GHSA-mhfv-8rc9-w38c: 
PHP vulnerability analysis and mitigation

A high-severity security vulnerability was identified in PHPCodeSniffer (squizlabs/phpcodesniffer) affecting versions 1.0.0 through 2.8.1. The vulnerability, discovered on February 26, 2017, involves improper handling of shell commands that could lead to arbitrary shell execution. The issue was formally published to the GitHub Advisory Database on March 26, 2022 (GitHub Advisory).

The vulnerability stems from unescaped filenames and configuration settings in shellexec() and exec() function calls throughout the codebase. This security flaw affects multiple features within PHPCodeSniffer, particularly when handling external files and user-defined configurations (PHP CodeSniffer Release).

The vulnerability could allow attackers to execute arbitrary code through specially crafted filenames or configuration options. This is particularly critical in environments where PHPCodeSniffer is used to check third-party code, run as a web service over user-uploaded files, or when external tool paths are configured with user-defined values ([PHP CodeSniffer Release](https://github.com/squizlabs/PHPCodeSniffer/releases/tag/2.8.1)).

Users are strongly encouraged to upgrade to version 2.8.1 which contains the security fix. For users unable to upgrade immediately, it is recommended to avoid using the affected features, particularly when checking third-party code. The vulnerable features include the diff report, notify-send report, and various debug sniffs. The fix was implemented by properly escaping filenames and configuration settings in shell command executions (PHP CodeSniffer Release).

The vulnerability was initially reported by Klaus Purer, leading to a prompt security advisory and patch release. The issue was subsequently documented in the FriendsOfPHP security advisories repository (Security Advisory).