stdout
+	 * @param string|null $stderr
+	 */
+	public function __construct( $exitCode, $stdout, $stderr = null ) {
+		$this->exitCode = $exitCode;
+		$this->stdout = $stdout;
+		$this->stderr = $stderr;
+	}
+
+	/**
+	 * Returns exit code of the process
+	 *
+	 * @return int
+	 */
+	public function getExitCode() {
+		return $this->exitCode;
+	}
+
+	/**
+	 * Returns stdout of the process
+	 *
+	 * @return string
+	 */
+	public function getStdout() {
+		return $this->stdout;
+	}
+
+	/**
+	 * Returns stderr of the process or null if the Command was configured to add stderr to stdout
+	 * with includeStderr( true )
+	 *
+	 * @return string|null
+	 */
+	public function getStderr() {
+		return $this->stderr;
+	}
+}
diff --git a/www/wiki/includes/shell/Shell.php b/www/wiki/includes/shell/Shell.php
new file mode 100644
index 00000000..742e1424
--- /dev/null
+++ b/www/wiki/includes/shell/Shell.php
@@ -0,0 +1,251 @@
+<?php
+/**
+ * Class used for executing shell commands
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
+
+namespace MediaWiki\Shell;
+
+use Hooks;
+use MediaWiki\MediaWikiServices;
+
+/**
+ * Executes shell commands
+ *
+ * @since 1.30
+ *
+ * Use call chaining with this class for expressiveness:
+ *  $result = Shell::command( 'some command' )
+ *       ->input( 'foo' )
+ *       ->environment( [ 'ENVIRONMENT_VARIABLE' => 'VALUE' ] )
+ *       ->limits( [ 'time' => 300 ] )
+ *       ->execute();
+ *
+ *  ... = $result->getExitCode();
+ *  ... = $result->getStdout();
+ *  ... = $result->getStderr();
+ */
+class Shell {
+
+	/**
+	 * Apply a default set of restrictions for improved
+	 * security out of the box.
+	 *
+	 * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS
+	 *
+	 * @note This value will change over time to provide increased security
+	 *       by default, and is not guaranteed to be backwards-compatible.
+	 * @since 1.31
+	 */
+	const RESTRICT_DEFAULT = 39;
+
+	/**
+	 * Disallow any root access. Any setuid binaries
+	 * will be run without elevated access.
+	 *
+	 * @since 1.31
+	 */
+	const NO_ROOT = 1;
+
+	/**
+	 * Use seccomp to block dangerous syscalls
+	 * @see <https://en.wikipedia.org/wiki/seccomp>
+	 *
+	 * @since 1.31
+	 */
+	const SECCOMP = 2;
+
+	/**
+	 * Create a private /dev
+	 *
+	 * @since 1.31
+	 */
+	const PRIVATE_DEV = 4;
+
+	/**
+	 * Restrict the request to have no
+	 * network access
+	 *
+	 * @since 1.31
+	 */
+	const NO_NETWORK = 8;
+
+	/**
+	 * Deny execve syscall with seccomp
+	 * @see <https://en.wikipedia.org/wiki/exec_(system_call)>
+	 *
+	 * @since 1.31
+	 */
+	const NO_EXECVE = 16;
+
+	/**
+	 * Deny access to LocalSettings.php (MW_CONFIG_FILE)
+	 *
+	 * @since 1.31
+	 */
+	const NO_LOCALSETTINGS = 32;
+
+	/**
+	 * Don't apply any restrictions
+	 *
+	 * @since 1.31
+	 */
+	const RESTRICT_NONE = 0;
+
+	/**
+	 * Returns a new instance of Command class
+	 *
+	 * @param string|string[] $command String or array of strings representing the command to
+	 * be executed, each value will be escaped.
+	 *   Example:   [ 'convert', '-font', 'font name' ] would produce "'convert' '-font' 'font name'"
+	 * @return Command
+	 */
+	public static function command( $command ) {
+		$args = func_get_args();
+		if ( count( $args ) === 1 && is_array( reset( $args ) ) ) {
+			// If only one argument has been passed, and that argument is an array,
+			// treat it as a list of arguments
+			$args = reset( $args );
+		}
+		$command = MediaWikiServices::getInstance()
+			->getShellCommandFactory()
+			->create();
+
+		return $command->params( $args );
+	}
+
+	/**
+	 * Check if this class is effectively disabled via php.ini config
+	 *
+	 * @return bool
+	 */
+	public static function isDisabled() {
+		static $disabled = null;
+
+		if ( is_null( $disabled ) ) {
+			if ( !function_exists( 'proc_open' ) ) {
+				wfDebug( "proc_open() is disabled\n" );
+				$disabled = true;
+			} else {
+				$disabled = false;
+			}
+		}
+
+		return $disabled;
+	}
+
+	/**
+	 * Version of escapeshellarg() that works better on Windows.
+	 *
+	 * Originally, this fixed the incorrect use of single quotes on Windows
+	 * (https://bugs.php.net/bug.php?id=26285) and the locale problems on Linux in
+	 * PHP 5.2.6+ (bug backported to earlier distro releases of PHP).
+	 *
+	 * @param string $args,... strings to escape and glue together, or a single array of
+	 *     strings parameter. Null values are ignored.
+	 * @return string
+	 */
+	public static function escape( /* ... */ ) {
+		$args = func_get_args();
+		if ( count( $args ) === 1 && is_array( reset( $args ) ) ) {
+			// If only one argument has been passed, and that argument is an array,
+			// treat it as a list of arguments
+			$args = reset( $args );
+		}
+
+		$first = true;
+		$retVal = '';
+		foreach ( $args as $arg ) {
+			if ( $arg === null ) {
+				continue;
+			}
+			if ( !$first ) {
+				$retVal .= ' ';
+			} else {
+				$first = false;
+			}
+
+			if ( wfIsWindows() ) {
+				// Escaping for an MSVC-style command line parser and CMD.EXE
+				// Refs:
+				//  * https://web.archive.org/web/20020708081031/http://mailman.lyra.org/pipermail/scite-interest/2002-March/000436.html
+				//  * https://technet.microsoft.com/en-us/library/cc723564.aspx
+				//  * T15518
+				//  * CR r63214
+				// Double the backslashes before any double quotes. Escape the double quotes.
+				$tokens = preg_split( '/(\\\\*")/', $arg, -1, PREG_SPLIT_DELIM_CAPTURE );
+				$arg = '';
+				$iteration = 0;
+				foreach ( $tokens as $token ) {
+					if ( $iteration % 2 == 1 ) {
+						// Delimiter, a double quote preceded by zero or more slashes
+						$arg .= str_replace( '\\', '\\\\', substr( $token, 0, -1 ) ) . '\\"';
+					} elseif ( $iteration % 4 == 2 ) {
+						// ^ in $token will be outside quotes, need to be escaped
+						$arg .= str_replace( '^', '^^', $token );
+					} else { // $iteration % 4 == 0
+						// ^ in $token will appear inside double quotes, so leave as is
+						$arg .= $token;
+					}
+					$iteration++;
+				}
+				// Double the backslashes before the end of the string, because
+				// we will soon add a quote
+				$m = [];
+				if ( preg_match( '/^(.*?)(\\\\+)$/', $arg, $m ) ) {
+					$arg = $m[1] . str_replace( '\\', '\\\\', $m[2] );
+				}
+
+				// Add surrounding quotes
+				$retVal .= '"' . $arg . '"';
+			} else {
+				$retVal .= escapeshellarg( $arg );
+			}
+		}
+		return $retVal;
+	}
+
+	/**
+	 * Generate a Command object to run a MediaWiki CLI script.
+	 * Note that $parameters should be a flat array and an option with an argument
+	 * should consist of two consecutive items in the array (do not use "--option value").
+	 *
+	 * @param string $script MediaWiki CLI script with full path
+	 * @param string[] $parameters Arguments and options to the script
+	 * @param array $options Associative array of options:
+	 *     'php': The path to the php executable
+	 *     'wrapper': Path to a PHP wrapper to handle the maintenance script
+	 * @return Command
+	 */
+	public static function makeScriptCommand( $script, $parameters, $options = [] ) {
+		global $wgPhpCli;
+		// Give site config file a chance to run the script in a wrapper.
+		// The caller may likely want to call wfBasename() on $script.
+		Hooks::run( 'wfShellWikiCmd', [ &$script, &$parameters, &$options ] );
+		$cmd = isset( $options['php'] ) ? [ $options['php'] ] : [ $wgPhpCli ];
+		if ( isset( $options['wrapper'] ) ) {
+			$cmd[] = $options['wrapper'];
+		}
+		$cmd[] = $script;
+
+		return self::command( $cmd )
+			->params( $parameters )
+			->restrict( self::RESTRICT_DEFAULT & ~self::NO_LOCALSETTINGS );
+	}
+}
diff --git a/www/wiki/includes/shell/firejail.profile b/www/wiki/includes/shell/firejail.profile
new file mode 100644
index 00000000..07f059ba
--- /dev/null
+++ b/www/wiki/includes/shell/firejail.profile
@@ -0,0 +1,7 @@
+# Firejail profile used by MediaWiki when shelling out
+# See <https://firejail.wordpress.com/features-3/man-firejail-profile/> for
+# syntax documentation
+# Persistent local customizations
+include /etc/firejail/mediawiki.local
+# Persistent global definitions
+include /etc/firejail/globals.local
diff --git a/www/wiki/includes/shell/limit.sh b/www/wiki/includes/shell/limit.sh
new file mode 100755
index 00000000..d71e6603
--- /dev/null
+++ b/www/wiki/includes/shell/limit.sh
@@ -0,0 +1,122 @@
+#!/bin/bash
+#
+# Resource limiting wrapper for command execution
+#
+# Why is this in shell script? Because bash has a setrlimit() wrapper
+# and is available on most Linux systems. If Perl was distributed with
+# BSD::Resource included, we would happily use that instead, but it isn't.
+
+# Clean up cgroup
+cleanup() {
+	# First we have to move the current task into a "garbage" group, otherwise
+	# the cgroup will not be empty, and attempting to remove it will fail with
+	# "Device or resource busy"
+	if [ -w "$MW_CGROUP"/tasks ]; then
+		GARBAGE="$MW_CGROUP"
+	else
+		GARBAGE="$MW_CGROUP"/garbage-`id -un`
+		if [ ! -e "$GARBAGE" ]; then
+			mkdir -m 0700 "$GARBAGE"
+		fi
+	fi
+	echo $BASHPID > "$GARBAGE"/tasks
+
+	# Suppress errors in case the cgroup has disappeared due to a release script
+	rmdir "$MW_CGROUP"/$$ 2>/dev/null
+}
+
+updateTaskCount() {
+	# There are lots of ways to count lines in a file in shell script, but this
+	# is one of the few that doesn't create another process, which would
+	# increase the returned number of tasks.
+	readarray < "$MW_CGROUP"/$$/tasks
+	NUM_TASKS=${#MAPFILE[*]}
+}
+
+log() {
+	echo limit.sh: "$*" >&3
+	echo limit.sh: "$*" >&2
+}
+
+MW_INCLUDE_STDERR=
+MW_USE_LOG_PIPE=
+MW_CPU_LIMIT=0
+MW_CGROUP=
+MW_MEM_LIMIT=0
+MW_FILE_SIZE_LIMIT=0
+MW_WALL_CLOCK_LIMIT=0
+
+# Override settings
+eval "$2"
+
+if [ -n "$MW_INCLUDE_STDERR" ]; then
+	exec 2>&1
+fi
+if [ -z "$MW_USE_LOG_PIPE" ]; then
+	# Open a dummy log FD
+	exec 3>/dev/null
+fi
+
+if [ "$MW_CPU_LIMIT" -gt 0 ]; then
+	ulimit -t "$MW_CPU_LIMIT"
+fi
+if [ "$MW_MEM_LIMIT" -gt 0 ]; then
+	if [ -n "$MW_CGROUP" ]; then
+		# Create cgroup
+		if ! mkdir -m 0700 "$MW_CGROUP"/$$; then
+			log "failed to create the cgroup."
+			MW_CGROUP=""
+		fi
+	fi
+	if [ -n "$MW_CGROUP" ]; then
+		echo $$ > "$MW_CGROUP"/$$/tasks
+		if [ -n "$MW_CGROUP_NOTIFY" ]; then
+			echo "1" > "$MW_CGROUP"/$$/notify_on_release
+		fi
+		# Memory
+		echo $(($MW_MEM_LIMIT*1024)) > "$MW_CGROUP"/$$/memory.limit_in_bytes
+		# Memory+swap
+		# This will be missing if there is no swap
+		if [ -e "$MW_CGROUP"/$$/memory.memsw.limit_in_bytes ]; then
+			echo $(($MW_MEM_LIMIT*1024)) > "$MW_CGROUP"/$$/memory.memsw.limit_in_bytes
+		fi
+	else
+		ulimit -v "$MW_MEM_LIMIT"
+	fi
+else
+	MW_CGROUP=""
+fi
+if [ "$MW_FILE_SIZE_LIMIT" -gt 0 ]; then
+	ulimit -f "$MW_FILE_SIZE_LIMIT"
+fi
+if [ "$MW_WALL_CLOCK_LIMIT" -gt 0 -a -x "/usr/bin/timeout" ]; then
+	/usr/bin/timeout $MW_WALL_CLOCK_LIMIT /bin/bash -c "$1" 3>&-
+	STATUS="$?"
+	if [ "$STATUS" == 124 ]; then
+		log "timed out executing command \"$1\""
+	fi
+else
+	eval "$1" 3>&-
+	STATUS="$?"
+fi
+
+if [ -n "$MW_CGROUP" ]; then
+	updateTaskCount
+
+	if [ $NUM_TASKS -gt 1 ]; then
+		# Spawn a monitor process which will continue to poll for completion
+		# of all processes in the cgroup after termination of the parent shell
+		(
+			while [ $NUM_TASKS -gt 1 ]; do
+				sleep 10
+				updateTaskCount
+			done
+			cleanup
+		) >&/dev/null < /dev/null 3>&- &
+		disown -a
+	else
+		cleanup
+	fi
+fi
+exit "$STATUS"
+