You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
do you mean bugs like https://bugs.php.net/bug.php?id=70121 which leads to remote code execution?
we download the version list from php.net directly with https enabled, where I think the data should be safe. ( if php.net was hacked and the data were modified, I think the sources were not reliabed as well)
btw, I found two more extra problems / something may be can be improved:
if we use WgetCommandDownload, we pass --no-check-certificate to the wget command, I know that it was me that wrote that class, but I think I was just copying those code from somewhere else in the project, so I'm wondering if there is some special reason for doing so?
ReleaseList::downloadReleaseListFromOfficialSite will throw exception if openssl extension not found. IMO it's not required any more as we support downloader like WgetCommandDownloader or CurlCommandDownloader.
php.net/release offers two version data:
http://php.net/releases/index.php?serialize
and
http://php.net/releases/index.php?json
I think we can switch to the serialized version so we no longer relay on the json module.
The text was updated successfully, but these errors were encountered: