Closed chalbert-edr closed 5 years ago
Here's a PR with the changes: https://github.com/ezyang/htmlpurifier/pull/193
I replaced flush.php with a shell script, and renamed release1-update.php without a php extension, for defense in depth. (I don't think there was actually any vulnerability.)
There were a couple of vulnerabilities found during a scan of htmlpurifier pertaining to command injection. While these may not be vulnerabilities with the src, we can remove these flags safely, thereby making this package secure in the eyes of security experts.
These permit command injection:
There are a few options for addressing this: whitelist commands, remove, refactor the code, or a combination.
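The "whitelist commands" option listed above, as an added example that is not code from htmlpurifier or from the PR linked in this thread: a PHP helper that can only run commands named in a fixed table and escapes every caller-supplied argument, shown next to the string-interpolation pattern that static scanners flag. The function names, the command table and the sample arguments are hypothetical.

```php
<?php
// Added example (not htmlpurifier's code, nor the linked PR): the
// "whitelist commands" option from the issue, next to the pattern a
// static scanner flags. Function names, the command table and the
// sample arguments below are hypothetical.

// The flagged pattern: caller data is interpolated into a shell string.
// With $dir = 'build; id' the shell also runs `id`.
function listDirUnsafe(string $dir): string
{
    return (string) shell_exec("ls -la $dir 2>&1");
}

/**
 * Hardened form: only commands named in the fixed table run, every
 * argument is escaped with escapeshellarg(), and arguments that look
 * like options are rejected (escapeshellarg() quotes shell
 * metacharacters but does not stop "-rf" being parsed as a flag).
 *
 * @param string   $name key into the allowlist, e.g. 'list-dir'
 * @param string[] $args positional arguments supplied by the caller
 * @return array{0:int,1:string} exit status and combined stdout/stderr
 */
function runAllowed(string $name, array $args = []): array
{
    // argv[0] and fixed flags live here; nothing in $args can change them.
    $allowlist = [
        'list-dir'   => ['ls', '-la', '--'],   // '--' ends option parsing
        'php-lint'   => ['php', '-l'],
        'git-status' => ['git', 'status', '--short'],
    ];
    if (!array_key_exists($name, $allowlist)) {
        throw new InvalidArgumentException("command not in allowlist: $name");
    }
    $words = $allowlist[$name];
    foreach ($args as $arg) {
        if (!is_string($arg) || $arg === ''
            || $arg[0] === '-' || strpbrk($arg, "\0\r\n") !== false) {
            throw new InvalidArgumentException(
                'rejected argument: ' . var_export($arg, true)
            );
        }
        $words[] = $arg;
    }
    // escapeshellarg() wraps each word in single quotes and escapes any
    // embedded quote, so "build; id" reaches ls as one literal file name.
    $cmd = implode(' ', array_map('escapeshellarg', $words)) . ' 2>&1';
    exec($cmd, $lines, $status);
    return [$status, implode("\n", $lines)];
}

// Usage (CLI only): the injection attempt becomes a harmless file name,
// and an option-looking argument is refused before any shell is involved.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    [$status, $out] = runAllowed('list-dir', ['build; id']);
    echo "exit=$status\n$out\n";   // ls complains about a missing file; `id` never runs
    try {
        runAllowed('list-dir', ['-rf']);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The table pins argv[0] and its flags, so the only caller-controlled data is positional arguments; escapeshellarg() handles shell metacharacters, and the leading-dash check covers the option-injection case that quoting alone does not. On Windows escapeshellarg() quotes differently, so the same helper should be re-checked there before relying on it.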