ezyang / htmlpurifier

Standards compliant HTML filter written in PHP
http://htmlpurifier.org
GNU Lesser General Public License v2.1

Command injection vulnerabilities #192

Closed chalbert-edr closed 5 years ago

chalbert-edr commented 5 years ago

There were a couple of vulnerabilities found during a scan of htmlpurifier pertaining to command injection. While these may not be vulnerabilities with the src, we can remove these flags safely and thus make this package secure in the eyes of security experts.

These permit command injection:

There are a few options for addressing this: whitelist commands, remove, refactor the code, or a combination.

chalbert-edr commented 5 years ago

Here's a PR with the changes: https://github.com/ezyang/htmlpurifier/pull/193

ezyang commented 5 years ago

I replaced flush.php with a shell script, and renamed release1-update.php without a php extension, for defense in depth. (I don't think there was actually any vulnerability.)