Fix possible arbitrary code execution on misconfigured deployments

When `upload_validation` is enabled, and when VLD isn't installed, an attacker
sending a multipart POST is able to get arbitrary PHP content executed.

Reported-By: thomas-chauchefoin-tob

2 files changed, 2 insertions, 0 deletions

diff --git a/scripts/upload_validation.php b/scripts/upload_validation.php
index 6788d57..6480f20 100755
--- a/scripts/upload_validation.php
+++ b/scripts/upload_validation.php
@@ -16,6 +16,7 @@ function check($filename) {
                 "-d", "vld.col_sep=@",
                 "-d", "log_errors=0",
                 "-d", "error_log=/dev/null",
+                "-l",
                 escapeshellarg($filename),
                 '2>&1',
                 ];
diff --git a/scripts/upload_validation.py b/scripts/upload_validation.py
index 1152804..e7ba195 100755
--- a/scripts/upload_validation.py
+++ b/scripts/upload_validation.py
@@ -15,6 +15,7 @@ def check(filename):
             "-d", "vld.col_sep=@",
             "-d", "log_errors=0",
             "-d", "error_log=/dev/null",
+            "-l",
             filename],
             stderr=subprocess.STDOUT)
     except subprocess.CalledProcessError as e: