diff --git a/package.xml b/package.xml index 2021af0c54..4589db8f67 100644 --- a/package.xml +++ b/package.xml @@ -14,8 +14,8 @@ http://pear.php.net/dtd/package-2.0.xsd"> gsherwood@squiz.net yes - 2017-02-02 - + 2017-03-02 + 2.8.1 2.8.1 
@@ -26,20 +26,37 @@ http://pear.php.net/dtd/package-2.0.xsd"> BSD 3-Clause License + - This release contains a fix for a security advisory related to the improper handling of shell commands + -- Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases + -- A properly crafted filename or configuration option would allow for arbitrary code execution when using some features + -- All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code + --- e.g., you run PHPCS over libraries that you did not write + --- e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories + --- e.g., you allow external tool paths to be set by user-defined values + -- If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features: + --- The diff report + --- The notify-send report + --- The Generic.PHP.Syntax sniff + --- The Generic.Debug.CSSLint sniff + --- The Generic.Debug.ClosureLinter sniff + --- The Generic.Debug.JSHint sniff + --- The Squiz.Debug.JSLint sniff + --- The Squiz.Debug.JavaScriptLint sniff + --- The Zend.Debug.CodeAnalyzer sniff + -- Thanks to Klaus Purer for the report + + - The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2 - - Code that uses shell_exec() and exec() now escapes cmds and args in case PHPCS is being used in a web service - -- This changes saves having to do filename and config validation before passing content to PHPCS - -- Thanks to Klaus Purer for reporting this - PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration - PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration - Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration -- It would previously report that only one argument is allowed 
per line - Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately - - Squiz.Commenting.FunctionComment now properly fixes pipe-seperated param types + - Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types - Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment -- Thanks to Juliette Reinders Folmer for the patch - Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator - -- As this is not a real PHP operator, it enforces no spaces beteen ? and : when the THEN statement is empty + -- As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty - Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports - Fixed bug #1340 : STDIN file contents not being populated in some cases -- Thanks to David Biňovec for the patch 
@@ -2466,6 +2483,61 @@ http://pear.php.net/dtd/package-2.0.xsd"> + + + 2.8.1 + 2.8.1 + + + stable + stable + + 2017-03-02 + BSD License + + - This release contains a fix for a security advisory related to the improper handling of shell commands + -- Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases + -- A properly crafted filename or configuration option would allow for arbitrary code execution when using some features + -- All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code + --- e.g., you run PHPCS over libraries that you did not write + --- e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories + --- e.g., you allow external tool paths to be set by user-defined values + -- If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features: + --- The diff report + --- The notify-send report + --- The Generic.PHP.Syntax sniff + --- The Generic.Debug.CSSLint sniff + --- The Generic.Debug.ClosureLinter sniff + --- The Generic.Debug.JSHint sniff + --- The Squiz.Debug.JSLint sniff + --- The Squiz.Debug.JavaScriptLint sniff + --- The Zend.Debug.CodeAnalyzer sniff + -- Thanks to Klaus Purer for the report + + + - The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2 + - PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration + - PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration + - Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration + -- It would previously report that only one argument is allowed per line + - Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately + - Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types + - 
Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment + -- Thanks to Juliette Reinders Folmer for the patch + - Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator + -- As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty + - Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports + - Fixed bug #1340 : STDIN file contents not being populated in some cases + -- Thanks to David Biňovec for the patch + - Fixed bug #1344 : PEAR.Functions.FunctionCallSignatureSniff throws error for blank comment lines + - Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments during fixing + -- Thanks to Algirdas Gurevicius for the patch + - Fixed bug #1349 : Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly formatted when string contains a CR newline char + -- Thanks to Algirdas Gurevicius for the patch + - Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using namespaces + - Fixed bug #1369 : Empty line in multi-line function declaration cause infinite loop + + 2.8.0
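Review bot: In the first hunk (@@ -14,8) the release date moves from 2017-02-02 to 2017-03-02 while the two version lines in the unchanged context stay at 2.8.1; confirm that 2.8.1 has not already shipped under the February date, because reusing a version number for a security release leaves packagers and users with no way to tell the fixed build from the earlier one, and a new patch version would be the safer choice.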
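Review bot: In the second hunk (@@ -26,20) the advisory entry names no advisory identifier or link, so anyone tracking the shell_exec()/exec() escaping issue cannot match this changelog line to a published advisory; add the identifier once assigned, with an obvious placeholder until then. The replacement of the removed "-- This changes saves having to do filename and config validation before passing content to PHPCS" line is right, since that wording understated the impact that the new entry now states (arbitrary code execution via a crafted filename or configuration option). Two smaller points: the three-level "---" nesting appears only in the added lines while the surrounding entries use at most "--", so check that the PEAR notes field renders it as intended; and the unrelated typo fixes (pipe-seperated, beteen) are fine to carry in this hunk.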
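Review bot: In the third hunk (@@ -2466,6) the added license line reads "BSD License" whereas the context of the second hunk reads "BSD 3-Clause License"; use the same string in both entries. This hunk also repeats the whole notes block verbatim, so every later wording change must be applied twice; the bug-fix lines for #1344, #1347, #1349, #1350 and #1369 are visible only in this hunk, so confirm the top-of-file block carries them as well and that the two blocks are kept identical.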