From e6f31f9c637956adea5ba52a2fff1f398b189a26 Mon Sep 17 00:00:00 2001
From: Bizley
Date: Tue, 31 Oct 2023 11:49:20 +0100
Subject: [PATCH 1/5] Revert MaskedInput changes
---
 composer.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/composer.json b/composer.json
index 951679fae..5494cae7a 100644
--- a/composer.json
+++ b/composer.json
@@ -71,8 +71,8 @@
 "ezyang/htmlpurifier": "^4.6",
 "cebe/markdown": "~1.0.0 | ~1.1.0 | ~1.2.0",
 "bower-asset/jquery": "3.7.*@stable | 3.6.*@stable | 3.5.*@stable | 3.4.*@stable | 3.3.*@stable | 3.2.*@stable | 3.1.*@stable | 2.2.*@stable | 2.1.*@stable | 1.11.*@stable | 1.12.*@stable",
- "bower-asset/inputmask": "~3.2.2 | ~3.3.5 | ~5.0.8 ",
- "bower-asset/punycode": "1.3.* | 2.2.*",
+ "bower-asset/inputmask": "~3.2.2 | ~3.3.5",
+ "bower-asset/punycode": "1.3.*",
 "bower-asset/yii2-pjax": "~2.0.1",
 "paragonie/random_compat": ">=1"
 },
From 53a47039506c2d25adb9f045468bc92d6ca82281 Mon Sep 17 00:00:00 2001
From: Bizley
Date: Tue, 31 Oct 2023 12:01:53 +0100
Subject: [PATCH 2/5] Changelog
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ecf64bb49..777fb7b6d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,12 @@
 Yii Framework 2 Change Log
 ==========================
+2.0.49.3 under development
+--------------------------
+
+- Bug #20041: Revert MaskedInput package update (bizley)
+
+
 2.0.49.2 October 12, 2023
 -------------------------
From 783f65c9a743dfd7484b6026f1aa6f25e37159d9 Mon Sep 17 00:00:00 2001
From: Bizley
Date: Tue, 31 Oct 2023 16:39:08 +0100
Subject: [PATCH 3/5] release version 2.0.49.3
---
 BaseYii.php | 2 +-
 CHANGELOG.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/BaseYii.php b/BaseYii.php
index fe2301b0f..869365fd8 100644
--- a/BaseYii.php
+++ b/BaseYii.php
@@ -93,7 +93,7 @@ class BaseYii
 */
 public static function getVersion()
 {
- return '2.0.49.2';
+ return '2.0.49.3';
 }
 /**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 777fb7b6d..1999edca9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,8 @@
 Yii Framework 2 Change Log
 ==========================
-2.0.49.3 under development
---------------------------
+2.0.49.3 October 31, 2023
+-------------------------
 - Bug #20041: Revert MaskedInput package update (bizley)
From 7d9a5c0622dd05286da2bdacc4c1ca8fc3ae8938 Mon Sep 17 00:00:00 2001
From: Robert Korulczyk
Date: Tue, 4 Jun 2024 18:23:46 +0200
Subject: [PATCH 4/5] CVE-2024-32877, Fix Reflected XSS in Debug mode, CVE-2024-4990, Fix Unsafe Reflection in base Component class
---
 CHANGELOG.md | 7 +++++++
 base/Component.php | 10 +++++++++-
 web/ErrorHandler.php | 2 +-
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1999edca9..7fbb8d925 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,13 @@
 Yii Framework 2 Change Log
 ==========================
+2.0.49.4 June 4, 2024
+---------------------
+
+- Bug: CVE-2024-32877, Fix Reflected XSS in Debug mode (Antiphishing)
+- Bug: CVE-2024-4990, Fix Unsafe Reflection in base Component class (@mtangoo)
+
+
 2.0.49.3 October 31, 2023
 -------------------------
diff --git a/base/Component.php b/base/Component.php
index d6121705f..e1b94c8ce 100644
--- a/base/Component.php
+++ b/base/Component.php
@@ -188,7 +188,15 @@ public function __set($name, $value)
 } elseif (strncmp($name, 'as ', 3) === 0) {
 // as behavior: attach behavior
 $name = trim(substr($name, 3));
- $this->attachBehavior($name, $value instanceof Behavior ? $value : Yii::createObject($value));
+ if ($value instanceof Behavior) {
+ $this->attachBehavior($name, $value);
+ } elseif (isset($value['class']) && is_subclass_of($value['class'], 'yii\base\Behavior', true)) {
+ $this->attachBehavior($name, Yii::createObject($value));
+ } elseif (is_string($value) && is_subclass_of($value, 'yii\base\Behavior', true)) {
+ $this->attachBehavior($name, Yii::createObject($value));
+ } else {
+ throw new InvalidConfigException('Class is not of type yii\base\Behavior or its subclasses');
+ }
 return;
 }
diff --git a/web/ErrorHandler.php b/web/ErrorHandler.php
index 3806c576c..94e03f975 100644
--- a/web/ErrorHandler.php
+++ b/web/ErrorHandler.php
@@ -180,7 +180,7 @@ protected function convertExceptionToArray($exception)
 */
 public function htmlEncode($text)
 {
- return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
+ return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
 }
 /**
From deec9b7330a09e06ab9e002c8718a8b478524dda Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Mon, 10 Jun 2024 23:26:16 +0300
Subject: [PATCH 5/5] release version 2.0.49.4
---
 BaseYii.php | 2 +-
 helpers/mimeExtensions.php | 12 ++++++++++--
 helpers/mimeTypes.php | 5 ++++-
 3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/BaseYii.php b/BaseYii.php
index 869365fd8..74d87f8a6 100644
--- a/BaseYii.php
+++ b/BaseYii.php
@@ -93,7 +93,7 @@ class BaseYii
 */
 public static function getVersion()
 {
- return '2.0.49.3';
+ return '2.0.49.4';
 }
 /**
diff --git a/helpers/mimeExtensions.php b/helpers/mimeExtensions.php
index e4936030f..cc2625cd2 100644
--- a/helpers/mimeExtensions.php
+++ b/helpers/mimeExtensions.php
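Review bot: The array branch in the `as ` handler validates `$value['class']`, but the object is then built by `Yii::createObject($value)` from the whole array, so the check only holds if `createObject` resolves the class from that same key. `Yii::createObject` is not visible in this patch; if it also honours an alternative class key such as `__class`, a configuration carrying both keys would be checked against one class and instantiated as another. I would resolve the class once and validate that value, e.g. `$class = isset($value['__class']) ? $value['__class'] : (isset($value['class']) ? $value['class'] : null);` followed by `is_subclass_of($class, 'yii\base\Behavior', true)`, and guard the branch with `is_array($value)`. Separately, `isset($value['class'])` runs before any type test, so a non-array object value such as a Closure will, as far as I can tell, raise an `Error` rather than the new `InvalidConfigException`. The enclosing `__set()` starts and ends outside the hunk.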
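Review bot: The switch to `ENT_QUOTES` in `htmlEncode()` carries no comment saying why quote characters must be encoded, which makes the flag easy to revert later as a cosmetic change. The commit subject ties it to reflected XSS in debug mode, which suggests the encoded text ends up inside quoted attribute values in the error views, though those templates are not part of this patch. I would add `// ENT_QUOTES: output may be placed inside quoted HTML attributes, so both quote characters must be encoded` above the return, and a regression test asserting that `"` and `'` come back encoded. The method's docblock begins outside the hunk.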
@@ -947,7 +947,10 @@
 'font/woff' => 'woff',
 'font/woff2' => 'woff2',
 'image/apng' => 'apng',
- 'image/avif' => 'avif',
+ 'image/avif' => [
+ 'avif',
+ 'avif',
+ ],
 'image/bmp' => 'bmp',
 'image/cgm' => 'cgm',
 'image/g3fax' => 'g3',
@@ -1041,7 +1044,6 @@
 'model/vnd.dwf' => 'dwf',
 'model/vnd.gdl' => 'gdl',
 'model/vnd.gtw' => 'gtw',
- 'model/vnd.mts' => 'mts',
 'model/vnd.vtu' => 'vtu',
 'model/vrml' => [
 'wrl',
@@ -1165,6 +1167,12 @@
 'mj2',
 'mjp2',
 ],
+ 'video/mp2t' => [
+ 'ts',
+ 'm2t',
+ 'm2ts',
+ 'mts',
+ ],
 'video/mp4' => [
 'mp4',
 'mp4v',
diff --git a/helpers/mimeTypes.php b/helpers/mimeTypes.php
index f895e8d07..8db4f92f4 100644
--- a/helpers/mimeTypes.php
+++ b/helpers/mimeTypes.php
@@ -418,6 +418,8 @@
 'm1v' => 'video/mpeg',
 'm21' => 'application/mp21',
 'm2a' => 'audio/mpeg',
+ 'm2t' => 'video/mp2t',
+ 'm2ts' => 'video/mp2t',
 'm2v' => 'video/mpeg',
 'm3a' => 'audio/mpeg',
 'm3u' => 'audio/x-mpegurl',
@@ -503,7 +505,7 @@
 'msi' => 'application/x-msdownload',
 'msl' => 'application/vnd.mobius.msl',
 'msty' => 'application/vnd.muvee.style',
- 'mts' => 'model/vnd.mts',
+ 'mts' => 'video/mp2t',
 'mus' => 'application/vnd.musician',
 'musicxml' => 'application/vnd.recordare.musicxml+xml',
 'mvb' => 'application/x-msmediaview',
@@ -818,6 +820,7 @@
 'tr' => 'text/troff',
 'tra' => 'application/vnd.trueapp',
 'trm' => 'application/x-msterminal',
+ 'ts' => 'video/mp2t',
 'tsd' => 'application/timestamped-data',
 'tsv' => 'text/tab-separated-values',
 'ttc' => 'font/collection',
pFad - Phonifier reborn
