Hopefully prevent execution of this script in a webserver context.
This check should not be required ... yet here it is.

If you upload PHPUnit to a production webserver then your deployment process is broken.

If your vendor/ directory is publicly accessible on your webserver then your deployment process is broken.

*sigh*
sebastianbergmann committed Dec 10, 2019
1 parent 7a46cf1 commit 33585d982b1e469a921020aa62446f64df63b900
Showing 1 changed file with 4 additions and 0 deletions.
@@ -7,4 +7,8 @@
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
if (\PHP_SAPI !== 'cli' && \PHP_SAPI !== 'phpdbg') {
exit;

@stof (Contributor) commented Dec 10, 2019:

Wouldn't it be a bit better with exit(1)?

}

eval('?>' . \file_get_contents('php://stdin'));
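Review bot: `exit;` in the new guard terminates with status 0, so a caller cannot distinguish the refusal from a successful run of the script; use `exit(1)` as stof suggests in the inline comment, so that a non-CLI invocation is reported as a failure. The guard also carries no comment saying why it is there: a one-line note that this file passes `php://stdin` to `eval()` and must therefore only ever run under `cli` or `phpdbg` would stop a later contributor from treating the `if` as dead code and removing it. Finally, as the commit message itself says, this is a last line of defence and not the fix: the file should still be kept out of any web-reachable directory, and the check should not be relied on as the only control.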

4 comments on commit 33585d9

@sebastianbergmann (Owner, Author) commented on 33585d9 Dec 10, 2019:

Sure.

@sebastianbergmann (Owner, Author) commented on 33585d9 Dec 10, 2019:

Done: 6aab040

@PierreRambaud commented on 33585d9 Jan 6, 2020:

Could you explain to us why it's required? 🤔
Is there a simple way to exploit the php://stdin in a webserver context?

@PierreRambaud commented on 33585d9 Jan 6, 2020:

FYI: It can be exploited when running under a CGI / FastCGI context :)
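The commit message's actual point, that vendor/ must never be reachable from the web server, is a deployment-process check rather than something PHPUnit can fix in its own code, and the last comment above explains why it matters (under CGI / FastCGI the request body arrives on php://stdin). The POSIX shell script below is an added example written for this page; it is not code from PHPUnit or from anyone in this thread. It gates a deploy by refusing a document root that contains any directory named vendor, or any PHP file that reads php://stdin without mentioning PHP_SAPI anywhere (the kind of guard this commit adds). The function names check_docroot, find_vendor_dirs and find_unguarded_stdin_readers are my own; the script assumes find and grep are available and that the document root is passed as the first argument.

```shell
#!/bin/sh
# Deployment gate, added here as an example; it is not part of PHPUnit.
# Assumptions: POSIX sh with find and grep; the document root is $1;
# findings go to stderr and the exit status is the verdict.

# List every directory named vendor below the document root.
find_vendor_dirs() {
    find "$1" -type d -name vendor 2>/dev/null
}

# List PHP files that read php://stdin but never mention PHP_SAPI,
# i.e. eval-style sinks with no SAPI guard of the kind this commit adds.
# /dev/null is passed to grep so it never falls back to reading stdin
# and always prints file names in -l mode.
find_unguarded_stdin_readers() {
    find "$1" -type f -name '*.php' \
        -exec grep -lF 'php://stdin' /dev/null {} + 2>/dev/null |
    while IFS= read -r f; do
        grep -qF 'PHP_SAPI' "$f" || printf '%s\n' "$f"
    done
}

# Return 0 when the document root is clean, 1 when either check finds something.
check_docroot() {
    docroot=$1
    status=0

    vendors=$(find_vendor_dirs "$docroot")
    if [ -n "$vendors" ]; then
        printf 'vendor/ inside document root:\n%s\n' "$vendors" >&2
        status=1
    fi

    readers=$(find_unguarded_stdin_readers "$docroot")
    if [ -n "$readers" ]; then
        printf 'PHP files reading php://stdin with no PHP_SAPI guard:\n%s\n' "$readers" >&2
        status=1
    fi

    return "$status"
}

# Stand-alone use: sh check_docroot.sh /var/www/html
if [ "$#" -gt 0 ]; then
    check_docroot "$1"
fi
```

Run it as the last step before the files are synced to the web server and fail the pipeline on a non-zero status. The PHP_SAPI test is a coarse textual heuristic: it accepts any file that mentions the constant, so it catches the unguarded case this commit fixes but does not verify that a guard it finds is correct.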
