Index of /vendor: PHPUnit's src/Util/PHP/eval-stdin.php on a production web server

eval-stdin.php is a file that ships inside PHPUnit. On most projects it lives under the vendor directory, where Composer (the PHP package manager) installs dependencies. PHPUnit is normally declared in require-dev, so the file should only ever exist on development machines and CI runners, never on a production host.

If you take one thing away from this article, let it be this: The best way to use eval-stdin.php is to ensure it never runs on a production web server. Keep it in your local vendor directory, use it for testing and debugging, and delete it from production.
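As an added example, not code from the original page or from PHPUnit, here is a small POSIX shell check that a deploy step can run against the web root to enforce exactly that rule. It assumes the standard Composer layout with vendor under the document root, as in the scenario described on this page; the function names are ours.

```shell
#!/bin/sh
# Added example: pre-deploy guard that fails the build if PHPUnit's
# eval-stdin.php (or any phpunit package) is reachable under the web root.
# Layout assumed: Composer's vendor/ directory sits inside the document root.

PHPUNIT_EVAL_STDIN='vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'

# Returns 0 when the web root is clean, 1 when the file is deployed.
check_no_eval_stdin() {
  docroot="$1"
  if [ -f "$docroot/$PHPUNIT_EVAL_STDIN" ]; then
    echo "FAIL: $docroot/$PHPUNIT_EVAL_STDIN is deployed; PHPUnit belongs in require-dev" >&2
    return 1
  fi
  return 0
}

# Broader check: any package under vendor/phpunit means dev dependencies were
# installed. Prints the number of offending directories (0 = clean).
count_dev_packages() {
  docroot="$1"
  n=0
  for d in "$docroot"/vendor/phpunit/*; do
    if [ -d "$d" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Typical use in a deploy pipeline:
#   composer install --no-dev --optimize-autoloader
#   check_no_eval_stdin /var/www/example/public || exit 1
```

Run it after `composer install --no-dev`, not instead of it: the check catches a deploy that accidentally shipped dev dependencies, while `--no-dev` is what keeps PHPUnit out of the artifact in the first place.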

She typed it into her browser, half-expecting a 404. Instead, the screen filled with a directory index—a raw, unfiltered map of the vendor folder.

The core issue lies in the simplicity of eval-stdin.php. Below its license header the vulnerable file was, essentially, one statement:

    eval('?>' . file_get_contents('php://stdin'));

The '?>' prefix closes PHP mode so that whatever is read from the stream is parsed as a complete PHP file, and eval() then executes it. In the PHPUnit releases that were exploitable over HTTP the stream was php://input, which is the raw body of the current HTTP request; later releases read php://stdin instead, the pipe PHPUnit writes to when it launches the script as a child process for isolated test runs.

If you generate test files with a script, make sure the generated code declares its namespace and imports PHPUnit\Framework\TestCase.

    <?php
    // generate_tests.php: prints a PHPUnit test class skeleton to stdout
    // (GeneratedTest is a placeholder class name)
    echo '<?php
    use PHPUnit\Framework\TestCase;
    final class GeneratedTest extends TestCase {}
    ';

fix: remove eval-stdin.php from production build – why is this even here?!
Author: lyra@finapi.com

A directory listing titled Index of /vendor/phpunit/phpunit/src/Util/PHP/ that shows eval-stdin.php indicates a severe misconfiguration: the web server is both serving the vendor tree and enumerating its contents. The path belongs to PHPUnit, the standard testing framework for the PHP programming language.

The file opens with the standard PHPUnit license header, which is also what identifies it when it turns up in a listing:

    #!/usr/bin/env php
    <?php
    /*
     * This file is part of PHPUnit.
     *
     * (c) Sebastian Bergmann <sebastian@phpunit.de>
     *
     * For the full copyright and license information, please view the LICENSE
     * file that was distributed with this source code.
     */

In the affected versions the script reads the raw HTTP request body and passes it straight into eval(), with no authentication, no origin check and no sanitization: whatever PHP an anonymous client POSTs is executed with the privileges of the web server process.
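The following added example, not from the original page or from PHPUnit, shows how to pick such requests out of an Apache combined-format access log with POSIX awk. The log lines are constructed for the example (addresses are from documentation ranges) and the function names are ours. It separates any request that touched eval-stdin.php from POSTs that received a 2xx response, the combination that most likely means the request body reached eval().

```shell
#!/bin/sh
# Added example: triage Apache combined-format access logs for requests to
# PHPUnit's eval-stdin.php. Field layout: $1 client IP, $6 "METHOD,
# $7 request path, $9 status code.

# Constructed sample log, not from any real server.
sample_access_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/ HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 21 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "POST /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:01:10 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 199 "-" "curl/8.1"
EOF
}

# Every request that touched eval-stdin.php, whatever the method or outcome.
# Scanners try several prefixes (vendor/, lib/, ...), so match on the tail.
count_eval_stdin_requests() {
  awk 'tolower($7) ~ /util\/php\/eval-stdin\.php/ { n++ } END { print n + 0 }' "$1"
}

# The ones that matter most: POSTs to the file answered with 2xx, i.e. the
# body most likely reached eval(). Treat a non-zero count as a compromise
# until the host has been examined.
count_successful_eval_stdin_posts() {
  awk '$6 == "\"POST" && tolower($7) ~ /util\/php\/eval-stdin\.php/ && $9 ~ /^2/ { n++ } END { print n + 0 }' "$1"
}

# Print source IP, method, path and status for each hit, for the analyst.
list_eval_stdin_requests() {
  awk 'tolower($7) ~ /util\/php\/eval-stdin\.php/ { print $1, $6, $7, $9 }' "$1"
}

# Usage against a real log:
#   count_successful_eval_stdin_posts /var/log/apache2/access.log
#   list_eval_stdin_requests /var/log/apache2/access.log
```

A 403 or 404 on these paths is noise from mass scanning and only tells you that you are being probed; a 200 on a POST is the line that should page someone, since the response body for a successful hit is the output of whatever the attacker sent.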

to exclude specific vendor files

If a production web server allows directory indexing (for example Options +Indexes in Apache) and an attacker navigates to example.com/vendor/phpunit/phpunit/src/Util/PHP/ , they see a listing of the directory's files. If eval-stdin.php is then executed by PHP and is one of the affected versions, a POST request carrying PHP code in its body runs on the server: unauthenticated remote code execution (RCE). Directory indexing only makes the file easier to find; the scanners that hunt for eval-stdin.php request the path directly, so turning off indexes alone does not remove the exposure.
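For the Apache case, here is the weak configuration beside the corrected one, as an added example that is not part of the original page. The document-root path is an assumption; the directives are standard Apache 2.4 (mod_authz_core) syntax.

```apache
# Weak: indexing enabled on the web root and vendor/ served like any other path
<Directory "/var/www/example/public">
    Options +Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Corrected: no directory listings under the web root, and the vendor tree is
# refused outright even if a deploy accidentally put it there
<Directory "/var/www/example/public">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/example/public/vendor">
    Require all denied
</Directory>
```

The deny rule is defence in depth, not the fix. The structural fix is to point DocumentRoot at the application's public/ directory so that vendor/ is never below it, and to build production artifacts with composer install --no-dev so that PHPUnit, and eval-stdin.php with it, is not present at all.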