From ad3ac95d2d35e1afc4dd09239c5d969f42613458 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?= Date: Wed, 24 Aug 2016 15:49:11 +0000 Subject: [PATCH 1/7] bug #18042 [Security] $attributes can be anything, but RoleVoter assumes strings --- .../Security/Core/Authorization/Voter/RoleVoter.php | 7 ++++++- .../Core/Tests/Authorization/Voter/RoleVoterTest.php | 6 ++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php b/src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php index 722675d29b..539dcda327 100644 --- a/src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php +++ b/src/Symfony/Component/Security/Core/Authorization/Voter/RoleVoter.php @@ -12,6 +12,7 @@ namespace Symfony\Component\Security\Core\Authorization\Voter; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Role\RoleInterface; /** * RoleVoter votes if any attribute starts with a given prefix. @@ -37,7 +38,7 @@ class RoleVoter implements VoterInterface */ public function supportsAttribute($attribute) { - return 0 === strpos($attribute, $this->prefix); + return is_string($attribute) && 0 === strpos($attribute, $this->prefix); } /** @@ -57,6 +58,10 @@ class RoleVoter implements VoterInterface $roles = $this->extractRoles($token); foreach ($attributes as $attribute) { + if ($attribute instanceof RoleInterface) { + $attribute = $attribute->getRole(); + } + if (!$this->supportsAttribute($attribute)) { continue; } diff --git a/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleVoterTest.php b/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleVoterTest.php index 03ab2da27e..c15e936f6e 100644 --- a/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleVoterTest.php +++ b/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleVoterTest.php @@ -43,6 +43,12 @@ class RoleVoterTest extends \PHPUnit_Framework_TestCase array(array('ROLE_FOO'), array('ROLE_FOO'), VoterInterface::ACCESS_GRANTED), array(array('ROLE_FOO'), array('FOO', 'ROLE_FOO'), VoterInterface::ACCESS_GRANTED), array(array('ROLE_BAR', 'ROLE_FOO'), array('ROLE_FOO'), VoterInterface::ACCESS_GRANTED), + + // Test mixed Types + array(array(), array(array()), VoterInterface::ACCESS_ABSTAIN), + array(array(), array(new \stdClass()), VoterInterface::ACCESS_ABSTAIN), + array(array('ROLE_BAR'), array(new Role('ROLE_BAR')), VoterInterface::ACCESS_GRANTED), + array(array('ROLE_BAR'), array(new Role('ROLE_FOO')), VoterInterface::ACCESS_DENIED), ); } From 32451b1a092181b793ee6bd186eeb7a3ca039491 Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Wed, 5 Oct 2016 18:00:01 +0200 Subject: [PATCH 2/7] add missing use statement --- .../DependencyInjection/Compiler/AddConstraintValidatorsPass.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/AddConstraintValidatorsPass.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/AddConstraintValidatorsPass.php index 800a32e2f3..497ea08a4b 100644 --- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/AddConstraintValidatorsPass.php +++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/AddConstraintValidatorsPass.php @@ -13,6 +13,7 @@ namespace Symfony\Bundle\FrameworkBundle\DependencyInjection\Compiler; use Symfony\Component\DependencyInjection\ContainerBuilder; use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface; +use Symfony\Component\DependencyInjection\Exception\InvalidArgumentException; class AddConstraintValidatorsPass implements CompilerPassInterface { From cc9a49948271fc6864003b65dfd2f5d888e8c443 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Dunglas?= Date: Wed, 5 Oct 2016 19:21:13 +0200 Subject: [PATCH 3/7] Uniformize exception vars according to our CS --- .../Component/PropertyInfo/Extractor/PhpDocExtractor.php | 4 ++-- .../PropertyInfo/Extractor/ReflectionExtractor.php | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/Symfony/Component/PropertyInfo/Extractor/PhpDocExtractor.php b/src/Symfony/Component/PropertyInfo/Extractor/PhpDocExtractor.php index b1f323c0bd..e60a623985 100644 --- a/src/Symfony/Component/PropertyInfo/Extractor/PhpDocExtractor.php +++ b/src/Symfony/Component/PropertyInfo/Extractor/PhpDocExtractor.php @@ -208,7 +208,7 @@ class PhpDocExtractor implements PropertyDescriptionExtractorInterface, Property // Use a ReflectionProperty instead of $class to get the parent class if applicable try { $reflectionProperty = new \ReflectionProperty($class, $property); - } catch (\ReflectionException $reflectionException) { + } catch (\ReflectionException $e) { return; } @@ -260,7 +260,7 @@ class PhpDocExtractor implements PropertyDescriptionExtractorInterface, Property ) { break; } - } catch (\ReflectionException $reflectionException) { + } catch (\ReflectionException $e) { // Try the next prefix if the method doesn't exist } } diff --git a/src/Symfony/Component/PropertyInfo/Extractor/ReflectionExtractor.php b/src/Symfony/Component/PropertyInfo/Extractor/ReflectionExtractor.php index 1d3d3a2083..1bf56b9109 100644 --- a/src/Symfony/Component/PropertyInfo/Extractor/ReflectionExtractor.php +++ b/src/Symfony/Component/PropertyInfo/Extractor/ReflectionExtractor.php @@ -51,7 +51,7 @@ class ReflectionExtractor implements PropertyListExtractorInterface, PropertyTyp { try { $reflectionClass = new \ReflectionClass($class); - } catch (\ReflectionException $reflectionException) { + } catch (\ReflectionException $e) { return; } @@ -261,7 +261,7 @@ class ReflectionExtractor implements PropertyListExtractorInterface, PropertyTyp $reflectionProperty = new \ReflectionProperty($class, $property); return $reflectionProperty->isPublic(); - } catch (\ReflectionException $reflectionExcetion) { + } catch (\ReflectionException $e) { // Return false if the property doesn't exist } @@ -290,7 +290,7 @@ class ReflectionExtractor implements PropertyListExtractorInterface, PropertyTyp if (0 === $reflectionMethod->getNumberOfRequiredParameters()) { return array($reflectionMethod, $prefix); } - } catch (\ReflectionException $reflectionException) { + } catch (\ReflectionException $e) { // Return null if the property doesn't exist } } @@ -319,7 +319,7 @@ class ReflectionExtractor implements PropertyListExtractorInterface, PropertyTyp if ($reflectionMethod->getNumberOfParameters() >= 1) { return array($reflectionMethod, $prefix); } - } catch (\ReflectionException $reflectionException) { + } catch (\ReflectionException $e) { // Try the next prefix if the method doesn't exist } } From 29226ef1160dc2ab2c43dbb50f80c1d236653957 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Wed, 5 Oct 2016 12:47:52 +0200 Subject: [PATCH 4/7] [Console] Improved the explanation of the hasOption() method --- src/Symfony/Component/Console/Input/InputDefinition.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/Symfony/Component/Console/Input/InputDefinition.php b/src/Symfony/Component/Console/Input/InputDefinition.php index 809baebd33..f7eafbd84f 100644 --- a/src/Symfony/Component/Console/Input/InputDefinition.php +++ b/src/Symfony/Component/Console/Input/InputDefinition.php @@ -282,6 +282,9 @@ class InputDefinition /** * Returns true if an InputOption object exists by name. * + * This method can't be used to check if the user included the option when + * executing the command (use getOption() instead). + * * @param string $name The InputOption name * * @return bool true if the InputOption object exists, false otherwise From 1159f8bba65d0e0f50d69f637dbed4308b959057 Mon Sep 17 00:00:00 2001 From: Roland Franssen Date: Mon, 3 Oct 2016 18:24:18 +0000 Subject: [PATCH 5/7] [HttpFoundation] JSONP callback validation --- .../Component/HttpFoundation/JsonResponse.php | 14 +++++++++++--- .../HttpFoundation/Tests/JsonResponseTest.php | 8 ++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/src/Symfony/Component/HttpFoundation/JsonResponse.php b/src/Symfony/Component/HttpFoundation/JsonResponse.php index 4672cdc8de..f370867aed 100644 --- a/src/Symfony/Component/HttpFoundation/JsonResponse.php +++ b/src/Symfony/Component/HttpFoundation/JsonResponse.php @@ -80,11 +80,19 @@ class JsonResponse extends Response public function setCallback($callback = null) { if (null !== $callback) { - // taken from http://www.geekality.net/2011/08/03/valid-javascript-identifier/ - $pattern = '/^[$_\p{L}][$_\p{L}\p{Mn}\p{Mc}\p{Nd}\p{Pc}\x{200C}\x{200D}]*+$/u'; + // partially token from http://www.geekality.net/2011/08/03/valid-javascript-identifier/ + // partially token from https://github.com/willdurand/JsonpCallbackValidator + // JsonpCallbackValidator is released under the MIT License. See https://github.com/willdurand/JsonpCallbackValidator/blob/v1.1.0/LICENSE for details. + // (c) William Durand + $pattern = '/^[$_\p{L}][$_\p{L}\p{Mn}\p{Mc}\p{Nd}\p{Pc}\x{200C}\x{200D}]*(?:\[(?:"(?:\\\.|[^"\\\])*"|\'(?:\\\.|[^\'\\\])*\'|\d+)\])*?$/u'; + $reserved = array( + 'break', 'do', 'instanceof', 'typeof', 'case', 'else', 'new', 'var', 'catch', 'finally', 'return', 'void', 'continue', 'for', 'switch', 'while', + 'debugger', 'function', 'this', 'with', 'default', 'if', 'throw', 'delete', 'in', 'try', 'class', 'enum', 'extends', 'super', 'const', 'export', + 'import', 'implements', 'let', 'private', 'public', 'yield', 'interface', 'package', 'protected', 'static', 'null', 'true', 'false', + ); $parts = explode('.', $callback); foreach ($parts as $part) { - if (!preg_match($pattern, $part)) { + if (!preg_match($pattern, $part) || in_array($part, $reserved, true)) { throw new \InvalidArgumentException('The callback name is not valid.'); } } diff --git a/src/Symfony/Component/HttpFoundation/Tests/JsonResponseTest.php b/src/Symfony/Component/HttpFoundation/Tests/JsonResponseTest.php index 60d27e4d59..0a0732f473 100644 --- a/src/Symfony/Component/HttpFoundation/Tests/JsonResponseTest.php +++ b/src/Symfony/Component/HttpFoundation/Tests/JsonResponseTest.php @@ -213,6 +213,14 @@ class JsonResponseTest extends \PHPUnit_Framework_TestCase JsonResponse::create($serializable); } + + public function testSetComplexCallback() + { + $response = JsonResponse::fromJsonString('{foo: "bar"}'); + $response->setCallback('ಠ_ಠ["foo"].bar[0]'); + + $this->assertEquals('/**/ಠ_ಠ["foo"].bar[0]({foo: "bar"});', $response->getContent()); + } } if (interface_exists('JsonSerializable')) { From 1427d3315378951540aecd6fef32065beb237cbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Dunglas?= Date: Wed, 5 Oct 2016 21:27:34 +0200 Subject: [PATCH 6/7] Correct a typo in the ReflectionExtractor's description --- .../Component/PropertyInfo/Extractor/ReflectionExtractor.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Symfony/Component/PropertyInfo/Extractor/ReflectionExtractor.php b/src/Symfony/Component/PropertyInfo/Extractor/ReflectionExtractor.php index 1bf56b9109..9b004b606b 100644 --- a/src/Symfony/Component/PropertyInfo/Extractor/ReflectionExtractor.php +++ b/src/Symfony/Component/PropertyInfo/Extractor/ReflectionExtractor.php @@ -17,7 +17,7 @@ use Symfony\Component\PropertyInfo\PropertyTypeExtractorInterface; use Symfony\Component\PropertyInfo\Type; /** - * Extracts PHP informations using the reflection API. + * Extracts data using the reflection API. * * @author Kévin Dunglas */ From 4cae9c09471d500adaa3af54600334cc012b4f9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Dunglas?= Date: Wed, 5 Oct 2016 22:47:52 +0200 Subject: [PATCH 7/7] [DependencyInjection] Add missing PHPDoc type --- src/Symfony/Component/DependencyInjection/Definition.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Symfony/Component/DependencyInjection/Definition.php b/src/Symfony/Component/DependencyInjection/Definition.php index 895b37459c..788eccebad 100644 --- a/src/Symfony/Component/DependencyInjection/Definition.php +++ b/src/Symfony/Component/DependencyInjection/Definition.php @@ -850,7 +850,7 @@ class Definition /** * Sets autowired. * - * @param $autowired + * @param bool $autowired * * @return Definition The current instance */