From 9278dc77bab2a219e770a1b31dd6797bc9070e37 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 31 Dec 2025 00:45:46 +0100
Subject: Fix possible arbitrary code execution on misconfigured deployments

When `upload_validation` is enabled, and when VLD isn't installed, an attacker sending a multipart POST is able to get arbitrary PHP content executed.

Reported-By: thomas-chauchefoin-tob
---
 scripts/upload_validation.php | 1 +
 1 file changed, 1 insertion(+)

(limited to 'scripts/upload_validation.php')

diff --git a/scripts/upload_validation.php b/scripts/upload_validation.php
index 6788d57..6480f20 100755
--- a/scripts/upload_validation.php
+++ b/scripts/upload_validation.php
@@ -16,6 +16,7 @@ function check($filename) {
         "-d", "vld.col_sep=@",
         "-d", "log_errors=0",
         "-d", "error_log=/dev/null",
+        "-l",
         escapeshellarg($filename),
         '2>&1',
     ];
-- cgit v1.3
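Review bot: The added `"-l",` line carries no comment saying that it is the only thing preventing the uploaded file from being executed when `vld.so` fails to load, so a future cleanup could drop it without noticing; write it as `"-l", // lint only: never execute the upload, even when VLD is not loaded`. On a host without VLD the command now yields no opcode dump at all, so the rest of `check()` (which starts and ends outside this hunk) must treat missing VLD output as a rejection rather than a pass; please confirm it fails closed, and that VLD still emits its dump under `-l` on a host where it is loaded. Because the shell strips the quoting that `escapeshellarg()` adds, a path beginning with `-` would still be read by the PHP CLI as an option; passing the file explicitly as `"-f", escapeshellarg($filename),` closes that, although it is presumably moot if `$filename` is always PHP's own `tmp_name`.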