From 390d5da69b262eb9335540bed0e6640b8b3b56c4 Mon Sep 17 00:00:00 2001
From: Christian Flothmann <christian.flothmann@qossmic.com>
Date: Wed, 1 Jan 2025 13:53:31 +0100
Subject: [PATCH] reject inline notations followed by invalid content

---
 src/Symfony/Component/Yaml/Parser.php         | 18 ++++++++-----
 .../Component/Yaml/Tests/ParserTest.php       | 27 ++++++++++++++++++-
 2 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/src/Symfony/Component/Yaml/Parser.php b/src/Symfony/Component/Yaml/Parser.php
index 6d7064e07abb8..2f8afc298ae5f 100644
--- a/src/Symfony/Component/Yaml/Parser.php
+++ b/src/Symfony/Component/Yaml/Parser.php
@@ -1167,17 +1167,17 @@ private function lexUnquotedString(int &$cursor): string
         return substr($this->currentLine, $offset, $cursor - $offset);
     }
 
-    private function lexInlineMapping(int &$cursor = 0): string
+    private function lexInlineMapping(int &$cursor = 0, bool $consumeUntilEol = true): string
     {
-        return $this->lexInlineStructure($cursor, '}');
+        return $this->lexInlineStructure($cursor, '}', $consumeUntilEol);
     }
 
-    private function lexInlineSequence(int &$cursor = 0): string
+    private function lexInlineSequence(int &$cursor = 0, bool $consumeUntilEol = true): string
     {
-        return $this->lexInlineStructure($cursor, ']');
+        return $this->lexInlineStructure($cursor, ']', $consumeUntilEol);
     }
 
-    private function lexInlineStructure(int &$cursor, string $closingTag): string
+    private function lexInlineStructure(int &$cursor, string $closingTag, bool $consumeUntilEol = true): string
     {
         $value = $this->currentLine[$cursor];
         ++$cursor;
@@ -1197,15 +1197,19 @@ private function lexInlineStructure(int &$cursor, string $closingTag): string
                         ++$cursor;
                         break;
                     case '{':
-                        $value .= $this->lexInlineMapping($cursor);
+                        $value .= $this->lexInlineMapping($cursor, false);
                         break;
                     case '[':
-                        $value .= $this->lexInlineSequence($cursor);
+                        $value .= $this->lexInlineSequence($cursor, false);
                         break;
                     case $closingTag:
                         $value .= $this->currentLine[$cursor];
                         ++$cursor;
 
+                        if ($consumeUntilEol && isset($this->currentLine[$cursor]) && (strspn($this->currentLine, ' ', $cursor) + $cursor) < strlen($this->currentLine)) {
+                            throw new ParseException(sprintf('Unexpected token "%s".', trim(substr($this->currentLine, $cursor))));
+                        }
+
                         return $value;
                     case '#':
                         break 2;
diff --git a/src/Symfony/Component/Yaml/Tests/ParserTest.php b/src/Symfony/Component/Yaml/Tests/ParserTest.php
index 23119f92176b8..0c5c8222b00b0 100644
--- a/src/Symfony/Component/Yaml/Tests/ParserTest.php
+++ b/src/Symfony/Component/Yaml/Tests/ParserTest.php
@@ -1718,7 +1718,8 @@ public function testWrappedUnquotedStringWithMultipleSpacesInValue(string $yaml,
         $this->assertSame($expected, $this->parser->parse($yaml));
     }
 
-    public static function wrappedUnquotedStringsProvider() {
+    public static function wrappedUnquotedStringsProvider()
+    {
         return [
             'mapping' => [
                 '{ foo: bar  bar, fiz: cat      cat }',
@@ -2252,6 +2253,30 @@ public function testRootLevelInlineMappingFollowedByMoreContentIsInvalid()
         $this->parser->parse($yaml);
     }
 
+    public function testInlineMappingFollowedByMoreContentIsInvalid()
+    {
+        $this->expectException(ParseException::class);
+        $this->expectExceptionMessage('Unexpected token "baz" at line 1 (near "{ foo: bar } baz").');
+
+        $yaml = <<<YAML
+{ foo: bar } baz
+YAML;
+
+        $this->parser->parse($yaml);
+    }
+
+    public function testInlineSequenceFollowedByMoreContentIsInvalid()
+    {
+        $this->expectException(ParseException::class);
+        $this->expectExceptionMessage('Unexpected token ",bar," at line 1 (near "[\'foo\'],bar,").');
+
+        $yaml = <<<YAML
+['foo'],bar,
+YAML;
+
+        $this->parser->parse($yaml);
+    }
+
     public function testTaggedInlineMapping()
     {
         $this->assertSameData(new TaggedValue('foo', ['foo' => 'bar']), $this->parser->parse('!foo {foo: bar}', Yaml::PARSE_CUSTOM_TAGS));

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/symfony/symfony/pull/59349.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/symfony/symfony/pull/59349.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/symfony/symfony/pull/59349.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/symfony/symfony/pull/59349.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>