CVE-2020-15227 nette/application RCE in-place patch

find-cve-2020-15227.sh

#!/bin/bash
# Find files in CVE-2020-15227 nette/application issue
# by @spazef0rze
# Run with `bash find-cve-2020-15227.sh`, works on Linux, FreeBSD, tested on Ubuntu 18.04, FreeBSD 11.4

# This is a universal finder for all affected versions.

# Requirements: find, grep, bash (might work with your default shell but YMMV)

# The fixes:
# https://github.com/nette/application/compare/v3.0.5...v3.0.6#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.4.15...v2.4.16#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.3.13...v2.3.14#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.2.9...v2.2.10#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/nette/compare/v2.1.12...v2.1.13#diff-0886800d8d2410f8fcffea5b2e996ee7
# https://github.com/nette/nette/compare/v2.0.18...v2.0.19#diff-0886800d8d2410f8fcffea5b2e996ee7

# The steps:
# find the file
# check if it has the code to be fixed, search for `if (!isset($params['callback'])) {`
# echo the filename if yes

find . \
-name MicroPresenter.php \
-exec grep --silent "^[[:space:]]\+if (\!isset(\$params\['callback'\])) {" {} \; \
-exec echo {} \;

update-cve-2020-15227.sh

#!/bin/bash
# In-place apply the CVE-2020-15227 nette/application patch
# by @spazef0rze
# Run with `bash update-cve-2020-15227.sh`, works on Linux, FreeBSD, tested on Ubuntu 18.04, FreeBSD 11.4

# This is a universal patcher for all affected versions.

# Requirements: find, grep, sed, bash (might work with your default shell but YMMV)

# The fixes:
# https://github.com/nette/application/compare/v3.0.5...v3.0.6#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.4.15...v2.4.16#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.3.13...v2.3.14#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/application/compare/v2.2.9...v2.2.10#diff-3206dd78561d1e8268bc318718c02134
# https://github.com/nette/nette/compare/v2.1.12...v2.1.13#diff-0886800d8d2410f8fcffea5b2e996ee7
# https://github.com/nette/nette/compare/v2.0.18...v2.0.19#diff-0886800d8d2410f8fcffea5b2e996ee7

# The steps:
# find the file (same as in the "find" script)
# check if it has the code to be fixed, search for `if (!isset($params['callback'])) {` (same as in the "find" script)
# echo the filename if yes (same as in the "find" script)
# create a backup file with a suffix, will create `MicroPresenter.php-nette-autoupdate-backup.<random digits>`
# replace the code above with `$callback = isset($params['callback']) ? $params['callback'] : null; if (!$callback instanceof \Closure) {`
# replace the error message because why not
# ...
# PROFIT!
# I love escaping single quotes inside single-quoted strings, '"'"' FTW HAHAHA NO

find . \
-name MicroPresenter.php \
-exec grep --silent "^[[:space:]]\+if (\!isset(\$params\['callback'\])) {" {} \; \
-exec echo {} \; \
-exec sed -i"-nette-autoupdate-backup.$RANDOM" 's/if (!isset($params\['"'"'callback'"'"'\])) {/$callback = isset($params\['"'"'callback'"'"'\]) ? $params\['"'"'callback'"'"'\] : null;\ if (!$callback instanceof \\Closure) { \/\/ patched to fix CVE-2020-15227/; s/Parameter callback is missing./Parameter callback is not a valid closure./' {} \;

PHP version by @dg here https://gist.github.com/dg/be0f26b31be15a2f1b1208a1714bf415

If you remove the extra \ at the end in update.sh, then it works on FreeBSD with the built in /bin/sh shell (and there is no need for bash). With the exception that $RANDOM won't work, but I don't care.
Works on FreeBSD 12.1 as well.

Thanks @mariancerny. I've removed the extra backslash, it wasn't there originally (there was one extra -exec, after the -exec sed one, without the trailing backslash). I've added a note that it might work with the default shell, and I'll leave the bash requirement there.

👍