From a50ebfe118b3ae0ddaea1c48ac19dc38692f4abc Mon Sep 17 00:00:00 2001
From: oleibman <10341515+oleibman@users.noreply.github.com>
Date: Wed, 25 Dec 2024 19:29:51 -0800
Subject: [PATCH] Backport Security Patches for Samples
---
.github/workflows/main.yml | 1 +
CHANGELOG.md | 3 ++-
.../Engineering/Convert-Online.php | 20 ++++++++++++++-----
samples/Wizards/NumberFormat/Accounting.php | 8 ++++++--
samples/Wizards/NumberFormat/Currency.php | 8 ++++++--
src/PhpSpreadsheet/Helper/Downloader.php | 6 +++---
6 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b41491e92e..f9932a29f6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -267,3 +267,4 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
bodyFile: release-body.txt
+ makeLatest: false
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 766d9c4568..feed1a0965 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,8 @@ and this project adheres to [Semantic Versioning](https://semver.org).
### Fixed
-- More context options may be needed for http(s) image. Backport of [PR #4276](https://github.com/PHPOffice/PhpSpreadsheet/pull/4276)
+- More context options may be needed for http(s) image. Backport of [PR #4276](https://github.com/PHPOffice/PhpSpreadsheet/pull/4276)
+- Backported security patches for Samples.
## 1.29.6 - 2024-12-08
diff --git a/samples/Calculations/Engineering/Convert-Online.php b/samples/Calculations/Engineering/Convert-Online.php
index e20e4c79b6..e5b53f4b88 100644
--- a/samples/Calculations/Engineering/Convert-Online.php
+++ b/samples/Calculations/Engineering/Convert-Online.php
@@ -14,6 +14,7 @@
}
$categories = ConvertUOM::getConversionCategories();
+$defaultCategory = $_POST['category'] ?? $categories[0];
$units = [];
foreach ($categories as $category) {
$categoryUnits = ConvertUOM::getConversionCategoryUnitDetails($category)[$category];
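Review bot: `$defaultCategory` on the added line takes `$_POST['category']` as-is, so any request-supplied string (or an array, via `category[]=`) becomes the default without being checked against `$categories`. If this value is later compared or echoed when rendering the category `<select>` (the hunks at lines 48 and 58 are not shown here), an unrecognised value is reflected back; restricting it to the known list avoids that and also makes the later `$units[$_POST['category']]` lookups safe by construction. Suggest `$defaultCategory = in_array($_POST['category'] ?? null, $categories, true) ? $_POST['category'] : $categories[0];`. The surrounding statement run continues past the hunk.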
@@ -48,7 +49,7 @@
@@ -58,7 +59,7 @@
@@ -73,11 +74,20 @@
log('Quantity is not numeric');
+ } elseif (isset($units[$_POST['category']][$fromUnit], $units[$_POST['category']][$toUnit])) {
+ /** @var float|string */
+ $result = ConvertUOM::CONVERT($quantity, $fromUnit, $toUnit);
- echo "{$quantity} {$units[$_POST['category']][$fromUnit]} is {$result} {$units[$_POST['category']][$toUnit]}", PHP_EOL;
+ $helper->log("{$quantity} {$units[$_POST['category']][$fromUnit]} is {$result} {$units[$_POST['category']][$toUnit]}");
+ } else {
+ $helper->log('Please enter quantity and select From Unit and To Unit');
+ }
+} else {
+ $helper->log('Please enter quantity and select From Unit and To Unit');
}
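Review bot: The new `elseif` at the top of the hunk indexes `$units[$_POST['category']]` without first establishing that the key exists and is a string: a request with no `category` produces an undefined-array-key warning, and an array-valued parameter (`category[]=x`) makes the `isset` throw `TypeError: Illegal offset type in isset or empty` on PHP 8, so the sample may die with a stack trace instead of logging an error. Pull the value once and type-check it: `$postedCategory = $_POST['category'] ?? null;` before the chain, then `} elseif (is_string($postedCategory) && isset($units[$postedCategory][$fromUnit], $units[$postedCategory][$toUnit])) {`, and use `$postedCategory` in the log line below. `$fromUnit` and `$toUnit` are assigned outside the hunk and presumably need the same string check. The outer `if` whose `else` appears at the end of the hunk begins outside it, and the final message does not distinguish "nothing selected" from "unrecognised category or unit", which would help anyone debugging a rejected request.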
diff --git a/samples/Wizards/NumberFormat/Accounting.php b/samples/Wizards/NumberFormat/Accounting.php
index 6e6296b239..7906988db2 100644
--- a/samples/Wizards/NumberFormat/Accounting.php
+++ b/samples/Wizards/NumberFormat/Accounting.php
@@ -85,6 +85,8 @@
$helper->log('The Sample Number Value must be numeric');
} elseif (!is_numeric($_POST['decimals']) || strpos($_POST['decimals'], '.') !== false || (int) $_POST['decimals'] < 0) {
$helper->log('The Decimal Places value must be positive integer');
+ } elseif (!in_array($_POST['currency'], array_keys($currencies), true)) {
+ $helper->log('Unrecognized currency symbol');
} else {
try {
$wizard = new Wizard\Accounting($_POST['currency'], $_POST['decimals'], isset($_POST['thousands']), (bool) $_POST['position'], (bool) $_POST['spacing']);
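Review bot: The context line at the end of the hunk still reads `$_POST['position']` and `$_POST['spacing']` directly, while the new checks above only cover `currency` and `decimals`; if a request omits either radio value (a hand-crafted POST rather than the form), PHP 8 emits an "Undefined array key" warning before the cast to bool. Since `(bool) null` is already `false`, `(bool) ($_POST['position'] ?? false)` and `(bool) ($_POST['spacing'] ?? false)` keep the behaviour and remove the warning. The allowlist itself is sound: `in_array(..., true)` against `array_keys($currencies)` also rejects an array-valued parameter, which `array_key_exists` would have thrown a TypeError on. The `if` chain starts above the hunk and the `try` continues below it.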
@@ -93,12 +95,14 @@
$helper->log('
Code:
');
$helper->log('use PhpOffice\PhpSpreadsheet\Style\NumberFormat\Wizard;');
$helper->log(
- "\$mask = Wizard\\Accounting('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::" .
+ "\$wizard = new Wizard\\Accounting('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::" .
(isset($_POST['thousands']) ? 'WITH_THOUSANDS_SEPARATOR' : 'WITHOUT_THOUSANDS_SEPARATOR') .
', Wizard\Currency::' . (((bool) $_POST['position']) ? 'LEADING_SYMBOL' : 'TRAILING_SYMBOL') .
', Wizard\Currency::' . (((bool) $_POST['spacing']) ? 'SYMBOL_WITH_SPACING' : 'SYMBOL_WITHOUT_SPACING') .
- ');
'
+ ');'
);
+ $helper->log('$mask = $wizard->format();');
+ $helper->log('
');
$helper->log('echo (string) $mask;');
$helper->log('
Mask:
');
$helper->log($mask . '
');
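Review bot: The rewritten `$helper->log(...)` call builds a PHP snippet by interpolating `$_POST['currency']` inside single quotes and `{$_POST['decimals']}` bare; both are only safe because of the checks earlier in this file, and the decimals check (`is_numeric` plus no `.`) still lets forms such as `1e2`, ` 7` or `+7` through, which then appear verbatim in the generated code. Emitting the normalised value instead shows what the wizard actually receives: `"\$wizard = new Wizard\\Accounting('{$_POST['currency']}', " . (int) $_POST['decimals'] . ', Wizard\Number::' .`. A short comment above the call would make the dependency explicit: `// currency and decimals were validated above; never interpolate unvalidated request fields into this snippet`. The `try` block enclosing these lines starts above the hunk.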
diff --git a/samples/Wizards/NumberFormat/Currency.php b/samples/Wizards/NumberFormat/Currency.php
index b4373d5415..3749de1e15 100644
--- a/samples/Wizards/NumberFormat/Currency.php
+++ b/samples/Wizards/NumberFormat/Currency.php
@@ -85,6 +85,8 @@
$helper->log('The Sample Number Value must be numeric');
} elseif (!is_numeric($_POST['decimals']) || strpos($_POST['decimals'], '.') !== false || (int) $_POST['decimals'] < 0) {
$helper->log('The Decimal Places value must be positive integer');
+ } elseif (!in_array($_POST['currency'], array_keys($currencies), true)) {
+ $helper->log('Unrecognized currency symbol');
} else {
try {
$wizard = new Wizard\Currency($_POST['currency'], $_POST['decimals'], isset($_POST['thousands']), (bool) $_POST['position'], (bool) $_POST['spacing']);
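Review bot: The `decimals` validation on the line above the new currency check accepts every `is_numeric` string without a dot, which includes `1e2`, `+7`, `007` and whitespace-padded values, so `$_POST['decimals']` reaches `new Wizard\Currency(...)` (and the generated snippet later in the file) in forms the UI never produces. `ctype_digit` expresses the intent — a non-negative integer in canonical form — in one call: `} elseif (!is_string($_POST['decimals']) || !ctype_digit($_POST['decimals'])) {` (the `is_string` guard matters because `ctype_digit` treats an `int` argument as a character code and an array would raise a TypeError). The added `in_array(..., true)` check for the currency is good and also safely rejects array-valued parameters. The `if` chain begins above the hunk.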
@@ -93,12 +95,14 @@
$helper->log('
Code:
');
$helper->log('use PhpOffice\PhpSpreadsheet\Style\NumberFormat\Wizard;');
$helper->log(
- "\$mask = Wizard\\Currency('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::" .
+ "\$wizard = new Wizard\\Currency('{$_POST['currency']}', {$_POST['decimals']}, Wizard\\Number::" .
(isset($_POST['thousands']) ? 'WITH_THOUSANDS_SEPARATOR' : 'WITHOUT_THOUSANDS_SEPARATOR') .
', Wizard\Currency::' . (((bool) $_POST['position']) ? 'LEADING_SYMBOL' : 'TRAILING_SYMBOL') .
', Wizard\Currency::' . (((bool) $_POST['spacing']) ? 'SYMBOL_WITH_SPACING' : 'SYMBOL_WITHOUT_SPACING') .
- ');
'
+ ');'
);
+ $helper->log('$mask = $wizard->format();');
+ $helper->log('
');
$helper->log('echo (string) $mask;');
$helper->log('
Mask:
');
$helper->log($mask . '
');
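Review bot: The generated snippet quotes `$_POST['currency']` by hand inside single quotes (`'{$_POST['currency']}'`), which is correct only while every key of `$currencies` is free of `'` and `\`; the allowlist added earlier in this file is what makes this safe today, and nothing here records that. Emitting the literal with `var_export` instead of manual quoting makes the snippet correct for any string and removes the implicit coupling: `"\$wizard = new Wizard\\Currency(" . var_export($_POST['currency'], true) . ", {$_POST['decimals']}, Wizard\\Number::" .`. Failing that, a one-line comment above the call, `// currency was validated against $currencies and decimals is numeric (see checks above) — safe to interpolate`, documents the assumption for the next editor. The `try` block enclosing this log call starts above the hunk.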
diff --git a/src/PhpSpreadsheet/Helper/Downloader.php b/src/PhpSpreadsheet/Helper/Downloader.php
index e66ae42584..0cac69c357 100644
--- a/src/PhpSpreadsheet/Helper/Downloader.php
+++ b/src/PhpSpreadsheet/Helper/Downloader.php
@@ -24,18 +24,18 @@ class Downloader
public function __construct(string $folder, string $filename, ?string $filetype = null)
{
if ((is_dir($folder) === false) || (is_readable($folder) === false)) {
- throw new Exception("Folder {$folder} is not accessable");
+ throw new Exception('Folder is not accessible');
}
$filepath = "{$folder}/{$filename}";
$this->filepath = (string) realpath($filepath);
$this->filename = basename($filepath);
if ((file_exists($this->filepath) === false) || (is_readable($this->filepath) === false)) {
- throw new Exception("{$this->filename} not found, or cannot be read");
+ throw new Exception('File not found, or cannot be read');
}
$filetype ??= pathinfo($filename, PATHINFO_EXTENSION);
if (array_key_exists(strtolower($filetype), self::CONTENT_TYPES) === false) {
- throw new Exception("Invalid filetype: {$filetype} cannot be downloaded");
+ throw new Exception('Invalid filetype: cannot be downloaded');
}
$this->filetype = strtolower($filetype);
}
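Review bot: The new generic messages stop reflecting caller input but do not change the path check: `$filepath = "{$folder}/{$filename}"` goes through `realpath()` and is then tested only with `file_exists`/`is_readable`, so a `$filename` containing `..` segments resolves outside `$folder` and is served whenever its extension is in `CONTENT_TYPES`. If `$filename` can be influenced by a request (this helper appears to back the samples' download links), the constructor should verify that the resolved file is still inside the resolved folder and reject it with the same generic message otherwise. `realpath($folder)` is safe to call at that point because `is_dir` has already passed. The `download()` method that streams `$this->filepath` is outside the hunk.
```php
        $filepath = "{$folder}/{$filename}";
        $root = (string) realpath($folder);
        $this->filepath = (string) realpath($filepath);
        // reject anything realpath() resolved outside $folder (e.g. "../" in $filename)
        if ($root === '' || strncmp($this->filepath, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
            throw new Exception('File not found, or cannot be read');
        }
        $this->filename = basename($filepath);
        // … unchanged: file_exists/is_readable and filetype checks …
```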