
Fix #20232: Fix regression introduced in GHSA-cjcc-p67m-7qxm while attaching behavior defined by __class array key #20232

Merged
merged 1 commit into from
Jul 25, 2024

Conversation

erickskrauch
Contributor

| Q | A |
| --- | --- |
| Is bugfix? | ✔️ |
| New feature? | |
| Breaks BC? | |
| Fixed issues | - |

Just spotted this problem after upgrading to the latest version to fix the CVE.

Context: configuration via Yii2::createObject() allows creating an object via a __class definition. But after the changes in 628d406, this option was forgotten. This PR restores the forgotten behavior.


codecov bot commented Jul 24, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.93%. Comparing base (633998b) to head (40fe496).

```
@@            Coverage Diff            @@
##             master   #20232   +/-   ##
=========================================
  Coverage     64.93%   64.93%
- Complexity    11389    11391    +2
=========================================
  Files           430      430
  Lines         36912    36912
=========================================
  Hits          23970    23970
  Misses        12942    12942
```


@samdark samdark added this to the 2.0.52 milestone Jul 25, 2024
@samdark samdark changed the title Fix behavior attachment with __class key Fix #20232: Fix regression introduced in GHSA-cjcc-p67m-7qxm while attaching behavior defined by __class array key Jul 25, 2024
@samdark samdark merged commit 6abe5bf into yiisoft:master Jul 25, 2024
81 of 85 checks passed
@rob006
Contributor

rob006 commented Jul 26, 2024

I'm afraid that this restores the vulnerability fixed in 628d406. Now you can pass a behavior as class and something else as __class, and it will pass validation while creating the object using the non-behavior class name passed as __class.

@erickskrauch
Contributor Author

Will it help if we swap the conditions so that __class is checked first and only then class?

@rob006
Contributor

rob006 commented Jul 26, 2024

Probably, but IMO it should not even check for class if __class is provided - Yii::createObject() works that way.

@erickskrauch
Contributor Author

Ok, I'll submit a new version tomorrow.
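The precedence rule rob006 describes, as a stand-alone illustration added here (this is not Yii's code and not the PR's diff): the validation resolves the class name exactly as Yii::createObject() would, so `__class` is honoured and `class` is ignored whenever `__class` is present. `Behavior` stands in for yii\base\Behavior and `AuditBehavior` is a constructed sample so the script runs without the framework.

```php
<?php
// Added example, not Yii's implementation. `Behavior` stands in for
// yii\base\Behavior; `AuditBehavior` is a constructed sample class.
class Behavior {}
class AuditBehavior extends Behavior {}

/**
 * Resolve the class a behavior config would actually instantiate, using the
 * same precedence as Yii::createObject(): `__class` wins, and `class` is only
 * consulted when `__class` is absent. Validating any other name would check
 * one class while instantiating another.
 */
function resolveBehaviorClass($config): ?string
{
    if (is_string($config)) {
        return $config;                     // plain class name
    }
    if (is_object($config)) {
        return get_class($config);          // already-instantiated behavior
    }
    if (is_array($config)) {
        if (isset($config['__class'])) {    // checked first; `class` is ignored
            return $config['__class'];
        }
        if (isset($config['class'])) {
            return $config['class'];
        }
    }
    return null;
}

/** Throw unless the class that would be created is Behavior or a subclass. */
function assertBehaviorConfig($config): void
{
    $class = resolveBehaviorClass($config);
    if ($class === null || !is_a($class, Behavior::class, true)) {
        throw new InvalidArgumentException('Not a behavior: ' . var_export($class, true));
    }
}

$cases = [
    'plain'    => AuditBehavior::class,
    '__class'  => ['__class' => AuditBehavior::class],
    'class'    => ['class' => AuditBehavior::class],
    // `class` names a behavior, but `__class` (what createObject() uses) does not
    'mismatch' => ['class' => AuditBehavior::class, '__class' => stdClass::class],
];
foreach ($cases as $name => $config) {
    try {
        assertBehaviorConfig($config);
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```

Only the `mismatch` case is rejected, which is the behaviour the second comment asks for: the presence of a valid `class` entry buys nothing once `__class` is set.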

erickskrauch added a commit to erickskrauch/yii2 that referenced this pull request Aug 14, 2024
mtangoo added a commit that referenced this pull request Sep 14, 2024