diff --git a/BaseYii.php b/BaseYii.php
index fe2301b0f..74d87f8a6 100644
--- a/BaseYii.php
+++ b/BaseYii.php
@@ -93,7 +93,7 @@ class BaseYii
 */
 public static function getVersion()
 {
- return '2.0.49.2';
+ return '2.0.49.4';
 }
 
 /**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ecf64bb49..7fbb8d925 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,19 @@
 Yii Framework 2 Change Log
 ==========================
 
+2.0.49.4 June 4, 2024
+---------------------
+
+- Bug: CVE-2024-32877, Fix Reflected XSS in Debug mode (Antiphishing)
+- Bug: CVE-2024-4990, Fix Unsafe Reflection in base Component class (@mtangoo)
+
+
+2.0.49.3 October 31, 2023
+-------------------------
+
+- Bug #20041: Revert MaskedInput package update (bizley)
+
+
 2.0.49.2 October 12, 2023
 -------------------------
 
diff --git a/base/Component.php b/base/Component.php
index d6121705f..e1b94c8ce 100644
--- a/base/Component.php
+++ b/base/Component.php
@@ -188,7 +188,15 @@ public function __set($name, $value)
 } elseif (strncmp($name, 'as ', 3) === 0) {
 // as behavior: attach behavior
 $name = trim(substr($name, 3));
- $this->attachBehavior($name, $value instanceof Behavior ? $value : Yii::createObject($value));
+ if ($value instanceof Behavior) {
+ $this->attachBehavior($name, $value);
+ } elseif (isset($value['class']) && is_subclass_of($value['class'], 'yii\base\Behavior', true)) {
+ $this->attachBehavior($name, Yii::createObject($value));
+ } elseif (is_string($value) && is_subclass_of($value, 'yii\base\Behavior', true)) {
+ $this->attachBehavior($name, Yii::createObject($value));
+ } else {
+ throw new InvalidConfigException('Class is not of type yii\base\Behavior or its subclasses');
+ }
 
 return;
 }
diff --git a/composer.json b/composer.json
index 951679fae..5494cae7a 100644
--- a/composer.json
+++ b/composer.json
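Review bot: The two new `elseif` branches both end in the identical `$this->attachBehavior($name, Yii::createObject($value));`, and the rejection message names neither the behavior key nor the class that was refused, so a bad `'as foo' => [...]` entry surfaces only as a generic `InvalidConfigException`; resolving the class name once and checking it in a single place removes the duplication and lets the message carry `$name`. Note also that `is_subclass_of(..., true)` autoloads whatever class string the caller supplied before the type test runs, so untrusted input can still trigger class loading (though no longer instantiation) — that residual deserves a one-line comment at the check. The `'class'` string is only compared textually here; `Yii::createObject()` presumably still resolves it through the DI container, so a container definition that remaps a Behavior subclass to something else is not caught — verify that is acceptable. `__set` begins and ends outside this hunk.
```php
// … unchanged: $name = trim(substr($name, 3)); …
if (!($value instanceof Behavior)) {
    // Resolve the class name once so the Behavior check lives in one place.
    // NOTE: is_subclass_of() with $allow_string = true autoloads an untrusted class name.
    $class = is_string($value) ? $value : (isset($value['class']) ? $value['class'] : null);
    if (!is_string($class) || !is_subclass_of($class, 'yii\base\Behavior', true)) {
        throw new InvalidConfigException("Behavior '$name' must be configured with a yii\\base\\Behavior subclass.");
    }
    $value = Yii::createObject($value);
}
$this->attachBehavior($name, $value);
// … unchanged: return; …
```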
@@ -71,8 +71,8 @@
 "ezyang/htmlpurifier": "^4.6",
 "cebe/markdown": "~1.0.0 | ~1.1.0 | ~1.2.0",
 "bower-asset/jquery": "3.7.*@stable | 3.6.*@stable | 3.5.*@stable | 3.4.*@stable | 3.3.*@stable | 3.2.*@stable | 3.1.*@stable | 2.2.*@stable | 2.1.*@stable | 1.11.*@stable | 1.12.*@stable",
- "bower-asset/inputmask": "~3.2.2 | ~3.3.5 | ~5.0.8 ",
- "bower-asset/punycode": "1.3.* | 2.2.*",
+ "bower-asset/inputmask": "~3.2.2 | ~3.3.5",
+ "bower-asset/punycode": "1.3.*",
 "bower-asset/yii2-pjax": "~2.0.1",
 "paragonie/random_compat": ">=1"
 },
diff --git a/helpers/mimeExtensions.php b/helpers/mimeExtensions.php
index e4936030f..cc2625cd2 100644
--- a/helpers/mimeExtensions.php
+++ b/helpers/mimeExtensions.php
@@ -947,7 +947,10 @@
 'font/woff' => 'woff',
 'font/woff2' => 'woff2',
 'image/apng' => 'apng',
- 'image/avif' => 'avif',
+ 'image/avif' => [
+ 'avif',
+ 'avif',
+ ],
 'image/bmp' => 'bmp',
 'image/cgm' => 'cgm',
 'image/g3fax' => 'g3',
@@ -1041,7 +1044,6 @@
 'model/vnd.dwf' => 'dwf',
 'model/vnd.gdl' => 'gdl',
 'model/vnd.gtw' => 'gtw',
- 'model/vnd.mts' => 'mts',
 'model/vnd.vtu' => 'vtu',
 'model/vrml' => [
 'wrl',
@@ -1165,6 +1167,12 @@
 'mj2',
 'mjp2',
 ],
+ 'video/mp2t' => [
+ 'ts',
+ 'm2t',
+ 'm2ts',
+ 'mts',
+ ],
 'video/mp4' => [
 'mp4',
 'mp4v',
diff --git a/helpers/mimeTypes.php b/helpers/mimeTypes.php
index f895e8d07..8db4f92f4 100644
--- a/helpers/mimeTypes.php
+++ b/helpers/mimeTypes.php
@@ -418,6 +418,8 @@
 'm1v' => 'video/mpeg',
 'm21' => 'application/mp21',
 'm2a' => 'audio/mpeg',
+ 'm2t' => 'video/mp2t',
+ 'm2ts' => 'video/mp2t',
 'm2v' => 'video/mpeg',
 'm3a' => 'audio/mpeg',
 'm3u' => 'audio/x-mpegurl',
@@ -503,7 +505,7 @@
 'msi' => 'application/x-msdownload',
 'msl' => 'application/vnd.mobius.msl',
 'msty' => 'application/vnd.muvee.style',
- 'mts' => 'model/vnd.mts',
+ 'mts' => 'video/mp2t',
 'mus' => 'application/vnd.musician',
 'musicxml' => 'application/vnd.recordare.musicxml+xml',
 'mvb' => 'application/x-msmediaview',
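Review bot: The new `'image/avif'` entry in the first mimeExtensions hunk lists `'avif'` twice, so whatever reads this map (presumably `FileHelper::getExtensionsByMimeType()`, not visible here) would hand back a duplicate extension for that type. Either keep the original scalar form `'image/avif' => 'avif',` or dedupe the array. This file looks machine-generated from a MIME database, so the duplicate should be fixed in the generator's input rather than patched by hand in this one entry.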
@@ -818,6 +820,7 @@
 'tr' => 'text/troff',
 'tra' => 'application/vnd.trueapp',
 'trm' => 'application/x-msterminal',
+ 'ts' => 'video/mp2t',
 'tsd' => 'application/timestamped-data',
 'tsv' => 'text/tab-separated-values',
 'ttc' => 'font/collection',
diff --git a/web/ErrorHandler.php b/web/ErrorHandler.php
index 3806c576c..94e03f975 100644
--- a/web/ErrorHandler.php
+++ b/web/ErrorHandler.php
@@ -180,7 +180,7 @@ protected function convertExceptionToArray($exception)
 */
 public function htmlEncode($text)
 {
- return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
+ return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
 }
 
 /**
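Review bot: `'ts' => 'video/mp2t'` (and `'mts' => 'video/mp2t'` in the previous hunk) binds extensions that are at least as commonly TypeScript source files to a video type, and there is no comment or changelog line flagging the behaviour change. If an upload validator compares the fileinfo-detected type against this map (Yii's `FileValidator` with `checkExtensionByMimeType` appears to, though it is not visible here), a plain-text `.ts` upload would now be rejected as a type mismatch where it previously was not. A short comment such as `// .ts/.mts also denote TypeScript; mapped to MPEG-TS per the upstream MIME database` next to the entry would document the choice.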
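Review bot: With `ENT_QUOTES` the returned string is now safe in single- and double-quoted attribute values as well as text nodes, but nothing in the method documents that boundary, so the next caller may drop it into a `<script>` body, an inline event handler or a URL where HTML entity encoding does not help. Suggest adding to the docblock that ends at the first context line: `Output is safe for HTML text and quoted attribute values only; JavaScript, CSS and URL contexts need their own escaping.` Passing `null` as `$text` to `htmlspecialchars()` also raises a deprecation on PHP 8.1+, so `htmlspecialchars((string) $text, ...)` would be a cheap hardening if any caller can hand in a null message. The docblock begins outside the hunk.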