Prevent the settings phan.phpExecutablePath, phan.phanScriptPath,
phan.analyzedProjectDirectory, phan.additionalCLIFlags,
and phan.connectToServerWithStdio from being overridden in VS Code workspace or folder settings.
(i.e. configure them with "scope": "machine" for https://github.com/microsoft/vscode/blob/1.55.2/src/vs/workbench/api/common/configurationExtensionPoint.ts#L50-L55) (CVE-2021-31416)
(checking in connectToServerWithStdio in workspace settings is harmless
but may break the workflows of other developers working on different machines.)
(vscode-php-phan is only intended for use with projects that a developer
has manually trusted and enabled through analyzedProjectDirectory,
although more convenient ways to securely trust php projects may be added
in the future (e.g. using Memento).
This is because phan allows executable paths or executable PHP code in
third party plugins and InvokePHPNativeSyntaxCheckPlugin,
as well as phan config files and due to certain CLI flags and config settings.)
The VS Code extension version can be
downgraded to 3.0.0 if you rely on the ability to set those workspace settings.
Fixes CVE-2021-31416
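As an added example (not code from the vscode-php-phan project), a small Node.js check over an extension manifest's `contributes.configuration` section that lists which settings a workspace or folder settings.json can still override; the VS Code scope semantics it encodes and the two manifest fragments are assumptions constructed for the example.

```javascript
// Added example, not code from the vscode-php-phan project. Given an
// extension manifest's `contributes.configuration` section, list the settings
// that a workspace or folder settings.json can still override.
//
// VS Code scope semantics assumed here: "application" and "machine" cannot be
// set from workspace/folder settings; "machine-overridable", "window",
// "resource" and "language-overridable" can; an omitted scope means "window".
const WORKSPACE_OVERRIDABLE = new Set([
  'machine-overridable', 'window', 'resource', 'language-overridable',
]);

// `contributes.configuration` is either one object or an array of objects,
// each with a `properties` map of setting name -> definition.
function collectProperties(configuration) {
  const blocks = Array.isArray(configuration) ? configuration : [configuration];
  return Object.assign({}, ...blocks.map((b) => b.properties || {}));
}

// Names of settings whose declared scope still allows workspace/folder overrides.
function workspaceOverridable(configuration) {
  return Object.entries(collectProperties(configuration))
    .filter(([, def]) => WORKSPACE_OVERRIDABLE.has(def.scope || 'window'))
    .map(([name]) => name)
    .sort();
}

// Constructed manifest fragments for the five settings named in the commit:
// `before` leaves scope unset (so it defaults to "window"); `after` pins
// each setting to "machine", which is the fix the commit describes.
const SENSITIVE = [
  'phan.phpExecutablePath', 'phan.phanScriptPath',
  'phan.analyzedProjectDirectory', 'phan.additionalCLIFlags',
  'phan.connectToServerWithStdio',
];
const before = {
  properties: Object.fromEntries(SENSITIVE.map((n) => [n, {}])),
};
const after = {
  properties: Object.fromEntries(SENSITIVE.map((n) => [n, { scope: 'machine' }])),
};

console.log('overridable before fix:', workspaceOverridable(before));
console.log('overridable after fix:', workspaceOverridable(after));
```

Note that `"machine-overridable"` is not a fix here: it still permits workspace and folder overrides, so the check reports it.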
Update Phan from 4.0.2 to 4.0.4