--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-ca3f01bd37
2017-03-10 09:58:41.332121
--------------------------------------------------------------------------------

Name        : php-pear-PHP-CodeSniffer
Product     : Fedora 25
Version     : 2.8.1
Release     : 1.fc25
URL         : https://pear.php.net/package/PHP_CodeSniffer
Summary     : PHP coding standards enforcement tool
Description :
PHP_CodeSniffer provides functionality to verify that code conforms to
certain standards, such as PEAR, or user-defined.

--------------------------------------------------------------------------------
Update Information:

**Version 2.8.1**

* This release contains a fix for a security advisory related to the improper
  handling of shell commands
    * Uses of shell_exec() and exec() were not escaping filenames and
      configuration settings in most cases
    * A properly crafted filename or configuration option would allow for
      arbitrary code execution when using some features
    * All users are encouraged to upgrade to this version, especially if you
      are checking 3rd-party code
        * e.g., you run PHPCS over libraries that you did not write
        * e.g., you provide a web service that runs PHPCS over user-uploaded
          files or 3rd-party repositories
        * e.g., you allow external tool paths to be set by user-defined values
    * If you are unable to upgrade but you check 3rd-party code, ensure you
      are not using the following features:
        * The diff report
        * The notify-send report
        * The Generic.PHP.Syntax sniff
        * The Generic.Debug.CSSLint sniff
        * The Generic.Debug.ClosureLinter sniff
        * The Generic.Debug.JSHint sniff
        * The Squiz.Debug.JSLint sniff
        * The Squiz.Debug.JavaScriptLint sniff
        * The Zend.Debug.CodeAnalyzer sniff
    * Thanks to Klaus Purer for the report
* The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions
  before 7.2
* PEAR.Functions.FunctionDeclaration now reports an error for blank lines found
  inside a function declaration
* PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank
  lines in a function declaration
* Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for
  blank lines in a function declaration
    * It would previously report that only one argument is allowed per line
* Squiz.Commenting.FunctionComment now corrects multi-line param comment
  padding more accurately
* Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types
* Squiz.Commenting.FunctionComment now works correctly when function return
  types also contain a comment
    * Thanks to Juliette Reinders Folmer for the patch
* Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator
    * As this is not a real PHP operator, it enforces no spaces between ? and :
      when the THEN statement is empty
* Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing
  errors it reports
* Fixed bug #1340 : STDIN file contents not being populated in some cases
    * Thanks to David Biňovec for the patch
* Fixed bug #1344 : PEAR.Functions.FunctionCallSignatureSniff throws error for
  blank comment lines
* Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments
  during fixing
    * Thanks to Algirdas Gurevicius for the patch
* Fixed bug #1349 : Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly
  formatted when string contains a CR newline char
    * Thanks to Algirdas Gurevicius for the patch
* Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using
  namespaces
* Fixed bug #1369 : Empty line in multi-line function declaration causes
  infinite loop
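The shell-handling defect described in the first entry above, as an added illustration that is not PHP_CodeSniffer's own code: a tool path and a filename interpolated raw into a shell command, beside a version that passes every variable part through escapeshellarg() and checks the inputs before calling exec(). The $toolPath and $filename values are constructed for the example.

```php
<?php
// Added example, not PHP_CodeSniffer's own code. The defect class fixed in
// 2.8.1: an external linter path (a user-configurable setting) and a filename
// (taken from the code under check) were built into a shell command without
// escaping, so either value could carry shell syntax into /bin/sh.

// Before: raw interpolation. Any shell metacharacter in either value is
// interpreted by the shell, so a filename is no longer just a filename.
function buildCommandUnsafe(string $toolPath, string $filename): string
{
    return "$toolPath $filename 2>&1";
}

// After: each variable part goes through escapeshellarg(), which wraps the
// value in single quotes and escapes embedded single quotes, so the shell
// receives it as exactly one literal argument whatever it contains.
function buildCommandSafe(string $toolPath, string $filename): string
{
    return escapeshellarg($toolPath) . ' ' . escapeshellarg($filename) . ' 2>&1';
}

// Defensive wrapper: refuse anything that is not an existing regular file
// and an executable tool, then run the escaped command and return its
// output lines and exit status.
function runLinter(string $toolPath, string $filename): array
{
    if (!is_file($filename) || !is_executable($toolPath)) {
        return ['ok' => false, 'output' => [], 'status' => -1];
    }
    $output = [];
    $status = 0;
    exec(buildCommandSafe($toolPath, $filename), $output, $status);
    return ['ok' => $status === 0, 'output' => $output, 'status' => $status];
}

// Constructed inputs: a filename containing a space and a single quote is
// enough to show the difference. The unsafe command splits it into several
// words with an unbalanced quote; the safe one keeps it as one argument.
$toolPath = '/usr/local/bin/jshint'; // assumed tool location
$filename = "lib/it's a file.js";

echo buildCommandUnsafe($toolPath, $filename), PHP_EOL;
echo buildCommandSafe($toolPath, $filename), PHP_EOL;
```

The same rule applies to every configurable tool path the listed sniffs invoke: treat the value as data, never as part of the command text.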
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade php-pear-PHP-CodeSniffer' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
