Upgrade to 3.9.6

kirby/src/Cms/App.php

@@ -367,14 +367,14 @@ class App
 	 * @return \Kirby\Toolkit\Collection|null
 	 * @todo 5.0 Add return type declaration
 	 */
-	public function collection(string $name)
+	public function collection(string $name, array $options = [])
 	{
-		return $this->collections()->get($name, [
+		return $this->collections()->get($name, array_merge($options, [
 			'kirby' => $this,
-			'site'  => $this->site(),
-			'pages' => $this->site()->children(),
+			'site'  => $site = $this->site(),
+			'pages' => $site->children(),
 			'users' => $this->users()
-		]);
+		]));
 	}
 
 	/**
@@ -580,7 +580,14 @@ class App
 		$visitor   = $this->visitor();
 
 		foreach ($visitor->acceptedLanguages() as $acceptedLang) {
-			$closure = fn ($language) => $language->locale(LC_ALL) === $acceptedLang->locale();
+			$closure = function ($language) use ($acceptedLang) {
+				$languageLocale = $language->locale(LC_ALL);
+				$acceptedLocale = $acceptedLang->locale();
+
+				return $languageLocale === $acceptedLocale ||
+					$acceptedLocale === Str::substr($languageLocale, 0, 2);
+			};
+
 			if ($language = $languages->filter($closure)?->first()) {
 				return $language;
 			}

kirby/src/Cms/Auth.php

@@ -279,18 +279,39 @@ class Auth
 
 		$id = $session->data()->get('kirby.userId');
 
+		// if no user is logged in, return immediately
 		if (is_string($id) !== true) {
 			return null;
 		}
 
-		if ($user = $this->kirby->users()->find($id)) {
-			// in case the session needs to be updated, do it now
-			// for better performance
-			$session->commit();
-			return $user;
+		// a user is logged in, ensure it exists
+		$user = $this->kirby->users()->find($id);
+		if ($user === null) {
+			return null;
 		}
 
-		return null;
+		if ($passwordTimestamp = $user->passwordTimestamp()) {
+			$loginTimestamp = $session->data()->get('kirby.loginTimestamp');
+			if (is_int($loginTimestamp) !== true) {
+				// session that was created before Kirby
+				// 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1 or 3.9.6
+				// or when the user didn't have a password set
+				$user->logout();
+				return null;
+			}
+
+			// invalidate the session if the password
+			// changed since the login
+			if ($loginTimestamp < $passwordTimestamp) {
+				$user->logout();
+				return null;
+			}
+		}
+
+		// in case the session needs to be updated, do it now
+		// for better performance
+		$session->commit();
+		return $user;
 	}
 
 	/**

kirby/src/Cms/Find.php

@@ -121,7 +121,10 @@ class Find
 			'site'    => $kirby->site(),
 			'account' => static::user(),
 			'page'    => static::page(basename($path)),
-			'file'    => static::file(...explode('/files/', $path)),
+			// regular expression to split the path at the last
+			// occurrence of /files/ which separates parent path
+			// and filename
+			'file'    => static::file(...preg_split('$.*\K(/files/)$', $path)),
 			'user'    => $kirby->user(basename($path)),
 			default   => throw new InvalidArgumentException('Invalid model type: ' . $modelType)
 		};

kirby/src/Cms/User.php

@@ -441,6 +441,9 @@ class User extends ModelWithContent
 
 		$session->regenerateToken(); // privilege change
 		$session->data()->set('kirby.userId', $this->id());
+		if ($this->passwordTimestamp() !== null) {
+			$session->data()->set('kirby.loginTimestamp', time());
+		}
 		$this->kirby()->auth()->setUser($this);
 
 		$kirby->trigger('user.login:after', ['user' => $this, 'session' => $session]);
@@ -461,6 +464,7 @@ class User extends ModelWithContent
 
 		// remove the user from the session for future requests
 		$session->data()->remove('kirby.userId');
+		$session->data()->remove('kirby.loginTimestamp');
 
 		// clear the cached user object from the app state of the current request
 		$this->kirby()->auth()->flush();
@@ -607,6 +611,26 @@ class User extends ModelWithContent
 		return $this->password = $this->readPassword();
 	}
 
+	/**
+	 * Returns the timestamp when the password
+	 * was last changed
+	 */
+	public function passwordTimestamp(): int|null
+	{
+		$file = $this->passwordFile();
+
+		// ensure we have the latest information
+		// to prevent cache attacks
+		clearstatcache();
+
+		// user does not have a password
+		if (is_file($file) === false) {
+			return null;
+		}
+
+		return filemtime($file);
+	}
+
 	/**
 	 * @return \Kirby\Cms\UserPermissions
 	 */
@@ -864,14 +888,29 @@ class User extends ModelWithContent
 			throw new NotFoundException(['key' => 'user.password.undefined']);
 		}
 
+		// `UserRules` enforces a minimum length of 8 characters,
+		// so everything below that is a typo
 		if (Str::length($password) < 8) {
 			throw new InvalidArgumentException(['key' => 'user.password.invalid']);
 		}
 
+		// too long passwords can cause DoS attacks
+		if (Str::length($password) > 1000) {
+			throw new InvalidArgumentException(['key' => 'user.password.excessive']);
+		}
+
 		if (password_verify($password, $this->password()) !== true) {
 			throw new InvalidArgumentException(['key' => 'user.password.wrong', 'httpCode' => 401]);
 		}
 
 		return true;
 	}
+
+	/**
+	 * Returns the path to the password file
+	 */
+	protected function passwordFile(): string
+	{
+		return $this->root() . '/.htpasswd';
+	}
 }

kirby/src/Cms/UserActions.php

@@ -118,6 +118,13 @@ trait UserActions
 			// update the users collection
 			$user->kirby()->users()->set($user->id(), $user);
 
+			// keep the user logged in to the current browser
+			// if they changed their own password
+			// (regenerate the session token, update the login timestamp)
+			if ($user->isLoggedIn() === true) {
+				$user->loginPasswordless();
+			}
+
 			return $user;
 		});
 	}
@@ -323,7 +330,7 @@ trait UserActions
 	 */
 	protected function readPassword()
 	{
-		return F::read($this->root() . '/.htpasswd');
+		return F::read($this->passwordFile());
 	}
 
 	/**
@@ -384,6 +391,6 @@ trait UserActions
 		#[SensitiveParameter]
 		string $password = null
 	): bool {
-		return F::write($this->root() . '/.htpasswd', $password);
+		return F::write($this->passwordFile(), $password);
 	}
 }

kirby/src/Cms/UserRules.php

@@ -341,12 +341,23 @@ class UserRules
 		#[SensitiveParameter]
 		string $password
 	): bool {
+		// too short passwords are ineffective
 		if (Str::length($password ?? null) < 8) {
 			throw new InvalidArgumentException([
 				'key' => 'user.password.invalid',
 			]);
 		}
 
+		// too long passwords can cause DoS attacks
+		// and are therefore blocked in the auth system
+		// (blocked here as well to avoid passwords
+		// that cannot be used to log in)
+		if (Str::length($password ?? null) > 1000) {
+			throw new InvalidArgumentException([
+				'key' => 'user.password.excessive',
+			]);
+		}
+
 		return true;
 	}
 

kirby/src/Data/Txt.php

@@ -93,10 +93,14 @@ class Txt extends Handler
 			throw new InvalidArgumentException('Invalid TXT data; please pass a string');
 		}
 
-		// remove BOM
-		$string = str_replace("\xEF\xBB\xBF", '', $string);
+		// remove Unicode BOM at the beginning of the file
+		if (Str::startsWith($string, "\xEF\xBB\xBF") === true) {
+			$string = substr($string, 3);
+		}
+
 		// explode all fields by the line separator
 		$fields = preg_split('!\n----\s*\n*!', $string);
+
 		// start the data array
 		$data = [];
 

kirby/src/Http/Response.php

@@ -176,6 +176,18 @@ class Response
 			'type' => F::extensionToMime(F::extension($file))
 		], $props);
 
+		// if we couldn't serve a correct MIME type, force
+		// the browser to display the file as plain text to
+		// harden against attacks from malicious file uploads
+		if ($props['type'] === null) {
+			if (isset($props['headers']) !== true) {
+				$props['headers'] = [];
+			}
+
+			$props['type'] = 'text/plain';
+			$props['headers']['X-Content-Type-Options'] = 'nosniff';
+		}
+
 		return new static($props);
 	}
 

kirby/src/Panel/Document.php

@@ -278,6 +278,8 @@ class Document
 			'panelUrl' => $uri->path()->toString(true) . '/',
 		]);
 
-		return new Response($body, 'text/html', $code);
+		return new Response($body, 'text/html', $code, [
+			'Content-Security-Policy' => "frame-ancestors 'none'"
+		]);
 	}
 }

kirby/src/Panel/Panel.php

@@ -11,6 +11,7 @@ use Kirby\Exception\NotFoundException;
 use Kirby\Exception\PermissionException;
 use Kirby\Http\Response;
 use Kirby\Http\Router;
+use Kirby\Http\Uri;
 use Kirby\Http\Url;
 use Kirby\Toolkit\Str;
 use Kirby\Toolkit\Tpl;
@@ -538,15 +539,22 @@ class Panel
 	 */
 	public static function url(string|null $url = null): string
 	{
-		$slug = App::instance()->option('panel.slug', 'panel');
-
 		// only touch relative paths
 		if (Url::isAbsolute($url) === false) {
-			$path = trim($url, '/');
+			$kirby = App::instance();
+			$slug  = $kirby->option('panel.slug', 'panel');
+			$path  = trim($url, '/');
 
+			$baseUri  = new Uri($kirby->url());
+			$basePath = trim($baseUri->path()->toString(), '/');
+
+			// removes base path if relative path contains it
+			if (empty($basePath) === false && Str::startsWith($path, $basePath) === true) {
+				$path = Str::after($path, $basePath);
+			}
 			// add the panel slug prefix if it it's not
 			// included in the path yet
-			if (Str::startsWith($path, $slug . '/') === false) {
+			elseif (Str::startsWith($path, $slug . '/') === false) {
 				$path = $slug . '/' . $path;
 			}
 

kirby/src/Query/Argument.php

@@ -70,6 +70,10 @@ class Argument
 
 		// numeric
 		if (is_numeric($argument) === true) {
+			if (strpos($argument, '.') === false) {
+				return new static((int)$argument);
+			}
+
 			return new static((float)$argument);
 		}
 

kirby/src/Query/Query.php

@@ -117,7 +117,7 @@ Query::$entries['file'] = function (string $id): File|null {
 };
 
 Query::$entries['page'] = function (string $id): Page|null {
-	return App::instance()->site()->find($id);
+	return App::instance()->page($id);
 };
 
 Query::$entries['site'] = function (): Site {

kirby/src/Query/Segment.php

@@ -77,19 +77,17 @@ class Segment
 	/**
 	 * Automatically resolves the segment depending on the
 	 * segment position and the type of the base
+	 *
+	 * @param mixed $base Current value of the query chain
 	 */
 	public function resolve(mixed $base = null, array|object $data = []): mixed
 	{
 		// resolve arguments to array
 		$args = $this->arguments?->resolve($data) ?? [];
 
-		// 1st segment, start from $data array
+		// 1st segment, use $data as base
 		if ($this->position === 0) {
-			if (is_array($data) == true) {
-				return $this->resolveArray($data, $args);
-			}
-
-			return $this->resolveObject($data, $args);
+			$base = $data;
 		}
 
 		if (is_array($base) === true) {
@@ -109,26 +107,55 @@ class Segment
 	 */
 	protected function resolveArray(array $array, array $args): mixed
 	{
-		if (array_key_exists($this->method, $array) === false) {
-			static::error($array, $this->method, 'property');
+		// the directly provided array takes precedence
+		// to look up a matching entry
+		if (array_key_exists($this->method, $array) === true) {
+			$value = $array[$this->method];
+
+			// if this is a Closure we can directly use it, as
+			// Closures from the $array should always have priority
+			// over the Query::$entries Closures
+			if ($value instanceof Closure) {
+				return $value(...$args);
+			}
+
+			// if we have no arguments to pass, we also can directly
+			// use the value from the $array as it must not be different
+			// to the one from Query::$entries with the same name
+			if ($args === []) {
+				return $value;
+			}
 		}
 
-		$value = $array[$this->method];
-
-		if ($value instanceof Closure) {
-			return $value(...$args);
+		// fallback time: only if we are handling the first segment,
+		// we can also try to resolve the segment with an entry from the
+		// default Query::$entries
+		if ($this->position === 0) {
+			if (array_key_exists($this->method, Query::$entries) === true) {
+				return Query::$entries[$this->method](...$args);
+			}
 		}
 
-		if ($args !== []) {
+		// if we have not been able to return anything so far,
+		// we just need to differntiate between two different error messages
+
+		// this one is in case the original array contained the key,
+		// but was not a Closure while the segment had arguments
+		if (
+			array_key_exists($this->method, $array) &&
+			$args !== []
+		) {
 			throw new InvalidArgumentException('Cannot access array element "' . $this->method . '" with arguments');
 		}
 
-		return $value;
+		// last, the standard error for trying to access something
+		// that does not exist
+		static::error($array, $this->method, 'property');
 	}
 
 	/**
-	 * Resolves segment by calling the method/accessing the property
-	 * on the base object
+	 * Resolves segment by calling the method/
+	 * accessing the property on the base object
 	 */
 	protected function resolveObject(object $object, array $args): mixed
 	{
@@ -140,7 +167,8 @@ class Segment
 		}
 
 		if (
-			$args === [] && (
+			$args === [] &&
+			(
 				property_exists($object, $this->method) === true ||
 				method_exists($object, '__get') === true
 			)

kirby/src/Toolkit/Controller.php

@@ -26,11 +26,25 @@ class Controller
 	public function arguments(array $data = []): array
 	{
 		$info = new ReflectionFunction($this->function);
+		$args = [];
 
-		return A::map(
-			$info->getParameters(),
-			fn ($parameter) => $data[$parameter->getName()] ?? null
-		);
+		foreach ($info->getParameters() as $param) {
+			$name = $param->getName();
+
+			if ($param->isVariadic() === true) {
+				// variadic ... argument collects all remaining values
+				$args += $data;
+			} elseif (isset($data[$name]) === true) {
+				// use provided argument value if available
+				$args[$name] = $data[$name];
+			} elseif ($param->isDefaultValueAvailable() === false) {
+				// use null for any other arguments that don't define
+				// a default value for themselves
+				$args[$name] = null;
+			}
+		}
+
+		return $args;
 	}
 
 	public function call($bind = null, $data = [])

kirby/src/Toolkit/Xml.php

@@ -271,7 +271,7 @@ class Xml
 	 */
 	public static function parse(string $xml): array|null
 	{
-		$xml = @simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
+		$xml = @simplexml_load_string($xml);
 
 		if (is_object($xml) !== true) {
 			return null;