Last active: May 20, 2021 16:34
CVE-2020-15227 nette/application RCE in-place patch
find-cve-2020-15227.sh:

```bash
#!/bin/bash
# Find files affected by the CVE-2020-15227 nette/application issue
# by @spazef0rze
# Run with `bash find-cve-2020-15227.sh`, works on Linux, FreeBSD, tested on Ubuntu 18.04, FreeBSD 11.4
# This is a universal finder for all affected versions.
# Requirements: find, grep, bash (might work with your default shell but YMMV)
# The fixes:
# https://github.com/nette/application/compare/v3.0.5...v3.0.6#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.4.15...v2.4.16#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.3.13...v2.3.14#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.2.9...v2.2.10#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/nette/compare/v2.1.12...v2.1.13#diff-0886800d8d2410f8fcffea5b2e996ee7
# https://github.com/nette/nette/compare/v2.0.18...v2.0.19#diff-0886800d8d2410f8fcffea5b2e996ee7
# The steps:
#  find the file
#  check if it has the code to be fixed, search for `if (!isset($params['callback'])) {`
#  echo the filename if yes
find . \
  -name MicroPresenter.php \
  -exec grep --silent "^[[:space:]]\+if (\!isset(\$params\['callback'\])) {" {} \; \
  -exec echo {} \;
```
update-cve-2020-15227.sh:

```bash
#!/bin/bash
# In-place apply the CVE-2020-15227 nette/application patch
# by @spazef0rze
# Run with `bash update-cve-2020-15227.sh`, works on Linux, FreeBSD, tested on Ubuntu 18.04, FreeBSD 11.4
# This is a universal patcher for all affected versions.
# Requirements: find, grep, sed, bash (might work with your default shell but YMMV)
# The fixes:
# https://github.com/nette/application/compare/v3.0.5...v3.0.6#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.4.15...v2.4.16#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.3.13...v2.3.14#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.2.9...v2.2.10#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/nette/compare/v2.1.12...v2.1.13#diff-0886800d8d2410f8fcffea5b2e996ee7
# https://github.com/nette/nette/compare/v2.0.18...v2.0.19#diff-0886800d8d2410f8fcffea5b2e996ee7
# The steps:
#  find the file (same as in the "find" script)
#  check if it has the code to be fixed, search for `if (!isset($params['callback'])) {` (same as in the "find" script)
#  echo the filename if yes (same as in the "find" script)
#  create a backup file with a suffix, will create `MicroPresenter.php-nette-autoupdate-backup.<random digits>`
#  replace the code above with `$callback = isset($params['callback']) ? $params['callback'] : null; if (!$callback instanceof \Closure) {`
#  replace the error message because why not
#  ...
#  PROFIT!
# I love escaping single quotes inside single-quoted strings, '"'"' FTW HAHAHA NO
find . \
  -name MicroPresenter.php \
  -exec grep --silent "^[[:space:]]\+if (\!isset(\$params\['callback'\])) {" {} \; \
  -exec echo {} \; \
  -exec sed -i"-nette-autoupdate-backup.$RANDOM" 's/if (!isset($params\['"'"'callback'"'"'\])) {/$callback = isset($params\['"'"'callback'"'"'\]) ? $params\['"'"'callback'"'"'\] : null;\
if (!$callback instanceof \\Closure) { \/\/ patched to fix CVE-2020-15227/; s/Parameter callback is missing./Parameter callback is not a valid closure./' {} \;
```
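Before running the patcher against a real tree, it is worth proving that the find/grep/sed chain actually rewrites the vulnerable check and leaves a backup behind. The following self-test is an added example, not part of the gist: it builds a constructed, cut-down `MicroPresenter.php` fragment in a temporary directory, applies the gist's sed program, and re-scans with the same grep pattern. The grep regex is rewritten in POSIX BRE (`\{1,\}` instead of GNU `\+`, no `\!`), the backup suffix is fixed rather than `$RANDOM`, and the script assumes POSIX sh with find, grep, sed and a `mktemp` that needs no template (GNU/Linux); `run()`, `count_matching`, `patch_tree` and `selftest` are names chosen here.

```shell
# Added example, not from the gist: self-test for the in-place patch. Writes a constructed
# vulnerable MicroPresenter.php into a temp tree, runs the gist's find/grep/sed, re-scans.
# POSIX BRE form of the gist's grep pattern (\{1,\} instead of GNU \+, no \!).
VULN_RE="^[[:space:]]\{1,\}if (!isset(\$params\['callback'\])) {"
BACKUP_SUFFIX="-nette-autoupdate-backup"   # fixed suffix: POSIX sh has no $RANDOM
# Constructed fixture shaped like the vulnerable check; not the real Nette class.
make_fixture() {
    mkdir -p "$1/vendor/nette/application/src/Application/UI"
    cat > "$1/vendor/nette/application/src/Application/UI/MicroPresenter.php" <<'EOF'
<?php
function run(array $params)
{
    if (!isset($params['callback'])) {
        throw new InvalidStateException('Parameter callback is missing.');
    }
    $callback = $params['callback'];
    return $callback($params);
}
EOF
}
# Count MicroPresenter.php files under $1 whose content matches BRE $2.
count_matching() {
    find "$1" -name MicroPresenter.php -exec grep -q "$2" {} \; -print | wc -l | tr -d ' '
}
# Apply the gist's patch under $1, printing each patched path and keeping a backup.
# The sed program sits in a file to sidestep the '"'"' quoting; backslash-newline
# inserts the line break portably (BSD sed has no \n in replacements).
patch_tree() {
    script=$(mktemp)
    cat > "$script" <<'EOF'
s/if (!isset($params\['callback'\])) {/$callback = isset($params\['callback'\]) ? $params\['callback'\] : null;\
if (!$callback instanceof \\Closure) { \/\/ patched to fix CVE-2020-15227/
s/Parameter callback is missing./Parameter callback is not a valid closure./
EOF
    find "$1" -name MicroPresenter.php -exec grep -q "$VULN_RE" {} \; \
        -exec sed -i"$BACKUP_SUFFIX" -f "$script" {} \; -print
    rm -f "$script"
}
# End-to-end run; echoes "<vulnerable before> <vulnerable after> <patched> <backups>".
selftest() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    before=$(count_matching "$tmp" "$VULN_RE")
    patch_tree "$tmp" >/dev/null
    after=$(count_matching "$tmp" "$VULN_RE")
    fixed=$(count_matching "$tmp" 'instanceof \\Closure')
    backups=$(find "$tmp" -name "MicroPresenter.php$BACKUP_SUFFIX" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$before $after $fixed $backups"   # expect: 1 0 1 1
}
```

Running `selftest` on a tree where the check is absent prints `0 0 0 0`, which is also the result you want from a second run on an already patched tree: the patcher is idempotent because the grep guard no longer matches.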
If you remove the extra `\` at the end in update.sh, then it works on FreeBSD with the built-in /bin/sh shell (and there is no need for bash). With the exception that $RANDOM won't work, but I don't care.
Works on FreeBSD 12.1 as well.
Thanks @mariancerny. I've removed the extra backslash, it wasn't there originally (there was one extra `-exec`, after the `-exec sed` one, without the trailing backslash). I've added a note that it might work with the default shell, and I'll leave the bash requirement there.
PHP version by @dg here https://gist.github.com/dg/be0f26b31be15a2f1b1208a1714bf415