View Issue Details

ID: 0012130
Project: mantisbt
Category: plug-ins
View Status: public
Last Update: 2013-05-22 11:09
Reporter: haruka
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: won't fix
Summary: 0012130: plugin_cli.php
Description

I would like to have something like the attached file(*) in the mantis core.
I think calling plugins just from commandline (without wget) would raise the security of plugins called by cronjobs.

With the attached file you can call a plugin by:
php /path/to/mantis/plugin_cli.php page=MyPlugin/pluginPage

(* It's just a modified copy of plugin.php)

Tags: No tags attached.
Attached Files
plugin_cli.php (824 bytes)   
<?php
require_once( 'core.php' );

$t_plugin_path = config_get( 'plugin_path' );

# Read the "page=Plugin/action" argument from the command line.
# Initialise first so a missing argument fails the validation below
# instead of raising an undefined-variable notice.
$f_page = '';
if ( isset( $argv ) && is_array( $argv ) ) {
	foreach ( $argv as $arg ) {
		if ( strpos( $arg, 'page=' ) === 0 ) {
			# Take everything after the prefix; str_replace would also
			# strip a later "page=" that appears inside the value.
			$f_page = substr( $arg, strlen( 'page=' ) );
		}
	}
}
$t_matches = array();

# Same validation as plugin.php: only the captured groups are used to build
# the path, and they may contain nothing but [a-zA-Z0-9_-] and "/", so ".."
# or other path characters never reach the include below.
if ( !preg_match( '/^([a-zA-Z0-9_-]+)\/([a-zA-Z0-9_-]+[\/a-zA-Z0-9_-]*)/', $f_page, $t_matches ) ) {
	trigger_error( ERROR_GENERIC, ERROR );
}

$t_basename = $t_matches[1];
$t_action = $t_matches[2];

# Only plugins Mantis has registered can be addressed.
global $g_plugin_cache;
if ( !isset( $g_plugin_cache[$t_basename] ) ) {
	trigger_error( ERROR_PLUGIN_NOT_REGISTERED, ERROR );
}

$t_page = $t_plugin_path . $t_basename . DIRECTORY_SEPARATOR .
		'pages' . DIRECTORY_SEPARATOR . $t_action . '.php';

if ( !is_file( $t_page ) ) {
	trigger_error( ERROR_PLUGIN_PAGE_NOT_FOUND, ERROR );
}

plugin_push_current( $t_basename );
include( $t_page );
plugin_cli2.php (1,003 bytes)   
<?php
# Make sure this script doesn't run via the webserver
# (the check requested in the thread, as in scripts/send_emails.php).
if ( php_sapi_name() != 'cli' ) {
	echo "plugin_cli.php is not allowed to run through the webserver.\n";
	exit( 1 );
}

require_once( 'core.php' );

$t_plugin_path = config_get( 'plugin_path' );

# Read the "page=Plugin/action" argument from the command line.
# Initialise first so a missing argument fails the validation below
# instead of raising an undefined-variable notice.
$f_page = '';
if ( isset( $argv ) && is_array( $argv ) ) {
	foreach ( $argv as $arg ) {
		if ( strpos( $arg, 'page=' ) === 0 ) {
			# Take everything after the prefix; str_replace would also
			# strip a later "page=" that appears inside the value.
			$f_page = substr( $arg, strlen( 'page=' ) );
		}
	}
}
$t_matches = array();

# Same validation as plugin.php: only the captured groups are used to build
# the path, and they may contain nothing but [a-zA-Z0-9_-] and "/", so ".."
# or other path characters never reach the include below.
if ( !preg_match( '/^([a-zA-Z0-9_-]+)\/([a-zA-Z0-9_-]+[\/a-zA-Z0-9_-]*)/', $f_page, $t_matches ) ) {
	trigger_error( ERROR_GENERIC, ERROR );
}

$t_basename = $t_matches[1];
$t_action = $t_matches[2];

# Only plugins Mantis has registered can be addressed.
global $g_plugin_cache;
if ( !isset( $g_plugin_cache[$t_basename] ) ) {
	trigger_error( ERROR_PLUGIN_NOT_REGISTERED, ERROR );
}

$t_page = $t_plugin_path . $t_basename . DIRECTORY_SEPARATOR .
		'pages' . DIRECTORY_SEPARATOR . $t_action . '.php';

if ( !is_file( $t_page ) ) {
	trigger_error( ERROR_PLUGIN_PAGE_NOT_FOUND, ERROR );
}

plugin_push_current( $t_basename );
include( $t_page );

Activities

haruka (reporter), 2010-08-18 06:38, note ~0026349

Mh, just for information... am I the only one who is interested in a feature like this?

dhx (reporter), 2010-08-18 10:33, note ~0026351

I've just had a quick look. It's missing checks to ensure that the script is being executed from the command line. See scripts/send_emails.php for an example check.

However more to the point, can you please explain how this approach increases security?

haruka (reporter), 2010-08-20 14:55, note ~0026387

> I've just had a quick look. It's missing checks to ensure that the script is being executed from the command line. See scripts/send_emails.php for an example check.

Added this check. I thought of my script more as an idea/example than a finished script.

> However more to the point, can you please explain how this approach increases security?

  • There is currently no way to run a plugin from the CLI when you want to use the mantis environment easily (correct me if I'm wrong)
  • Using wget/w3m/lynx means not only crond can start my cronjob (ok, I could configure my webserver to prevent this. But does every mantis user know how to do this?)
  • I have a plugin which sends mails. An abuser could start this a thousand times from the web -> bad.
  • A plugin which can't be called from the web cannot show usable possible bugs to everyone (e.g. an exploit or something else).

Ok, I have to add a CLI check in the plugin to be safe, too. But I don't see this as a problem.

atrol (developer), 2013-04-27 18:46, note ~0036713

Removed assignment. dhx will not contribute to this issue in near future.

grangeway (reporter), 2013-05-07 18:03, note ~0036801

Hi,

I don't think this is something that we would include in the core distribution.

If a plugin needed to implement a cron job, it would be better providing a cron job + setup steps for it.

If someone wants to write a 'cronjob-scheduler' type engine, where someone could set 'cronjob.php' to run every 5 minutes, and then check to see what tasks should be run at this time, that would make more sense. A plugin could then "register" a cronjob task - for the mantis cron job scheduler to pick up.

At the same time, given that someone might want to write a cronjob in a different language etc, I'm still probably inclined to think it's something that should be configured by the server admin outside of mantis.

Paul
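Added example code, not MantisBT's own and not part of this thread: one way the "cronjob-scheduler" idea in the comment above could look, where a plugin registers a task and a cronjob.php scheduled every 5 minutes runs whichever tasks are due, refusing to run through the webserver. The function names, the JSON state file and the sample task are assumptions.

```php
<?php
# Added illustration (not MantisBT code) of the scheduler idea above: plugins register tasks,
# cronjob.php runs every 5 minutes and executes whatever is due. All names are assumptions.

# Refuse to run through the webserver, as scripts/send_emails.php does.
if ( PHP_SAPI !== 'cli' ) {
	echo "cronjob.php is not allowed to run through the webserver.\n";
	exit( 1 );
}

$g_cron_tasks = array();

# A plugin "registers" a task: a unique name, a minimum interval in seconds
# and a callable. Names are whitelisted like plugin basenames in plugin.php.
function cron_register_task( $p_name, $p_interval, $p_callable ) {
	global $g_cron_tasks;
	if ( !preg_match( '/^[a-zA-Z0-9_-]+$/', $p_name ) || !is_callable( $p_callable ) ) {
		throw new InvalidArgumentException( 'invalid cron task: ' . $p_name );
	}
	$g_cron_tasks[$p_name] = array( 'interval' => (int)$p_interval, 'run' => $p_callable );
}

# Run every task whose interval has elapsed since its last recorded run and
# return the names that ran. Last-run times live in a JSON state file, so the
# cron entry can fire every 5 minutes while tasks run hourly or daily.
function cron_run_due( $p_state_file, $p_now ) {
	global $g_cron_tasks;
	$t_state = is_file( $p_state_file ) ? json_decode( file_get_contents( $p_state_file ), true ) : array();
	if ( !is_array( $t_state ) ) {
		$t_state = array();
	}
	$t_ran = array();
	foreach ( $g_cron_tasks as $t_name => $t_task ) {
		$t_last = isset( $t_state[$t_name] ) ? (int)$t_state[$t_name] : 0;
		if ( $p_now - $t_last < $t_task['interval'] ) {
			continue;
		}
		# Record the start before running, so a task that throws or hangs is
		# not retried on every 5-minute tick.
		$t_state[$t_name] = $p_now;
		file_put_contents( $p_state_file, json_encode( $t_state ), LOCK_EX );
		call_user_func( $t_task['run'] );
		$t_ran[] = $t_name;
	}
	return $t_ran;
}

# Constructed sample: a mail-sending plugin task limited to once per hour.
cron_register_task( 'MyPlugin_send_mails', 3600, function() { echo "sending mails\n"; } );
print_r( cron_run_due( sys_get_temp_dir() . '/mantis_cron_state.json', time() ) );
```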