Bundled output for commit 1ced907e52

Includes transpiled JS/TS, and Typescript declaration files (typings).

[skip ci]

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [1.0.2](https://github.com/flarum/core/compare/v1.0.1...v1.0.2)
+
+### Fixed
+- Critical XSS vulnerability
+
+## [1.0.1](https://github.com/flarum/core/compare/v1.0.0...v1.0.1)
+
+### Fixed
+- Installation fails on environments without proc_* functions enabled or mysql client binary (https://github.com/flarum/core/issues/2890)
+
 ## [1.0.0](https://github.com/flarum/core/compare/v0.1.0-beta.16...v1.0.0)
 
 ### Added

js/package-lock.json

@@ -7552,9 +7552,9 @@
       "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
     },
     "node_modules/ws": {
-      "version": "7.4.5",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.5.tgz",
-      "integrity": "sha512-xzyu3hFvomRfXKH8vOFMU3OguG6oOvhXMo3xsGy3xWExqaM2dxBbVxuD99O7m3ZUFMvvscsZDqxfgMaRr/Nr1g==",
+      "version": "7.4.6",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.6.tgz",
+      "integrity": "sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A==",
       "dev": true,
       "engines": {
         "node": ">=8.3.0"
@@ -13723,9 +13723,9 @@
       "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
     },
     "ws": {
-      "version": "7.4.5",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.5.tgz",
-      "integrity": "sha512-xzyu3hFvomRfXKH8vOFMU3OguG6oOvhXMo3xsGy3xWExqaM2dxBbVxuD99O7m3ZUFMvvscsZDqxfgMaRr/Nr1g==",
+      "version": "7.4.6",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.6.tgz",
+      "integrity": "sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A==",
       "dev": true,
       "requires": {}
     },

js/src/common/Translator.tsx

@@ -48,12 +48,23 @@ export default class Translator {
     // future there should be a hook here to inspect the user and change the
     // translation key. This will allow a gender property to determine which
     // translation key is used.
+
     if ('user' in parameters) {
       const user = extract(parameters, 'user');
 
       if (!parameters.username) parameters.username = username(user);
     }
-    return parameters;
+
+    const escapedParameters: TranslatorParameters = {};
+
+    for (const param in parameters) {
+      const paramValue = parameters[param];
+
+      if (typeof paramValue === 'string') escapedParameters[param] = <>{parameters[param]}</>;
+      else escapedParameters[param] = parameters[param];
+    }
+
+    return escapedParameters;
   }
 
   trans(id: string, parameters: TranslatorParameters = {}) {

src/Database/Migrator.php

@@ -13,8 +13,6 @@ use Exception;
 use Flarum\Extension\Extension;
 use Illuminate\Database\ConnectionInterface;
 use Illuminate\Database\MySqlConnection;
-use Illuminate\Database\Schema\Builder;
-use Illuminate\Database\Schema\SchemaState;
 use Illuminate\Filesystem\Filesystem;
 use InvalidArgumentException;
 use Symfony\Component\Console\Output\OutputInterface;
@@ -38,31 +36,16 @@ class Migrator
      */
     protected $files;
 
-    /**
-     * The database schema builder instance.
-     *
-     * @var Builder
-     */
-    protected $schemaBuilder;
-
-    /**
-     * The DB table prefix.
-     */
-    protected $tablePrefix;
-
-    /**
-     * The database schema builder instance.
-     *
-     * @var SchemaState
-     */
-    protected $schemaState;
-
     /**
      * The output interface implementation.
      *
      * @var OutputInterface
      */
     protected $output;
+    /**
+     * @var ConnectionInterface|MySqlConnection
+     */
+    protected $connection;
 
     /**
      * Create a new migrator instance.
@@ -83,9 +66,7 @@ class Migrator
             throw new InvalidArgumentException('Only MySQL connections are supported');
         }
 
-        $this->tablePrefix = $connection->getTablePrefix();
-        $this->schemaBuilder = $connection->getSchemaBuilder();
-        $this->schemaState = $connection->getSchemaState();
+        $this->connection = $connection;
 
         // Workaround for https://github.com/laravel/framework/issues/1186
         $connection->getDoctrineSchemaManager()->getDatabasePlatform()->registerDoctrineTypeMapping('enum', 'string');
@@ -218,7 +199,7 @@ class Migrator
     protected function runClosureMigration($migration, $direction = 'up')
     {
         if (is_array($migration) && array_key_exists($direction, $migration)) {
-            call_user_func($migration[$direction], $this->schemaBuilder);
+            call_user_func($migration[$direction], $this->connection->getSchemaBuilder());
         } else {
             throw new Exception('Migration file should contain an array with up/down.');
         }
@@ -275,27 +256,31 @@ class Migrator
     {
         $schemaPath = "$path/install.dump";
 
-        // If we can't create a tmp file, fall back to the vendor directory.
-        $schemaWithPrefixes = tempnam(sys_get_temp_dir(), 'install');
-        if (! $schemaWithPrefixes) {
-            $schemaWithPrefixes = "$path/install_dump.dump.tmp";
-        }
-
-        $currDumpFile = file_get_contents($schemaPath);
-
-        file_put_contents($schemaWithPrefixes, str_replace('db_prefix_', $this->tablePrefix, $currDumpFile));
-
-        $this->note('<info>Loading stored database schema:</info>');
         $startTime = microtime(true);
 
-        $this->schemaState->handleOutputUsing(function ($type, $buffer) {
-            $this->output->write($buffer);
-        })->load($schemaWithPrefixes);
+        $dump = file_get_contents($schemaPath);
+
+        $this->connection->getSchemaBuilder()->disableForeignKeyConstraints();
+
+        foreach (explode(';', $dump) as $statement) {
+            $statement = trim($statement);
+
+            if (empty($statement) || substr($statement, 0, 2) === '/*') {
+                continue;
+            }
+
+            $statement = str_replace(
+                'db_prefix_',
+                $this->connection->getTablePrefix(),
+                $statement
+            );
+            $this->connection->statement($statement);
+        }
+
+        $this->connection->getSchemaBuilder()->enableForeignKeyConstraints();
 
         $runTime = number_format((microtime(true) - $startTime) * 1000, 2);
         $this->note('<info>Loaded stored database schema.</info> ('.$runTime.'ms)');
-
-        unlink($schemaWithPrefixes);
     }
 
     /**

src/Foundation/Application.php

@@ -21,7 +21,7 @@ class Application
      *
      * @var string
      */
-    const VERSION = '1.0.0';
+    const VERSION = '1.0.2';
 
     /**
      * The IoC container for the Flarum application.