From 68d62e670f9ccc24572f110e6c0f2e0643476678 Mon Sep 17 00:00:00 2001
From: Steve Kamerman
Date: Mon, 20 May 2013 22:46:14 -0400
Subject: [PATCH 1/2] Sanitize filenames before executing shell_exec
---
 console | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/console b/console
index f62a3aac..4a0c8120 100755
--- a/console
+++ b/console
@@ -16,11 +16,11 @@ define('PHPCI_DIR', dirname(__FILE__) . '/');
 if (!file_exists(PHPCI_DIR . 'vendor/autoload.php') || !file_exists(PHPCI_DIR . 'composer.phar')) {
 print 'INSTALLING: Composer' . PHP_EOL;
 file_put_contents(PHPCI_DIR . 'composerinstaller.php', file_get_contents('https://getcomposer.org/installer'));
- shell_exec('php ' . PHPCI_DIR . 'composerinstaller.php');
+ shell_exec('php ' . escapeshellarg(PHPCI_DIR . 'composerinstaller.php'));
 unlink(PHPCI_DIR . 'composerinstaller.php');
 print 'RUNNING: Composer' . PHP_EOL;
- shell_exec('php '.PHPCI_DIR.'composer.phar install');
+ shell_exec('php '.escapeshellarg(PHPCI_DIR.'composer.phar').' install');
 }
 require('bootstrap.php');
From c38b2c72687745959a0d6f573bcda72d4e88f9f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Cianfarani?=
Date: Tue, 21 May 2013 10:42:02 +0200
Subject: [PATCH 2/2] Add info in Pre-requisites section Php-openssl must be available because of file_get_contents("https:...") calls during the install.
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8c1f44c2..fe84080d 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,8 @@ _**Please be aware that this is a brand new project, in an alpha state, so there
 * PHP 5.3.3+
 * A web server. We prefer nginx.
 * A MySQL server to connect to (doesn't have to be on the same server.)
-* PHPCI needs to be able to run `exec()`, so make sure this is not disabled.
+* PHPCI needs to be able to run `exec()`, so make sure this is not disabled
+* Php-openssl must be available.
 ####Installing from Github:
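Review bot: Quoting the path does not change what gets run: in the `console` hunk the script fetched by `file_get_contents('https://getcomposer.org/installer')` is still written to disk and handed to `php` with no check that the download succeeded or that its content is the installer the project expects. On the PHP 5.3 line named in the README, the https stream wrapper does not verify the server certificate unless a stream context enables it, so the transport alone is not an integrity guarantee. I would fail closed before the first `shell_exec`, as sketched below with a placeholder digest constant that the project would have to pin and keep current. The results of both `shell_exec` calls are also discarded, so a failed install falls through to `require('bootstrap.php')`.

```php
    $installer = file_get_contents('https://getcomposer.org/installer');
    // PINNED_INSTALLER_SHA256 is a placeholder: a digest the project records for the installer it has reviewed.
    if ($installer === false || hash('sha256', $installer) !== PINNED_INSTALLER_SHA256) {
        fwrite(STDERR, 'Composer installer download failed or did not match the pinned digest' . PHP_EOL);
        exit(1);
    }
    file_put_contents(PHPCI_DIR . 'composerinstaller.php', $installer);
    // … unchanged: shell_exec of the installer, unlink, composer.phar install …
```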