patch CVE-2020-13619 #426
Merged
patch CVE-2020-13619 #426
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
missing a space if nothing else
kvz
approved these changes
Oct 2, 2020
|
Thank you! Merged and released as |
|
Appreciated, will check them out 👍 |
|
https://locutus.io/php/exec/escapeshellarg/ still displays the vulnerable version, can someone fix that? ping @kvz wouldn't surprise me if you're the web admin |
|
Hey, thanks, I fixed some issues and the website should be updated |
|
@kvz hmm, at 2020-11-19T15:09:19+00:00 it's still displaying the vulnerable version |
|
Ah thanks for catching, fixed for real now! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #420
Description
see #420
(also it's technically possible to create a smaller command with the same data,
\'\'and''\'''\'''compiles to the exact same string, but given the security-sensitive aspect if we get the optimization wrong, and the fact that even the php core developers didn't try to optimize this part, we probably shouldn't try to do that either. i suspect it was such an optimization gone wrong that lead to CVE-2020-13619 in the first place.)