From: Tim Düsterhus Date: Wed, 29 Jun 2022 10:16:02 +0000 (+0200) Subject: Merge branch '5.5' X-Git-Tag: 6.0.0_Alpha_1~1139 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=366065910349aa4a7f5c12baec2ea84958d5b9bb;p=GitHub%2FWoltLab%2FWCF.git Merge branch '5.5' --- 366065910349aa4a7f5c12baec2ea84958d5b9bb diff --cc wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php index 8585adc050,118f3559a1..f077eb9562 --- a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php +++ b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php @@@ -141,8 -152,20 +152,17 @@@ class PackageUpdateServer extends Datab return \current($pluginStoreServer); } + /** + * Restricts the available sources to official package + * servers when a secure download is requested. + */ + final public static function enableSecureMode(): void + { + self::$secureMode = true; + } + /** - * Returns true if the given server url is valid. - * - * @param string $serverURL - * @return bool + * @deprecated 5.6 This method was only used in PackageUpdateServerAddForm. */ public static function isValidServerURL($serverURL) { diff --cc wcfsetup/install/files/lib/system/request/ControllerMap.class.php index 60b10516d3,de01cb4297..032b6f6f1e --- a/wcfsetup/install/files/lib/system/request/ControllerMap.class.php +++ b/wcfsetup/install/files/lib/system/request/ControllerMap.class.php @@@ -342,12 -433,22 +342,14 @@@ final class ControllerMap extends Singl { $className = $application . '\\' . ($isAcpRequest ? 'acp\\' : '') . $pageType . '\\' . $controller . \ucfirst($pageType); if (!\class_exists($className)) { - // avoid CORS by allowing action classes invoked form every application domain - if ($pageType === 'action' && $application !== 'wcf') { - $className = 'wcf\\' . ($isAcpRequest ? 'acp\\' : '') . $pageType . '\\' . $controller . 
\ucfirst($pageType); - if (!\class_exists($className)) { - return null; - } - } else { - return null; - } + return null; } - // check for abstract classes + // Verify that the class can be instantiated. This excludes + // abstract classes, interfaces, classes with a private constructor + // and more. $reflectionClass = new \ReflectionClass($className); - if ($reflectionClass->isAbstract()) { + if (!$reflectionClass->isInstantiable()) { return null; }
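Review bot: The new `isInstantiable()` guard in the ControllerMap hunk establishes only that `$className` can be constructed, not that it is a page, form or action controller, and nothing visible in the hunk checks the type. The name is assembled from `$application`, `$pageType` and `$controller`, which presumably originate from the requested route, so the only constraints shown here are the namespace prefix and the `\ucfirst($pageType)` suffix. The function starts and ends outside the hunk, so a type check may well follow or live in the caller; if it does, a short comment would make that division of labour explicit, for example `// Instantiability only; the controller type is verified by <caller> before dispatch.` (the caller name is a placeholder). The added comment also lists interfaces, which `\class_exists()` has already rejected by this point, so it would be more accurate as `// abstract classes, classes with a non-public constructor`.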