php-pear-PHP-CodeSniffer-2.8.1-1.fc24

**Version 2.8.1**

* This release contains a fix for a security advisory related to the improper handling of shell commands
    * Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
    * A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
    * All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
        * e.g., you run PHPCS over libraries that you did not write
        * e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
        * e.g., you allow external tool paths to be set by user-defined values
    * If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
        * The diff report
        * The notify-send report
        * The Generic.PHP.Syntax sniff
        * The Generic.Debug.CSSLint sniff
        * The Generic.Debug.ClosureLinter sniff
        * The Generic.Debug.JSHint sniff
        * The Squiz.Debug.JSLint sniff
        * The Squiz.Debug.JavaScriptLint sniff
        * The Zend.Debug.CodeAnalyzer sniff
    * Thanks to Klaus Purer for the report
* The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2
* PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration
* PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration
* Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration
    * It would previously report that only one argument is allowed per line
* Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately
* Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types
* Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment
    * Thanks to Juliette Reinders Folmer for the patch
* Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator
    * As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty
* Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports
* Fixed bug #1340 : STDIN file contents not being populated in some cases
    * Thanks to David Biňovec for the patch
* Fixed bug #1344 : PEAR.Functions.FunctionCallSignatureSniff throws error for blank comment lines
* Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments during fixing
    * Thanks to Algirdas Gurevicius for the patch
* Fixed bug #1349 : Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly formatted when string contains a CR newline char
    * Thanks to Algirdas Gurevicius for the patch
* Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using namespaces
* Fixed bug #1369 : Empty line in multi-line function declaration causes infinite loop

php-pear-PHP-CodeSniffer-2.8.1-1.el7

**Version 2.8.1** (same upstream changelog as the php-pear-PHP-CodeSniffer-2.8.1-1.fc24 entry above)

CVE-2017-6393 (nagvis)

An issue was discovered in NagVis 1.9b12. The vulnerability exists due to insufficient filtration of user-supplied data passed to the “nagvis-master/share/userfiles/gadgets/std_table.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

CVE-2017-6394 (openemr)

An issue was discovered in OpenEMR 5.0.1-dev. The vulnerability exists due to insufficient filtration of user-supplied data passed to the “openemr-master/gacl/admin/object_search.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

CVE-2017-6392 (kaltura_server)

An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the “server-Lynx-12.11.0/admin_console/web/tools/XmlJWPlayer.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

CVE-2017-6391 (kaltura_server)

An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the “admin_console/web/tools/SimpleJWPlayer.php” URL, the “admin_console/web/tools/AkamaiBroadcaster.php” URL, the “admin_console/web/tools/bigRedButton.php” URL, and the “admin_console/web/tools/bigRedButtonPtsPoc.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

CVE-2017-6397

An issue was discovered in FlightAirMap v1.0-beta.10. The vulnerability exists due to insufficient filtration of user-supplied data in multiple parameters passed to several *-sub-menu.php pages. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

CVE-2017-6396

An issue was discovered in WPO-Foundation WebPageTest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the “webpagetest-master/www/compare-cf.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

CVE-2017-6395 (hashover)

An issue was discovered in HashOver 2.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the “hashover/scripts/widget-output.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.