The author of PHPUnit was a bit surprised when he received a mail stating that PHPUnit was a security risk and that attackers could remotely execute PHP code through a file named `eval-stdin.php` that ships with PHPUnit.
```php
// eval-stdin.php: evaluates whatever arrives on the request body as PHP
eval('?>' . \file_get_contents('php://input'));
```
Even though the `eval-stdin.php` file itself was indeed vulnerable, it should never have been actively exploitable because:
- PHPUnit is a dev dependency and should never be installed in production.
- One should never make their `vendor` folder publicly accessible. If it is placed in the web root, use `.htaccess` or the like to prevent direct access to it.
Eventually a fix landed in PHPUnit, accompanied by this nice commit message:
This check should not be required ... yet here it is. If you upload PHPUnit to a production webserver then your deployment process is broken. If your vendor/ directory is publicly accessible on your webserver then your deployment process is broken. *sigh*
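As an added illustration of the kind of guard such a fix needs (example code written for this page, not PHPUnit's actual commit; the `evalStdinAllowed` helper and the CLI-only rule are assumptions), the helper below refuses to evaluate anything unless it was started from the command line, which is the only way PHPUnit itself ever invokes it:

```php
<?php
// Illustration only, not PHPUnit's own code. The original eval-stdin.php
// evaluated the raw request body, so any HTTP request that reached the file
// under a publicly served vendor/ directory could run arbitrary PHP.
//
// The guard decides purely from the SAPI name and whether STDIN exists, so
// it can be unit-tested without touching the real environment.

declare(strict_types=1);

function evalStdinAllowed(string $sapi, bool $stdinDefined): bool
{
    // Only the CLI SAPI (where the STDIN constant is defined) is a
    // legitimate caller. Web SAPIs such as apache2handler, fpm-fcgi or
    // cgi-fcgi are refused regardless of the request.
    return $sapi === 'cli' && $stdinDefined;
}

if (!evalStdinAllowed(PHP_SAPI, defined('STDIN'))) {
    http_response_code(403);
    exit('eval-stdin.php must be run from the command line.');
}

// Reached only from the CLI: behaves as the original helper did.
eval('?>' . \file_get_contents('php://input'));
```

The check is defence in depth only: the deployment fixes in the list above (no dev dependencies in production, no publicly reachable `vendor/`) are what actually keep the file off the web.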