Hopefully prevent execution of this script in a webserver context.

This check should not be required ... yet here it is.

If you upload PHPUnit to a production webserver then your deployment process is broken.

If your vendor/ directory is publicly accessible on your webserver then your deployment process is broken.

*sigh*
sebastianbergmann committed Dec 10, 2019
1 parent 7a46cf1 commit 33585d982b1e469a921020aa62446f64df63b900
Showing with 4 additions and 0 deletions.
  1. +4 −0 src/Util/PHP/eval-stdin.php
@@ -7,4 +7,8 @@
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
if (\PHP_SAPI !== 'cli' && \PHP_SAPI !== 'phpdbg') {
exit;

@stof (Contributor) commented Dec 10, 2019:

Wouldn't it be a bit better with exit(1)?

}

eval('?>' . \file_get_contents('php://stdin'));
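Review bot: the `exit;` added at the top of this hunk carries no status code, so a request that reaches the file under a web SAPI terminates with exit status 0 and looks like a successful run to whatever invoked it; `exit(1)`, as stof suggests inline, makes the refusal visible to callers and logs. The guard itself fits the commit's stated goal: \PHP_SAPI is 'cli' only for the command-line binary (and 'phpdbg' for the debugger), so under CGI, FastCGI or any other web SAPI the script stops before the unchanged `eval('?>' . \file_get_contents('php://stdin'));` line, which otherwise executes whatever arrives on stdin. As the commit message says, the primary control is keeping vendor/ out of the web root; this check is defence in depth for deployments that get that wrong.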

4 comments on commit 33585d9

@sebastianbergmann (Owner, Author) replied Dec 10, 2019:

Sure.

@sebastianbergmann (Owner, Author) replied Dec 10, 2019:

Done: 6aab040

@PierreRambaud replied Jan 6, 2020:

Could you explain to us why it's required? 🤔
Is there a simple way to exploit php://stdin in a webserver context?

@PierreRambaud replied Jan 6, 2020:

FYI: It can be exploited when running in a CGI / FastCGI context :)
