
Commit b48b752

Fix XSS vulnerability and upgrade PHP 7.4 to 8.4 for Heroku-24 (#869)
* Fix XSS vulnerability in footer script injection (W-21733773)

  addFooterScript() stored scripts in $_REQUEST which merges user-supplied GET/POST/COOKIE data, allowing arbitrary JS injection via crafted query params. Moved storage to $GLOBALS which is server-side only.

* Upgrade PHP 7.4 to 8.4 for Heroku-24 compatibility
  - composer.json: PHP ~8.4.0, sentry/sentry ^4.0 (was ^1.9)
  - Replace create_function() with closure in localizeDateTimes()
  - Remove all get_magic_quotes_gpc() calls (removed in PHP 8.0)
  - Remove libxml_disable_entity_loader() calls (deprecated in PHP 8.0)
  - Fix handleAllErrors() $errcontext param (removed in PHP 8.0)
  - Migrate ErrorLogging.php from Raven_Client to \Sentry\init()
  - Remove always_populate_raw_post_data from fpm_custom.conf
  - Update Dockerfile to heroku:24-build and .devcontainer to PHP 8.4
  - Add verify_xss_fix.php to .slugignore

* Fix PHP 8.4 compatibility issues breaking REST Explorer
  - Remove CURLOPT_BINARYTRANSFER (removed in PHP 8.0)
  - Replace catch(Exception) with catch(Throwable) in critical paths so PHP 8 Error objects are properly caught
  - Declare missing $defaultObjectChanged property on WorkbenchContext
  - Fix RedisSessionHandler::gc() return type (int, not bool)

* Set review app stack to heroku-24 in app.json

* Harden PHP 8 error handling to catch all throwables

  Switch remaining Exception-only catch blocks to Throwable across Workbench request paths so PHP 8 Error/TypeError cases are handled consistently instead of bubbling as fatal errors.

* Refactor SoapBaseClient to manage SOAP headers more effectively
  - Introduced a new protected property $soapHeaders to store SOAP headers.
  - Updated methods to utilize $soapHeaders for setting and managing SOAP headers, improving code clarity and maintainability.
1 parent 1d0ccaf commit b48b752

39 files changed: +657 -166 lines changed

.devcontainer/Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.158.0/containers/php/.devcontainer/base.Dockerfile
22

33
# [Choice] PHP version: 8, 8.0, 7, 7.4, 7.3
4-
ARG VARIANT="7.4"
4+
ARG VARIANT="8.4"
55
FROM mcr.microsoft.com/vscode/devcontainers/php:0-${VARIANT}
66

77
# [Option] Install Node.js
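Review bot: the `# [Choice] PHP version: 8, 8.0, 7, 7.4, 7.3` comment on line 3 is now stale once `ARG VARIANT="8.4"` is the default; update it to list the versions the image actually provides (8.4 among them), and confirm that `mcr.microsoft.com/vscode/devcontainers/php:0-8.4` exists as a published tag, since the `0-${VARIANT}` naming comes from the v0.158.0 base image referenced on line 1 and may not have been extended to 8.4.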

Dockerfile

Lines changed: 3 additions & 3 deletions
@@ -1,10 +1,10 @@
1-
FROM heroku/heroku:20-build as base
1+
FROM heroku/heroku:24-build as base
22

3-
ENV PHP_BUILDPACK_VERSION v190
3+
ENV PHP_BUILDPACK_VERSION v260
44
ENV APP /app
55
ENV HOME $APP
66
ENV HEROKU_PHP_BIN $APP/.heroku/php/bin
7-
ENV STACK heroku-20
7+
ENV STACK heroku-24
88

99
ADD . $APP
1010
WORKDIR $APP
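Review bot: `ENV PHP_BUILDPACK_VERSION v190` becomes `v260` on line 3, but the commit message only mentions moving the base image to heroku:24-build; record the buildpack bump in the message so it is clearly deliberate and reviewers know which buildpack release the PHP 8.4 build was validated against. Minor style point on line 1: `FROM heroku/heroku:24-build as base` mixes keyword casing, which BuildKit flags as a `FromAsCasing` warning; `AS base` is the consistent form.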

app.json

Lines changed: 1 addition & 0 deletions
@@ -4,6 +4,7 @@
44
"repository": "https://github.com/forceworkbench/forceworkbench",
55
"keywords": ["Salesforce", "Force.com", "API", "PHP"],
66
"logo": "https://raw.githubusercontent.com/forceworkbench/forceworkbench/master/assets/logos/blueCube-256x256.png",
7+
"stack": "heroku-24",
78
"env": {
89
"MAX_WORKERS": "5",
910
"WEB_CONCURRENCY": "4",

composer.json

Lines changed: 4 additions & 3 deletions
@@ -1,9 +1,10 @@
11
{
22
"require": {
3-
"php": "~7.4.0",
3+
"php": "~8.4.0",
44
"ext-redis": "*",
55
"ext-soap": "*",
6-
"sentry/sentry": "^1.9",
7-
"ext-sodium": "*"
6+
"sentry/sentry": "^4.0",
7+
"ext-sodium": "*",
8+
"ext-curl": "*"
89
}
910
}
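Review bot: `"ext-curl": "*"` on line 8 is a new requirement that appears nowhere in the commit message; add a line stating why it is needed now (the `sentry/sentry` ^4.0 bump, the REST Explorer cURL fixes, or both) so the dependency does not read as accidental. Also worth noting in the message that `"php": "~8.4.0"` pins the platform to the 8.4 minor only, which matches the Heroku-24 target but means the constraint will need another bump for 8.5.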
