Security update for Core, with self-updated composer

[yaffs-website] / vendor / consolidation / annotated-command / src / AnnotatedCommandFactory.php

diff --git a/vendor/consolidation/annotated-command/src/AnnotatedCommandFactory.php b/vendor/consolidation/annotated-command/src/AnnotatedCommandFactory.php
index 687acd5ca97ba6a1c8bb22682809b6aa76201a9f..abdd97276f5fbd3736399e60c1f62119844ccf0a 100644 (file)
--- a/vendor/consolidation/annotated-command/src/AnnotatedCommandFactory.php
+++ b/vendor/consolidation/annotated-command/src/AnnotatedCommandFactory.php
@@ -246,8 +246,9 @@ class AnnotatedCommandFactory implements AutomaticOptionsProviderInterface
         // can never be commands.
         $commandMethodNames = array_filter(
             get_class_methods($classNameOrInstance) ?: [],
-            function ($m) {
-                return !preg_match('#^_#', $m);
+            function ($m) use ($classNameOrInstance) {
+                $reflectionMethod = new \ReflectionMethod($classNameOrInstance, $m);
+                return !$reflectionMethod->isStatic() && !preg_match('#^_#', $m);
             }
         );
 
@@ -320,6 +321,11 @@ class AnnotatedCommandFactory implements AutomaticOptionsProviderInterface
         if ($commandInfo->hasAnnotation('command')) {
             return true;
         }
+        // Skip anything that has a missing or invalid name.
+        $commandName = $commandInfo->getName();
+        if (empty($commandName) || preg_match('#[^a-zA-Z0-9:_-]#', $commandName)) {
+            return false;
+        }
         // Skip anything named like an accessor ('get' or 'set')
         if (preg_match('#^(get[A-Z]|set[A-Z])#', $commandInfo->getMethodName())) {
             return false;