Secure cli.php to be available from CLI only #39

Description

@tmuras

php-peg library is included by other projects, for example: https://github.com/maths/moodle-qtype_stack/tree/master/thirdparty/php-peg

In this example, the other library is deployed on a web server. This leads to the opportunity to run any PHP script contained there using a web URL, including https://github.com/maths/moodle-qtype_stack/blob/master/thirdparty/php-peg/cli.php .

If register_argc_argv is set in php.ini, then $_SERVER['argv'] is populated with $_GET, so the data could be passed into Compiler::cli( $_SERVER['argv'] );.

I don't think that in the current form cli.php can be exploited in any way, but it may be a good idea to protect this script and make sure it only runs as CLI. This could be done with:

// Abort unless the script runs under the command-line SAPI.
if (php_sapi_name() != "cli") {
    die();
}
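A fuller version of the guard proposed above, as an added example that is not part of the issue or of php-peg itself: it checks the SAPI before any argument handling, answers web requests with a 403 and a log line, and only then hands argv on. The function names are hypothetical; Compiler::cli is php-peg's entry point as named in the issue.

```php
<?php
// Added example (not php-peg code): CLI-only guard for an entry point like cli.php.
declare(strict_types=1);

/**
 * True when running under a command-line SAPI. PHP_SAPI is the constant
 * behind php_sapi_name(); 'phpdbg' is also terminal-only.
 */
function is_cli_sapi(string $sapi = PHP_SAPI): bool
{
    return in_array($sapi, ['cli', 'phpdbg'], true);
}

/**
 * Stop here if reached through a web server. Runs before anything touches
 * $_SERVER['argv'], which register_argc_argv fills from the query string
 * under a web SAPI instead of from a real terminal.
 */
function require_cli(): void
{
    if (is_cli_sapi()) {
        return;
    }
    if (!headers_sent()) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
    }
    // Keep a record for the operator; these keys may be missing under some SAPIs.
    $remote = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $uri    = $_SERVER['REQUEST_URI'] ?? '';
    error_log(sprintf('cli.php: web access refused (sapi=%s, remote=%s, uri=%s)',
        PHP_SAPI, $remote, $uri));
    exit('This script can only be run from the command line.' . PHP_EOL);
}

require_cli();

// Past the guard, argv came from the terminal, not from a URL.
$args = $_SERVER['argv'] ?? $argv ?? [];
// Compiler::cli($args);   // php-peg's entry point, as called in the original cli.php
```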
