CVE-2020-15227 nette/application RCE in-place patch
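<?php
# In-place apply the CVE-2020-15227 nette/application patch
# This is a universal patcher for all affected versions.
# Run with `php patch-CVE-2020-15227.php`
# Inspiration: @spazef0rze
#
# Operator notes:
# - This edits installed library code in place. Treat it as a stop-gap: a
#   dependency reinstall is likely to restore the unpatched file, so plan an
#   upgrade to a fixed nette/application release as well.
# - Matching is an exact string comparison. A MicroPresenter.php whose guard
#   line is formatted differently is NOT patched; it is reported below so it
#   can be reviewed by hand instead of being silently skipped.
# - A copy of the pre-patch source is left next to each patched file with the
#   suffix "-nette-autoupdate-backup". Remove it, or make sure it is not in a
#   web-served directory, once the patch has been verified.
# - Syntax is kept conservative on purpose so the script can run on the older
#   PHP runtimes that legacy installs may still use.

$dir = __DIR__;
$iterator = new RecursiveDirectoryIterator($dir);
$iterator = new RecursiveIteratorIterator($iterator);

// The unguarded check as it appears in affected files, and its replacement,
// which additionally requires the 'callback' parameter to be a real Closure.
$vulnerableLine = 'if (!isset($params[\'callback\'])) {';
$patchedLine = 'if (!isset($params[\'callback\']) || !$params[\'callback\'] instanceof \Closure) { // patched to fix CVE-2020-15227';
// Trailing comment written by this script; used to recognise earlier runs.
$marker = 'patched to fix CVE-2020-15227';

$seenCount = 0;
$patchedCount = 0;
$failedCount = 0;

// find all MicroPresenter.php files
foreach ($iterator as $file) {
    if (!$file->isFile() || $file->getFilename() !== 'MicroPresenter.php') {
        continue;
    }
    $seenCount++;
    $path = (string) $file;

    // A failed read returns false. Without this check the empty result of
    // str_replace() would be written back and truncate the file.
    $orig = file_get_contents($path);
    if ($orig === false) {
        echo "error: cannot read $path\n";
        $failedCount++;
        continue;
    }

    // apply patch to code
    $patched = str_replace($vulnerableLine, $patchedLine, $orig);
    if ($orig === $patched) {
        if (strpos($orig, $marker) !== false) {
            echo "already patched: $path\n";
        } else {
            // Either fixed upstream or laid out differently: needs a human look.
            echo "not matched (verify manually): $path\n";
        }
        continue;
    }

    // create a backup file with a suffix; never touch the original unless
    // the backup was written completely
    $backup = $path . '-nette-autoupdate-backup';
    if (file_put_contents($backup, $orig) !== strlen($orig)) {
        echo "error: cannot write backup $backup, original left untouched\n";
        $failedCount++;
        continue;
    }

    // replace original file
    if (file_put_contents($path, $patched) !== strlen($patched)) {
        echo "error: cannot write $path, restore from $backup if it is damaged\n";
        $failedCount++;
        continue;
    }

    $patchedCount++;
    echo "patched: $path\n";
}

echo "done: $seenCount MicroPresenter.php file(s) found, $patchedCount patched, $failedCount failed\n";

// Non-zero exit status lets deployment tooling notice an incomplete run.
if ($failedCount > 0) {
    exit(1);
}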