Merge branch 'master' into 13920-validation-marks-valid-field-as-invalid

docs/guide-ru/runtime-bootstrapping.md

@@ -10,7 +10,7 @@
 
 В конструкторе приложения происходит следующий процесс предзагрузки:
 
-1. Вызывается метод [[yii\base\Application::preInit()|preInit()]], которые конфигурирует свойства приложения, имеющие
+1. Вызывается метод [[yii\base\Application::preInit()|preInit()]], который конфигурирует свойства приложения, имеющие
    наивысший приоритет, такие как [[yii\base\Application::basePath|basePath]];
 2. Регистрируется [[yii\base\Application::errorHandler|обработчик ошибок]];
 3. Происходит инициализация свойств приложения согласно заданной конфигурации;

docs/guide/security-best-practices.md

@@ -263,6 +263,12 @@ Further reading on the topic:
 - <https://owasp.org/www-community/SameSite>
 
 
+Avoiding arbitrary object instantiations
+----------------------------------------
+
+Yii [configurations](concept-configurations.md) are associative arrays used by the framework to instantiate new objects through `Yii::createObject($config)`. These arrays specify the class name for instantiation, and it is important to ensure that this class name does not originate from untrusted sources. Otherwise, it can lead to Unsafe Reflection, a vulnerability that allows the execution of malicious code by exploiting the loading of specific classes. Additionally, when you need to dynamically add keys to an object derived from a framework class, such as the base `Component` class, it's essential to validate these dynamic properties using a whitelist approach. This precaution is necessary because the framework might employ `Yii::createObject($config)` within the `__set()` magic method.
+
+
 Avoiding file exposure
 ----------------------
 

framework/BaseYii.php

@@ -93,7 +93,7 @@ class BaseYii
      */
     public static function getVersion()
     {
-        return '2.0.49-dev';
+        return '2.0.50-dev';
     }
 
     /**

framework/CHANGELOG.md

@@ -1,25 +1,34 @@
 Yii Framework 2 Change Log
 ==========================
 
-2.0.49 under development
+2.0.50 under development
 ------------------------
 
 - Bug #13920: Fixed erroneous validation for specific cases (tim-fischer-maschinensucher)
-- Bug #19911: Resolved inconsistency in `ActiveRecord::getAttributeLabel()` with regard of overriding in primary model labels for attributes of related model in favor of allowing such overriding for all levels of relation nesting (PowerGamer1)
+- Bug #19925: Improved PHP version check when handling MIME types (schmunk42)
-- Bug #19872: Fixed the definition of dirty attributes in AR properties for a non-associative array in case of changing the order of elements (eegusakov)
+- Bug #19940: File Log writer without newline (terabytesoftw)
-- Bug #19899: Fixed `GridView` in some cases calling `Model::generateAttributeLabel()` to generate label values that are never used (PowerGamer1)
+- Bug #19951: Removed unneeded MIME file tests (schmunk42)
+- Bug #19950: Fix `Query::groupBy(null)` causes error for PHP 8.1: `trim(): Passing null to parameter #1 ($string) of type string is deprecated` (uaoleg)
+
+
+2.0.49 August 29, 2023
+----------------------
+
 - Bug #9899: Fix caching a MSSQL query with BLOB data type (terabytesoftw)
 - Bug #16208: Fix `yii\log\FileTarget` to not export empty messages (terabytesoftw)
-- Bug #19857: Fix AttributeTypecastBehavior::resetOldAttributes() causes "class has no attribute named" InvalidArgumentException (uaoleg)
 - Bug #18859: Fix `yii\web\Controller::bindInjectedParams()` to not throw error when argument of `ReflectionUnionType` type is passed (bizley)
+- Bug #19857: Fix AttributeTypecastBehavior::resetOldAttributes() causes "class has no attribute named" InvalidArgumentException (uaoleg)
+- Bug #19868: Added whitespace sanitation for tests, due to updates in ICU 72 (schmunk42)
+- Bug #19872: Fixed the definition of dirty attributes in AR properties for a non-associative array in case of changing the order of elements (eegusakov)
+- Bug #19899: Fixed `GridView` in some cases calling `Model::generateAttributeLabel()` to generate label values that are never used (PowerGamer1)
+- Bug #19906: Fixed multiline strings in the `\yii\console\widgets\Table` widget (rhertogh)
+- Bug #19908: Fix associative array cell content rendering in Table widget (rhertogh)
+- Bug #19911: Resolved inconsistency in `ActiveRecord::getAttributeLabel()` with regard of overriding in primary model labels for attributes of related model in favor of allowing such overriding for all levels of relation nesting (PowerGamer1)
+- Bug #19914: Fixed `ArrayHelper::keyExists()` and  `::remove()` functions when the key is a float and the value is `null` (rhertogh)
+- Bug #19924: Fix `yii\i18n\Formatter` to not throw error `Unknown named parameter` under PHP 8 (arollmann)
 - Enh #19841: Allow jQuery 3.7 to be installed (wouter90)
 - Enh #19853: Added support for default value for `\yii\helpers\Console::select()` (rhertogh)
-- Bug #19868: Added whitespace sanitation for tests, due to updates in ICU 72 (schmunk42)
 - Enh #19884: Added support Enums in Query Builder (sk1t0n)
-- Bug #19908: Fix associative array cell content rendering in Table widget (rhertogh)
-- Bug #19906: Fixed multiline strings in the `\yii\console\widgets\Table` widget (rhertogh)
-- Bug #19924: Fix `yii\i18n\Formatter` to not throw error `Unknown named parameter` under PHP 8 (arollmann)
-- Bug #19914: Fixed `ArrayHelper::keyExists()` and  `::remove()` functions when the key is a float and the value is `null` (rhertogh)
 - Enh #19920: Broadened the accepted type of `Cookie::$expire` from `int` to `int|string|\DateTimeInterface|null` (rhertogh)
 
 

framework/db/BaseActiveRecord.php

@@ -1616,7 +1616,7 @@ abstract class BaseActiveRecord extends Model implements ActiveRecordInterface
      * - the label for 'relatedModel1.relatedModel2.attr' defined in [[attributeLabels()]] of this model;
      * - the label for 'relatedModel2.attr' defined in related model represented by relation 'relatedModel1' of this model;
      * - the label for 'attr' defined in related model represented by relation 'relatedModel2' of relation 'relatedModel1'.
-     * If no label definition was found then the value of $this->generateAttributeLabel('relatedModel1.relatedModel2.attr') will be returned.
+     *   If no label definition was found then the value of $this->generateAttributeLabel('relatedModel1.relatedModel2.attr') will be returned.
      * @param string $attribute the attribute name
      * @return string the attribute label
      * @see attributeLabels()

framework/db/Migration.php

@@ -311,7 +311,7 @@ class Migration extends Component implements MigrationInterface
      *
      * If a column is specified with definition only (e.g. 'PRIMARY KEY (name, type)'), it will be directly
      * put into the generated SQL.
-     * 
+     *
      * Example usage:
      * ```php
      * class m200000_000000_create_table_fruits extends \yii\db\Migration
@@ -319,10 +319,10 @@ class Migration extends Component implements MigrationInterface
      *     public function safeUp()
      *     {
      *          $this->createTable('{{%fruits}}', [
-     *              // ...              
+     *              // ...
      *              'column_name double precision null default null',
      * ```
-
+     *
      *
      * @param string $table the name of the table to be created. The name will be properly quoted by the method.
      * @param array $columns the columns (name => definition) in the new table.

framework/db/Query.php

@@ -1049,7 +1049,7 @@ PATTERN;
 
     /**
      * Sets the GROUP BY part of the query.
-     * @param string|array|ExpressionInterface $columns the columns to be grouped by.
+     * @param string|array|ExpressionInterface|null $columns the columns to be grouped by.
      * Columns can be specified in either a string (e.g. "id, name") or an array (e.g. ['id', 'name']).
      * The method will automatically quote the column names unless a column contains some parenthesis
      * (which means the column contains a DB expression).
@@ -1067,7 +1067,7 @@ PATTERN;
     {
         if ($columns instanceof ExpressionInterface) {
             $columns = [$columns];
-        } elseif (!is_array($columns)) {
+        } elseif (!is_array($columns) && !is_null($columns)) {
             $columns = preg_split('/\s*,\s*/', trim($columns), -1, PREG_SPLIT_NO_EMPTY);
         }
         $this->groupBy = $columns;

framework/helpers/mimeExtensions.php

@@ -299,6 +299,7 @@ return [
     'application/vnd.fuzzysheet' => 'fzs',
     'application/vnd.genomatix.tuxedo' => 'txd',
     'application/vnd.geogebra.file' => 'ggb',
+    'application/vnd.geogebra.slides' => 'ggs',
     'application/vnd.geogebra.tool' => 'ggt',
     'application/vnd.geometry-explorer' => [
         'gex',
@@ -655,6 +656,7 @@ return [
     ],
     'application/vnd.zzazz.deck+xml' => 'zaz',
     'application/voicexml+xml' => 'vxml',
+    'application/wasm' => 'wasm',
     'application/widget' => 'wgt',
     'application/winhlp' => 'hlp',
     'application/wsdl+xml' => 'wsdl',

framework/helpers/mimeTypes.php

@@ -282,6 +282,7 @@ $mimeTypes = [
     'geo' => 'application/vnd.dynageo',
     'gex' => 'application/vnd.geometry-explorer',
     'ggb' => 'application/vnd.geogebra.file',
+    'ggs' => 'application/vnd.geogebra.slides',
     'ggt' => 'application/vnd.geogebra.tool',
     'ghf' => 'application/vnd.groove-help',
     'gif' => 'image/gif',
@@ -887,6 +888,7 @@ $mimeTypes = [
     'vxml' => 'application/voicexml+xml',
     'w3d' => 'application/x-director',
     'wad' => 'application/x-doom',
+    'wasm' => 'application/wasm',
     'wav' => 'audio/x-wav',
     'wax' => 'audio/x-ms-wax',
     'wbmp' => 'image/vnd.wap.wbmp',
@@ -1001,7 +1003,8 @@ $mimeTypes = [
     'zmm' => 'application/vnd.handheld-entertainment+xml',
 ];
 
-if (PHP_VERSION_ID >= 80100) {
+# fix for bundled libmagic bug, see also https://github.com/yiisoft/yii2/issues/19925
+if ((PHP_VERSION_ID >= 80100 && PHP_VERSION_ID < 80122) || (PHP_VERSION_ID >= 80200 && PHP_VERSION_ID < 80209)) {
     $mimeTypes = array_replace($mimeTypes, array('xz' => 'application/octet-stream'));
 }
 

framework/log/FileTarget.php

@@ -130,12 +130,12 @@ class FileTarget extends Target
         if ($this->enableRotation && @filesize($this->logFile) > $this->maxFileSize * 1024) {
             $this->rotateFiles();
         }
-        $writeResult = @fwrite($fp, $trimmedText);
+        $writeResult = @fwrite($fp, $text);
         if ($writeResult === false) {
             $error = error_get_last();
             throw new LogRuntimeException("Unable to export log through file ({$this->logFile})!: {$error['message']}");
         }
-        $textSize = strlen($trimmedText);
+        $textSize = strlen($text);
         if ($writeResult < $textSize) {
             throw new LogRuntimeException("Unable to export whole log through file ({$this->logFile})! Wrote $writeResult out of $textSize bytes.");
         }

tests/framework/log/FileTargetTest.php

@@ -123,7 +123,19 @@ class FileTargetTest extends TestCase
         $logger->export();
 
         $test = file($logFile);
-        $this->assertEquals("xxx", $test[0]);
+        $this->assertEquals("xxx\n", $test[0]);
+
+        $this->clearLogFile($logFile);
+
+        $logger = new CustomLogger();
+        $logger->logFile = $logFile;
+        $logger->messages = array_fill(0, 3, 'xxx');
+        $logger->export();
+
+        $test = file($logFile);
+        $this->assertEquals("xxx\n", $test[0]);
+        $this->assertEquals("xxx\n", $test[1]);
+        $this->assertEquals("xxx\n", $test[2]);
 
         $this->clearLogFile($logFile);
 

tests/framework/validators/FileValidatorTest.php

@@ -546,7 +546,8 @@ class FileValidatorTest extends TestCase
             ['test.tar.xz', 'application/x-xz', 'tar.xz'],
         ]);
 
-        if (PHP_VERSION_ID >= 80100) {
+        # fix for bundled libmagic bug, see also https://github.com/yiisoft/yii2/issues/19925
+        if ((PHP_VERSION_ID >= 80100 && PHP_VERSION_ID < 80122) || (PHP_VERSION_ID >= 80200 && PHP_VERSION_ID < 80209)) {
             $v81_zx = ['test.tar.xz', 'application/octet-stream', 'tar.xz'];
             array_pop($validMimeTypes);
             $validMimeTypes[] = $v81_zx;