Fix remote code execution
See CVE ID CVE-2021-30124
sandhje committed Apr 6, 2021
1 parent 392f09b commit c462bf5
Showing 2 changed files with 3 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -40,6 +40,7 @@ Or to use your own PHPMD PHAR on a custom location:
```
"phpmd.command": "php C:/path/to/phpmd.phar"`
```
***Security fix in version 1.3.0:*** *Before version 1.3.0 it was possible to set `phpmd.command` through workspace settings. This unfortunately opened possibilities for a remote code execution attack. Although I recognize that some users used this workspace setting in their day to day work I feel it is more important that anyone can use this extension without worrying about their system's security. As such, since version 1.3.0, this setting is disabled at workspace level to address this issue.*

### phpmd.rules:

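Review bot: the added paragraph tells users that the workspace-level setting is disabled but not what to do instead; since the package.json change in this same commit moves `phpmd.command` to `"scope": "machine"`, state explicitly that anyone who relied on a workspace value must move it to their user settings, and cite the CVE ID from the commit message (CVE-2021-30124) so readers can locate the advisory. The sample just above (`"phpmd.command": "php C:/path/to/phpmd.phar"`` ) also carries a stray trailing backtick inside the fenced block; it is pre-existing context, but this is a good moment to drop it.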
Expand Down Expand Up @@ -112,3 +113,4 @@ See client/CHANGELOG.md
* The Microsoft VSCode team for [VSCode](https://code.visualstudio.com/) and [vscode-languageserver-node](https://github.com/Microsoft/vscode-languageserver-node).
* Quentin Dreyer for his OS homedir replacement solution (https://github.com/qkdreyer)
* Shane Smith for his spelling fixes (https://github.com/shane-smith)
* Ryotek for reporting the phpmd.command security issue (https://twitter.com/ryotkak)
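Review bot: the new credit line describes the report only as "the phpmd.command security issue"; referencing CVE-2021-30124 from the commit message here would tie the acknowledgment to the advisory, and the display name "Ryotek" should be checked against the handle in the linked URL (ryotkak) so the two agree.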
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -44,6 +44,7 @@
},
"phpmd.command": {
"type": "string",
"scope": "machine",
"default": "",
"description": "The phpmd command. Leave empty to use the shipped phpmd phar (local php executable is required)"
},
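Review bot: adding `"scope": "machine"` is the right lever, because it stops a `.vscode/settings.json` shipped inside a repository from supplying the command string that the extension executes, but two things need confirming before merge. First, the scope is enforced only by VS Code's configuration layer, so the client must read this value through the configuration API rather than parsing settings files itself; otherwise a workspace value could still reach the command line. Second, the README text added in this commit says the behaviour applies "since version 1.3.0" and points to client/CHANGELOG.md, yet the diff touches only README.md and package.json with one added line each, so the version bump and the CHANGELOG entry are not part of this change and should land together with it.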
