Hopefully prevent execution of this script in a webserver context.
This check should not be required ... yet here it is.

If you upload PHPUnit to a production webserver then your deployment process is broken.

If your vendor/ directory is publicly accessible on your webserver then your deployment process is broken.

*sigh*
sebastianbergmann committed Dec 10, 2019
1 parent 7a46cf1 commit 33585d9
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/Util/PHP/eval-stdin.php
Expand Up @@ -7,4 +7,8 @@
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
if (\PHP_SAPI !== 'cli' && \PHP_SAPI !== 'phpdbg') {
exit;

@stof (Contributor) commented Dec 10, 2019:

Wouldn't it be a bit better with exit(1)?

}

eval('?>' . \file_get_contents('php://stdin'));
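Review bot: the guard on the `if (\PHP_SAPI !== 'cli' && \PHP_SAPI !== 'phpdbg')` line exits with status 0 and no output, so a request that reaches this file through a web SAPI gets an empty 200 response and nothing distinctive shows up in server logs or monitoring; `exit(1)` as stof suggests gives a non-zero status in the CLI case, and a short message such as `exit('This script must be run from the command line.');` would make accidental web exposure visible. The SAPI test does cover the CGI/FastCGI case raised in the comments, since PHP_SAPI reports 'cgi-fcgi' or 'fpm-fcgi' there rather than 'cli'; the check remains a safety net, and the commit message is right that vendor/ should not be reachable from the web root in the first place.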

4 comments on commit 33585d9

@sebastianbergmann (Owner, Author)

Sure.

@sebastianbergmann (Owner, Author)

Done: 6aab040

@PierreRambaud

Could you explain to us why it's required? 🤔
Is there a simple way to exploit php://stdin in a webserver context?

@PierreRambaud

FYI: It can be exploited when running under a CGI / FastCGI context :)
