
3.0.0RC4

Pre-release
gsherwood released this 01 Mar 22:42 (2951 commits to master since this release)

Security Advisory

  • This release contains a fix for a security advisory related to the improper handling of shell commands
    • Calls to shell_exec() and exec() did not escape filenames and configuration settings in most cases
    • A crafted filename or configuration value could therefore inject arbitrary shell commands when one of the affected features was used
    • All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
      • e.g., you run PHPCS over libraries that you did not write
      • e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
      • e.g., you allow external tool paths to be set by user-defined values
    • If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
      • The diff report
      • The notify-send report
      • The Generic.PHP.Syntax sniff
      • The Generic.Debug.CSSLint sniff
      • The Generic.Debug.ClosureLinter sniff
      • The Generic.Debug.JSHint sniff
      • The Squiz.Debug.JSLint sniff
      • The Squiz.Debug.JavaScriptLint sniff
      • The Zend.Debug.CodeAnalyzer sniff
    • Thanks to Klaus Purer for the report
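The following is an added example, not PHP_CodeSniffer's own code, showing the bug class the advisory describes and the fix pattern: a filename taken from the checked code base and a tool path taken from a configuration setting reach shell_exec() once unescaped and once escaped. It assumes a POSIX shell with /bin/echo standing in for the external linter; the crafted filename is constructed for the demonstration, and runToolUnsafe/runToolSafe are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not PHP_CodeSniffer code. Reproduces the class of bug from the
// advisory: a filename and a configurable tool path reach shell_exec() without
// escaping. Assumes a POSIX shell and /bin/echo standing in for the external
// linter. The crafted filename below is constructed for the demonstration.

// VULNERABLE pattern: raw interpolation into the command string. Any shell
// metacharacter in $filename (or $toolPath) changes what the shell runs.
function runToolUnsafe(string $toolPath, string $filename): string
{
    $cmd = $toolPath . ' ' . $filename . ' 2>&1';
    return (string) shell_exec($cmd);
}

// HARDENED pattern: the tool path is resolved and checked before it is trusted,
// and every argument is wrapped in escapeshellarg(), so the shell receives each
// value as one literal argument regardless of its contents.
function runToolSafe(string $toolPath, string $filename): string
{
    $resolved = realpath($toolPath);
    if ($resolved === false || !is_file($resolved) || !is_executable($resolved)) {
        throw new RuntimeException('Tool path is not an executable file: ' . $toolPath);
    }
    if (!is_file($filename)) {
        throw new RuntimeException('Not a regular file: ' . $filename);
    }
    $cmd = escapeshellarg($resolved) . ' ' . escapeshellarg($filename) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// Constructed sample: a filename that carries a second shell command.
$crafted = sys_get_temp_dir() . '/a.js; echo INJECTED #';
if (file_put_contents($crafted, "var x = 1;\n") === false) {
    fwrite(STDERR, "could not create sample file\n");
    exit(1);
}

try {
    echo "unsafe: ", runToolUnsafe('/bin/echo', $crafted);
    echo "safe:   ", runToolSafe('/bin/echo', $crafted);
} finally {
    unlink($crafted);
}
```

With the constructed name, the unsafe call hands the shell the string `/bin/echo <tmpdir>/a.js; echo INJECTED # 2>&1`, which is two commands, the second of them attacker-chosen; the hardened call hands it `'/bin/echo' '<tmpdir>/a.js; echo INJECTED #' 2>&1`, one command with one literal argument. Escaping alone does not make a user-supplied tool path safe to trust, which is why the path is resolved and checked before use, and escapeshellcmd() is not a substitute for escapeshellarg() here, since it neutralises metacharacters across a whole command line but still lets an attacker add extra arguments.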

Other Changes

  • The indent property of PEAR.Classes.ClassDeclaration has been removed
    • Instead of calculating the indent of the brace, it just ensures the brace is aligned with the class keyword
    • Other sniffs can be used to ensure the class itself is indented correctly
  • Invalid exclude rules inside a ruleset.xml file are now ignored instead of potentially causing out of memory errors
    • Using the -vv command line argument now also shows the invalid exclude rule as XML
  • Includes all changes from the 2.8.1 release
  • Fixed bug #1333 : The new autoloader breaks some frameworks with custom autoloaders
  • Fixed bug #1334 : Undefined offset when explaining standard with custom sniffs