The script, in essence, acts as a bridge between external process calls and in-memory PHP execution. When PHPUnit needs to run a piece of PHP code in a separate process (e.g., for isolation during tests of global state or exit calls), it cannot rely on include or require alone. Instead, it spawns a new PHP process, pipes code to its standard input, and lets eval-stdin.php execute that code. The core logic is minimal:
This is not a bug in PHPUnit itself. PHPUnit is a development dependency. The real issue is:
Because eval-stdin.php reads from standard input, and under a web SAPI standard input carries the body of the HTTP request, an attacker only needs to send an ordinary HTTP POST request. The body of that POST request contains the malicious PHP code they want the server to execute.
If your application relies on PHPUnit, you must secure your server to prevent attackers from accessing testing utilities.

1. Update Your Dependencies
If your web root cannot be changed, you should explicitly block access to your vendor and .git folders in your web server configuration. For Nginx, add this block inside your server block (it covers PHP files under vendor; .git needs a rule of its own):

```nginx
location ~* /vendor/.*\.php$ {
    deny all;
    return 403;
}
```
$this->assertSame($expected, $a + $b);
```php
#!/usr/bin/env php
<?php
// Refuse to run under any web SAPI (CGI, FPM, mod_php); only the
// command line may feed code to this script.
if (PHP_SAPI !== 'cli') {
    die('CLI only');
}
```
Even if you cannot delete the file, set strict permissions:
So, the core need is: Let’s answer that step by step.
Deep in the shadows of a botnet hosted in a cold climate, a script finally matched the index. It didn’t send a polite request. It sent a payload—a string of encoded gibberish that flowed through the eval-stdin.php pipe like a virus through an IV drip.
The most robust architectural solution is to configure your web server root to point to a dedicated public directory (e.g., /public or /web ) rather than the root directory of the project.
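The hardening steps above (block or remove the vendor tree from the served directory, set strict permissions on what must stay) can be checked from the shell. The following is an added example, not code from the original page or from PHPUnit: it audits a directory for a web-reachable eval-stdin.php under vendor and tightens the mode of any file it finds. It assumes a POSIX sh with find, chmod, sed and wc; the project path is whatever you pass in, and the web server user is assumed not to be the file owner (if it is, 0400 still lets it read the file, and deletion or a web-root change is the real fix).

```shell
#!/bin/sh
# Added example, not from the original page: audit a checkout for a
# web-reachable vendor tree and harden what is found. Assumes POSIX sh
# plus find, chmod, sed and wc; the layout is whatever you pass in.

# audit_webroot DIR
#   Lists every eval-stdin.php found below DIR/vendor (these would be
#   served as PHP if DIR is the web root). Returns 0 when nothing is
#   exposed, 1 when at least one file is.
audit_webroot() {
    dir=$1
    [ -d "$dir/vendor" ] || return 0          # no vendor tree, nothing to serve
    find "$dir/vendor" -type f -name 'eval-stdin.php' -print | sed 's/^/exposed: /'
    n=$(find "$dir/vendor" -type f -name 'eval-stdin.php' | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# harden_file FILE
#   Strip every permission bit except owner-read so that the web server
#   user (assumed to be a different account) can neither read nor execute
#   the script. Returns 0 once the mode is exactly 0400.
harden_file() {
    chmod 0400 "$1" || return 1
    [ -n "$(find "$1" -type f -perm 0400)" ]
}

# Usage (paths are placeholders): audit a project, then harden what was reported.
#   audit_webroot /var/www/myapp || \
#     find /var/www/myapp/vendor -type f -name 'eval-stdin.php' -exec chmod 0400 {} +
```

Run the audit against the directory your web server actually serves, not just the repository root; a clean result from audit_webroot on the served directory is the condition you want, and hardening is the fallback when the file cannot simply be excluded or deleted.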
Using a tool like curl, a malicious user can execute system commands instantly:
With this setup, a malicious actor could potentially access the file at the following URL: