composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-05-04 07:58:46 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°8017 - Security - dependabot - Symfony's VarDumper vulnerable to un… (#731)

Browse Source 
Upgrade all Symfony components to last security fix (~6.4.0)
This commit is contained in:
Benjamin Dalsass
2025-08-06 08:54:56 +02:00
committed by GitHub
parent 603340b852
commit cdbcd14767
608 changed files with 5020 additions and 3793 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
lib/symfony/yaml/Inline.php
View File

@@ -34,7 +34,7 @@ class Inline
private static bool $objectForMap = false;
private static bool $constantSupport = false;
public static function initialize(int $flags, int $parsedLineNumber = null, string $parsedFilename = null): void
public static function initialize(int $flags, ?int $parsedLineNumber = null, ?string $parsedFilename = null): void
{
self::$exceptionOnInvalidType = (bool) (Yaml::PARSE_EXCEPTION_ON_INVALID_TYPE & $flags);
self::$objectSupport = (bool) (Yaml::PARSE_OBJECT & $flags);
@@ -267,7 +267,7 @@ class Inline
*
* @throws ParseException When malformed inline YAML string is parsed
*/
public static function parseScalar(string $scalar, int $flags = 0, array $delimiters = null, int &$i = 0, bool $evaluate = true, array &$references = [], bool &$isQuoted = null): mixed
public static function parseScalar(string $scalar, int $flags = 0, ?array $delimiters = null, int &$i = 0, bool $evaluate = true, array &$references = [], ?bool &$isQuoted = null): mixed
{
if (\in_array($scalar[$i], ['"', "'"], true)) {
// quoted scalar
@@ -353,11 +353,18 @@ class Inline
++$i;
// [foo, bar, ...]
$lastToken = null;
while ($i < $len) {
if (']' === $sequence[$i]) {
return $output;
}
if (',' === $sequence[$i] || ' ' === $sequence[$i]) {
if (',' === $sequence[$i] && (null === $lastToken || 'separator' === $lastToken)) {
$output[] = null;
} elseif (',' === $sequence[$i]) {
$lastToken = 'separator';
}
++$i;
continue;
@@ -401,6 +408,7 @@ class Inline
$output[] = $value;
$lastToken = 'value';
++$i;
}
@@ -556,7 +564,7 @@ class Inline
*
* @throws ParseException when object parsing support was disabled and the parser detected a PHP object or when a reference could not be resolved
*/
private static function evaluateScalar(string $scalar, int $flags, array &$references = [], bool &$isQuotedString = null): mixed
private static function evaluateScalar(string $scalar, int $flags, array &$references = [], ?bool &$isQuotedString = null): mixed
{
$isQuotedString = false;
$scalar = trim($scalar);
@@ -709,8 +717,13 @@ class Inline
case Parser::preg_match('/^(-|\+)?[0-9][0-9_]*(\.[0-9_]+)?$/', $scalar):
return (float) str_replace('_', '', $scalar);
case Parser::preg_match(self::getTimestampRegex(), $scalar):
// When no timezone is provided in the parsed date, YAML spec says we must assume UTC.
$time = new \DateTimeImmutable($scalar, new \DateTimeZone('UTC'));
try {
// When no timezone is provided in the parsed date, YAML spec says we must assume UTC.
$time = new \DateTimeImmutable($scalar, new \DateTimeZone('UTC'));
} catch (\Exception $e) {
// Some dates accepted by the regex are not valid dates.
throw new ParseException(\sprintf('The date "%s" could not be parsed as it is an invalid date.', $scalar), self::$parsedLineNumber + 1, $scalar, self::$parsedFilename, $e);
}
if (Yaml::PARSE_DATETIME & $flags) {
return $time;
@@ -724,7 +737,7 @@ class Inline
if (false !== $scalar = $time->getTimestamp()) {
return $scalar;
}
} catch (\ValueError) {
} catch (\DateRangeError|\ValueError) {
// no-op
}