composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-05-01 06:28:46 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°8017 - Security - dependabot - Symfony's VarDumper vulnerable to un… (#731)

Browse Source 
Upgrade all Symfony components to last security fix (~6.4.0)
This commit is contained in:
Benjamin Dalsass
2025-08-06 08:54:56 +02:00
committed by GitHub
parent 603340b852
commit cdbcd14767
608 changed files with 5020 additions and 3793 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
lib/symfony/cache/Traits/RedisTrait.php vendored
View File

@@ -17,6 +17,7 @@ use Predis\Connection\Aggregate\RedisCluster;
use Predis\Connection\Aggregate\ReplicationInterface;
use Predis\Connection\Cluster\ClusterInterface as Predis2ClusterInterface;
use Predis\Connection\Cluster\RedisCluster as Predis2RedisCluster;
use Predis\Connection\Replication\ReplicationInterface as Predis2ReplicationInterface;
use Predis\Response\ErrorInterface;
use Predis\Response\Status;
use Relay\Relay;
@@ -149,10 +150,10 @@ trait RedisTrait
if (isset($params['host']) || isset($params['path'])) {
if (!isset($params['dbindex']) && isset($params['path'])) {
if (preg_match('#/(\d+)?$#', $params['path'], $m)) {
$params['dbindex'] = $m[1] ?? '0';
$params['dbindex'] = $m[1] ?? $query['dbindex'] ?? '0';
$params['path'] = substr($params['path'], 0, -\strlen($m[0]));
} elseif (isset($params['host'])) {
throw new InvalidArgumentException('Invalid Redis DSN: query parameter "dbindex" must be a number.');
throw new InvalidArgumentException('Invalid Redis DSN: parameter "dbindex" must be a number.');
}
}
@@ -167,6 +168,10 @@ trait RedisTrait
throw new InvalidArgumentException('Invalid Redis DSN: missing host.');
}
if (isset($params['dbindex'], $query['dbindex']) && $params['dbindex'] !== $query['dbindex']) {
throw new InvalidArgumentException('Invalid Redis DSN: path and query "dbindex" parameters mismatch.');
}
$params += $query + $options + self::$defaultConnectionOptions;
if (isset($params['redis_sentinel']) && !class_exists(\Predis\Client::class) && !class_exists(\RedisSentinel::class) && !class_exists(Sentinel::class)) {
@@ -228,10 +233,10 @@ trait RedisTrait
$options = [
'host' => $host,
'port' => $port,
'connectTimeout' => $params['timeout'],
'connectTimeout' => (float) $params['timeout'],
'persistent' => $params['persistent_id'],
'retryInterval' => $params['retry_interval'],
'readTimeout' => $params['read_timeout'],
'retryInterval' => (int) $params['retry_interval'],
'readTimeout' => (float) $params['read_timeout'],
];
if ($passAuth) {
@@ -242,10 +247,10 @@ trait RedisTrait
} else {
$extra = $passAuth ? [$params['auth']] : [];
$sentinel = new $sentinelClass($host, $port, $params['timeout'], (string) $params['persistent_id'], $params['retry_interval'], $params['read_timeout'], ...$extra);
$sentinel = @new $sentinelClass($host, $port, $params['timeout'], (string) $params['persistent_id'], $params['retry_interval'], $params['read_timeout'], ...$extra);
}
if ($address = $sentinel->getMasterAddrByName($params['redis_sentinel'])) {
if ($address = @$sentinel->getMasterAddrByName($params['redis_sentinel'])) {
[$host, $port] = $address;
}
} catch (\RedisException|\Relay\Exception $redisException) {
@@ -260,6 +265,22 @@ trait RedisTrait
$extra = [
'stream' => $params['ssl'] ?? null,
];
$booleanStreamOptions = [
'allow_self_signed',
'capture_peer_cert',
'capture_peer_cert_chain',
'disable_compression',
'SNI_enabled',
'verify_peer',
'verify_peer_name',
];
foreach ($extra['stream'] ?? [] as $streamOption => $value) {
if (\in_array($streamOption, $booleanStreamOptions, true) && \is_string($value)) {
$extra['stream'][$streamOption] = filter_var($value, \FILTER_VALIDATE_BOOL);
}
}
if (isset($params['auth'])) {
$extra['auth'] = $params['auth'];
}
@@ -277,7 +298,10 @@ trait RedisTrait
}
if ((null !== $auth && !$redis->auth($auth))
|| ($params['dbindex'] && !$redis->select($params['dbindex']))
// Due to a bug in phpredis we must always select the dbindex if persistent pooling is enabled
// @see https://github.com/phpredis/phpredis/issues/1920
// @see https://github.com/symfony/symfony/issues/51578
|| (($params['dbindex'] || ('pconnect' === $connect && '0' !== \ini_get('redis.pconnect.pooling_enabled'))) && !$redis->select($params['dbindex']))
) {
$e = preg_replace('/^ERR /', '', $redis->getLastError());
throw new InvalidArgumentException('Redis connection failed: '.$e.'.');
@@ -450,9 +474,16 @@ trait RedisTrait
$cleared = true;
$hosts = $this->getHosts();
$host = reset($hosts);
if ($host instanceof \Predis\Client && $host->getConnection() instanceof ReplicationInterface) {
// Predis supports info command only on the master in replication environments
$hosts = [$host->getClientFor('master')];
if ($host instanceof \Predis\Client) {
$connection = $host->getConnection();
if ($connection instanceof ReplicationInterface) {
$hosts = [$host->getClientFor('master')];
} elseif ($connection instanceof Predis2ReplicationInterface) {
$connection->switchToMaster();
$hosts = [$host];
}
}
foreach ($hosts as $host) {
@@ -485,7 +516,7 @@ trait RedisTrait
$cursor = null;
do {
$keys = $host instanceof \Predis\ClientInterface ? $host->scan($cursor, 'MATCH', $pattern, 'COUNT', 1000) : $host->scan($cursor, $pattern, 1000);
$keys = $host instanceof \Predis\ClientInterface ? $host->scan($cursor ?? 0, 'MATCH', $pattern, 'COUNT', 1000) : $host->scan($cursor, $pattern, 1000);
if (isset($keys[1]) && \is_array($keys[1])) {
$cursor = $keys[0];
$keys = $keys[1];
@@ -498,7 +529,7 @@ trait RedisTrait
}
$this->doDelete($keys);
}
} while ($cursor = (int) $cursor);
} while ($cursor);
}
return $cleared;
@@ -563,7 +594,7 @@ trait RedisTrait
return $failed;
}
private function pipeline(\Closure $generator, object $redis = null): \Generator
private function pipeline(\Closure $generator, ?object $redis = null): \Generator
{
$ids = [];
$redis ??= $this->redis;