Merge pull request #488 from KnpLabs/fix/security-advisory-GHSA-92rv-…

…4j2h-8mjj

fix: security advisory GHSA-92rv-4j2h-8mjj

src/Knp/Snappy/AbstractGenerator.php

@@ -625,8 +625,13 @@ protected function executeCommand($command)
      */
     protected function prepareOutput($filename, $overwrite)
     {
-        if (\strpos($filename, 'phar://') === 0) {
-            throw new InvalidArgumentException('The output file cannot be a phar archive.');
+        if (false === $parsedFilename = \parse_url($filename)) {
+            throw new InvalidArgumentException('The output filename is invalid.');
+        }
+
+        $scheme = isset($parsedFilename['scheme']) ? \mb_strtolower($parsedFilename['scheme']) : '';
+        if ($scheme !== '' && $scheme !== 'file') {
+            throw new InvalidArgumentException(\sprintf('The output file scheme is not supported. Expected \'\' or \'file\' but got \'%s\'.', $scheme));
         }
 
         $directory = \dirname($filename);

tests/Knp/Snappy/AbstractGeneratorTest.php

@@ -965,6 +965,30 @@ public function testFailingGenerateWithOutputContainingPharPrefix(): void
         $media->generate('the_input_file', 'phar://the_output_file', ['foo' => 'bar']);
     }
 
+    public function testFailingGenerateWithOutputContainingUppercasePharPrefix(): void
+    {
+        $media = $this->getMockBuilder(AbstractGenerator::class)
+            ->setMethods([
+                'configure',
+                'prepareOutput',
+            ])
+            ->setConstructorArgs(['the_binary', [], ['PATH' => '/usr/bin']])
+            ->getMock()
+        ;
+
+        $media->setTimeout(2000);
+
+        $media
+            ->expects($this->once())
+            ->method('prepareOutput')
+            ->with($this->equalTo('PHAR://the_output_file'))
+        ;
+
+        $this->expectException(InvalidArgumentException::class);
+
+        $media->generate('the_input_file', 'PHAR://the_output_file', ['foo' => 'bar']);
+    }
+
     /**
      * @return null|string
      */