CVE-2024-32877, Fix Reflected XSS in Debug mode, CVE-2024-4990, Fix U…

…nsafe Reflection in base Component class
yiisoft · Jun 4, 2024 · 62d081f · 62d081f
1 parent b4045ba
commit 62d081f
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 6 deletions.
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
@@ -1,6 +1,13 @@
 Yii Framework 2 Change Log
 ==========================
 
+2.0.49.4 June 4, 2024
+---------------------
+
+- Bug: CVE-2024-32877, Fix Reflected XSS in Debug mode (Antiphishing)
+- Bug: CVE-2024-4990, Fix Unsafe Reflection in base Component class (@mtangoo)
+
+
 2.0.49.3 October 31, 2023
 -------------------------
 

diff --git a/framework/base/Component.php b/framework/base/Component.php
@@ -188,7 +188,15 @@ public function __set($name, $value)
         } elseif (strncmp($name, 'as ', 3) === 0) {
             // as behavior: attach behavior
             $name = trim(substr($name, 3));
-            $this->attachBehavior($name, $value instanceof Behavior ? $value : Yii::createObject($value));
+            if ($value instanceof Behavior) {
+                $this->attachBehavior($name, $value);
+            } elseif (isset($value['class']) && is_subclass_of($value['class'], 'yii\base\Behavior', true)) {
+                $this->attachBehavior($name, Yii::createObject($value));
+            } elseif (is_string($value) && is_subclass_of($value, 'yii\base\Behavior', true)) {
+                $this->attachBehavior($name, Yii::createObject($value));
+            } else {
+                throw new InvalidConfigException('Class is not of type yii\base\Behavior or its subclasses');
+            }
 
             return;
         }

diff --git a/framework/web/ErrorHandler.php b/framework/web/ErrorHandler.php
@@ -180,7 +180,7 @@ protected function convertExceptionToArray($exception)
      */
     public function htmlEncode($text)
     {
-        return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
+        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
     }
 
     /**

diff --git a/tests/framework/web/ErrorHandlerTest.php b/tests/framework/web/ErrorHandlerTest.php
@@ -85,19 +85,19 @@ public function dataHtmlEncode()
         return [
             [
                 "a \t=<>&\"'\x80`\n",
-                "a \t=&lt;&gt;&amp;\"'�`\n",
+                "a \t=&lt;&gt;&amp;&quot;&apos;�`\n",
             ],
             [
                 '<b>test</b>',
                 '&lt;b&gt;test&lt;/b&gt;',
             ],
             [
                 '"hello"',
-                '"hello"',
+                '&quot;hello&quot;',
             ],
             [
                 "'hello world'",
-                "'hello world'",
+                "&apos;hello world&apos;",
             ],
             [
                 'Chip&amp;Dale',
@@ -130,7 +130,7 @@ public function testHtmlEncodeWithUnicodeSequence()
         $handler = Yii::$app->getErrorHandler();
 
         $text = "a \t=<>&\"'\x80\u{20bd}`\u{000a}\u{000c}\u{0000}";
-        $expected = "a \t=&lt;&gt;&amp;\"'�₽`\n\u{000c}\u{0000}";
+        $expected = "a \t=&lt;&gt;&amp;&quot;&apos;�₽`\n\u{000c}\u{0000}";
 
         $this->assertSame($expected, $handler->htmlEncode($text));
     }