Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice.

But, that is hardly surprising as with source code version control systems like Git, it is possible to sign-off a commit as coming from anybody else [1, 2] locally and then upload the spoofed ...