|
64 | 64 | use DateTime; |
65 | 65 | use DateTimeInterface; |
66 | 66 | use DateTimeZone; |
| 67 | +use DirectoryIterator; |
| 68 | +use GuzzleHttp\Psr7\FnStream; |
67 | 69 | use Illuminate\Support\Collection; |
68 | 70 | use IteratorAggregate; |
69 | 71 | use Money\Money; |
| 72 | +use SimpleXMLElement; |
| 73 | +use Symfony\Component\Process\Process; |
70 | 74 | use Throwable; |
71 | 75 | use Traversable; |
72 | 76 | use Twig\DeprecatedCallableInfo; |
|
82 | 86 | use yii\base\BaseObject; |
83 | 87 | use yii\base\InvalidArgumentException; |
84 | 88 | use yii\base\InvalidConfigException; |
| 89 | +use yii\behaviors\AttributeTypecastBehavior; |
85 | 90 | use yii\db\Exception; |
86 | 91 | use yii\db\Expression; |
87 | 92 | use yii\db\QueryInterface; |
@@ -1495,11 +1500,22 @@ public function collectFunction(mixed $var): Collection |
1495 | 1500 | public function createFunction(string|array $type, array $params = []): object |
1496 | 1501 | { |
1497 | 1502 | $class = is_string($type) ? $type : ($type['__class'] ?? $type['class'] ?? null); |
1498 | | - if ( |
1499 | | - !is_subclass_of($class, BaseObject::class) && |
1500 | | - !str_starts_with($class, 'craft\\helpers\\') |
1501 | | - ) { |
1502 | | - throw new InvalidArgumentException(sprintf('create() can only be used to create instances of %s.', BaseObject::class)); |
| 1503 | + if (!$class) { |
| 1504 | + throw new InvalidArgumentException('No class specified for create().'); |
| 1505 | + } |
| 1506 | + |
| 1507 | + $blocklist = [ |
| 1508 | + AttributeTypecastBehavior::class, |
| 1509 | + DirectoryIterator::class, |
| 1510 | + FnStream::class, |
| 1511 | + Process::class, |
| 1512 | + SimpleXMLElement::class, |
| 1513 | + ]; |
| 1514 | + |
| 1515 | + foreach ($blocklist as $c) { |
| 1516 | + if (is_a($class, $c, true)) { |
| 1517 | + throw new InvalidArgumentException(sprintf('create() cannot be used to create instances of %s.', $class)); |
| 1518 | + } |
1503 | 1519 | } |
1504 | 1520 |
|
1505 | 1521 | /** @var BaseObject */ |
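Review bot: The `$blocklist` loop added to `createFunction()` fails open: it replaces the removed `is_subclass_of($class, BaseObject::class)` / `craft\helpers\` allowlist, so any autoloadable class outside the five listed ones and their subclasses can now be instantiated through `create()`, presumably with caller-supplied `$params`. If the allowlist had to go for compatibility, the trade-off should be recorded above the list, e.g. `// Denylist only, fails open: classes not listed here remain instantiable via create(); extend it whenever a new dangerous class is identified.` The check also inspects only the top-level `$class`; class names nested inside `$type` or `$params` are not examined in the visible lines, and whether they matter depends on the rest of the function, which continues past this hunk. The `/** @var BaseObject */` annotation kept below the check no longer matches what reaches it, since non-`BaseObject` classes now pass.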
|