Skip to content

Instantly share code, notes, and snippets.

Last active December 22, 2020 16:28
What would you like to do?
CVE-2020-15227 nette/application RCE in-place patch
# In-place apply the CVE-2020-15227 nette/application patch
# This is a universal patcher for all affected versions.
# Run with `php patch-CVE-2020-15227.php`
# Inspiration: @spazef0rze
$dir = __DIR__;
$iterator = new RecursiveDirectoryIterator($dir);
$iterator = new RecursiveIteratorIterator($iterator);
// find all MicroPresenter.php files
foreach ($iterator as $file) {
if ($file->getFileName() !== 'MicroPresenter.php') {
$orig = file_get_contents((string) $file);
// apply patch to code
$patched = str_replace(
'if (!isset($params[\'callback\'])) {',
'if (!isset($params[\'callback\']) || !$params[\'callback\'] instanceof \Closure) { // patched to fix CVE-2020-15227',
if ($orig === $patched) {
// create a backup file with a suffix
file_put_contents("$file-nette-autoupdate-backup", $orig);
// replace original file
file_put_contents((string) $file, $patched);
echo "patched: $file\n";
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment