- Snyk ID SNYK-PHP-CZPROJECTGITPHP-2421349
- published 25 Apr 2022
- disclosed 11 Mar 2022
- credit Alessio Della Libera of Snyk Research Team
How to fix?
Upgrade czproject/git-php to version 4.0.3 or higher.
czproject/git-php is a PHP library for working with Git repositories.
Affected versions of this package are vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that allows additional flags to be set. These additional flags can be used to perform a command injection.
```php
<?php
require('./vendor/autoload.php');

$git = new CzProject\GitPhp\Git;

// A URL that git ls-remote parses as an option rather than a repository.
$url = "--upload-pack=touch ./HELLO";
$git->isRemoteUrlReadable($url, ["refs"]);
?>
```
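The guard below is an added example, not code from czproject/git-php: it shows how a caller can validate the $url and $refs values before they reach git ls-remote, rejecting anything git could read as an option and placing the end-of-options marker ahead of the positional arguments. The scheme whitelist and the function names are assumptions for illustration.

```php
<?php
// Added example (not the library's own code). Assumption: the application
// only needs http(s):// or ssh:// remotes, so everything else is refused.

/**
 * Reject any value that git could interpret as an option instead of a
 * positional argument. Git options start with '-', so a remote URL or
 * ref name beginning with '-' is never legitimate input here.
 */
function isSafeGitArgument(string $value): bool
{
    if ($value === '' || $value[0] === '-') {
        return false;
    }
    // NUL bytes and line breaks have no place in a URL or ref name.
    if (preg_match('/[\x00\r\n]/', $value) === 1) {
        return false;
    }
    return true;
}

/**
 * Only accept remote URLs with an explicit, expected scheme. This also
 * excludes remote helpers such as ext:: that would run a local command.
 */
function isAllowedRemoteUrl(string $url): bool
{
    return isSafeGitArgument($url)
        && preg_match('#^(https?|ssh)://\S+$#', $url) === 1;
}

/**
 * Build the argument vector for `git ls-remote` with the '--' separator,
 * so nothing after it is parsed as a flag. Returns null on invalid input.
 */
function buildLsRemoteArgv(string $url, array $refs = []): ?array
{
    if (!isAllowedRemoteUrl($url)) {
        return null;
    }
    foreach ($refs as $ref) {
        if (!isSafeGitArgument((string) $ref)) {
            return null;
        }
    }
    return array_merge(['git', 'ls-remote', '--', $url], array_map('strval', $refs));
}

// Constructed inputs: the advisory's payload is refused, a normal remote passes.
var_dump(buildLsRemoteArgv('--upload-pack=touch ./HELLO', ['refs']));
var_dump(buildLsRemoteArgv('https://example.com/repo.git', ['HEAD']));
```

Validation belongs in the caller regardless of the library version, since the library cannot know which remotes the application considers legitimate.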