Merge branch 'master' into 3.0

gsherwood · gsherwood · commit dddc22e367b1 · 2017-02-27T09:20:15.000+11:00
diff --git a/src/Fixer.php b/src/Fixer.php
@@ -247,7 +247,9 @@ public function generateDiff($filePath=null, $colors=true)
 
         // We must use something like shell_exec() because whitespace at the end
         // of lines is critical to diff files.
-        $cmd  = "diff -u -L\"$filename\" -LPHP_CodeSniffer \"$filename\" \"$tempName\"";
+        $filename = escapeshellarg($filename);
+        $cmd      = "diff -u -L$filename -LPHP_CodeSniffer $filename \"$tempName\"";
+
         $diff = shell_exec($cmd);
 
         fclose($fixedFile);
diff --git a/src/Standards/Generic/Sniffs/Debug/CSSLintSniff.php b/src/Standards/Generic/Sniffs/Debug/CSSLintSniff.php
@@ -54,7 +54,7 @@ public function process(File $phpcsFile, $stackPtr)
 
         $fileName = $phpcsFile->getFilename();
 
-        $cmd = $csslintPath.' '.escapeshellarg($fileName);
+        $cmd = escapeshellcmd($csslintPath).' '.escapeshellarg($fileName).' 2>&1';
         exec($cmd, $output, $retval);
 
         if (is_array($output) === false) {
diff --git a/src/Standards/Generic/Sniffs/Debug/ClosureLinterSniff.php b/src/Standards/Generic/Sniffs/Debug/ClosureLinterSniff.php
@@ -71,8 +71,9 @@ public function process(File $phpcsFile, $stackPtr)
 
         $fileName = $phpcsFile->getFilename();
 
-        $cmd = "$lintPath --nosummary --notime --unix_mode \"$fileName\"";
-        $msg = exec($cmd, $output, $retval);
+        $lintPath = escapeshellcmd($lintPath);
+        $cmd      = '$lintPath --nosummary --notime --unix_mode '.escapeshellarg($fileName);
+        $msg      = exec($cmd, $output, $retval);
 
         if (is_array($output) === false) {
             return;
diff --git a/src/Standards/Generic/Sniffs/Debug/JSHintSniff.php b/src/Standards/Generic/Sniffs/Debug/JSHintSniff.php
@@ -57,7 +57,10 @@ public function process(File $phpcsFile, $stackPtr)
 
         $fileName = $phpcsFile->getFilename();
 
-        $cmd = "$rhinoPath \"$jshintPath\" \"$fileName\"";
+        $rhinoPath  = escapeshellcmd($rhinoPath);
+        $jshintPath = escapeshellcmd($jshintPath);
+
+        $cmd = "$rhinoPath \"$jshintPath\" ".escapeshellarg($fileName);
         $msg = exec($cmd, $output, $retval);
 
         if (is_array($output) === true) {
diff --git a/src/Standards/Generic/Sniffs/PHP/SyntaxSniff.php b/src/Standards/Generic/Sniffs/PHP/SyntaxSniff.php
@@ -60,11 +60,11 @@ public function process(File $phpcsFile, $stackPtr)
             }
         }
 
-        $fileName = $phpcsFile->getFilename();
+        $fileName = escapeshellarg($phpcsFile->getFilename());
         if (defined('HHVM_VERSION') === false) {
-            $cmd = $this->phpPath." -l -d error_prepend_string='' \"$fileName\" 2>&1";
+            $cmd = escapeshellcmd($this->phpPath)." -l -d error_prepend_string='' $fileName 2>&1";
         } else {
-            $cmd = $this->phpPath." -l \"$fileName\" 2>&1";
+            $cmd = escapeshellcmd($this->phpPath)." -l $fileName 2>&1";
         }
 
         $output  = shell_exec($cmd);
diff --git a/src/Standards/Squiz/Sniffs/Debug/JSLintSniff.php b/src/Standards/Squiz/Sniffs/Debug/JSLintSniff.php
@@ -56,7 +56,10 @@ public function process(File $phpcsFile, $stackPtr)
 
         $fileName = $phpcsFile->getFilename();
 
-        $cmd = "$rhinoPath \"$jslintPath\" \"$fileName\"";
+        $rhinoPath  = escapeshellcmd($rhinoPath);
+        $jslintPath = escapeshellcmd($jslintPath);
+
+        $cmd = "$rhinoPath \"$jslintPath\" ".escapeshellarg($fileName);
         $msg = exec($cmd, $output, $retval);
 
         if (is_array($output) === true) {
diff --git a/src/Standards/Squiz/Sniffs/Debug/JavaScriptLintSniff.php b/src/Standards/Squiz/Sniffs/Debug/JavaScriptLintSniff.php
@@ -55,7 +55,7 @@ public function process(File $phpcsFile, $stackPtr)
 
         $fileName = $phpcsFile->getFilename();
 
-        $cmd = '"'.$jslPath.'" -nologo -nofilelisting -nocontext -nosummary -output-format __LINE__:__ERROR__ -process "'.$fileName.'"';
+        $cmd = '"'.escapeshellcmd($jslPath).'" -nologo -nofilelisting -nocontext -nosummary -output-format __LINE__:__ERROR__ -process '.escapeshellarg($fileName);
         $msg = exec($cmd, $output, $retval);
 
         // Variable $exitCode is the last line of $output if no error occurs, on
diff --git a/src/Standards/Zend/Sniffs/Debug/CodeAnalyzerSniff.php b/src/Standards/Zend/Sniffs/Debug/CodeAnalyzerSniff.php
@@ -52,7 +52,7 @@ public function process(File $phpcsFile, $stackPtr)
         // In the command, 2>&1 is important because the code analyzer sends its
         // findings to stderr. $output normally contains only stdout, so using 2>&1
         // will pipe even stderr to stdout.
-        $cmd = $analyzerPath.' '.$fileName.' 2>&1';
+        $cmd = escapeshellcmd($analyzerPath).' '.escapeshellarg($fileName).' 2>&1';
 
         // There is the possibility to pass "--ide" as an option to the analyzer.
         // This would result in an output format which would be easier to parse.

Original file line number	Diff line number	Diff line change
`@@ -60,11 +60,11 @@ public function process(File $phpcsFile, $stackPtr)`
`60`	`60`	`}`
`61`	`61`	`}`
`62`	`62`
`63`		`- $fileName = $phpcsFile->getFilename();`
	`63`	`+ $fileName = escapeshellarg($phpcsFile->getFilename());`
`64`	`64`	`if (defined('HHVM_VERSION') === false) {`
`65`		`- $cmd = $this->phpPath." -l -d error_prepend_string='' \"$fileName\" 2>&1";`
	`65`	`+ $cmd = escapeshellcmd($this->phpPath)." -l -d error_prepend_string='' $fileName 2>&1";`
`66`	`66`	`} else {`
`67`		`- $cmd = $this->phpPath." -l \"$fileName\" 2>&1";`
	`67`	`+ $cmd = escapeshellcmd($this->phpPath)." -l $fileName 2>&1";`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`$output = shell_exec($cmd);`