From a63b9236445fdd2292409f87d16ad34ac7181bde Mon Sep 17 00:00:00 2001 From: Woeler Date: Fri, 4 Oct 2019 13:53:12 +0200 Subject: [PATCH 1/9] Set version to 2.15.3 --- app/AppKernel.php | 6 +++--- app/version.txt | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/app/AppKernel.php b/app/AppKernel.php index 1a0147f2ebb..f402bda4311 100644 --- a/app/AppKernel.php +++ b/app/AppKernel.php @@ -34,14 +34,14 @@ class AppKernel extends Kernel * * @const integer */ - const MINOR_VERSION = 16; + const MINOR_VERSION = 15; /** * Patch version number. * * @const integer */ - const PATCH_VERSION = 0; + const PATCH_VERSION = 3; /** * Extra version identifier. @@ -51,7 +51,7 @@ class AppKernel extends Kernel * * @const string */ - const EXTRA_VERSION = '-dev'; + const EXTRA_VERSION = ''; /** * @var array diff --git a/app/version.txt b/app/version.txt index f9b87778ca2..6480dd5ed87 100644 --- a/app/version.txt +++ b/app/version.txt @@ -1 +1 @@ -2.16.0-dev +2.15.3 From 2c3a3152919882422d0f396e2e5ff38172185a04 Mon Sep 17 00:00:00 2001 From: Alan Hartless Date: Wed, 25 Sep 2019 08:53:59 -0500 Subject: [PATCH 2/9] Throw exception with objects in nested arrays --- app/bundles/CoreBundle/Helper/ClickthroughHelper.php | 4 ++-- .../Tests/unit/Helper/ClickthroughHelperTest.php | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/app/bundles/CoreBundle/Helper/ClickthroughHelper.php b/app/bundles/CoreBundle/Helper/ClickthroughHelper.php index a4ec4481e53..2a84d79d037 100644 --- a/app/bundles/CoreBundle/Helper/ClickthroughHelper.php +++ b/app/bundles/CoreBundle/Helper/ClickthroughHelper.php 
@@ -42,8 +42,8 @@ public static function decodeArrayFromUrl($string, $urlDecode = true)
 return [];
 }
- if (strpos(strtolower($decoded), 'a') !== 0) {
- throw new \InvalidArgumentException(sprintf('The string %s is not a serialized array.', $decoded));
+ if (stripos($decoded, 'a') !== 0 || stripos($decoded, 'o:') !== false) {
+ throw new \InvalidArgumentException(sprintf('The string %s is not a serialized array or contains an object.', $decoded));
 }
 return Serializer::decode($decoded);
diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php b/app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php
index adff89b9f79..6c79476987a 100644
--- a/app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php
+++ b/app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php
@@ -12,6 +12,7 @@
 namespace Mautic\CoreBundle\Tests\Helper;
 use Mautic\CoreBundle\Helper\ClickthroughHelper;
+use Symfony\Component\HttpFoundation\Request;
 class ClickthroughHelperTest extends \PHPUnit_Framework_TestCase
 {
@@ -22,6 +23,15 @@ public function testEncodingCanBeDecoded()
 $this->assertEquals($array, ClickthroughHelper::decodeArrayFromUrl(ClickthroughHelper::encodeArrayForUrl($array)));
 }
+ public function testObjectInArrayIsDetected()
+ {
+ $this->expectException(\InvalidArgumentException::class);
+
+ $array = ['foo' => new Request()];
+
+ $this->assertEquals($array, ClickthroughHelper::decodeArrayFromUrl(ClickthroughHelper::encodeArrayForUrl($array)));
+ }
+
 public function testOnlyArraysCanBeDecodedToPreventObjectWakeupVulnerability()
 {
 $this->expectException(\InvalidArgumentException::class);
From cf91540cd40093a8d7eb371f7f8356733ab1d33e Mon Sep 17 00:00:00 2001
From: Alan Hartless
Date: Wed, 25 Sep 2019 10:51:23 -0500
Subject: [PATCH 3/9] Move the object check into the Serialize class and added additional PHP specific testing
---
 .../CoreBundle/Helper/ClickthroughHelper.php | 4 ++--
 app/bundles/CoreBundle/Helper/Serializer.php | 4 ++++
 .../Tests/unit/Helper/ClickthroughHelperTest.php | 16 +++++++++++-----
 .../unit/Helper/TestResources/WakeupCall.php | 11 +++++++++++
 4 files changed, 28 insertions(+), 7 deletions(-)
 create mode 100644 app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php
diff --git a/app/bundles/CoreBundle/Helper/ClickthroughHelper.php b/app/bundles/CoreBundle/Helper/ClickthroughHelper.php
index 2a84d79d037..15ac849bde3 100644
--- a/app/bundles/CoreBundle/Helper/ClickthroughHelper.php
+++ b/app/bundles/CoreBundle/Helper/ClickthroughHelper.php
@@ -42,8 +42,8 @@ public static function decodeArrayFromUrl($string, $urlDecode = true)
 return [];
 }
- if (stripos($decoded, 'a') !== 0 || stripos($decoded, 'o:') !== false) {
- throw new \InvalidArgumentException(sprintf('The string %s is not a serialized array or contains an object.', $decoded));
+ if (stripos($decoded, 'a') !== 0) {
+ throw new \InvalidArgumentException(sprintf('The string %s is not a serialized array', $decoded));
 }
 return Serializer::decode($decoded);
diff --git a/app/bundles/CoreBundle/Helper/Serializer.php b/app/bundles/CoreBundle/Helper/Serializer.php
index e258bde4abd..673b0bb4e32 100644
--- a/app/bundles/CoreBundle/Helper/Serializer.php
+++ b/app/bundles/CoreBundle/Helper/Serializer.php
@@ -27,6 +27,10 @@ class Serializer
 public static function decode($serializedString, array $options = ['allowed_classes' => false])
 {
 if (version_compare(phpversion(), '7.0.0', '<')) {
+ if (stripos($serializedString, 'o:') !== false) {
+ throw new \InvalidArgumentException(sprintf('The string %s contains an object.', $serializedString));
+ }
+
 return unserialize($serializedString);
 }
diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php b/app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php index 6c79476987a..b95c72e78c8 100644 --- a/app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php +++ b/app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php @@ -9,10 +9,10 @@ * @license GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html */ -namespace Mautic\CoreBundle\Tests\Helper; +namespace Mautic\CoreBundle\Tests\Unit\Helper; use Mautic\CoreBundle\Helper\ClickthroughHelper; -use Symfony\Component\HttpFoundation\Request; +use Mautic\CoreBundle\Tests\Unit\Helper\TestResources\WakeupCall; class ClickthroughHelperTest extends \PHPUnit_Framework_TestCase { @@ -23,11 +23,17 @@ public function testEncodingCanBeDecoded() $this->assertEquals($array, ClickthroughHelper::decodeArrayFromUrl(ClickthroughHelper::encodeArrayForUrl($array))); } - public function testObjectInArrayIsDetected() + /** + * @covers \Mautic\CoreBundle\Helper\Serializer::decode + */ + public function testObjectInArrayIsDetectedOrIgnored() { - $this->expectException(\InvalidArgumentException::class); + if (version_compare(PHP_VERSION, '7.0', '<')) { + // PHP 5 + $this->expectException(\InvalidArgumentException::class); + } - $array = ['foo' => new Request()]; + $array = ['foo' => new WakeupCall()]; $this->assertEquals($array, ClickthroughHelper::decodeArrayFromUrl(ClickthroughHelper::encodeArrayForUrl($array))); } diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php b/app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php new file mode 100644 index 00000000000..4d69f5bc6ac --- /dev/null +++ b/app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php 
@@ -0,0 +1,11 @@ + Date: Fri, 4 Oct 2019 13:42:37 -0500 Subject: [PATCH 4/9] Fixed namespace for helper resource in tests for Jenkins --- .../CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php b/app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php index 4d69f5bc6ac..4d70d01d2d6 100644 --- a/app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php +++ b/app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php 
@@ -1,6 +1,6 @@ Date: Fri, 4 Oct 2019 14:00:13 -0500 Subject: [PATCH 5/9] Rename folders to pass tests in Jenkins --- .../Entity/CommonRepositoryTest.php | 2 +- .../IpLookupFactoryCest.php | 0 .../Tests/{unit => Unit}/Doctrine/ArrayTypeTest.php | 0 .../{unit => Unit}/Entity/CommonRepositoryTest.php | 0 .../Tests/{unit => Unit}/Entity/IpAddressTest.php | 0 .../Event/CustomTemplateEventTest.php | 0 .../EventListener/CommonStatSubscriberTest.php | 0 .../EventListener/RequestSubscriberTest.php | 0 .../Constraints/CircularDependencyValidatorTest.php | 0 .../Helper/AbstractFormFieldHelperTest.php | 0 .../Tests/{unit => Unit}/Helper/ArrayHelperTest.php | 0 .../{unit => Unit}/Helper/Chart/LineChartTest.php | 0 .../Tests/{unit => Unit}/Helper/ColorHelperTest.php | 0 .../Tests/{unit => Unit}/Helper/CsvHelperTest.php | 0 .../{unit => Unit}/Helper/DateTimeHelperTest.php | 0 .../{unit => Unit}/Helper/EncryptionHelperTest.php | 0 .../Tests/{unit => Unit}/Helper/FileHelperTest.php | 0 .../{unit => Unit}/Helper/FilePathResolverTest.php | 0 .../{unit => Unit}/Helper/FileUploaderTest.php | 0 .../Tests/{unit => Unit}/Helper/InputHelperTest.php | 0 .../{unit => Unit}/Helper/IpLookupHelperTest.php | 0 .../Helper/RandomHelper/RandomHelperTest.php | 0 .../Tests/{unit => Unit}/Helper/ThemeHelperTest.php | 0 .../Helper/TrailingSlashHelperTest.php | 0 .../Tests/{unit => Unit}/Helper/UrlHelperTest.php | 0 .../Tests/{unit => Unit}/Helper/themes/good.zip | Bin .../{unit => Unit}/Helper/themes/missing-config.zip | Bin .../Helper/themes/missing-feature.zip | Bin .../Helper/themes/missing-message.zip | Bin .../{unit => Unit}/IpLookup/ExtemeIpLookupTest.php | 0 .../{unit => Unit}/IpLookup/GeobytesLookupTest.php | 0 .../{unit => Unit}/IpLookup/GeoipsLookupTest.php | 0 .../{unit => Unit}/IpLookup/IpinfodbLookupTest.php | 0 .../{unit => Unit}/IpLookup/IpstackLookupTest.php | 0 .../IpLookup/MaxmindDownloadLookupTest.php | 0 .../{unit => Unit}/IpLookup/MaxmindLookupTest.php | 0 .../{unit => 
Unit}/IpLookup/TelizeLookupTest.php | 0 .../Templating/Helper/AssetsHelperTest.php | 0 .../Templating/Helper/ContentHelperTest.html.php | 0 .../Templating/Helper/DateHelperTest.php | 0 .../Templating/Helper/FormatterHelperTest.php | 0 .../Validator/FileUploadValidatorTest.php | 0 42 files changed, 1 insertion(+), 1 deletion(-) rename app/bundles/CoreBundle/Tests/{functional => Functional}/Entity/CommonRepositoryTest.php (93%) rename app/bundles/CoreBundle/Tests/{functional => Functional}/IpLookupFactoryCest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Doctrine/ArrayTypeTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Entity/CommonRepositoryTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Entity/IpAddressTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Event/CustomTemplateEventTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/EventListener/CommonStatSubscriberTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/EventListener/RequestSubscriberTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Form/Validator/Constraints/CircularDependencyValidatorTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/AbstractFormFieldHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/ArrayHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/Chart/LineChartTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/ColorHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/CsvHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/DateTimeHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/EncryptionHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/FileHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/FilePathResolverTest.php (100%) rename 
app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/FileUploaderTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/InputHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/IpLookupHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/RandomHelper/RandomHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/ThemeHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/TrailingSlashHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/UrlHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/themes/good.zip (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/themes/missing-config.zip (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/themes/missing-feature.zip (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/themes/missing-message.zip (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/IpLookup/ExtemeIpLookupTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/IpLookup/GeobytesLookupTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/IpLookup/GeoipsLookupTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/IpLookup/IpinfodbLookupTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/IpLookup/IpstackLookupTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/IpLookup/MaxmindDownloadLookupTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/IpLookup/MaxmindLookupTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/IpLookup/TelizeLookupTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Templating/Helper/AssetsHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Templating/Helper/ContentHelperTest.html.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Templating/Helper/DateHelperTest.php (100%) rename 
app/bundles/CoreBundle/Tests/{unit => Unit}/Templating/Helper/FormatterHelperTest.php (100%) rename app/bundles/CoreBundle/Tests/{unit => Unit}/Validator/FileUploadValidatorTest.php (100%) diff --git a/app/bundles/CoreBundle/Tests/functional/Entity/CommonRepositoryTest.php b/app/bundles/CoreBundle/Tests/Functional/Entity/CommonRepositoryTest.php similarity index 93% rename from app/bundles/CoreBundle/Tests/functional/Entity/CommonRepositoryTest.php rename to app/bundles/CoreBundle/Tests/Functional/Entity/CommonRepositoryTest.php index ac604b4c1c2..954307b9450 100644 --- a/app/bundles/CoreBundle/Tests/functional/Entity/CommonRepositoryTest.php +++ b/app/bundles/CoreBundle/Tests/Functional/Entity/CommonRepositoryTest.php @@ -9,7 +9,7 @@ * @license GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html */ -namespace Mautic\CoreBundle\Tests\functional\Entity; +namespace Mautic\CoreBundle\Tests\Functional\Entity; use Mautic\CoreBundle\Test\MauticMysqlTestCase; diff --git a/app/bundles/CoreBundle/Tests/functional/IpLookupFactoryCest.php b/app/bundles/CoreBundle/Tests/Functional/IpLookupFactoryCest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/functional/IpLookupFactoryCest.php rename to app/bundles/CoreBundle/Tests/Functional/IpLookupFactoryCest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Doctrine/ArrayTypeTest.php b/app/bundles/CoreBundle/Tests/Unit/Doctrine/ArrayTypeTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Doctrine/ArrayTypeTest.php rename to app/bundles/CoreBundle/Tests/Unit/Doctrine/ArrayTypeTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Entity/CommonRepositoryTest.php b/app/bundles/CoreBundle/Tests/Unit/Entity/CommonRepositoryTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Entity/CommonRepositoryTest.php rename to app/bundles/CoreBundle/Tests/Unit/Entity/CommonRepositoryTest.php 
diff --git a/app/bundles/CoreBundle/Tests/unit/Entity/IpAddressTest.php b/app/bundles/CoreBundle/Tests/Unit/Entity/IpAddressTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Entity/IpAddressTest.php rename to app/bundles/CoreBundle/Tests/Unit/Entity/IpAddressTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Event/CustomTemplateEventTest.php b/app/bundles/CoreBundle/Tests/Unit/Event/CustomTemplateEventTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Event/CustomTemplateEventTest.php rename to app/bundles/CoreBundle/Tests/Unit/Event/CustomTemplateEventTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/EventListener/CommonStatSubscriberTest.php b/app/bundles/CoreBundle/Tests/Unit/EventListener/CommonStatSubscriberTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/EventListener/CommonStatSubscriberTest.php rename to app/bundles/CoreBundle/Tests/Unit/EventListener/CommonStatSubscriberTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/EventListener/RequestSubscriberTest.php b/app/bundles/CoreBundle/Tests/Unit/EventListener/RequestSubscriberTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/EventListener/RequestSubscriberTest.php rename to app/bundles/CoreBundle/Tests/Unit/EventListener/RequestSubscriberTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Form/Validator/Constraints/CircularDependencyValidatorTest.php b/app/bundles/CoreBundle/Tests/Unit/Form/Validator/Constraints/CircularDependencyValidatorTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Form/Validator/Constraints/CircularDependencyValidatorTest.php rename to app/bundles/CoreBundle/Tests/Unit/Form/Validator/Constraints/CircularDependencyValidatorTest.php 
diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/AbstractFormFieldHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/AbstractFormFieldHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/AbstractFormFieldHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/AbstractFormFieldHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/ArrayHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/ArrayHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/ArrayHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/ArrayHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/Chart/LineChartTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/Chart/LineChartTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/Chart/LineChartTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/Chart/LineChartTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/ColorHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/ColorHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/ColorHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/ColorHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/CsvHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/CsvHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/CsvHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/CsvHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/DateTimeHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/DateTimeHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/DateTimeHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/DateTimeHelperTest.php 
diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/EncryptionHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/EncryptionHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/EncryptionHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/EncryptionHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/FileHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/FileHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/FileHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/FileHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/FilePathResolverTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/FilePathResolverTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/FilePathResolverTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/FilePathResolverTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/FileUploaderTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/FileUploaderTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/FileUploaderTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/FileUploaderTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/InputHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/InputHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/InputHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/InputHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/IpLookupHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/IpLookupHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/IpLookupHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/IpLookupHelperTest.php 
diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/RandomHelper/RandomHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/RandomHelper/RandomHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/RandomHelper/RandomHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/RandomHelper/RandomHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/ThemeHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/ThemeHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/ThemeHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/ThemeHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/TrailingSlashHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/TrailingSlashHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/TrailingSlashHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/TrailingSlashHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/UrlHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/UrlHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/UrlHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/UrlHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/themes/good.zip b/app/bundles/CoreBundle/Tests/Unit/Helper/themes/good.zip similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/themes/good.zip rename to app/bundles/CoreBundle/Tests/Unit/Helper/themes/good.zip diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/themes/missing-config.zip b/app/bundles/CoreBundle/Tests/Unit/Helper/themes/missing-config.zip similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/themes/missing-config.zip rename to app/bundles/CoreBundle/Tests/Unit/Helper/themes/missing-config.zip 
diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/themes/missing-feature.zip b/app/bundles/CoreBundle/Tests/Unit/Helper/themes/missing-feature.zip similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/themes/missing-feature.zip rename to app/bundles/CoreBundle/Tests/Unit/Helper/themes/missing-feature.zip diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/themes/missing-message.zip b/app/bundles/CoreBundle/Tests/Unit/Helper/themes/missing-message.zip similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Helper/themes/missing-message.zip rename to app/bundles/CoreBundle/Tests/Unit/Helper/themes/missing-message.zip diff --git a/app/bundles/CoreBundle/Tests/unit/IpLookup/ExtemeIpLookupTest.php b/app/bundles/CoreBundle/Tests/Unit/IpLookup/ExtemeIpLookupTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/IpLookup/ExtemeIpLookupTest.php rename to app/bundles/CoreBundle/Tests/Unit/IpLookup/ExtemeIpLookupTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/IpLookup/GeobytesLookupTest.php b/app/bundles/CoreBundle/Tests/Unit/IpLookup/GeobytesLookupTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/IpLookup/GeobytesLookupTest.php rename to app/bundles/CoreBundle/Tests/Unit/IpLookup/GeobytesLookupTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/IpLookup/GeoipsLookupTest.php b/app/bundles/CoreBundle/Tests/Unit/IpLookup/GeoipsLookupTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/IpLookup/GeoipsLookupTest.php rename to app/bundles/CoreBundle/Tests/Unit/IpLookup/GeoipsLookupTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/IpLookup/IpinfodbLookupTest.php b/app/bundles/CoreBundle/Tests/Unit/IpLookup/IpinfodbLookupTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/IpLookup/IpinfodbLookupTest.php rename to app/bundles/CoreBundle/Tests/Unit/IpLookup/IpinfodbLookupTest.php 
diff --git a/app/bundles/CoreBundle/Tests/unit/IpLookup/IpstackLookupTest.php b/app/bundles/CoreBundle/Tests/Unit/IpLookup/IpstackLookupTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/IpLookup/IpstackLookupTest.php rename to app/bundles/CoreBundle/Tests/Unit/IpLookup/IpstackLookupTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/IpLookup/MaxmindDownloadLookupTest.php b/app/bundles/CoreBundle/Tests/Unit/IpLookup/MaxmindDownloadLookupTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/IpLookup/MaxmindDownloadLookupTest.php rename to app/bundles/CoreBundle/Tests/Unit/IpLookup/MaxmindDownloadLookupTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/IpLookup/MaxmindLookupTest.php b/app/bundles/CoreBundle/Tests/Unit/IpLookup/MaxmindLookupTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/IpLookup/MaxmindLookupTest.php rename to app/bundles/CoreBundle/Tests/Unit/IpLookup/MaxmindLookupTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/IpLookup/TelizeLookupTest.php b/app/bundles/CoreBundle/Tests/Unit/IpLookup/TelizeLookupTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/IpLookup/TelizeLookupTest.php rename to app/bundles/CoreBundle/Tests/Unit/IpLookup/TelizeLookupTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Templating/Helper/AssetsHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Templating/Helper/AssetsHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Templating/Helper/AssetsHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Templating/Helper/AssetsHelperTest.php 
diff --git a/app/bundles/CoreBundle/Tests/unit/Templating/Helper/ContentHelperTest.html.php b/app/bundles/CoreBundle/Tests/Unit/Templating/Helper/ContentHelperTest.html.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Templating/Helper/ContentHelperTest.html.php rename to app/bundles/CoreBundle/Tests/Unit/Templating/Helper/ContentHelperTest.html.php diff --git a/app/bundles/CoreBundle/Tests/unit/Templating/Helper/DateHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Templating/Helper/DateHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Templating/Helper/DateHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Templating/Helper/DateHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Templating/Helper/FormatterHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Templating/Helper/FormatterHelperTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Templating/Helper/FormatterHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Templating/Helper/FormatterHelperTest.php diff --git a/app/bundles/CoreBundle/Tests/unit/Validator/FileUploadValidatorTest.php b/app/bundles/CoreBundle/Tests/Unit/Validator/FileUploadValidatorTest.php similarity index 100% rename from app/bundles/CoreBundle/Tests/unit/Validator/FileUploadValidatorTest.php rename to app/bundles/CoreBundle/Tests/Unit/Validator/FileUploadValidatorTest.php From 96ca8f80be4c719474eabf1bde0051598fcbd2a9 Mon Sep 17 00:00:00 2001 
From: Alan Hartless
Date: Fri, 4 Oct 2019 14:00:42 -0500
Subject: [PATCH 6/9] Throw exception regardless of version
---
 app/bundles/CoreBundle/Helper/Serializer.php | 10 ++++++----
 .../{unit => Unit}/Helper/ClickthroughHelperTest.php | 7 ++-----
 .../{unit => Unit}/Helper/TestResources/WakeupCall.php | 7 ++++++-
 3 files changed, 14 insertions(+), 10 deletions(-)
 rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/ClickthroughHelperTest.php (82%)
 rename app/bundles/CoreBundle/Tests/{unit => Unit}/Helper/TestResources/WakeupCall.php (52%)
diff --git a/app/bundles/CoreBundle/Helper/Serializer.php b/app/bundles/CoreBundle/Helper/Serializer.php
index 673b0bb4e32..b7b3feb987a 100644
--- a/app/bundles/CoreBundle/Helper/Serializer.php
+++ b/app/bundles/CoreBundle/Helper/Serializer.php
@@ -19,6 +19,8 @@ class Serializer
 * PHP <7 do not accept the second parameter, throw warning and return false so we have to handle it diffenetly.
 * This helper method is secure for PHP >= 7 by default and handle all PHP versions.
 *
+ * PHP does not recommend untrusted user input even with ['allowed_classes' => false]
+ *
 * @param string $serializedString
 * @param array $options
 *
@@ -26,11 +28,11 @@ class Serializer
 */
 public static function decode($serializedString, array $options = ['allowed_classes' => false])
 {
- if (version_compare(phpversion(), '7.0.0', '<')) {
- if (stripos($serializedString, 'o:') !== false) {
- throw new \InvalidArgumentException(sprintf('The string %s contains an object.', $serializedString));
- }
+ if (stripos($serializedString, 'o:') !== false) {
+ throw new \InvalidArgumentException(sprintf('The string %s contains an object.', $serializedString));
+ }
+ if (version_compare(phpversion(), '7.0.0', '<')) {
 return unserialize($serializedString);
 }
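Review bot: The `stripos($serializedString, 'o:') !== false` guard that decode() now applies on every PHP version is a bare substring match over the whole payload, so a legitimate string element that happens to contain `o:` (e.g. `s:8:"memo:123";`) is rejected, while on PHP 5 — the branch that cannot pass `allowed_classes` — a `C:`-encoded object (a class implementing `Serializable`) still reaches `unserialize()` unchecked. Matching the serializer's own tokens instead, `if (preg_match('/(?:^|;)[OC]:\d+:"/', $serializedString))`, narrows the false positives and catches the `C:` form, with the PHP 7 branch keeping `allowed_classes` as the real control. The `sprintf('The string %s contains an object.', $serializedString)` message also embeds the full untrusted payload, which then lands in logs and error pages; truncate it (`substr($serializedString, 0, 64)`) or leave it out of the message. The PHP 7 branch of decode() that follows `return unserialize($serializedString);` is outside this hunk.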
diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php b/app/bundles/CoreBundle/Tests/Unit/Helper/ClickthroughHelperTest.php similarity index 82% rename from app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/ClickthroughHelperTest.php index b95c72e78c8..6018154220d 100644 --- a/app/bundles/CoreBundle/Tests/unit/Helper/ClickthroughHelperTest.php +++ b/app/bundles/CoreBundle/Tests/Unit/Helper/ClickthroughHelperTest.php @@ -28,14 +28,11 @@ public function testEncodingCanBeDecoded() */ public function testObjectInArrayIsDetectedOrIgnored() { - if (version_compare(PHP_VERSION, '7.0', '<')) { - // PHP 5 - $this->expectException(\InvalidArgumentException::class); - } + $this->expectException(\InvalidArgumentException::class); $array = ['foo' => new WakeupCall()]; - $this->assertEquals($array, ClickthroughHelper::decodeArrayFromUrl(ClickthroughHelper::encodeArrayForUrl($array))); + ClickthroughHelper::decodeArrayFromUrl(ClickthroughHelper::encodeArrayForUrl($array)); } public function testOnlyArraysCanBeDecodedToPreventObjectWakeupVulnerability() diff --git a/app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php b/app/bundles/CoreBundle/Tests/Unit/Helper/TestResources/WakeupCall.php similarity index 52% rename from app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php rename to app/bundles/CoreBundle/Tests/Unit/Helper/TestResources/WakeupCall.php index 4d70d01d2d6..ae5c4bd5b3c 100644 --- a/app/bundles/CoreBundle/Tests/unit/Helper/TestResources/WakeupCall.php +++ b/app/bundles/CoreBundle/Tests/Unit/Helper/TestResources/WakeupCall.php @@ -1,6 +1,6 @@ Date: Fri, 4 Oct 2019 14:07:44 -0500 Subject: [PATCH 7/9] unserialize is safe from the email queue command --- app/bundles/EmailBundle/Command/ProcessEmailQueueCommand.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
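Review bot: `testObjectInArrayIsDetectedOrIgnored()` now unconditionally calls `$this->expectException(\InvalidArgumentException::class)`, so the "OrIgnored" half of the name describes behaviour that no longer exists; rename it to `testObjectInArrayIsRejected()` so a failing build reads correctly. The test also only places the object one level deep; a sibling case with the object inside a nested array, `['a' => ['b' => new WakeupCall()]]`, would pin the nested-array case that patch 2's subject line names. The class header and the remaining tests are outside this hunk.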
diff --git a/app/bundles/EmailBundle/Command/ProcessEmailQueueCommand.php b/app/bundles/EmailBundle/Command/ProcessEmailQueueCommand.php
index 34d8a1dc7d5..54f7c3d370a 100644
--- a/app/bundles/EmailBundle/Command/ProcessEmailQueueCommand.php
+++ b/app/bundles/EmailBundle/Command/ProcessEmailQueueCommand.php
@@ -12,7 +12,6 @@
 namespace Mautic\EmailBundle\Command;
 use Mautic\CoreBundle\Command\ModeratedCommand;
-use Mautic\CoreBundle\Helper\Serializer;
 use Mautic\EmailBundle\EmailEvents;
 use Mautic\EmailBundle\Event\QueueEmailEvent;
 use Symfony\Component\Console\Input\ArrayInput;
@@ -103,7 +102,7 @@ protected function execute(InputInterface $input, OutputInterface $output)
 $tmpFilename .= '.finalretry';
 rename($failedFile, $tmpFilename);
- $message = Serializer::decode(file_get_contents($tmpFilename), ['allowed_classes' => true]);
+ $message = unserialize(file_get_contents($tmpFilename));
 if ($message !== false && is_object($message) && get_class($message) === 'Swift_Message') {
 $tryAgain = false;
 if ($dispatcher->hasListeners(EmailEvents::EMAIL_RESEND)) {
From 4ca6049ccb1bc9c1e09998e1c61edeb678c8c346 Mon Sep 17 00:00:00 2001
From: Alan Hartless
Date: Mon, 7 Oct 2019 19:30:08 -0500
Subject: [PATCH 8/9] unserialize is safe for user session management
---
 app/bundles/UserBundle/Entity/User.php | 3 +--
 .../UserBundle/Security/Authentication/Token/PluginToken.php | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/app/bundles/UserBundle/Entity/User.php b/app/bundles/UserBundle/Entity/User.php
index fb62d5e495e..31ebb7936de 100644
--- a/app/bundles/UserBundle/Entity/User.php
+++ b/app/bundles/UserBundle/Entity/User.php
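Review bot: The new bare `unserialize(file_get_contents($tmpFilename))` is only as safe as the spool directory: anyone who can drop a `.finalretry` file there now gets arbitrary object instantiation, and the `get_class($message) === 'Swift_Message'` test on the following line runs after `__wakeup` of whatever class was in the file has already executed (and `__destruct` will run when the value is discarded), so it is not a guard. That trust assumption deserves a comment at the call site, e.g. `// Spool files are written by this application's own serialize() of Swift_Message; the directory permissions, not this check, are the trust boundary.`. An `allowed_classes` allowlist is presumably impractical because Swift_Message nests many Swift_* classes, which is likely why the option was dropped — worth stating in the commit message rather than just "is safe". `execute()` starts and ends outside this hunk.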
@@ -15,7 +15,6 @@
 use Mautic\ApiBundle\Serializer\Driver\ApiMetadataDriver;
 use Mautic\CoreBundle\Doctrine\Mapping\ClassMetadataBuilder;
 use Mautic\CoreBundle\Entity\FormEntity;
-use Mautic\CoreBundle\Helper\Serializer;
 use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
 use Symfony\Component\Form\Form;
 use Symfony\Component\Security\Core\User\AdvancedUserInterface;
@@ -467,7 +466,7 @@ public function unserialize($serialized)
 $this->username,
 $this->password,
 $published
- ) = Serializer::decode($serialized);
+ ) = unserialize($serialized);
 $this->setIsPublished($published);
 }
diff --git a/app/bundles/UserBundle/Security/Authentication/Token/PluginToken.php b/app/bundles/UserBundle/Security/Authentication/Token/PluginToken.php
index cd6605d83d6..aedb40e306b 100644
--- a/app/bundles/UserBundle/Security/Authentication/Token/PluginToken.php
+++ b/app/bundles/UserBundle/Security/Authentication/Token/PluginToken.php
@@ -11,7 +11,6 @@
 namespace Mautic\UserBundle\Security\Authentication\Token;
-use Mautic\CoreBundle\Helper\Serializer;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
@@ -113,7 +112,7 @@ public function serialize()
 */
 public function unserialize($serialized)
 {
- list($this->authenticatingService, $this->credentials, $this->providerKey, $parentStr) = Serializer::decode($serialized);
+ list($this->authenticatingService, $this->credentials, $this->providerKey, $parentStr) = unserialize($serialized);
 parent::unserialize($parentStr);
 }
 }
From 3ac29015aff6794d78dfcfed99b129cfbf5ae471 Mon Sep 17 00:00:00 2001
From: Woeler
Date: Tue, 8 Oct 2019 19:19:54 +0200
Subject: [PATCH 9/9] Bump version
---
 app/AppKernel.php | 6 +++---
 app/version.txt | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/AppKernel.php b/app/AppKernel.php
index f402bda4311..1a0147f2ebb 100644
--- a/app/AppKernel.php
+++ b/app/AppKernel.php
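Review bot: `) = unserialize($serialized);` in User::unserialize() silently assigns null to `$this->username`, `$this->password` and `$published` when `unserialize()` returns false on a corrupt or tampered session payload, and `$this->setIsPublished($published)` on the next line then runs with null; an explicit `$data = unserialize($serialized); if (!is_array($data)) { throw new \UnexpectedValueException('Invalid serialized user'); }` before the destructuring turns that into a visible failure. The "is safe" claim in the commit title rests on session payloads being produced by this class's own serialize() and stored server-side; a one-line comment saying so (`// Session data is written by serialize() above; the session storage backend is the trust boundary`) keeps a later maintainer from pointing this at request data. The same two points apply to PluginToken::unserialize() in the following hunk, where `$parentStr` is passed straight on to `parent::unserialize()`. The head of the `list(` assignment and the method signature are above this hunk.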
@@ -34,14 +34,14 @@ class AppKernel extends Kernel * * @const integer */ - const MINOR_VERSION = 15; + const MINOR_VERSION = 16; /** * Patch version number. * * @const integer */ - const PATCH_VERSION = 3; + const PATCH_VERSION = 0; /** * Extra version identifier. @@ -51,7 +51,7 @@ class AppKernel extends Kernel * * @const string */ - const EXTRA_VERSION = ''; + const EXTRA_VERSION = '-dev'; /** * @var array diff --git a/app/version.txt b/app/version.txt index 6480dd5ed87..f9b87778ca2 100644 --- a/app/version.txt +++ b/app/version.txt @@ -1 +1 @@ -2.15.3 +2.16.0-dev