Merge branch '4.17' of https://github.com/craftcms/cms into 5.9

# Conflicts:
#	CHANGELOG-WIP.md

Author: brandonkelly

CHANGELOG-WIP.md

@@ -56,6 +56,7 @@
 - Added support for referencing environment variables anywhere within settings that support them (e.g. `foo/$ENV_NAME/bar` or `foo-${ENV_NAME}-bar`). ([#17794](https://github.com/craftcms/cms/pull/17794))
 - Environmental settings can now reference `CRAFT_SITE` (the current site’s handle) and `CRAFT_SITE_UPPER` (the current site’s handle in UPPER_SNAKE_CASE) environment variables, which are defined at runtime. ([#17794](https://github.com/craftcms/cms/pull/17794))
 - It’s now possible to create unpublished drafts via GraphQL. ([#17805](https://github.com/craftcms/cms/pull/17805))
+- It’s no longer possible to instantiate objects that don’t extend `yii\base\BaseObject` via the `create()` Twig function. (GHSA-94rc-cqvm-m4pw)
 - Added the `randomString()` Twig function. ([#18020](https://github.com/craftcms/cms/discussions/18020))
 - Added the `uuid()` Twig function.
 - The Twig `hash` filter now supports passing a hashing algorithm, such as `'md5'` or `'sha256'`. ([#17885](https://github.com/craftcms/cms/issues/17885))

src/Craft.php

@@ -56,8 +56,7 @@ public static function getAlias($alias, $throwException = true)
     /**
      * @inheritdoc
      * @template T
-     * @param class-string<T>|array|callable $type
-     * @phpstan-param class-string<T>|array{class:class-string<T>}|callable():T $type
+     * @param class-string<T>|array{class:class-string<T>}|array{__class:class-string<T>}|callable():T $type
      * @param array $params
      * @return T
      */

src/web/twig/Extension.php

@@ -81,6 +81,7 @@
 use Twig\TwigFilter;
 use Twig\TwigFunction;
 use Twig\TwigTest;
+use yii\base\BaseObject;
 use yii\base\InvalidArgumentException;
 use yii\base\InvalidConfigException;
 use yii\db\Exception;
@@ -1390,7 +1391,7 @@ public function getFunctions(): array
             new TwigFunction('combine', 'array_combine'),
             new TwigFunction('configure', [Craft::class, 'configure']),
             new TwigFunction('cpUrl', [UrlHelper::class, 'cpUrl']),
-            new TwigFunction('create', [Craft::class, 'createObject']),
+            new TwigFunction('create', [$this, 'createFunction']),
             new TwigFunction('dataUrl', [$this, 'dataUrlFunction']),
             new TwigFunction('date', [$this, 'dateFunction'], ['needs_environment' => true]),
             new TwigFunction('dump', [$this, 'dumpFunction'], ['is_safe' => ['html'], 'needs_context' => true, 'is_variadic' => true]),
@@ -1472,6 +1473,26 @@ public function collectFunction(mixed $var): Collection
         return $collection;
     }
 
+    /**
+     * Creates a new object.
+     *
+     * @template T of BaseObject
+     * @param class-string<T>|array{class:class-string<T>}|array{__class:class-string<T>} $type
+     * @param array $params
+     * @return T
+     * @since 5.9.0
+     */
+    public function createFunction(string|array $type, array $params = []): BaseObject
+    {
+        $class = is_string($type) ? $type : ($type['__class'] ?? $type['class'] ?? null);
+        if (!is_subclass_of($class, BaseObject::class)) {
+            throw new InvalidArgumentException(sprintf('create() can only be used to create instances of %s.', BaseObject::class));
+        }
+
+        /** @var BaseObject */
+        return Craft::createObject($type, $params);
+    }
+
     /**
      * Generates a base64-encoded [data URL](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) for the given file path or asset.
      *