Last active January 2, 2025 00:11
CVE-2020-15227 nette/application RCE in-place patch
# Find files in CVE-2020-15227 nette/application issue
# by @spazef0rze
# Run with `bash`, works on Linux, FreeBSD, tested on Ubuntu 18.04, FreeBSD 11.4
# This is a universal finder for all affected versions.
# Requirements: find, grep, bash (might work with your default shell but YMMV)
# The fixes:
# The steps:
# find the file
# check if it has the code to be fixed, search for `if (!isset($params['callback'])) {`
# echo the filename if yes
find . \
-name MicroPresenter.php \
-exec grep --silent "^[[:space:]]\+if (\!isset(\$params\['callback'\])) {" {} \; \
-exec echo {} \;
# In-place apply the CVE-2020-15227 nette/application patch
# by @spazef0rze
# Run with `bash`, works on Linux, FreeBSD, tested on Ubuntu 18.04, FreeBSD 11.4
# This is a universal patcher for all affected versions.
# Requirements: find, grep, sed, bash (might work with your default shell but YMMV)
# The fixes:
# The steps:
# find the file (same as in the "find" script)
# check if it has the code to be fixed, search for `if (!isset($params['callback'])) {` (same as in the "find" script)
# echo the filename if yes (same as in the "find" script)
# create a backup file with a suffix, will create `MicroPresenter.php-nette-autoupdate-backup.<random digits>`
# replace the code above with `$callback = isset($params['callback']) ? $params['callback'] : null; if (!$callback instanceof \Closure) {`
# replace the error message because why not
# ...
# I love escaping single quotes inside single-quoted strings, '"'"' FTW HAHAHA NO
find . \
-name MicroPresenter.php \
-exec grep --silent "^[[:space:]]\+if (\!isset(\$params\['callback'\])) {" {} \; \
-exec echo {} \; \
-exec sed -i"-nette-autoupdate-backup.$RANDOM" 's/if (!isset($params\['"'"'callback'"'"'\])) {/$callback = isset($params\['"'"'callback'"'"'\]) ? $params\['"'"'callback'"'"'\] : null;\ if (!$callback instanceof \\Closure) { \/\/ patched to fix CVE-2020-15227/; s/Parameter callback is missing./Parameter callback is not a valid closure./' {} \;
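
An added example, not part of the original gist: a POSIX shell check that classifies each `MicroPresenter.php` under a directory as VULNERABLE, PATCHED or UNKNOWN once the patcher has run, using the marker strings from the gist's grep pattern and sed replacement. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original gist.
# Marker strings are taken from the gist's grep pattern and sed replacement.

classify_micropresenter() {
    # $1 = path to a MicroPresenter.php; prints VULNERABLE, PATCHED or UNKNOWN
    if grep -qF "if (!isset(\$params['callback'])) {" "$1"; then
        echo VULNERABLE   # the unpatched check is still present
    elif grep -qF '$callback instanceof \Closure' "$1"; then
        echo PATCHED      # the closure type check is in place
    else
        echo UNKNOWN      # neither form found, inspect by hand
    fi
}

audit_tree() {
    # $1 = directory to scan; prints "<STATUS> <path>" per file and
    # returns non-zero if any file is not PATCHED. Backup copies made by the
    # patcher have a different name, so they are not scanned here.
    report=$(find "$1" -type f -name MicroPresenter.php | sort |
        while IFS= read -r f; do
            printf '%s %s\n' "$(classify_micropresenter "$f")" "$f"
        done)
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -qv '^PATCHED '
}

make_sample_tree() {
    # Constructed sample input: one unpatched file, one patched file plus the
    # backup the patcher would leave next to it. $1 = empty directory.
    mkdir -p "$1/old/Application" "$1/new/Application"
    cat > "$1/old/Application/MicroPresenter.php" <<'EOF'
        if (!isset($params['callback'])) {
EOF
    cat > "$1/new/Application/MicroPresenter.php" <<'EOF'
        $callback = isset($params['callback']) ? $params['callback'] : null; if (!$callback instanceof \Closure) { // patched to fix CVE-2020-15227
EOF
    cp "$1/old/Application/MicroPresenter.php" \
       "$1/new/Application/MicroPresenter.php-nette-autoupdate-backup.12345"
}

# Scan the directory given as the first argument, if any.
[ "$#" -eq 0 ] || audit_tree "$1"
```
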
spaze commented Oct 15, 2020

Thanks @mariancerny. I've removed the extra backslash, it wasn't there originally (there was one extra -exec, after the -exec sed one, without the trailing backslash). I've added a note that it might work with the default shell, and I'll leave the bash requirement there.

