Security: Arbitrary command execution in php-pear-PHP-CodeSniffer
Name: Arbitrary command execution in php-pear-PHP-CodeSniffer
ID: FEDORA-2017-ca3f01bd37
Distribution: Fedora
Platforms: Fedora 25
Date: Sat, 11 March 2017, 01:00
References: None given
Applications: php-pear-PHP-CodeSniffer


Name        : php-pear-PHP-CodeSniffer
Product     : Fedora 25
Version     : 2.8.1
Release     : 1.fc25
URL         : http://pear.php.net/package/PHP_CodeSniffer
Summary     : PHP coding standards enforcement tool
Description :
PHP_CodeSniffer provides functionality to verify that code conforms to
certain standards, such as PEAR, or user-defined.

Update Information:

**Version 2.8.1**

* This release contains a fix for a security advisory related to the improper handling of shell commands
  * Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
  * A properly crafted filename or configuration option would allow for arbitrary command execution when using some features
  * All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
    * e.g., you run PHPCS over libraries that you did not write
    * e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
    * e.g., you allow external tool paths to be set by user-defined values
  * If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
    * The diff report
    * The notify-send report
    * The Generic.PHP.Syntax sniff
    * The Generic.Debug.CSSLint sniff
    * The Generic.Debug.ClosureLinter sniff
    * The Generic.Debug.JSHint sniff
    * The Squiz.Debug.JSLint sniff
    * The Squiz.Debug.JavaScriptLint sniff
    * The Zend.Debug.CodeAnalyzer sniff
  * Thanks to Klaus Purer for the report
* The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2
* PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration
* PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration
* Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration
  * It would previously report that only one argument is allowed per line
* Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately
* Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types
* Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment
  * Thanks to Juliette Reinders Folmer for the patch
* Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator
  * As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty
* Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports
* Fixed bug #1340 : STDIN file contents not being populated in some cases
  * Thanks to David Biňovec for the patch
* Fixed bug #1344 : PEAR.Functions.FunctionCallSignatureSniff throws an error for blank comment lines
* Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments during fixing
  * Thanks to Algirdas Gurevicius for the patch
* Fixed bug #1349 : Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly formatted when string contains a CR newline char
  * Thanks to Algirdas Gurevicius for the patch
* Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using namespaces
* Fixed bug #1369 : Empty line in multi-line function declaration causes infinite loop
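The shell-command issue described in the update note, shown as an added example that is not PHP_CodeSniffer's own code: a stand-in for a `php -l` style syntax check that first concatenates the filename straight into the command string, then passes both the interpreter path (a user-configurable setting) and the filename through escapeshellarg(). The function names, the constructed sample filename and the "42" marker are assumptions made for this illustration only.

```php
<?php
// Added example (not PHP_CodeSniffer's own code): the bug class behind the
// 2.8.1 advisory, on a stand-in for a "run `php -l` on the file" check.
// The tool path and the filename are the two externally influenced inputs
// the advisory names (configuration settings and filenames).

// Constructed sample: a filename chosen by whoever controls the repository
// being sniffed. The shell treats ';' as a command separator, and the
// arithmetic expansion only produces "42" if the shell actually evaluated it,
// so "42" in the output is proof that the injected command ran.
$filename = 'harmless.php; echo $((6*7))';

// Vulnerable pattern: the filename is concatenated into the command string,
// so /bin/sh parses every metacharacter the attacker put into it.
function buildLintCommandUnsafe(string $phpPath, string $file): string
{
    return $phpPath . ' -l ' . $file;
}

// Hardened pattern: each externally influenced piece goes through
// escapeshellarg(), which wraps it in single quotes and escapes embedded
// quotes, so the shell hands it to the program as one literal argument.
function buildLintCommandSafe(string $phpPath, string $file): string
{
    return escapeshellarg($phpPath) . ' -l ' . escapeshellarg($file);
}

// Runs a command through the shell and reports whether the marker from the
// injected payload showed up, i.e. whether the injection succeeded.
function payloadExecuted(string $cmd): bool
{
    $out = (string) shell_exec($cmd . ' 2>&1');
    return strpos($out, '42') !== false;
}

$phpPath = PHP_BINARY; // the php interpreter running this script

$unsafe = buildLintCommandUnsafe($phpPath, $filename);
$safe   = buildLintCommandSafe($phpPath, $filename);

echo "unsafe: {$unsafe}\n";
echo "  injected command ran? " . (payloadExecuted($unsafe) ? 'yes' : 'no') . "\n";
echo "safe:   {$safe}\n";
echo "  injected command ran? " . (payloadExecuted($safe) ? 'yes' : 'no') . "\n";
```

Run it with `php` on a POSIX system: the unsafe command prints the lint error for `harmless.php` followed by `42`, while the escaped command only yields a "could not open input file" message for the literal filename. Two caveats for practitioners: escapeshellarg() targets the POSIX shell, and on Windows it quotes with double quotes and replaces `!` and `%` with spaces, so a tool path from user configuration should additionally be validated against an allow-list of known binaries; and on PHP 7.4 or later, proc_open() accepts the command as an array of arguments, which bypasses the shell entirely and removes the escaping problem rather than mitigating it.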

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade php-pear-PHP-CodeSniffer' at the command line.
For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org