From b8fac55aa5cb7a3d514c7308378bb37bb711b25e Mon Sep 17 00:00:00 2001 From: oleibman <10341515+oleibman@users.noreply.github.com> Date: Wed, 25 Dec 2024 19:40:39 -0800 Subject: [PATCH] Backport Security Patches for Samples --- .github/workflows/main.yml | 1 + CHANGELOG.md | 3 ++- samples/Engineering/Convert-Online.php | 10 ++++++---- samples/Wizards/NumberFormat/Accounting.php | 9 ++++++--- samples/Wizards/NumberFormat/Currency.php | 9 ++++++--- src/PhpSpreadsheet/Helper/Downloader.php | 6 +++--- 6 files changed, 24 insertions(+), 14 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 417b97b323..efd1e23380 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -263,3 +263,4 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token with: bodyFile: release-body.txt + makeLatest: false diff --git a/CHANGELOG.md b/CHANGELOG.md index 07c1750ea3..15b63f9e86 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,8 @@ and this project adheres to [Semantic Versioning](https://semver.org). ### Fixed -- More context options may be needed for http(s) image. Backport of [PR #4276](https://github.com/PHPOffice/PhpSpreadsheet/pull/4276) +- More context options may be needed for http(s) image. Backport of [PR #4276](https://github.com/PHPOffice/PhpSpreadsheet/pull/4276) +- Backported security patches for Samples. ## 2024-12-08 - 2.3.4 diff --git a/samples/Engineering/Convert-Online.php b/samples/Engineering/Convert-Online.php index a923956b4d..bae13f778c 100644 --- a/samples/Engineering/Convert-Online.php +++ b/samples/Engineering/Convert-Online.php 
@@ -78,14 +78,16 @@
 $quantity = $_POST['quantity'];
 $fromUnit = $_POST['fromUnit'];
 $toUnit = $_POST['toUnit'];
- if (isset($units[$_POST['category']][$fromUnit], $units[$_POST['category']][$toUnit])) {
+ if (!is_numeric($quantity)) {
+ $helper->log('Quantity is not numeric');
+ } elseif (isset($units[$_POST['category']][$fromUnit], $units[$_POST['category']][$toUnit])) {
 /** @var float|string */
 $result = ConvertUOM::CONVERT($quantity, $fromUnit, $toUnit);
- echo "{$quantity} {$units[$_POST['category']][$fromUnit]} is {$result} {$units[$_POST['category']][$toUnit]}", PHP_EOL;
+ $helper->log("{$quantity} {$units[$_POST['category']][$fromUnit]} is {$result} {$units[$_POST['category']][$toUnit]}");
 } else {
- echo 'Please enter quantity and select From Unit and To Unit', PHP_EOL;
+ $helper->log('Please enter quantity and select From Unit and To Unit');
 }
 } else {
- echo 'Please enter quantity and select From Unit and To Unit', PHP_EOL;
+ $helper->log('Please enter quantity and select From Unit and To Unit');
 }
diff --git a/samples/Wizards/NumberFormat/Accounting.php b/samples/Wizards/NumberFormat/Accounting.php
index 0b87dd4812..2d13228f6e 100644
--- a/samples/Wizards/NumberFormat/Accounting.php
+++ b/samples/Wizards/NumberFormat/Accounting.php
@@ -85,6 +85,8 @@
 $helper->log('The Sample Number Value must be numeric');
 } elseif (!is_numeric($_POST['decimals']) || str_contains((string) $_POST['decimals'], '.') || (int) $_POST['decimals'] < 0) {
 $helper->log('The Decimal Places value must be positive integer');
+ } elseif (!in_array($_POST['currency'], array_keys($currencies), true)) {
+ $helper->log('Unrecognized currency symbol');
 } else {
 try {
 $wizard = new Wizard\Accounting($_POST['currency'], (int) $_POST['decimals'], isset($_POST['thousands']), (bool) $_POST['position'], (bool) $_POST['spacing']);
@@ -93,13 +95,14 @@
 $helper->log('
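Review bot: The new `is_numeric($quantity)` guard is what keeps the user-supplied quantity from being reflected unvalidated into the output line further down the hunk, but nothing in the code says so, and a later cleanup could drop it as redundant; suggest `// Reject non-numeric input before it is echoed back: $quantity is reflected verbatim in the log line below.` directly above the new `if`. Note that `is_numeric` still admits leading whitespace and exponent forms such as `1e3`, which CONVERT then receives as the raw string; if a plain number is intended, a `filter_var($quantity, FILTER_VALIDATE_FLOAT) !== false` check would tighten it. `$_POST['category']` is read four times in this branch; hoisting it into a local such as `$category = $_POST['category'] ?? '';` would shorten the interpolations considerably. The enclosing `if` opens before the hunk.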
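Review bot: The new `in_array($_POST['currency'], array_keys($currencies), true)` check is the right shape and deserves a comment, because the obvious "simplification" to `array_key_exists` would regress it: a request that submits `currency` as an array makes `array_key_exists` throw a TypeError (illegal offset type), whereas strict `in_array` simply returns false and the sample reports an unrecognized symbol. Suggest `// strict in_array rather than array_key_exists: the value is echoed back into the generated code sample below, and a non-string POST value must be rejected, not fatal.` above the `elseif`. If `$_POST['currency']` can be absent, reading it here raises an undefined-key warning before the check runs; `$_POST['currency'] ?? null` avoids that unless the enclosing condition, which starts outside the hunk, already guarantees the key. The same applies to the identical hunk in samples/Wizards/NumberFormat/Currency.php.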
Code:
'); $helper->log('use PhpOffice\PhpSpreadsheet\Style\NumberFormat\Wizard;'); $helper->log( - "\$mask = Wizard\\Accounting('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::" + "\$wizard = new Wizard\\Accounting('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::" . (isset($_POST['thousands']) ? 'WITH_THOUSANDS_SEPARATOR' : 'WITHOUT_THOUSANDS_SEPARATOR') . ', Wizard\Currency::' . (((bool) $_POST['position']) ? 'LEADING_SYMBOL' : 'TRAILING_SYMBOL') . ', Wizard\Currency::' . (((bool) $_POST['spacing']) ? 'SYMBOL_WITH_SPACING' : 'SYMBOL_WITHOUT_SPACING') - . ');
' + . ');' ); - $helper->log('echo (string) $mask;'); + $helper->log('$mask = $wizard->format();'); + $helper->log('
echo (string) $mask;'); $helper->log('
Mask:
'); $helper->log($mask . '
'); $helper->log('
Example:
');
diff --git a/samples/Wizards/NumberFormat/Currency.php b/samples/Wizards/NumberFormat/Currency.php
index 2c2b248525..64ea37ebb8 100644
--- a/samples/Wizards/NumberFormat/Currency.php
+++ b/samples/Wizards/NumberFormat/Currency.php
@@ -85,6 +85,8 @@
 $helper->log('The Sample Number Value must be numeric');
 } elseif (!is_numeric($_POST['decimals']) || str_contains((string) $_POST['decimals'], '.') || (int) $_POST['decimals'] < 0) {
 $helper->log('The Decimal Places value must be positive integer');
+ } elseif (!in_array($_POST['currency'], array_keys($currencies), true)) {
+ $helper->log('Unrecognized currency symbol');
 } else {
 try {
 $wizard = new Wizard\Currency($_POST['currency'], (int) $_POST['decimals'], isset($_POST['thousands']), (bool) $_POST['position'], (bool) $_POST['spacing']);
@@ -93,13 +95,14 @@
 $helper->log('
Code:
'); $helper->log('use PhpOffice\PhpSpreadsheet\Style\NumberFormat\Wizard;'); $helper->log( - "\$mask = Wizard\\Currency('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::" + "\$wizard = new Wizard\\Currency('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::" . (isset($_POST['thousands']) ? 'WITH_THOUSANDS_SEPARATOR' : 'WITHOUT_THOUSANDS_SEPARATOR') . ', Wizard\Currency::' . (((bool) $_POST['position']) ? 'LEADING_SYMBOL' : 'TRAILING_SYMBOL') . ', Wizard\Currency::' . (((bool) $_POST['spacing']) ? 'SYMBOL_WITH_SPACING' : 'SYMBOL_WITHOUT_SPACING') - . ');
' + . ');' ); - $helper->log('echo (string) $mask;'); + $helper->log('$mask = $wizard->format();'); + $helper->log('
echo (string) $mask;'); $helper->log('
Mask:
'); $helper->log($mask . '
'); $helper->log('
Example:
');
diff --git a/src/PhpSpreadsheet/Helper/Downloader.php b/src/PhpSpreadsheet/Helper/Downloader.php
index 4e98c7925c..41bfe6fbaf 100644
--- a/src/PhpSpreadsheet/Helper/Downloader.php
+++ b/src/PhpSpreadsheet/Helper/Downloader.php
@@ -30,18 +30,18 @@ class Downloader
 public function __construct(string $folder, string $filename, ?string $filetype = null)
 {
 if ((is_dir($folder) === false) || (is_readable($folder) === false)) {
- throw new Exception("Folder {$folder} is not accessable");
+ throw new Exception('Folder is not accessible');
 }
 $filepath = "{$folder}/{$filename}";
 $this->filepath = (string) realpath($filepath);
 $this->filename = basename($filepath);
 if ((file_exists($this->filepath) === false) || (is_readable($this->filepath) === false)) {
- throw new Exception("{$this->filename} not found, or cannot be read");
+ throw new Exception('File not found, or cannot be read');
 }
 $filetype ??= pathinfo($filename, PATHINFO_EXTENSION);
 if (array_key_exists(strtolower($filetype), self::CONTENT_TYPES) === false) {
- throw new Exception("Invalid filetype: {$filetype} cannot be downloaded");
+ throw new Exception('Invalid filetype: cannot be downloaded');
 }
 $this->filetype = strtolower($filetype);
 }
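Review bot: Dropping `$folder`, `$filename` and `$filetype` from the three exception messages stops path details reaching whoever sees the message, but the constructor still accepts any `$filename` that resolves to a readable file: `$filepath = "{$folder}/{$filename}"` goes through `realpath` and is then checked only for existence and readability, never for staying under `$folder`. If `$filename` can originate from a request parameter, add after the realpath line `if (!str_starts_with($this->filepath, realpath($folder) . DIRECTORY_SEPARATOR)) { throw new Exception('File not found, or cannot be read'); }` (realpath($folder) is a string at that point because the is_dir check already passed). Consider logging the detailed text server-side before throwing the generic message, so the diagnostics the old messages carried are not simply lost. `strtolower($filetype)` is computed twice; assigning it once before the `array_key_exists` check reads cleaner. The class continues outside the hunk.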