Merge branch 'support/2.7' into develop

# Conflicts:
#	README.md
#	composer.json
#	composer.lock
#	core/cmdbsource.class.inc.php
#	core/dbobject.class.php
#	datamodels/2.x/combodo-db-tools/db_analyzer.class.inc.php
#	datamodels/2.x/combodo-db-tools/dbtools.php
#	datamodels/2.x/combodo-db-tools/dictionaries/zh_cn.dict.combodo-db-tools.php
#	datamodels/2.x/itop-attachments/dictionaries/zh_cn.dict.itop-attachments.php
#	datamodels/2.x/itop-core-update/dictionaries/zh_cn.dict.itop-core-update.php
#	dictionaries/zh_cn.dictionary.itop.core.php
#	dictionaries/zh_cn.dictionary.itop.ui.php
#	lib/composer/InstalledVersions.php
#	lib/composer/autoload_classmap.php
#	lib/composer/autoload_static.php
#	lib/composer/installed.php
#	lib/composer/platform_check.php
#	pages/ajax.render.php
#	pages/csvimport.php
#	setup/ajax.dataloader.php
#	setup/index.php
#	setup/setuputils.class.inc.php
#	test/application/UtilsTest.php

lib/pear/archive_tar/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: [mrook]
+patreon: michielrook

lib/pear/archive_tar/.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "composer" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"

lib/pear/archive_tar/.github/workflows/build.yml

@@ -0,0 +1,41 @@
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      fail-fast: true
+      matrix:
+        operating-system: [ ubuntu-latest ]
+        php: [ '5.4', '5.5', '5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0' ]
+        dependencies: [ 'locked' ]
+
+    name: PHP ${{ matrix.php }} on ${{ matrix.operating-system }} with ${{ matrix.dependencies }} dependencies
+
+    steps:
+      - uses: actions/checkout@v2
+        name: Checkout repository
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+
+      - uses: ramsey/composer-install@v1
+        with:
+          dependency-versions: ${{ matrix.dependencies }}
+
+      - name: Install PEAR
+        run: |
+          sudo apt-get install php-pear
+
+      - name: Run tests
+        run: |
+          sudo pear install -f package.xml
+          pear version
+          pear run-tests -qr tests/ || cat run-tests.log
+          for i in `find tests/ -name '*.out'`; do echo "$i"; cat "$i"; done

lib/pear/archive_tar/Archive/Tar.php

@@ -1397,16 +1397,20 @@ class Archive_Tar extends PEAR
 
         $v_magic = 'ustar ';
         $v_version = ' ';
+        $v_uname = '';
+        $v_gname = '';
 
         if (function_exists('posix_getpwuid')) {
             $userinfo = posix_getpwuid($v_info[4]);
             $groupinfo = posix_getgrgid($v_info[5]);
 
-            $v_uname = $userinfo['name'];
-            $v_gname = $groupinfo['name'];
-        } else {
-            $v_uname = '';
-            $v_gname = '';
+            if (isset($userinfo['name'])) {
+                $v_uname = $userinfo['name'];
+            }
+
+            if (isset($groupinfo['name'])) {
+                $v_gname = $groupinfo['name'];
+            }
         }
 
         $v_devmajor = '';
@@ -1730,7 +1734,7 @@ class Archive_Tar extends PEAR
 
         // ----- Extract the properties
         $v_header['filename'] = rtrim($v_data['filename'], "\0");
-        if ($this->_maliciousFilename($v_header['filename'])) {
+        if ($this->_isMaliciousFilename($v_header['filename'])) {
             $this->_error(
                 'Malicious .tar detected, file "' . $v_header['filename'] .
                 '" will not install in desired directory tree'
@@ -1800,9 +1804,9 @@ class Archive_Tar extends PEAR
      *
      * @return bool
      */
-    private function _maliciousFilename($file)
+    private function _isMaliciousFilename($file)
     {
-        if (strpos($file, 'phar://') === 0) {
+        if (strpos($file, '://') !== false) {
             return true;
         }
         if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
@@ -1838,7 +1842,7 @@ class Archive_Tar extends PEAR
 
         $v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
         $v_header['filename'] = $v_filename;
-        if ($this->_maliciousFilename($v_filename)) {
+        if ($this->_isMaliciousFilename($v_filename)) {
             $this->_error(
                 'Malicious .tar detected, file "' . $v_filename .
                 '" will not install in desired directory tree'
@@ -2120,6 +2124,14 @@ class Archive_Tar extends PEAR
                             }
                         }
                     } elseif ($v_header['typeflag'] == "2") {
+                        if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+                            $this->_error(
+                                 'Out-of-path file extraction {'
+                                 . $v_header['filename'] . ' --> ' .
+                                 $v_header['link'] . '}'
+                            );
+                            return false;
+                        }
                         if (!$p_symlinks) {
                             $this->_warning('Symbolic links are not allowed. '
                                 . 'Unable to extract {'

lib/pear/archive_tar/package.xml

@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
   <email>stig@php.net</email>
   <active>no</active>
  </helper>
- <date>2020-09-15</date>
- <time>14:03:45</time>
+ <date>2021-01-18</date>
+ <time>19:29:56</time>
  <version>
-  <release>1.4.10</release>
+  <release>1.4.12</release>
   <api>1.4.0</api>
  </version>
  <stability>
@@ -44,8 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
  </stability>
  <license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
  <notes>
-* Fix block padding when the file buffer length is a multiple of 512 and smaller than Archive_Tar buffer length
-* Don't try to copy username/groupname in chroot jail
+* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]
  </notes>
  <contents>
   <dir name="/">
@@ -75,6 +74,37 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
  </dependencies>
  <phprelease />
  <changelog>
+  <release>
+   <version>
+    <release>1.4.11</release>
+    <api>1.4.0</api>
+   </version>
+   <stability>
+    <release>stable</release>
+    <api>stable</api>
+   </stability>
+   <date>2020-11-19</date>
+   <license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
+   <notes>
+* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949) [mrook]
+   </notes>
+  </release>
+  <release>
+    <version>
+     <release>1.4.10</release>
+     <api>1.4.0</api>
+    </version>
+    <stability>
+     <release>stable</release>
+     <api>stable</api>
+    </stability>
+    <date>2020-09-15</date>
+    <license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
+    <notes>
+ * Fix block padding when the file buffer length is a multiple of 512 and smaller than Archive_Tar buffer length
+ * Don&apos;t try to copy username/groupname in chroot jail
+    </notes>
+  </release>
   <release>
    <version>
     <release>1.4.9</release>

lib/pear/pear_exception/.gitignore

@@ -1,6 +0,0 @@
-PEAR_Exception*.tgz
-
-# composer related
-composer.lock
-composer.phar
-vendor

lib/pear/pear_exception/.travis.yml

@@ -1,7 +0,0 @@
-language: php
-php:
-  - 5.6
-  - 5.5
-  - 5.4
-script:
-  - cd tests && phpunit --coverage-text .

lib/pear/pear_exception/PEAR/Exception.php

@@ -142,7 +142,7 @@ class PEAR_Exception extends Exception
             $code = null;
             $this->cause = null;
         }
-        parent::__construct($message, $code);
+        parent::__construct($message, (int) $code);
         $this->signal();
     }
 

lib/pear/pear_exception/composer.json

@@ -18,7 +18,7 @@
         }
     ],
     "require": {
-        "php": ">=4.4.0"
+        "php": ">=5.2.0"
     },
     "autoload": {
         "classmap": ["PEAR/"]
@@ -36,6 +36,6 @@
         "source": "https://github.com/pear/PEAR_Exception"
     },
     "require-dev": {
-        "phpunit/phpunit": "*"
+        "phpunit/phpunit": "<9"
     }
 }

lib/pear/pear_exception/package.xml

@@ -1,120 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<package packagerversion="1.9.4" version="2.0"
- xmlns="http://pear.php.net/dtd/package-2.0"
- xmlns:tasks="http://pear.php.net/dtd/tasks-1.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://pear.php.net/dtd/tasks-1.0 http://pear.php.net/dtd/tasks-1.0.xsd http://pear.php.net/dtd/package-2.0 http://pear.php.net/dtd/package-2.0.xsd"
->
- <name>PEAR_Exception</name>
- <channel>pear.php.net</channel>
- <summary>The PEAR Exception base class</summary>
- <description>PEAR_Exception PHP5 error handling mechanism</description>
-
- <lead>
-  <name>Christian Weiske</name>
-  <user>cweiske</user>
-  <email>cweiske@php.net</email>
-  <active>yes</active>
- </lead>
- <lead>
-  <name>Helgi Thormar</name>
-  <user>dufuz</user>
-  <email>dufuz@php.net</email>
-  <active>no</active>
- </lead>
- <developer>
-  <name>Greg Beaver</name>
-  <user>cellog</user>
-  <email>cellog@php.net</email>
-  <active>no</active>
- </developer>
-
- <date>2015-02-10</date>
- <time>21:02:23</time>
- <version>
-  <release>1.0.0</release>
-  <api>1.0.0</api>
- </version>
- <stability>
-  <release>stable</release>
-  <api>stable</api>
- </stability>
- <license uri="http://opensource.org/licenses/bsd-license.php">New BSD License</license>
- <notes>
-  This package was split out from the PEAR package.
-  If you use PEAR_Exception in your package and use nothing from the PEAR package
-  then it's better to depend on just PEAR_Exception.
- </notes>
- <contents>
-  <dir  name="/">
-   <file name="/PEAR/Exception.php" role="php">
-    <tasks:replace from="@package_version@" to="version" type="package-info" />
-   </file>
-   <dir name="tests">
-    <dir name="PEAR">
-     <file name="ExceptionTest.php" role="test"/>
-    </dir>
-   </dir>
-  </dir>
- </contents>
-
- <dependencies>
-  <required>
-   <php>
-    <min>5.4.0</min>
-   </php>
-   <pearinstaller>
-    <min>1.9.5</min>
-   </pearinstaller>
-  </required>
- </dependencies>
-
- <phprelease />
-
- <changelog>
-  <release>
-   <version>
-    <release>1.0.0</release>
-    <api>1.0.0</api>
-   </version>
-   <stability>
-    <release>stable</release>
-    <api>stable</api>
-   </stability>
-   <date>2015-02-10</date>
-   <license uri="http://opensource.org/licenses/bsd-license.php">New BSD License</license>
-   <notes>Release stable version</notes>
-  </release>
-
-  <release>
-   <version>
-    <release>1.0.0beta2</release>
-    <api>1.0.0</api>
-   </version>
-   <stability>
-    <release>beta</release>
-    <api>stable</api>
-   </stability>
-   <date>2014-02-21</date>
-   <license uri="http://opensource.org/licenses/bsd-license.php">New BSD License</license>
-   <notes>Bump up PEAR dependency.</notes>
-  </release>
-
-  <release>
-   <version>
-    <release>1.0.0beta1</release>
-    <api>1.0.0</api>
-   </version>
-   <stability>
-    <release>beta</release>
-    <api>stable</api>
-   </stability>
-   <date>2012-05-10</date>
-   <license uri="http://opensource.org/licenses/bsd-license.php">New BSD License</license>
-   <notes>
-This packge was split out from the PEAR package. If you use PEAR_Exception in your package
-and use nothing from the PEAR package then it&apos;s better to depend on just PEAR_Exception.
-   </notes>
-  </release>
- </changelog>
-</package>