php-peg
Secure cli.php to be available from CLI only
php-peg library is included by other projects, for example: https://github.com/maths/moodle-qtype_stack/tree/master/thirdparty/php-peg
In this example, the other library is deployed and available on a web server. This leads to an opportunity to run any PHP script contained there via a web URL, including https://github.com/maths/moodle-qtype_stack/blob/master/thirdparty/php-peg/cli.php.
If register_argc_argv is set in php.ini, then $_SERVER['argv'] is populated with $_GET, so the data could be passed into Compiler::cli( $_SERVER['argv'] ).
I don't think that in the current form cli.php can be exploited in any way, but it may be a good idea to protect this script and make sure it only runs as CLI. This could be done with:
```php
// Stop immediately unless the script was started from the command line.
if (php_sapi_name() != "cli") {
    die();
}
```
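A slightly fuller version of that guard, added here as an example and not part of php-peg itself: it refuses web requests with a 403 before anything reads `$_SERVER['argv']` (which, as noted above, may have been filled from `$_GET` when register_argc_argv is on), and it takes its arguments from `$argv`, which only the CLI SAPI defines. The function names `requireCli` and `cliArguments` are assumed, not php-peg's.

```php
<?php
// Added example prologue for a CLI-only script such as cli.php (assumed
// names; not php-peg's own code). Include it before any use of argv.

/**
 * Abort unless the script was started from the command line.
 * Under a web SAPI, answer 403 and stop. $_SERVER['argv'] is deliberately
 * never consulted here: with register_argc_argv=On it can mirror $_GET.
 */
function requireCli(): void
{
    // PHP_SAPI holds the same value php_sapi_name() returns.
    if (PHP_SAPI !== 'cli') {
        if (!headers_sent()) {
            http_response_code(403);
        }
        exit('This script can only be run from the command line.');
    }
}

/**
 * Return the command-line argument vector (script name at index 0, as
 * Compiler::cli() receives it) once the SAPI check has passed. $argv is
 * only defined by the CLI SAPI, so it cannot come from a query string.
 */
function cliArguments(): array
{
    requireCli();
    global $argv;
    return $argv ?? [];
}

requireCli();
// $args = cliArguments();
// Hand $args to Compiler::cli() as cli.php does, instead of $_SERVER['argv'].
```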