From 23151ed1380c3212b9647c62f2385da00a6fe379 Mon Sep 17 00:00:00 2001 From: Christophe Coevoet Date: Fri, 24 May 2019 12:09:27 +0200 Subject: [PATCH 1/3] Use constant time comparison in UriSigner --- src/Symfony/Component/HttpKernel/UriSigner.php | 2 +- src/Symfony/Component/HttpKernel/composer.json | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Symfony/Component/HttpKernel/UriSigner.php b/src/Symfony/Component/HttpKernel/UriSigner.php index 481270da51..ffe31a2121 100644 --- a/src/Symfony/Component/HttpKernel/UriSigner.php +++ b/src/Symfony/Component/HttpKernel/UriSigner.php @@ -79,7 +79,7 @@ class UriSigner $hash = $params[$this->parameter]; unset($params[$this->parameter]); - return $this->computeHash($this->buildUrl($url, $params)) === $hash; + return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash); } private function computeHash($uri) diff --git a/src/Symfony/Component/HttpKernel/composer.json b/src/Symfony/Component/HttpKernel/composer.json index f47f1162d1..7f471c680e 100644 --- a/src/Symfony/Component/HttpKernel/composer.json +++ b/src/Symfony/Component/HttpKernel/composer.json @@ -21,6 +21,7 @@ "symfony/http-foundation": "~3.4.12|~4.0.12|^4.1.1", "symfony/debug": "^3.3.3|~4.0", "symfony/polyfill-ctype": "~1.8", + "symfony/polyfill-php56": "~1.8", "psr/log": "~1.0" }, "require-dev": { From 150741390d93f67a92295edc4d699a2237fec545 Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Tue, 16 Jul 2019 11:30:28 +0200 Subject: [PATCH 2/3] [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances --- .../Component/Cache/Adapter/AbstractAdapter.php | 10 ++++++++++ .../Component/Cache/Adapter/TagAwareAdapter.php | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php b/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php index 0868c16d47..df5280b42d 100644 --- a/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php +++ b/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php @@ -276,6 +276,16 @@ abstract class AbstractAdapter implements AdapterInterface, LoggerAwareInterface return $ok; } + public function __sleep() + { + throw new \BadMethodCallException('Cannot serialize '.__CLASS__); + } + + public function __wakeup() + { + throw new \BadMethodCallException('Cannot unserialize '.__CLASS__); + } + public function __destruct() { if ($this->deferred) { diff --git a/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php b/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php index 362aceed0e..7b726237bf 100644 --- a/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php +++ b/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php @@ -273,6 +273,16 @@ class TagAwareAdapter implements TagAwareAdapterInterface, PruneableInterface, R return $this->invalidateTags([]); } + public function __sleep() + { + throw new \BadMethodCallException('Cannot serialize '.__CLASS__); + } + + public function __wakeup() + { + throw new \BadMethodCallException('Cannot unserialize '.__CLASS__); + } + public function __destruct() { $this->commit(); From 6be5cc75a4817657c5574553a41bdd0193d4fe51 Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Fri, 19 Apr 2019 14:48:43 +0200 Subject: [PATCH 3/3] [HttpFoundation] fix guessing mime-types of files with leading dash --- .../File/MimeType/FileBinaryMimeTypeGuesser.php | 4 ++-- .../HttpFoundation/Tests/File/Fixtures/-test | Bin 0 -> 35 bytes .../Tests/File/MimeType/MimeTypeTest.php | 11 ++++++++++- 3 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test diff --git a/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php b/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php index cfa76843cc..7045e94df6 100644 --- a/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php +++ b/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php @@ -31,7 +31,7 @@ class FileBinaryMimeTypeGuesser implements MimeTypeGuesserInterface * * @param string $cmd The command to run to get the mime type of a file */ - public function __construct($cmd = 'file -b --mime %s 2>/dev/null') + public function __construct($cmd = 'file -b --mime -- %s 2>/dev/null') { $this->cmd = $cmd; } @@ -80,7 +80,7 @@ class FileBinaryMimeTypeGuesser implements MimeTypeGuesserInterface ob_start(); // need to use --mime instead of -i. see #6641 - passthru(sprintf($this->cmd, escapeshellarg($path)), $return); + passthru(sprintf($this->cmd, escapeshellarg((0 === strpos($path, '-') ? './' : '').$path)), $return); if ($return > 0) { ob_end_clean(); diff --git a/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test b/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test new file mode 100644 index 0000000000000000000000000000000000000000..b636f4b8df536b0a85e7cea1a6cf3f0bd3179b96 GIT binary patch literal 35 jcmZ?wbh9u|WMp7uXkcLY4+c66KmZb9U}AD%WUvMRyAlZ1 literal 0 HcmV?d00001 diff --git a/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php b/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php index 3960988a6a..0418726b5b 100644 --- a/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php +++ b/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php @@ -20,7 +20,16 @@ use Symfony\Component\HttpFoundation\File\MimeType\MimeTypeGuesser; */ class MimeTypeTest extends TestCase { - protected $path; + public function testGuessWithLeadingDash() + { + $cwd = getcwd(); + chdir(__DIR__.'/../Fixtures'); + try { + $this->assertEquals('image/gif', MimeTypeGuesser::getInstance()->guess('-test')); + } finally { + chdir($cwd); + } + } public function testGuessImageWithoutExtension() {