php/yii2
1
0
Fork 0
mirror of https://github.com/yiisoft/yii2.git synced 2025-10-29 17:48:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20243 from erickskrauch/fix_behaviors_attachment

Browse Source 
Fix restored vulnerability after #20232
This commit is contained in:
Stefano D. Mtangoo
2024-09-14 12:23:36 +03:00
committed by GitHub
parent 964fe57625 05a8fbee3e
commit 899a833b16
2 changed files with 34 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
framework/base/Component.php
View File

@ -190,7 +190,9 @@ class Component extends BaseObject
$name = trim(substr($name, 3));
if ($value instanceof Behavior) {
$this->attachBehavior($name, $value);
} elseif ((isset($value['class']) && is_subclass_of($value['class'], Behavior::class)) || (isset($value['__class']) && is_subclass_of($value['__class'], Behavior::class))) {
} elseif (isset($value['__class']) && is_subclass_of($value['__class'], Behavior::class)) {
$this->attachBehavior($name, Yii::createObject($value));
} elseif (!isset($value['__class']) && isset($value['class']) && is_subclass_of($value['class'], Behavior::class)) {
$this->attachBehavior($name, Yii::createObject($value));
} elseif (is_string($value) && is_subclass_of($value, Behavior::class, true)) {
$this->attachBehavior($name, Yii::createObject($value));

36
tests/framework/base/ComponentTest.php
View File

@ -10,6 +10,8 @@ namespace yiiunit\framework\base;
use yii\base\Behavior;
use yii\base\Component;
use yii\base\Event;
use yii\base\InvalidConfigException;
use yii\base\UnknownMethodException;
use yiiunit\TestCase;
function globalEventHandler($event)
@ -331,19 +333,39 @@ class ComponentTest extends TestCase
$this->assertSame($behavior, $component->detachBehavior('a'));
$this->assertFalse($component->hasProperty('p'));
$this->expectException('yii\base\UnknownMethodException');
$component->test();
try {
$component->test();
$this->fail('Expected exception ' . UnknownMethodException::class . " wasn't thrown");
} catch (UnknownMethodException $e) {
// Expected
}
$p = 'as b';
$component = new NewComponent();
$component->$p = ['class' => 'NewBehavior'];
$this->assertSame($behavior, $component->getBehavior('a'));
$component->{'as b'} = ['class' => NewBehavior::class];
$this->assertInstanceOf(NewBehavior::class, $component->getBehavior('b'));
$this->assertTrue($component->hasProperty('p'));
$component->test();
$this->assertTrue($component->behaviorCalled);
$component->{'as c'} = ['__class' => NewBehavior::class];
$this->assertNotNull($component->getBehavior('c'));
$component->{'as d'} = [
'__class' => NewBehavior2::class,
'class' => NewBehavior::class,
];
$this->assertInstanceOf(NewBehavior2::class, $component->getBehavior('d'));
// CVE-2024-4990
try {
$component->{'as e'} = [
'__class' => 'NotExistsBehavior',
'class' => NewBehavior::class,
];
$this->fail('Expected exception ' . InvalidConfigException::class . " wasn't thrown");
} catch (InvalidConfigException $e) {
$this->assertSame('Class is not of type yii\base\Behavior or its subclasses', $e->getMessage());
}
}
public function testAttachBehaviors()
@ -546,6 +568,10 @@ class NewBehavior extends Behavior
}
}
class NewBehavior2 extends Behavior
{
}
class NewComponent2 extends Component
{
public $a;