Merge branch '7.1' into 7.2

* 7.1:
  Do not read from argv on non-CLI SAPIs
  [Process] Use %PATH% before %CD% to load the shell on Windows
  [HttpFoundation] Reject URIs that contain invalid characters
  [HttpClient] Filter private IPs before connecting when Host == IP

Author: nicolas-grekas

src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php

@@ -52,8 +52,20 @@ public function request(string $method, string $url, array $options = []): Respo
 
         $subnets = $this->subnets;
 
-        $options['on_progress'] = function (int $dlNow, int $dlSize, array $info) use ($onProgress, $subnets): void {
+        $options['on_progress'] = static function (int $dlNow, int $dlSize, array $info) use ($onProgress, $subnets): void {
+            static $lastUrl = '';
             static $lastPrimaryIp = '';
+
+            if ($info['url'] !== $lastUrl) {
+                $host = trim(parse_url($info['url'], PHP_URL_HOST) ?: '', '[]');
+
+                if ($host && IpUtils::checkIp($host, $subnets ?? IpUtils::PRIVATE_SUBNETS)) {
+                    throw new TransportException(sprintf('Host "%s" is blocked for "%s".', $host, $info['url']));
+                }
+
+                $lastUrl = $info['url'];
+            }
+
             if ($info['primary_ip'] !== $lastPrimaryIp) {
                 if ($info['primary_ip'] && IpUtils::checkIp($info['primary_ip'], $subnets ?? IpUtils::PRIVATE_SUBNETS)) {
                     throw new TransportException(\sprintf('IP "%s" is blocked for "%s".', $info['primary_ip'], $info['url']));

src/Symfony/Component/HttpClient/Tests/NoPrivateNetworkHttpClientTest.php

@@ -65,10 +65,10 @@ public static function getExcludeData(): array
     /**
      * @dataProvider getExcludeData
      */
-    public function testExclude(string $ipAddr, $subnets, bool $mustThrow)
+    public function testExcludeByIp(string $ipAddr, $subnets, bool $mustThrow)
     {
         $content = 'foo';
-        $url = \sprintf('http://%s/', 0 < substr_count($ipAddr, ':') ? \sprintf('[%s]', $ipAddr) : $ipAddr);
+        $url = \sprintf('http://%s/', strtr($ipAddr, '.:', '--'));
 
         if ($mustThrow) {
             $this->expectException(TransportException::class);
@@ -85,6 +85,29 @@ public function testExclude(string $ipAddr, $subnets, bool $mustThrow)
         }
     }
 
+    /**
+     * @dataProvider getExcludeData
+     */
+    public function testExcludeByHost(string $ipAddr, $subnets, bool $mustThrow)
+    {
+        $content = 'foo';
+        $url = \sprintf('http://%s/', str_contains($ipAddr, ':') ? \sprintf('[%s]', $ipAddr) : $ipAddr);
+
+        if ($mustThrow) {
+            $this->expectException(TransportException::class);
+            $this->expectExceptionMessage(\sprintf('Host "%s" is blocked for "%s".', $ipAddr, $url));
+        }
+
+        $previousHttpClient = $this->getHttpClientMock($url, $ipAddr, $content);
+        $client = new NoPrivateNetworkHttpClient($previousHttpClient, $subnets);
+        $response = $client->request('GET', $url);
+
+        if (!$mustThrow) {
+            $this->assertEquals($content, $response->getContent());
+            $this->assertEquals(200, $response->getStatusCode());
+        }
+    }
+
     public function testCustomOnProgressCallback()
     {
         $ipAddr = '104.26.14.6';

src/Symfony/Component/HttpFoundation/Request.php

@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\HttpFoundation;
 
+use Symfony\Component\HttpFoundation\Exception\BadRequestException;
 use Symfony\Component\HttpFoundation\Exception\ConflictingHeadersException;
 use Symfony\Component\HttpFoundation\Exception\JsonException;
 use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
@@ -275,6 +276,8 @@ public static function createFromGlobals(): static
      * @param array                $files      The request files ($_FILES)
      * @param array                $server     The server parameters ($_SERVER)
      * @param string|resource|null $content    The raw body data
+     *
+     * @throws BadRequestException When the URI is invalid
      */
     public static function create(string $uri, string $method = 'GET', array $parameters = [], array $cookies = [], array $files = [], array $server = [], $content = null): static
     {
@@ -302,6 +305,20 @@ public static function create(string $uri, string $method = 'GET', array $parame
             throw new \InvalidArgumentException(\sprintf('Malformed URI "%s".', $uri));
         }
 
+        if (false === $components) {
+            throw new BadRequestException('Invalid URI.');
+        }
+
+        if (false !== ($i = strpos($uri, '\\')) && $i < strcspn($uri, '?#')) {
+            throw new BadRequestException('Invalid URI: A URI cannot contain a backslash.');
+        }
+        if (\strlen($uri) !== strcspn($uri, "\r\n\t")) {
+            throw new BadRequestException('Invalid URI: A URI cannot contain CR/LF/TAB characters.');
+        }
+        if ('' !== $uri && (\ord($uri[0]) <= 32 || \ord($uri[-1]) <= 32)) {
+            throw new BadRequestException('Invalid URI: A URI must not start nor end with ASCII control characters or spaces.');
+        }
+
         if (isset($components['host'])) {
             $server['SERVER_NAME'] = $components['host'];
             $server['HTTP_HOST'] = $components['host'];

src/Symfony/Component/HttpFoundation/Tests/RequestTest.php

@@ -12,6 +12,7 @@
 namespace Symfony\Component\HttpFoundation\Tests;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Exception\BadRequestException;
 use Symfony\Component\HttpFoundation\Exception\ConflictingHeadersException;
 use Symfony\Component\HttpFoundation\Exception\JsonException;
 use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
@@ -290,9 +291,34 @@ public function testCreateWithRequestUri()
         $this->assertTrue($request->isSecure());
 
         // Fragment should not be included in the URI
-        $request = Request::create('http://test.com/foo#bar');
-        $request->server->set('REQUEST_URI', 'http://test.com/foo#bar');
+        $request = Request::create('http://test.com/foo#bar\\baz');
+        $request->server->set('REQUEST_URI', 'http://test.com/foo#bar\\baz');
         $this->assertEquals('http://test.com/foo', $request->getUri());
+
+        $request = Request::create('http://test.com/foo?bar=f\\o');
+        $this->assertEquals('http://test.com/foo?bar=f%5Co', $request->getUri());
+        $this->assertEquals('/foo', $request->getPathInfo());
+        $this->assertEquals('bar=f%5Co', $request->getQueryString());
+    }
+
+    /**
+     * @testWith ["http://foo.com\\bar"]
+     *           ["\\\\foo.com/bar"]
+     *           ["a\rb"]
+     *           ["a\nb"]
+     *           ["a\tb"]
+     *           ["\u0000foo"]
+     *           ["foo\u0000"]
+     *           [" foo"]
+     *           ["foo "]
+     *           [":"]
+     */
+    public function testCreateWithBadRequestUri(string $uri)
+    {
+        $this->expectException(BadRequestException::class);
+        $this->expectExceptionMessage('Invalid URI');
+
+        Request::create($uri);
     }
 
     /**
@@ -2666,13 +2692,6 @@ public function testReservedFlags()
             $this->assertNotSame(0b10000000, $value, \sprintf('The constant "%s" should not use the reserved value "0b10000000".', $constant));
         }
     }
-
-    public function testMalformedUriCreationException()
-    {
-        $this->expectException(\InvalidArgumentException::class);
-        $this->expectExceptionMessage('Malformed URI "/invalid-path:123".');
-        Request::create('/invalid-path:123');
-    }
 }
 
 class RequestContentProxy extends Request

src/Symfony/Component/Process/ExecutableFinder.php

@@ -29,14 +29,6 @@ class ExecutableFinder
 
     private array $suffixes = [];
 
-    public function __construct()
-    {
-        // Set common extensions on Windows.
-        if ('\\' === \DIRECTORY_SEPARATOR) {
-            $this->suffixes = ['.exe', '.bat', '.cmd', '.com'];
-        }
-    }
-
     /**
      * Replaces default suffixes of executable.
      */
@@ -75,11 +67,12 @@ public function find(string $name, ?string $default = null, array $extraDirs = [
             $extraDirs
         );
 
-        $suffixes = [''];
-        if ('\\' === \DIRECTORY_SEPARATOR && $pathExt = getenv('PATHEXT')) {
-            $suffixes = array_merge(explode(\PATH_SEPARATOR, $pathExt), $suffixes);
+        $suffixes = $this->suffixes;
+        if ('\\' === \DIRECTORY_SEPARATOR) {
+            $pathExt = getenv('PATHEXT');
+            $suffixes = array_merge($suffixes, $pathExt ? explode(\PATH_SEPARATOR, $pathExt) : ['.exe', '.bat', '.cmd', '.com']);
         }
-        $suffixes = array_merge($suffixes, $this->suffixes);
+        $suffixes = '' !== pathinfo($name, PATHINFO_EXTENSION) ? array_merge([''], $suffixes) : array_merge($suffixes, ['']);
         foreach ($suffixes as $suffix) {
             foreach ($dirs as $dir) {
                 if ('' === $dir) {
@@ -95,12 +88,11 @@ public function find(string $name, ?string $default = null, array $extraDirs = [
             }
         }
 
-        if (!\function_exists('exec') || \strlen($name) !== strcspn($name, '/'.\DIRECTORY_SEPARATOR)) {
+        if ('\\' === \DIRECTORY_SEPARATOR || !\function_exists('exec') || \strlen($name) !== strcspn($name, '/'.\DIRECTORY_SEPARATOR)) {
             return $default;
         }
 
-        $command = '\\' === \DIRECTORY_SEPARATOR ? 'where %s 2> NUL' : 'command -v -- %s';
-        $execResult = exec(\sprintf($command, escapeshellarg($name)));
+        $execResult = exec('command -v -- '.escapeshellarg($name));
 
         if (($executablePath = substr($execResult, 0, strpos($execResult, \PHP_EOL) ?: null)) && @is_executable($executablePath)) {
             return $executablePath;

src/Symfony/Component/Process/PhpExecutableFinder.php

@@ -32,19 +32,8 @@ public function __construct()
     public function find(bool $includeArgs = true): string|false
     {
         if ($php = getenv('PHP_BINARY')) {
-            if (!is_executable($php)) {
-                if (!\function_exists('exec') || \strlen($php) !== strcspn($php, '/'.\DIRECTORY_SEPARATOR)) {
-                    return false;
-                }
-
-                $command = '\\' === \DIRECTORY_SEPARATOR ? 'where %s 2> NUL' : 'command -v -- %s';
-                $execResult = exec(\sprintf($command, escapeshellarg($php)));
-                if (!$php = substr($execResult, 0, strpos($execResult, \PHP_EOL) ?: null)) {
-                    return false;
-                }
-                if (!is_executable($php)) {
-                    return false;
-                }
+            if (!is_executable($php) && !$php = $this->executableFinder->find($php)) {
+                return false;
             }
 
             if (@is_dir($php)) {

src/Symfony/Component/Process/Process.php

@@ -1592,7 +1592,14 @@ function ($m) use (&$env, $uid) {
             $cmd
         );
 
-        $cmd = 'cmd /V:ON /E:ON /D /C ('.str_replace("\n", ' ', $cmd).')';
+        static $comSpec;
+
+        if (!$comSpec && $comSpec = (new ExecutableFinder())->find('cmd.exe')) {
+            // Escape according to CommandLineToArgvW rules
+            $comSpec = '"'.preg_replace('{(\\\\*+)"}', '$1$1\"', $comSpec) .'"';
+        }
+
+        $cmd = ($comSpec ?? 'cmd').' /V:ON /E:ON /D /C ('.str_replace("\n", ' ', $cmd).')';
         foreach ($this->processPipes->getFiles() as $offset => $filename) {
             $cmd .= ' '.$offset.'>"'.$filename.'"';
         }

src/Symfony/Component/Runtime/SymfonyRuntime.php

@@ -95,7 +95,7 @@ public function __construct(array $options = [])
 
         if (isset($options['env'])) {
             $_SERVER[$envKey] = $options['env'];
-        } elseif (isset($_SERVER['argv']) && class_exists(ArgvInput::class)) {
+        } elseif (empty($_GET) && isset($_SERVER['argv']) && class_exists(ArgvInput::class)) {
             $this->options = $options;
             $this->getInput();
         }
@@ -203,6 +203,10 @@ protected static function register(GenericRuntime $runtime): GenericRuntime
 
     private function getInput(): ArgvInput
     {
+        if (!empty($_GET) && filter_var(ini_get('register_argc_argv'), \FILTER_VALIDATE_BOOL)) {
+            throw new \Exception('CLI applications cannot be run safely on non-CLI SAPIs with register_argc_argv=On.');
+        }
+
         if (isset($this->input)) {
             return $this->input;
         }

src/Symfony/Component/Runtime/Tests/phpt/kernel-loop.phpt

@@ -11,6 +11,6 @@ require __DIR__.'/kernel-loop.php';
 
 ?>
 --EXPECTF--
-OK Kernel foo_bar
-OK Kernel foo_bar
+OK Kernel (env=dev) foo_bar
+OK Kernel (env=dev) foo_bar
 0

src/Symfony/Component/Runtime/Tests/phpt/kernel.php

@@ -17,17 +17,19 @@
 
 class TestKernel implements HttpKernelInterface
 {
+    private string $env;
     private string $var;
 
-    public function __construct(string $var)
+    public function __construct(string $env, string $var)
     {
+        $this->env = $env;
         $this->var = $var;
     }
 
     public function handle(Request $request, $type = self::MAIN_REQUEST, $catch = true): Response
     {
-        return new Response('OK Kernel '.$this->var);
+        return new Response('OK Kernel (env='.$this->env.') '.$this->var);
     }
 }
 
-return fn (array $context) => new TestKernel($context['SOME_VAR']);
+return fn (array $context) => new TestKernel($context['APP_ENV'], $context['SOME_VAR']);