patch CVE-2020-13619 #426
missing a space if nothing else
Thank you! Merged and released as
Appreciated, will check them out 👍
https://locutus.io/php/exec/escapeshellarg/ still displays the vulnerable version, can someone fix that? ping @kvz wouldn't surprise me if you're the web admin
Hey, thanks, I fixed some issues and the website should be updated
@kvz hmm, at 2020-11-19T15:09:19+00:00 it's still displaying the vulnerable version
Ah thanks for catching, fixed for real now!
fixes #420
Description
see #420
(also it's technically possible to create a smaller command with the same data,
\'\'
and
''\'''\'''
compile to the exact same string, but given the security-sensitive aspect if we get the optimization wrong, and the fact that even the PHP core developers didn't try to optimize this part, we probably shouldn't try to do that either. I suspect it was such an optimization gone wrong that led to CVE-2020-13619 in the first place.)
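As an added example (not code from the locutus project or from this PR): a JavaScript `escapeshellarg` that follows PHP's quoting scheme, wrapping the argument in single quotes and turning every embedded `'` into `'\''`, together with a small parser for the two shell quoting forms that output can contain (single quotes and backslash escapes). The parser is used to check that the escaped argument round-trips through the shell's word splitting with no unquoted metacharacter, and that the two spellings compared in the description above really do produce the same data. `shellWords`, `roundTrips`, `naiveQuote` and the sample arguments are constructed for this example.

```javascript
// PHP-compatible escapeshellarg: single-quote the whole argument and escape
// each embedded ' as '\'' (close quote, backslash-escaped quote, reopen quote).
// The /g flag matters: every quote must be handled, not just the first one.
// PHP rejects NUL bytes because they would truncate the argv string; so do we.
function escapeshellarg(arg) {
  const s = String(arg);
  if (s.includes('\0')) throw new Error('argument contains a NUL byte');
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Constructed counter-example for the check below: quoting without escaping
// the embedded quotes. Not the project's code, only here to show the check fires.
function naiveQuote(arg) {
  return "'" + String(arg) + "'";
}

// Characters that, when they reach the shell unquoted, change the command's
// structure. Space is handled separately as the word separator.
const META = new Set([';', '&', '|', '<', '>', '$', '`', '(', ')', '\n']);

// Minimal model of POSIX sh word splitting for the quoting forms escapeshellarg
// emits: '...' (literal, no escapes inside) and backslash-escape outside quotes.
// Returns the argv words and every metacharacter that appeared unquoted.
// An unterminated quote is an error, as it would be for the real shell.
function shellWords(cmd) {
  const words = [];
  const unquotedMeta = [];
  let cur = '';
  let inWord = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (c === "'") {
      const end = cmd.indexOf("'", i + 1);
      if (end === -1) throw new Error('unterminated single quote');
      cur += cmd.slice(i + 1, end);
      i = end;
      inWord = true;
    } else if (c === '\\') {
      cur += i + 1 < cmd.length ? cmd[i + 1] : '';
      i++;
      inWord = true;
    } else if (c === ' ') {
      if (inWord) { words.push(cur); cur = ''; inWord = false; }
    } else {
      if (META.has(c)) unquotedMeta.push(c);
      cur += c;
      inWord = true;
    }
  }
  if (inWord) words.push(cur);
  return { words, unquotedMeta };
}

// True only if `escape(arg)` survives as exactly one argv word equal to arg and
// nothing leaked out of the quotes. A parse failure counts as unsafe.
function roundTrips(escape, arg) {
  try {
    const { words, unquotedMeta } = shellWords('printf %s ' + escape(arg));
    return words.length === 3 && words[2] === arg && unquotedMeta.length === 0;
  } catch (e) {
    return false;
  }
}

// Usage: the two spellings from the PR description parse to the same word.
console.log(shellWords("\\'\\'").words, shellWords("''\\'''\\'''").words);
console.log(roundTrips(escapeshellarg, "'; echo x"), roundTrips(naiveQuote, "'; echo x"));
```

The check treats the shell's own parsing as the oracle, which is the property an escaper has to satisfy: whatever the argument looks like, the shell must hand it to the program as one unchanged word. Running a corpus of quote-heavy arguments through `roundTrips` is a cheap regression test for a port like this one.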