drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Ausführen beliebiger Kommandos in php-pear-PHP-CodeSniffer
Name: |
Ausführen beliebiger Kommandos in php-pear-PHP-CodeSniffer |
|
ID: |
FEDORA-2017-aaf92c483c |
|
Distribution: |
Fedora |
|
Plattformen: |
Fedora 24 |
|
Datum: |
Sa, 11. März 2017, 00:57 |
|
Referenzen: |
Keine Angabe |
|
Applikationen: |
php-pear-PHP-CodeSniffer |
|
Originalnachricht |
Name : php-pear-PHP-CodeSniffer Product : Fedora 24 Version : 2.8.1 Release : 1.fc24 URL : http://pear.php.net/package/PHP_CodeSniffer Summary : PHP coding standards enforcement tool Description : PHP_CodeSniffer provides functionality to verify that code conforms to certain standards, such as PEAR, or user-defined.
------------------------------------------------------------------------------- - Update Information:
**Version 2.8.1** * This release contains a fix for a security advisory related to the improper handling of shell commands * Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases * A properly crafted filename or configuration option would allow for arbitrary code execution when using some features * All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code * e.g., you run PHPCS over libraries that you did not write * e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories * e.g., you allow external tool paths to be set by user-defined values * If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features: * The diff report * The notify-send report * The Generic.PHP.Syntax sniff * The Generic.Debug.CSSLint sniff * The Generic.Debug.ClosureLinter sniff * The Generic.Debug.JSHint sniff * The Squiz.Debug.JSLint sniff * The Squiz.Debug.JavaScriptLint sniff * The Zend.Debug.CodeAnalyzer sniff * Thanks to Klaus Purer for the report * The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2 * PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration * PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration * Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration * It would previously report that only one argument is allowed per line * Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately * Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types * Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment * Thanks to Juliette Reinders Folmer for the patch * Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator * As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty * Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports * Fixed bug #1340 : STDIN file contents not being populated in some cases * Thanks to David Bi?ovec for the patch * Fixed bug #1344 : PEAR.Functions.FunctionCallSignatureSniff throws error for blank comment lines * Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments during fixing * Thanks to Algirdas Gurevicius for the patch * Fixed bug #1349 : Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly formatted when string contains a CR newline char * Thanks to Algirdas Gurevicius for the patch * Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using namespaces * Fixed bug #1369 : Empty line in multi-line function declaration cause infinite loop ------------------------------------------------------------------------------- -
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade php-pear-PHP-CodeSniffer' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys ------------------------------------------------------------------------------- - _______________________________________________ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
|
|
|
|