Security Advisory
- This release contains a fix for a security advisory related to the improper handling of shell commands
    - Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
    - A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
    - All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
        - e.g., you run PHPCS over libraries that you did not write
        - e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
        - e.g., you allow external tool paths to be set by user-defined values
    - If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
        - The diff report
        - The notify-send report
        - The Generic.PHP.Syntax sniff
        - The Generic.Debug.CSSLint sniff
        - The Generic.Debug.ClosureLinter sniff
        - The Generic.Debug.JSHint sniff
        - The Squiz.Debug.JSLint sniff
        - The Squiz.Debug.JavaScriptLint sniff
        - The Zend.Debug.CodeAnalyzer sniff
    - Thanks to Klaus Purer for the report
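The bug class behind the advisory, shown as an added illustration that is not code from PHP_CodeSniffer: a hypothetical sniff hands a file path and a tool path to an external linter, first by interpolating them into the command string (the unescaped pattern) and then through escapeshellarg(), which is the fix. It assumes a POSIX shell and a writable temp directory; "php -l" stands in for the external tool.

```php
<?php
// Added example, not PHP_CodeSniffer code. lintUnsafe/lintSafe are hypothetical.

// Unescaped pattern: the file name and tool path go straight into the command
// string, so any shell metacharacters they contain are interpreted by /bin/sh.
function lintUnsafe(string $toolPath, string $filename): string
{
    $cmd = "$toolPath -l $filename 2>&1";
    return (string) shell_exec($cmd);
}

// Hardened pattern: every untrusted value (tool path and file name alike) is
// wrapped by escapeshellarg(), so each is delivered as exactly one argument.
function lintSafe(string $toolPath, string $filename): string
{
    $cmd = escapeshellarg($toolPath) . ' -l ' . escapeshellarg($filename) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// Constructed input: a real file whose *name* contains a shell separator
// followed by a harmless marker command. On disk it is just an odd file name.
$dir = sys_get_temp_dir() . '/phpcs-escape-demo';
@mkdir($dir);
$marker   = "$dir/marker.txt";
$filename = "$dir/a.php; touch $marker";
file_put_contents($filename, "<?php echo 'ok';\n");

// With the unescaped pattern the shell splits the name at ';' and runs the
// second part, so the marker file appears.
@unlink($marker);
lintUnsafe('php', $filename);
echo 'unescaped: marker ', file_exists($marker) ? 'created' : 'absent', "\n";

// With escapeshellarg() the whole name is one quoted argument: php -l checks
// the file that really exists and no marker is created.
@unlink($marker);
lintSafe('php', $filename);
echo 'escaped:   marker ', file_exists($marker) ? 'created' : 'absent', "\n";

// Clean up the constructed files.
@unlink($marker);
@unlink($filename);
@rmdir($dir);
```

The same rule applies to configuration values such as user-settable tool paths: anything that reaches shell_exec() or exec() from outside the program is an argument to escape, never a string to interpolate.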
Other Changes
- The indent property of PEAR.Classes.ClassDeclaration has been removed
    - Instead of calculating the indent of the brace, it just ensures the brace is aligned with the class keyword
    - Other sniffs can be used to ensure the class itself is indented correctly
- Invalid exclude rules inside a ruleset.xml file are now ignored instead of potentially causing out of memory errors
    - Using the -vv command line argument now also shows the invalid exclude rule as XML
- Includes all changes from the 2.8.1 release
- Fixed bug #1333 : The new autoloader breaks some frameworks with custom autoloaders
- Fixed bug #1334 : Undefined offset when explaining standard with custom sniffs