Backport Security Patches for Samples

oleibman · oleibman · commit 9b9a55c7154d · 2024-12-25T19:35:43.000-08:00
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -282,3 +282,4 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
         with:
           bodyFile: release-body.txt
+          makeLatest: false
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,7 +13,8 @@ and this project adheres to [Semantic Versioning](https://semver.org).
 
 ### Fixed
 
--  More context options may be needed for http(s) image. Backport of [PR #4276](https://github.com/PHPOffice/PhpSpreadsheet/pull/4276)
+- More context options may be needed for http(s) image. Backport of [PR #4276](https://github.com/PHPOffice/PhpSpreadsheet/pull/4276)
+- Backported security patches for Samples.
 
 ## 2024-12-08 - 2.1.5
 
diff --git a/samples/Engineering/Convert-Online.php b/samples/Engineering/Convert-Online.php
@@ -78,14 +78,16 @@
     $quantity = $_POST['quantity'];
     $fromUnit = $_POST['fromUnit'];
     $toUnit = $_POST['toUnit'];
-    if (isset($units[$_POST['category']][$fromUnit], $units[$_POST['category']][$toUnit])) {
+    if (!is_numeric($quantity)) {
+        $helper->log('Quantity is not numeric');
+    } elseif (isset($units[$_POST['category']][$fromUnit], $units[$_POST['category']][$toUnit])) {
         /** @var float|string */
         $result = ConvertUOM::CONVERT($quantity, $fromUnit, $toUnit);
 
-        echo "{$quantity} {$units[$_POST['category']][$fromUnit]} is {$result} {$units[$_POST['category']][$toUnit]}", PHP_EOL;
+        $helper->log("{$quantity} {$units[$_POST['category']][$fromUnit]} is {$result} {$units[$_POST['category']][$toUnit]}");
     } else {
-        echo 'Please enter quantity and select From Unit and To Unit', PHP_EOL;
+        $helper->log('Please enter quantity and select From Unit and To Unit');
     }
 } else {
-    echo 'Please enter quantity and select From Unit and To Unit', PHP_EOL;
+    $helper->log('Please enter quantity and select From Unit and To Unit');
 }
diff --git a/samples/Wizards/NumberFormat/Accounting.php b/samples/Wizards/NumberFormat/Accounting.php
@@ -85,6 +85,8 @@
         $helper->log('The Sample Number Value must be numeric');
     } elseif (!is_numeric($_POST['decimals']) || str_contains((string) $_POST['decimals'], '.') || (int) $_POST['decimals'] < 0) {
         $helper->log('The Decimal Places value must be positive integer');
+    } elseif (!in_array($_POST['currency'], array_keys($currencies), true)) {
+        $helper->log('Unrecognized currency symbol');
     } else {
         try {
             $wizard = new Wizard\Accounting($_POST['currency'], (int) $_POST['decimals'], isset($_POST['thousands']), (bool) $_POST['position'], (bool) $_POST['spacing']);
@@ -93,12 +95,14 @@
             $helper->log('<hr /><b>Code:</b><br />');
             $helper->log('use PhpOffice\PhpSpreadsheet\Style\NumberFormat\Wizard;');
             $helper->log(
-                "\$mask = Wizard\\Accounting('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::"
+                "\$wizard = new Wizard\\Accounting('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::"
                 . (isset($_POST['thousands']) ? 'WITH_THOUSANDS_SEPARATOR' : 'WITHOUT_THOUSANDS_SEPARATOR')
                 . ', Wizard\Currency::' . (((bool) $_POST['position']) ? 'LEADING_SYMBOL' : 'TRAILING_SYMBOL')
                 . ', Wizard\Currency::' . (((bool) $_POST['spacing']) ? 'SYMBOL_WITH_SPACING' : 'SYMBOL_WITHOUT_SPACING')
-                . ');<br />'
+                . ');'
             );
+            $helper->log('$mask = $wizard->format();');
+            $helper->log('<br />');
             $helper->log('echo (string) $mask;');
             $helper->log('<hr /><b>Mask:</b><br />');
             $helper->log($mask . '<br />');
diff --git a/samples/Wizards/NumberFormat/Currency.php b/samples/Wizards/NumberFormat/Currency.php
@@ -85,6 +85,8 @@
         $helper->log('The Sample Number Value must be numeric');
     } elseif (!is_numeric($_POST['decimals']) || str_contains((string) $_POST['decimals'], '.') || (int) $_POST['decimals'] < 0) {
         $helper->log('The Decimal Places value must be positive integer');
+    } elseif (!in_array($_POST['currency'], array_keys($currencies), true)) {
+        $helper->log('Unrecognized currency symbol');
     } else {
         try {
             $wizard = new Wizard\Currency($_POST['currency'], (int) $_POST['decimals'], isset($_POST['thousands']), (bool) $_POST['position'], (bool) $_POST['spacing']);
@@ -93,12 +95,14 @@
             $helper->log('<hr /><b>Code:</b><br />');
             $helper->log('use PhpOffice\PhpSpreadsheet\Style\NumberFormat\Wizard;');
             $helper->log(
-                "\$mask = Wizard\\Currency('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::"
+                "\$wizard = new Wizard\\Currency('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::"
                 . (isset($_POST['thousands']) ? 'WITH_THOUSANDS_SEPARATOR' : 'WITHOUT_THOUSANDS_SEPARATOR')
                 . ', Wizard\Currency::' . (((bool) $_POST['position']) ? 'LEADING_SYMBOL' : 'TRAILING_SYMBOL')
                 . ', Wizard\Currency::' . (((bool) $_POST['spacing']) ? 'SYMBOL_WITH_SPACING' : 'SYMBOL_WITHOUT_SPACING')
-                . ');<br />'
+                . ');'
             );
+            $helper->log('$mask = $wizard->format();');
+            $helper->log('<br />');
             $helper->log('echo (string) $mask;');
             $helper->log('<hr /><b>Mask:</b><br />');
             $helper->log($mask . '<br />');
diff --git a/src/PhpSpreadsheet/Helper/Downloader.php b/src/PhpSpreadsheet/Helper/Downloader.php
@@ -30,18 +30,18 @@ class Downloader
     public function __construct(string $folder, string $filename, ?string $filetype = null)
     {
         if ((is_dir($folder) === false) || (is_readable($folder) === false)) {
-            throw new Exception("Folder {$folder} is not accessable");
+            throw new Exception('Folder is not accessible');
         }
         $filepath = "{$folder}/{$filename}";
         $this->filepath = (string) realpath($filepath);
         $this->filename = basename($filepath);
         if ((file_exists($this->filepath) === false) || (is_readable($this->filepath) === false)) {
-            throw new Exception("{$this->filename} not found, or cannot be read");
+            throw new Exception('File not found, or cannot be read');
         }
 
         $filetype ??= pathinfo($filename, PATHINFO_EXTENSION);
         if (array_key_exists(strtolower($filetype), self::CONTENT_TYPES) === false) {
-            throw new Exception("Invalid filetype: {$filetype} cannot be downloaded");
+            throw new Exception('Invalid filetype: cannot be downloaded');
         }
         $this->filetype = strtolower($filetype);
     }

Original file line number	Diff line number	Diff line change
`@@ -30,18 +30,18 @@ class Downloader`
`30`	`30`	`public function __construct(string $folder, string $filename, ?string $filetype = null)`
`31`	`31`	`{`
`32`	`32`	`if ((is_dir($folder) === false) \|\| (is_readable($folder) === false)) {`
`33`		`- throw new Exception("Folder {$folder} is not accessable");`
	`33`	`+ throw new Exception('Folder is not accessible');`
`34`	`34`	`}`
`35`	`35`	`$filepath = "{$folder}/{$filename}";`
`36`	`36`	`$this->filepath = (string) realpath($filepath);`
`37`	`37`	`$this->filename = basename($filepath);`
`38`	`38`	`if ((file_exists($this->filepath) === false) \|\| (is_readable($this->filepath) === false)) {`
`39`		`- throw new Exception("{$this->filename} not found, or cannot be read");`
	`39`	`+ throw new Exception('File not found, or cannot be read');`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`$filetype ??= pathinfo($filename, PATHINFO_EXTENSION);`
`43`	`43`	`if (array_key_exists(strtolower($filetype), self::CONTENT_TYPES) === false) {`
`44`		`- throw new Exception("Invalid filetype: {$filetype} cannot be downloaded");`
	`44`	`+ throw new Exception('Invalid filetype: cannot be downloaded');`
`45`	`45`	`}`
`46`	`46`	`$this->filetype = strtolower($filetype);`
`47`	`47`	`}`