Merge branch 'release-2.3.2'

README.markdown

@@ -65,7 +65,7 @@ should contain this code:
 
 #### Nginx
 
-Your nginx configuration file should contain this code (along with other settings you may need) in your `location` block:
+The nginx configuration file should contain this code (along with other settings you may need) in your `location` block:
 
     try_files $uri $uri/ /index.php?$args;
 

Slim/Helper/Set.php

@@ -139,6 +139,30 @@ public function remove($key)
         unset($this->data[$this->normalizeKey($key)]);
     }
 
+    /**
+     * Property Overloading
+     */
+
+    public function __get($key)
+    {
+        return $this->get($key);
+    }
+
+    public function __set($key, $value)
+    {
+        $this->set($key, $value);
+    }
+
+    public function __isset($key)
+    {
+        return $this->has($key);
+    }
+
+    public function __unset($key)
+    {
+        return $this->remove($key);
+    }
+
     /**
      * Clear all values
      */

Slim/Http/Response.php

@@ -480,7 +480,7 @@ public function count()
     }
 
     /**
-     * DEPRECATION WARNING! IteratorAggreate interface will be removed from \Slim\Http\Response.
+     * DEPRECATION WARNING! IteratorAggregate interface will be removed from \Slim\Http\Response.
      * Iterate `headers` or `cookies` properties directly.
      *
      * Get Iterator

Slim/Http/Util.php

@@ -170,7 +170,7 @@ public static function decrypt($data, $key, $iv, $settings = array())
         //Decrypt value
         mcrypt_generic_init($module, $key, $iv);
         $decryptedData = @mdecrypt_generic($module, $data);
-        $res = str_replace("\x0", '', $decryptedData);
+        $res = rtrim($decryptedData, "\0");
         mcrypt_generic_deinit($module);
 
         return $res;
@@ -389,7 +389,7 @@ public static function deleteCookieHeader(&$header, $name, $value = array())
     /**
      * Parse cookie header
      *
-     * This method will parse the HTTP requst's `Cookie` header
+     * This method will parse the HTTP request's `Cookie` header
      * and extract cookies into an associative array.
      *
      * @param  string
@@ -431,5 +431,4 @@ private static function getIv($expires, $secret)
 
         return pack("h*", $data1.$data2);
     }
-
 }

Slim/Middleware/ContentTypes.php

@@ -137,7 +137,10 @@ protected function parseXml($input)
     {
         if (class_exists('SimpleXMLElement')) {
             try {
-                return new \SimpleXMLElement($input);
+                $backup = libxml_disable_entity_loader(true);
+                $result = new \SimpleXMLElement($input);
+                libxml_disable_entity_loader($backup);
+                return $result;
             } catch (\Exception $e) {
                 // Do nothing
             }

Slim/Middleware/MethodOverride.php

@@ -76,10 +76,10 @@ public function __construct($settings = array())
     public function call()
     {
         $env = $this->app->environment();
-        if (isset($env['X_HTTP_METHOD_OVERRIDE'])) {
+        if (isset($env['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
             // Header commonly used by Backbone.js and others
             $env['slim.method_override.original_method'] = $env['REQUEST_METHOD'];
-            $env['REQUEST_METHOD'] = strtoupper($env['X_HTTP_METHOD_OVERRIDE']);
+            $env['REQUEST_METHOD'] = strtoupper($env['HTTP_X_HTTP_METHOD_OVERRIDE']);
         } elseif (isset($env['REQUEST_METHOD']) && $env['REQUEST_METHOD'] === 'POST') {
             // HTML Form Override
             $req = new \Slim\Http\Request($env);

Slim/Middleware/SessionCookie.php

@@ -40,15 +40,11 @@
  * and instead serializes/unserializes the $_SESSION global
  * variable to/from an HTTP cookie.
  *
- * If a secret key is provided with this middleware, the HTTP
- * cookie will be checked for integrity to ensure the client-side
- * cookie is not changed.
- *
  * You should NEVER store sensitive data in a client-side cookie
- * in any format, encrypted or not. If you need to store sensitive
- * user information in a session, you should rely on PHP's native
- * session implementation, or use other middleware to store
- * session data in a database or alternative server-side cache.
+ * in any format, encrypted (with cookies.encrypt) or not. If you
+ * need to store sensitive user information in a session, you should
+ * rely on PHP's native session implementation, or use other middleware
+ * to store session data in a database or alternative server-side cache.
  *
  * Because this class stores serialized session data in an HTTP cookie,
  * you are inherently limited to 4 Kb. If you attempt to store
@@ -68,7 +64,7 @@ class SessionCookie extends \Slim\Middleware
     /**
      * Constructor
      *
-     * @param  array $settings
+     * @param array $settings
      */
     public function __construct($settings = array())
     {
@@ -79,9 +75,6 @@ public function __construct($settings = array())
             'secure' => false,
             'httponly' => false,
             'name' => 'slim_session',
-            'secret' => 'CHANGE_ME',
-            'cipher' => MCRYPT_RIJNDAEL_256,
-            'cipher_mode' => MCRYPT_MODE_CBC
         );
         $this->settings = array_merge($defaults, $settings);
         if (is_string($this->settings['expires'])) {
@@ -127,14 +120,14 @@ protected function loadSession()
             session_start();
         }
 
-        $value = \Slim\Http\Util::decodeSecureCookie(
-            $this->app->request()->cookies($this->settings['name']),
-            $this->settings['secret'],
-            $this->settings['cipher'],
-            $this->settings['cipher_mode']
-        );
+        $value = $this->app->getCookie($this->settings['name']);
+
         if ($value) {
-            $_SESSION = unserialize($value);
+            try {
+                $_SESSION = unserialize($value);
+            } catch (\Exception $e) {
+                $this->app->getLog()->error('Error unserializing session cookie value! ' . $e->getMessage());
+            }
         } else {
             $_SESSION = array();
         }
@@ -145,26 +138,19 @@ protected function loadSession()
      */
     protected function saveSession()
     {
-        $value = \Slim\Http\Util::encodeSecureCookie(
-            serialize($_SESSION),
-            $this->settings['expires'],
-            $this->settings['secret'],
-            $this->settings['cipher'],
-            $this->settings['cipher_mode']
-        );
+        $value = serialize($_SESSION);
+
         if (strlen($value) > 4096) {
             $this->app->getLog()->error('WARNING! Slim\Middleware\SessionCookie data size is larger than 4KB. Content save failed.');
         } else {
-            $this->app->response()->setCookie(
+            $this->app->setCookie(
                 $this->settings['name'],
-                array(
-                    'value' => $value,
-                    'domain' => $this->settings['domain'],
-                    'path' => $this->settings['path'],
-                    'expires' => $this->settings['expires'],
-                    'secure' => $this->settings['secure'],
-                    'httponly' => $this->settings['httponly']
-                )
+                $value,
+                $this->settings['expires'],
+                $this->settings['path'],
+                $this->settings['domain'],
+                $this->settings['secure'],
+                $this->settings['httponly']
             );
         }
         session_destroy();
@@ -174,31 +160,49 @@ protected function saveSession()
     * Session Handler
     *******************************************************************************/
 
+    /**
+     * @codeCoverageIgnore
+     */
     public function open($savePath, $sessionName)
     {
         return true;
     }
 
+    /**
+     * @codeCoverageIgnore
+     */
     public function close()
     {
         return true;
     }
 
+    /**
+     * @codeCoverageIgnore
+     */
     public function read($id)
     {
         return '';
     }
 
+    /**
+     * @codeCoverageIgnore
+     */
     public function write($id, $data)
     {
         return true;
     }
 
+    /**
+     * @codeCoverageIgnore
+     */
     public function destroy($id)
     {
         return true;
     }
 
+    /**
+     * @codeCoverageIgnore
+     */
     public function gc($maxlifetime)
     {
         return true;

Slim/Router.php

@@ -192,8 +192,8 @@ public function urlFor($name, $params = array())
         }
         $pattern = preg_replace($search, $params, $this->getNamedRoute($name)->getPattern());
 
-        //Remove remnants of unpopulated, trailing optional pattern segments
-        return preg_replace('#\(/?:.+\)|\(|\)#', '', $pattern);
+        //Remove remnants of unpopulated, trailing optional pattern segments, escaped special characters
+        return preg_replace('#\(/?:.+\)|\(|\)|\\\\#', '', $pattern);
     }
 
     /**

Slim/Slim.php

@@ -231,12 +231,14 @@ public function __set($name, $value)
         $this->container[$name] = $value;
     }
 
-    public function __isset($name){
-    	return isset($this->container[$name]);
+    public function __isset($name)
+    {
+        return isset($this->container[$name]);
     }
 
-    public function __unset($name){
-    	unset($this->container[$name]);
+    public function __unset($name)
+    {
+        unset($this->container[$name]);
     }
 
     /**
@@ -524,7 +526,7 @@ public function options()
      * declarations in the callback will be prepended by the group(s)
      * that it is in
      *
-     * Accepts the same paramters as a standard route so:
+     * Accepts the same parameters as a standard route so:
      * (pattern, middleware1, middleware2, ..., $callback)
      */
     public function group()
@@ -870,6 +872,7 @@ public function setCookie($name, $value, $time = null, $path = null, $domain = n
      * the current request will not be available until the next request.
      *
      * @param  string      $name
+     * @param  bool        $deleteIfInvalid
      * @return string|null
      */
     public function getCookie($name, $deleteIfInvalid = true)
@@ -1242,9 +1245,9 @@ public function run()
         set_error_handler(array('\Slim\Slim', 'handleErrors'));
 
         //Apply final outer middleware layers
-        if($this->config('debug')){
-        	//Apply pretty exceptions only in debug to avoid accidental information leakage in production
-        	$this->add(new \Slim\Middleware\PrettyExceptions());
+        if ($this->config('debug')) {
+            //Apply pretty exceptions only in debug to avoid accidental information leakage in production
+            $this->add(new \Slim\Middleware\PrettyExceptions());
         }
 
         //Invoke middleware and application stack
@@ -1384,6 +1387,6 @@ protected function defaultNotFound()
     protected function defaultError($e)
     {
         $this->getLog()->error($e);
-        echo self::generateTemplateMarkup('Error', '<p>A website error has occured. The website administrator has been notified of the issue. Sorry for the temporary inconvenience.</p>');
+        echo self::generateTemplateMarkup('Error', '<p>A website error has occurred. The website administrator has been notified of the issue. Sorry for the temporary inconvenience.</p>');
     }
 }

tests/EnvironmentTest.php

@@ -295,6 +295,19 @@ public function testSetsSpecialHeaders()
         $this->assertEquals('XmlHttpRequest', $env['HTTP_X_REQUESTED_WITH']);
     }
 
+    /**
+     * Tests X-HTTP-Method-Override is allowed through unmolested.
+     *
+     * Pre-conditions:
+     * X_HTTP_METHOD_OVERRIDE is sent in client HTTP request;
+     * X_HTTP_METHOD_OVERRIDE is not empty;
+     */
+    public function testSetsHttpMethodOverrideHeader() {
+        $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] = 'DELETE';
+        $env = \Slim\Environment::getInstance(true);
+        $this->assertEquals('DELETE', $env['HTTP_X_HTTP_METHOD_OVERRIDE']);
+    }
+
     /**
      * Test detects HTTPS
      *