N°8017 - Security - dependabot - Symfony's VarDumper vulnerable to un… (#731)
Upgrade all Symfony components to the latest security-fix release (~6.4.0)
@@ -28,7 +28,7 @@ class EnvVarProcessor implements EnvVarProcessorInterface
|
||||
/**
|
||||
* @param \Traversable<EnvVarLoaderInterface>|null $loaders
|
||||
*/
|
||||
public function __construct(ContainerInterface $container, \Traversable $loaders = null)
|
||||
public function __construct(ContainerInterface $container, ?\Traversable $loaders = null)
|
||||
{
|
||||
$this->container = $container;
|
||||
$this->loaders = $loaders ?? new \ArrayIterator();
|
||||
@@ -164,10 +164,16 @@ class EnvVarProcessor implements EnvVarProcessorInterface
|
||||
if (false !== $i || 'string' !== $prefix) {
|
||||
$env = $getEnv($name);
|
||||
} elseif ('' === ($env = $_ENV[$name] ?? (str_starts_with($name, 'HTTP_') ? null : ($_SERVER[$name] ?? null)))
|
||||
|| (false !== $env && false === ($env = $env ?? getenv($name) ?? false)) // null is a possible value because of thread safety issues
|
||||
|| (false !== $env && false === $env ??= getenv($name) ?? false) // null is a possible value because of thread safety issues
|
||||
) {
|
||||
foreach ($this->loadedVars as $vars) {
|
||||
if (false !== ($env = ($vars[$name] ?? $env)) && '' !== $env) {
|
||||
foreach ($this->loadedVars as $i => $vars) {
|
||||
if (false === $env = $vars[$name] ?? $env) {
|
||||
continue;
|
||||
}
|
||||
if ($env instanceof \Stringable) {
|
||||
$this->loadedVars[$i][$name] = $env = (string) $env;
|
||||
}
|
||||
if ('' !== ($env ?? '')) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -185,7 +191,13 @@ class EnvVarProcessor implements EnvVarProcessorInterface
|
||||
continue;
|
||||
}
|
||||
$this->loadedVars[] = $vars = $loader->loadEnvVars();
|
||||
if (false !== ($env = ($vars[$name] ?? $env)) && '' !== $env) {
|
||||
if (false === $env = $vars[$name] ?? $env) {
|
||||
continue;
|
||||
}
|
||||
if ($env instanceof \Stringable) {
|
||||
$this->loadedVars[array_key_last($this->loadedVars)][$name] = $env = (string) $env;
|
||||
}
|
||||
if ('' !== ($env ?? '')) {
|
||||
$ended = false;
|
||||
break;
|
||||
}
|
||||
@@ -286,15 +298,15 @@ class EnvVarProcessor implements EnvVarProcessorInterface
|
||||
}
|
||||
|
||||
if ('url' === $prefix) {
|
||||
$parsedEnv = parse_url($env);
|
||||
$params = parse_url($env);
|
||||
|
||||
if (false === $parsedEnv) {
|
||||
if (false === $params) {
|
||||
throw new RuntimeException(sprintf('Invalid URL in env var "%s".', $name));
|
||||
}
|
||||
if (!isset($parsedEnv['scheme'], $parsedEnv['host'])) {
|
||||
throw new RuntimeException(sprintf('Invalid URL env var "%s": schema and host expected, "%s" given.', $name, $env));
|
||||
if (!isset($params['scheme'], $params['host'])) {
|
||||
throw new RuntimeException(sprintf('Invalid URL in env var "%s": scheme and host expected.', $name));
|
||||
}
|
||||
$parsedEnv += [
|
||||
$params += [
|
||||
'port' => null,
|
||||
'user' => null,
|
||||
'pass' => null,
|
||||
@@ -303,10 +315,13 @@ class EnvVarProcessor implements EnvVarProcessorInterface
|
||||
'fragment' => null,
|
||||
];
|
||||
|
||||
// remove the '/' separator
|
||||
$parsedEnv['path'] = '/' === ($parsedEnv['path'] ?? '/') ? '' : substr($parsedEnv['path'], 1);
|
||||
$params['user'] = null !== $params['user'] ? rawurldecode($params['user']) : null;
|
||||
$params['pass'] = null !== $params['pass'] ? rawurldecode($params['pass']) : null;
|
||||
|
||||
return $parsedEnv;
|
||||
// remove the '/' separator
|
||||
$params['path'] = '/' === ($params['path'] ?? '/') ? '' : substr($params['path'], 1);
|
||||
|
||||
return $params;
|
||||
}
|
||||
|
||||
if ('query_string' === $prefix) {
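Review bot: The `url` branch now percent-decodes the credentials (`rawurldecode` on `$params['user']` and `$params['pass']`) without a comment, and this changes what consumers receive. A password stored unencoded in an env URL that contains `%` followed by two hex digits will come out different after this upgrade, which shows up as an authentication failure rather than a parse error. I would add `// user/pass are percent-decoded here; a literal "%" in a credential must be written as %25 in the env var` above the two assignments and mention the change in the upgrade notes. The reworded exception just above no longer echoes `$env`, which appears intended to keep URLs that carry credentials out of logs and error pages; a short `// do not include $env in the message: it may contain credentials` would stop a later edit from reintroducing the value. The enclosing method starts and ends outside the visible hunks.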
|
||||
|
||||