Merge branch '6.4' into 7.1

xabbuh · xabbuh · commit 5d928d0dc782 · 2025-01-27T11:57:12.000+01:00
* 6.4:
  [FrameworkBundle] Add missing `not-compromised-password` entry in XSD
  [AssetMapper] Fix CssCompiler matches url in comments
  Add support for doctrine/persistence 4
  Ensure TransportExceptionInterface populates stream debug data
  Fix typo in validators.sk.xlf
  [Mime] Fix body validity check in `Email` when using `Message::setBody()`
  Review Arabic translations for the validator
  Fixed mistakes in proper hebrew writing in the previous translation and confirmed the rest to be correct and in the same style.
  Review translation
  [Cache] Don't clear system caches on cache:clear
  [FrameworkBundle] Fix patching refs to the tmp warmup dir in files generated by optional cache warmers
  Mark Czech Validator translation as reviewed
  [PropertyInfo] Fix `TypeTest` duplicated assert
  [HtmlSanitizer] Avoid accessing non existent array key when checking for hosts validity
  Update validators.ar.xlf
  [DomCrawler] Make `ChoiceFormField::isDisabled` return `true` for unchecked disabled checkboxes
diff --git a/Tests/TextSanitizer/UrlSanitizerTest.php b/Tests/TextSanitizer/UrlSanitizerTest.php
@@ -274,6 +274,15 @@ public static function provideSanitize(): iterable
             'expected' => null,
         ];
 
+        yield [
+            'input' => 'https://trusted.com/link.php',
+            'allowedSchemes' => ['http', 'https'],
+            'allowedHosts' => ['subdomain.trusted.com', 'trusted.com'],
+            'forceHttps' => false,
+            'allowRelative' => false,
+            'expected' => 'https://trusted.com/link.php',
+        ];
+
         // Allow relative
         yield [
             'input' => '/link.php',
diff --git a/TextSanitizer/UrlSanitizer.php b/TextSanitizer/UrlSanitizer.php
@@ -132,7 +132,7 @@ private static function matchAllowedHostParts(array $uriParts, array $trustedPar
     {
         // Check each chunk of the domain is valid
         foreach ($trustedParts as $key => $trustedPart) {
-            if ($uriParts[$key] !== $trustedPart) {
+            if (!array_key_exists($key, $uriParts) || $uriParts[$key] !== $trustedPart) {
                 return false;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -132,7 +132,7 @@ private static function matchAllowedHostParts(array $uriParts, array $trustedPar`
`132`	`132`	`{`
`133`	`133`	`// Check each chunk of the domain is valid`
`134`	`134`	`foreach ($trustedParts as $key => $trustedPart) {`
`135`		`- if ($uriParts[$key] !== $trustedPart) {`
	`135`	`+ if (!array_key_exists($key, $uriParts) \|\| $uriParts[$key] !== $trustedPart) {`
`136`	`136`	`return false;`
`137`	`137`	`}`
`138`	`138`	`}`