Merge branch '4.11' into fix-logout-handler

calendar-bundle/src/Resources/contao/modules/ModuleEventReader.php

@@ -308,7 +308,7 @@ protected function compile()
 			$figureBuilder
 				->setSize($imgSize)
 				->setMetadata($objEvent->getOverwriteMetadata())
-				->enableLightbox($objEvent->fullsize)
+				->enableLightbox((bool) $objEvent->fullsize)
 				->build()
 				->applyLegacyTemplateData($objTemplate, $objEvent->imagemargin, $objEvent->floating);
 		}

calendar-bundle/src/Resources/contao/modules/ModuleEventlist.php

@@ -368,7 +368,7 @@ protected function compile()
 				$figure = $figureBuilder
 					->setSize($imgSize)
 					->setMetadata($eventModel->getOverwriteMetadata())
-					->enableLightbox($eventModel->fullsize)
+					->enableLightbox((bool) $eventModel->fullsize)
 					->build();
 
 				// Rebuild with link to event if none is set

core-bundle/src/DependencyInjection/ContaoCoreExtension.php

@@ -185,7 +185,11 @@ private function setPredefinedImageSizes(array $config, ContainerBuilder $contai
             }
 
             if (isset($config['image']['sizes']['_defaults'])) {
-                $value = array_merge($config['image']['sizes']['_defaults'], $value);
+                // Make sure that arrays defined under _defaults will take precedence over empty arrays (see #2783)
+                $value = array_merge(
+                    $config['image']['sizes']['_defaults'],
+                    array_filter($value, static function ($v) { return !\is_array($v) || !empty($v); })
+                );
             }
 
             $imageSizes['_'.$name] = $this->camelizeKeys($value);

core-bundle/src/EventListener/MakeResponsePrivateListener.php

@@ -39,7 +39,7 @@ public function __construct(ScopeMatcher $scopeMatcher)
      * Make sure that the current response becomes a private response if any
      * of the following conditions are true.
      *
-     *   1. An Authorization header is present
+     *   1. An Authorization header is present and not empty
      *   2. The session was started
      *   3. The response sets a cookie (same reason as 2 but for other cookies than the session cookie)
      *   4. The response has a "Vary: Cookie" header and the request provides at least one cookie
@@ -64,8 +64,8 @@ public function __invoke(ResponseEvent $event): void
             return;
         }
 
-        // 1) An Authorization header is present
-        if ($request->headers->has('Authorization')) {
+        // 1) An Authorization header is present and not empty
+        if ('' !== (string) $request->headers->get('Authorization')) {
             $this->makePrivate($response, 'authorization');
 
             return;

core-bundle/src/Repository/RememberMeRepository.php

@@ -15,6 +15,7 @@
 use Contao\CoreBundle\Entity\RememberMe;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Types\Types;
 use Symfony\Bridge\Doctrine\ManagerRegistry;
 
 /**
@@ -61,7 +62,7 @@ public function findBySeries(string $series): array
                 )
             )
             ->setParameter('series', $series)
-            ->setParameter('now', new \DateTime())
+            ->setParameter('now', new \DateTime(), Types::DATETIME_MUTABLE)
             ->orderBy('rm.expires', 'ASC')
         ;
 

core-bundle/src/Resources/contao/classes/Backend.php

@@ -894,7 +894,7 @@ public static function addPagesBreadcrumb($strKey='tl_page_node')
 		$arrLinks = array_reverse($arrLinks);
 
 		// Insert breadcrumb menu
-		$GLOBALS['TL_DCA']['tl_page']['list']['sorting']['breadcrumb'] .= '
+		$GLOBALS['TL_DCA']['tl_page']['list']['sorting']['breadcrumb'] = ($GLOBALS['TL_DCA']['tl_page']['list']['sorting']['breadcrumb'] ?? '') . '
 
 <nav aria-label="' . $GLOBALS['TL_LANG']['MSC']['breadcrumbMenu'] . '">
   <ul id="tl_breadcrumb">
@@ -1068,7 +1068,7 @@ public static function addFilesBreadcrumb($strKey='tl_files_node')
 		$GLOBALS['TL_DCA']['tl_files']['list']['sorting']['root'] = array($strNode);
 
 		// Insert breadcrumb menu
-		$GLOBALS['TL_DCA']['tl_files']['list']['sorting']['breadcrumb'] .= '
+		$GLOBALS['TL_DCA']['tl_files']['list']['sorting']['breadcrumb'] = ($GLOBALS['TL_DCA']['tl_files']['list']['sorting']['breadcrumb'] ?? '') . '
 
 <nav aria-label="' . $GLOBALS['TL_LANG']['MSC']['breadcrumbMenu'] . '">
   <ul id="tl_breadcrumb">

core-bundle/src/Resources/contao/drivers/DC_Folder.php

@@ -17,6 +17,7 @@
 use Contao\CoreBundle\Twig\FailTolerantFilesystemLoader;
 use Contao\CoreBundle\Util\SymlinkUtil;
 use Contao\Image\ResizeConfiguration;
+use Doctrine\DBAL\Exception\DriverException;
 use Imagine\Exception\RuntimeException;
 use Imagine\Gd\Imagine;
 use Symfony\Component\Filesystem\Filesystem;
@@ -317,75 +318,78 @@ public function showAll()
 		// Limit the results by modifying $this->arrFilemounts
 		if ((string) $for !== '')
 		{
-			// Wrap in a try catch block in case the regular expression is invalid (see #7743)
 			try
 			{
-				$strPattern = "CAST(name AS CHAR) REGEXP ?";
+				$this->Database->prepare("SELECT '' REGEXP ?")->execute($for);
+			}
+			catch (DriverException $exception)
+			{
+				// Quote search string if it is not a valid regular expression
+				$for = preg_quote($for);
+			}
 
-				if (substr(Config::get('dbCollation'), -3) == '_ci')
-				{
-					$strPattern = "LOWER(CAST(name AS CHAR)) REGEXP LOWER(?)";
-				}
+			$strPattern = "CAST(name AS CHAR) REGEXP ?";
 
-				if (isset($GLOBALS['TL_DCA'][$this->strTable]['fields']['name']['foreignKey']))
-				{
-					list($t, $f) = explode('.', $GLOBALS['TL_DCA'][$this->strTable]['fields']['name']['foreignKey']);
+			if (substr(Config::get('dbCollation'), -3) == '_ci')
+			{
+				$strPattern = "LOWER(CAST(name AS CHAR)) REGEXP LOWER(?)";
+			}
 
-					$objRoot = $this->Database->prepare("SELECT path, type, extension FROM " . $this->strTable . " WHERE (" . $strPattern . " OR " . sprintf($strPattern, "(SELECT " . Database::quoteIdentifier($f) . " FROM $t WHERE $t.id=" . $this->strTable . ".name)") . ")")
-											  ->execute($for, $for);
-				}
-				else
-				{
-					$objRoot = $this->Database->prepare("SELECT path, type, extension FROM " . $this->strTable . " WHERE " . $strPattern)
-											  ->execute($for);
-				}
+			if (isset($GLOBALS['TL_DCA'][$this->strTable]['fields']['name']['foreignKey']))
+			{
+				list($t, $f) = explode('.', $GLOBALS['TL_DCA'][$this->strTable]['fields']['name']['foreignKey']);
 
-				if ($objRoot->numRows < 1)
-				{
-					$this->arrFilemounts = array();
-				}
-				else
-				{
-					$arrRoot = array();
+				$objRoot = $this->Database->prepare("SELECT path, type, extension FROM " . $this->strTable . " WHERE (" . $strPattern . " OR " . sprintf($strPattern, "(SELECT " . Database::quoteIdentifier($f) . " FROM $t WHERE $t.id=" . $this->strTable . ".name)") . ")")
+										  ->execute($for, $for);
+			}
+			else
+			{
+				$objRoot = $this->Database->prepare("SELECT path, type, extension FROM " . $this->strTable . " WHERE " . $strPattern)
+										  ->execute($for);
+			}
+
+			if ($objRoot->numRows < 1)
+			{
+				$this->arrFilemounts = array();
+			}
+			else
+			{
+				$arrRoot = array();
 
-					// Respect existing limitations (root IDs)
-					if (\is_array($GLOBALS['TL_DCA'][$this->strTable]['list']['sorting']['root'] ?? null))
+				// Respect existing limitations (root IDs)
+				if (\is_array($GLOBALS['TL_DCA'][$this->strTable]['list']['sorting']['root'] ?? null))
+				{
+					while ($objRoot->next())
 					{
-						while ($objRoot->next())
+						foreach ($GLOBALS['TL_DCA'][$this->strTable]['list']['sorting']['root'] as $root)
 						{
-							foreach ($GLOBALS['TL_DCA'][$this->strTable]['list']['sorting']['root'] as $root)
+							if (strncmp($root . '/', $objRoot->path . '/', \strlen($root) + 1) === 0)
 							{
-								if (strncmp($root . '/', $objRoot->path . '/', \strlen($root) + 1) === 0)
+								if ($objRoot->type == 'folder' || empty($this->arrValidFileTypes) || \in_array($objRoot->extension, $this->arrValidFileTypes))
 								{
-									if ($objRoot->type == 'folder' || empty($this->arrValidFileTypes) || \in_array($objRoot->extension, $this->arrValidFileTypes))
-									{
-										$arrFound[] = $objRoot->path;
-									}
-
-									$arrRoot[] = ($objRoot->type == 'folder') ? $objRoot->path : \dirname($objRoot->path);
-									continue 2;
+									$arrFound[] = $objRoot->path;
 								}
+
+								$arrRoot[] = ($objRoot->type == 'folder') ? $objRoot->path : \dirname($objRoot->path);
+								continue 2;
 							}
 						}
 					}
-					else
+				}
+				else
+				{
+					while ($objRoot->next())
 					{
-						while ($objRoot->next())
+						if ($objRoot->type == 'folder' || empty($this->arrValidFileTypes) || \in_array($objRoot->extension, $this->arrValidFileTypes))
 						{
-							if ($objRoot->type == 'folder' || empty($this->arrValidFileTypes) || \in_array($objRoot->extension, $this->arrValidFileTypes))
-							{
-								$arrFound[] = $objRoot->path;
-							}
-
-							$arrRoot[] = ($objRoot->type == 'folder') ? $objRoot->path : \dirname($objRoot->path);
+							$arrFound[] = $objRoot->path;
 						}
-					}
 
-					$this->arrFilemounts = $this->eliminateNestedPaths(array_unique($arrRoot));
+						$arrRoot[] = ($objRoot->type == 'folder') ? $objRoot->path : \dirname($objRoot->path);
+					}
 				}
-			}
-			catch (\Exception $e)
-			{
+
+				$this->arrFilemounts = $this->eliminateNestedPaths(array_unique($arrRoot));
 			}
 		}
 
@@ -2915,21 +2919,6 @@ protected function searchMenu()
 		{
 			$strKeyword = ltrim(Input::postRaw('tl_value'), '*');
 
-			// Make sure the regular expression is valid
-			if ($strKeyword)
-			{
-				try
-				{
-					$this->Database->prepare("SELECT * FROM " . $this->strTable . " WHERE name REGEXP ?")
-								   ->limit(1)
-								   ->execute($strKeyword);
-				}
-				catch (\Exception $e)
-				{
-					$strKeyword = '';
-				}
-			}
-
 			$session['search'][$this->strTable]['value'] = $strKeyword;
 
 			$objSessionBag->replace($session);
@@ -2938,6 +2927,18 @@ protected function searchMenu()
 		// Set the search value from the session
 		elseif (isset($session['search'][$this->strTable]['value']) && (string) $session['search'][$this->strTable]['value'] !== '')
 		{
+			$searchValue = $session['search'][$this->strTable]['value'];
+
+			try
+			{
+				$this->Database->prepare("SELECT '' REGEXP ?")->execute($searchValue);
+			}
+			catch (DriverException $exception)
+			{
+				// Quote search string if it is not a valid regular expression
+				$searchValue = preg_quote($searchValue);
+			}
+
 			$strPattern = "CAST(name AS CHAR) REGEXP ?";
 
 			if (substr(Config::get('dbCollation'), -3) == '_ci')
@@ -2949,14 +2950,14 @@ protected function searchMenu()
 			{
 				list($t, $f) = explode('.', $GLOBALS['TL_DCA'][$this->strTable]['fields']['name']['foreignKey']);
 				$this->procedure[] = "(" . $strPattern . " OR " . sprintf($strPattern, "(SELECT " . Database::quoteIdentifier($f) . " FROM $t WHERE $t.id=" . $this->strTable . ".name)") . ")";
-				$this->values[] = $session['search'][$this->strTable]['value'] ?? null;
+				$this->values[] = $searchValue;
 			}
 			else
 			{
 				$this->procedure[] = $strPattern;
 			}
 
-			$this->values[] = $session['search'][$this->strTable]['value'] ?? null;
+			$this->values[] = $searchValue;
 		}
 
 		$active = isset($session['search'][$this->strTable]['value']) && (string) $session['search'][$this->strTable]['value'] !== '';

core-bundle/src/Resources/contao/drivers/DC_Table.php

@@ -14,6 +14,7 @@
 use Contao\CoreBundle\Exception\InternalServerErrorException;
 use Contao\CoreBundle\Exception\ResponseException;
 use Contao\CoreBundle\Picker\PickerInterface;
+use Doctrine\DBAL\Exception\DriverException;
 use Patchwork\Utf8;
 use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
 use Symfony\Component\HttpFoundation\Session\Session;
@@ -5187,21 +5188,6 @@ protected function searchMenu()
 				$strKeyword = '';
 			}
 
-			// Make sure the regular expression is valid
-			if ($strField && $strKeyword)
-			{
-				try
-				{
-					$this->Database->prepare("SELECT * FROM " . $this->strTable . " WHERE " . Database::quoteIdentifier($strField) . " REGEXP ?")
-								   ->limit(1)
-								   ->execute($strKeyword);
-				}
-				catch (\Exception $e)
-				{
-					$strKeyword = '';
-				}
-			}
-
 			$session['search'][$this->strTable]['field'] = $strField;
 			$session['search'][$this->strTable]['value'] = $strKeyword;
 
@@ -5211,27 +5197,65 @@ protected function searchMenu()
 		// Set the search value from the session
 		elseif (isset($session['search'][$this->strTable]['value']) && (string) $session['search'][$this->strTable]['value'] !== '')
 		{
-			$strPattern = "CAST(%s AS CHAR) REGEXP ?";
+			$searchValue = $session['search'][$this->strTable]['value'];
+			$fld = $session['search'][$this->strTable]['field'] ?? null;
 
-			if (substr(Config::get('dbCollation'), -3) == '_ci')
+			try
+			{
+				$this->Database->prepare("SELECT '' REGEXP ?")->execute($searchValue);
+			}
+			catch (DriverException $exception)
+			{
+				// Quote search string if it is not a valid regular expression
+				$searchValue = preg_quote($searchValue);
+			}
+
+			$strReplacePrefix = '';
+			$strReplaceSuffix = '';
+
+			// Decode HTML entities to make them searchable
+			if (empty($GLOBALS['TL_DCA'][$this->strTable]['fields'][$fld]['eval']['decodeEntities']))
 			{
-				$strPattern = "LOWER(CAST(%s AS CHAR)) REGEXP LOWER(?)";
+				$arrReplace = array(
+					'#' => '#',
+					'&#60;' => '<',
+					'&#62;' => '>',
+					'&lt;' => '<',
+					'&gt;' => '>',
+					'&#40;' => '(',
+					'&#41;' => ')',
+					'&#92;' => '\\\\',
+					'&#61;' => '=',
+					'&amp;' => '&',
+				);
+
+				$strReplacePrefix = str_repeat('REPLACE(', \count($arrReplace));
+
+				foreach ($arrReplace as $strSource => $strTarget)
+				{
+					$strReplaceSuffix .= ", '$strSource', '$strTarget')";
+				}
 			}
 
-			$fld = $session['search'][$this->strTable]['field'] ?? array();
+			$strPattern = "$strReplacePrefix CAST(%s AS CHAR) $strReplaceSuffix REGEXP ?";
+
+			if (substr(Config::get('dbCollation'), -3) == '_ci')
+			{
+				$strPattern = "$strReplacePrefix LOWER(CAST(%s AS CHAR)) $strReplaceSuffix REGEXP LOWER(?)";
+			}
 
 			if (isset($GLOBALS['TL_DCA'][$this->strTable]['fields'][$fld]['foreignKey']))
 			{
 				list($t, $f) = explode('.', $GLOBALS['TL_DCA'][$this->strTable]['fields'][$fld]['foreignKey'], 2);
 				$this->procedure[] = "(" . sprintf($strPattern, Database::quoteIdentifier($fld)) . " OR " . sprintf($strPattern, "(SELECT " . Database::quoteIdentifier($f) . " FROM $t WHERE $t.id=" . $this->strTable . "." . Database::quoteIdentifier($fld) . ")") . ")";
-				$this->values[] = $session['search'][$this->strTable]['value'] ?? null;
+				$this->values[] = $searchValue;
 			}
 			else
 			{
 				$this->procedure[] = sprintf($strPattern, Database::quoteIdentifier($fld));
 			}
 
-			$this->values[] = $session['search'][$this->strTable]['value'] ?? null;
+			$this->values[] = $searchValue;
 		}
 
 		$options_sorter = array();

core-bundle/src/Resources/contao/elements/ContentAccordion.php

@@ -45,7 +45,7 @@ protected function compile()
 			$figureBuilder
 				->setSize($this->size)
 				->setMetadata($this->objModel->getOverwriteMetadata())
-				->enableLightbox($this->fullsize)
+				->enableLightbox((bool) $this->fullsize)
 				->build()
 				->applyLegacyTemplateData($this->Template, $this->imagemargin, $this->floating);
 		}

core-bundle/src/Resources/contao/elements/ContentGallery.php

@@ -221,7 +221,7 @@ protected function compile()
 			->getFigureBuilder()
 			->setSize($this->size)
 			->setLightboxGroupIdentifier('lb' . $this->id)
-			->enableLightbox($this->fullsize);
+			->enableLightbox((bool) $this->fullsize);
 
 		// Rows
 		for ($i=$offset; $i<$limit; $i+=$this->perRow)