Fixed additional RCE vectors

CHANGELOG.md

@@ -4,7 +4,7 @@
 
 - Fixed a bug where the `defaultDirMode` config setting wasn’t being respected when the `storage/runtime/` and `storage/logs/` folders were created. ([#13756](https://github.com/craftcms/cms/issues/13756))
 - Fixed a bug where the `CRAFT_VENDOR_PATH`, `CRAFT_BASE_PATH`, `CRAFT_CONFIG_PATH`, `CRAFT_CONTENT_MIGRATIONS_PATH`, `CRAFT_STORAGE_PATH`, `CRAFT_TEMPLATES_PATH`, `CRAFT_TRANSLATIONS_PATH`, and `CRAFT_TESTS_PATH` PHP constants weren’t being respected if the directories didn’t exist.
-- Fixed an RCE vulnerability.
+- Fixed RCE vulnerabilities.
 
 ## 3.9.4 - 2023-09-26
 

src/Craft.php

@@ -16,6 +16,7 @@ use craft\helpers\FileHelper;
 use craft\helpers\StringHelper;
 use GuzzleHttp\Client;
 use yii\base\ExitException;
+use yii\base\InvalidConfigException;
 use yii\db\Expression;
 use yii\helpers\VarDumper;
 use yii\web\Request;
@@ -58,6 +59,10 @@ class Craft extends Yii
      */
     public static function createObject($type, array $params = [])
     {
+        if (is_array($type) && isset($type['__class']) && isset($type['class'])) {
+            throw new InvalidConfigException('`__class` and `class` cannot both be specified.');
+        }
+
         return parent::createObject($type, $params);
     }
 

src/controllers/ElementIndexesController.php

@@ -18,6 +18,7 @@ use craft\elements\db\ElementQuery;
 use craft\elements\db\ElementQueryInterface;
 use craft\elements\exporters\Raw;
 use craft\events\ElementActionEvent;
+use craft\helpers\Component;
 use craft\helpers\ElementHelper;
 use yii\base\InvalidValueException;
 use yii\web\BadRequestHttpException;
@@ -480,7 +481,7 @@ class ElementIndexesController extends BaseElementsController
                     $criteria['draftOf'] = filter_var($criteria['draftOf'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
                 }
             }
-            Craft::configure($query, $criteria);
+            Craft::configure($query, Component::cleanseConfig($criteria));
         }
 
         // Exclude descendants of the collapsed element IDs

src/controllers/ElementsController.php

@@ -14,6 +14,7 @@ use craft\elements\Category;
 use craft\errors\InvalidTypeException;
 use craft\fieldlayoutelements\BaseField;
 use craft\helpers\ArrayHelper;
+use craft\helpers\Component;
 use craft\helpers\Cp;
 use craft\helpers\DateTimeHelper;
 use craft\helpers\ElementHelper;
@@ -163,7 +164,7 @@ class ElementsController extends BaseElementsController
         }
 
         // Configure the element
-        Craft::configure($element, $params);
+        Craft::configure($element, Component::cleanseConfig($params));
         $element->setFieldValuesFromRequest($namespace . '.fields');
 
         // Now save it
@@ -385,7 +386,7 @@ class ElementsController extends BaseElementsController
         }
 
         // Populate it with any posted attributes
-        Craft::configure($element, $attributes);
+        Craft::configure($element, Component::cleanseConfig($attributes));
         $element->siteId = $siteId;
 
         return $element;

src/controllers/SystemSettingsController.php

@@ -12,6 +12,7 @@ use craft\elements\GlobalSet;
 use craft\errors\MissingComponentException;
 use craft\helpers\App;
 use craft\helpers\ArrayHelper;
+use craft\helpers\Component;
 use craft\helpers\MailerHelper;
 use craft\helpers\UrlHelper;
 use craft\mail\Mailer;
@@ -206,7 +207,7 @@ class SystemSettingsController extends Controller
         if ($settingsIsValid && $adapterIsValid) {
             // Try to send the test email
             /** @var Mailer $mailer */
-            $mailer = Craft::createObject(App::mailerConfig($settings));
+            $mailer = Craft::createObject(App::mailerConfig(Component::cleanseConfig($settings)));
             $message = $mailer
                 ->composeFromKey('test_email', [
                     'settings' => MailerHelper::settingsReport($mailer, $adapter),