The author of PHPUnit was a bit surprised when he received a mail stating that PHPUnit was a security risk and that attackers could remotely execute PHP code through a file named `eval-stdin.php` that used to ship with PHPUnit.
```php
// eval-stdin.php
eval('?>' . \file_get_contents('php://input'));
```
Even though the `eval-stdin.php` file itself was indeed vulnerable, it should never have been actively exploitable, because:
- PHPUnit is a dev dependency and should never be installed in production.
- One should never make their `vendor` folder publicly accessible. If it is placed in the wwwroot, use `.htaccess` or the like to prevent direct access to it.
Eventually a fix landed in PHPUnit, accompanied by this nice commit message:
> This check should not be required ... yet here it is.
> If you upload PHPUnit to a production webserver then your deployment process is broken.
> If your vendor/ directory is publicly accessible on your webserver then your deployment process is broken.
> *sigh*
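To make the two points concrete, here is an added illustration (my own code, not PHPUnit's actual patch) of the kind of guard the commit refers to: the helper only does its job when PHP was started from the command line, and refuses to run when it has been reached through a web SAPI. The `.htaccess` rule in the comment is the second layer the text recommends, so that the file is never served at all.

```php
<?php
// Added example, not PHPUnit's shipped code. The original one-liner
// evaluates whatever arrives on php://input, so anyone who can reach the
// file over HTTP gets arbitrary code execution on the server.
//
// Layer 1 (this file): only run when invoked from the CLI, which is the only
// context in which a test runner needs it. Under Apache/FPM, PHP_SAPI is
// something like "apache2handler" or "fpm-fcgi" and REQUEST_METHOD is set.
declare(strict_types=1);

if (PHP_SAPI !== 'cli' || isset($_SERVER['REQUEST_METHOD'])) {
    http_response_code(403);
    error_log('eval-stdin.php is a command-line helper and must not be reachable over HTTP');
    exit(1);
}

// On the CLI the code to evaluate comes from standard input, not from an
// HTTP request body.
$code = file_get_contents('php://stdin');
if ($code === false || $code === '') {
    fwrite(STDERR, "no PHP code supplied on stdin\n");
    exit(1);
}

eval('?>' . $code);

// Layer 2 (web server): never serve vendor/ in the first place. Assumed
// Apache 2.4 syntax for a vendor/.htaccess file placed under the wwwroot:
//
//   Require all denied
//
// With that in place the guard above is never even reached from the web.
```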