From 9c0d67de98a1bb0de56793aec4a21062ec7e0405 Mon Sep 17 00:00:00 2001
From: Pierre-Yves LEBECQ
Date: Mon, 26 Nov 2012 16:31:15 +0100
Subject: [PATCH] RELEASE_1_4_20 => v1.4.20 commit
Conflicts:
CHANGELOG
lib/autoload/sfAutoloadAgain.class.php
lib/autoload/sfCoreAutoload.class.php
lib/widget/sfWidget.class.php
lib/widget/sfWidgetForm.class.php
test/unit/form/sfFormTest.php
test/unit/widget/sfWidgetFormTest.php
test/unit/widget/sfWidgetTest.php
---
lib/debug/sfTimerManager.class.php | 8 ++++---
lib/form/sfForm.class.php | 24 ++++++++++++++++++-
.../sfDoctrineConnectionProfiler.class.php | 8 +++----
lib/widget/sfWidget.class.php | 4 ++--
lib/widget/sfWidgetForm.class.php | 4 ++--
5 files changed, 36 insertions(+), 12 deletions(-)
diff --git a/lib/debug/sfTimerManager.class.php b/lib/debug/sfTimerManager.class.php
index a165d7640a..ecda0b6c97 100644
--- a/lib/debug/sfTimerManager.class.php
+++ b/lib/debug/sfTimerManager.class.php
@@ -14,7 +14,7 @@
 * @package symfony
 * @subpackage util
 * @author Fabien Potencier
- * @version SVN: $Id: sfTimerManager.class.php 13339 2008-11-25 14:58:05Z fabien $
+ * @version SVN: $Id: sfTimerManager.class.php 33570 2012-10-25 09:44:55Z fabien $
 */
 class sfTimerManager
 {
@@ -29,14 +29,16 @@ class sfTimerManager
 *
 * @return sfTimer The timer instance
 */
- public static function getTimer($name)
+ public static function getTimer($name,$reset=true)
 {
 if (!isset(self::$timers[$name]))
 {
 self::$timers[$name] = new sfTimer($name);
 }
 
- self::$timers[$name]->startTimer();
+ if($reset){
+ self::$timers[$name]->startTimer();
+ }
 
 return self::$timers[$name];
 }
diff --git a/lib/form/sfForm.class.php b/lib/form/sfForm.class.php
index 8067b7b49e..2a470d5ee4 100644
--- a/lib/form/sfForm.class.php
+++ b/lib/form/sfForm.class.php
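Review bot: The new `$reset` parameter on getTimer is not described in the docblock directly above it, which still documents only the return value; add `@param bool $reset Whether to (re)start the timer before returning it` next to the existing `@return`. The added `if($reset){` puts the brace on the same line with no spacing, while the `if (!isset(...))` two lines above it, in the same hunk, uses `if (...)` with the brace on its own line; matching that style keeps the method consistent. When `$reset` is false and no timer existed yet, a freshly constructed sfTimer is returned without startTimer() being called here — whether that timer is already running depends on sfTimer's constructor, which this diff does not show, so a one-line comment stating the expectation at the `new sfTimer($name)` line would help the next reader.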
@@ -23,7 +23,7 @@
 * @package symfony
 * @subpackage form
 * @author Fabien Potencier
- * @version SVN: $Id: sfForm.class.php 29678 2010-05-30 14:38:42Z Kris.Wallsmith $
+ * @version SVN: $Id: sfForm.class.php 33598 2012-11-25 09:57:29Z fabien $
 */
 class sfForm implements ArrayAccess, Iterator, Countable
 {
@@ -222,6 +222,8 @@ public function bind(array $taintedValues = null, array $taintedFiles = null)
 $this->taintedFiles = array();
 }
 
+ $this->checkTaintedValues($this->taintedValues);
+
 try
 {
 $this->doBind(self::deepArrayUnion($this->taintedValues, self::convertFileInformation($this->taintedFiles)));
@@ -1336,4 +1338,24 @@ static protected function deepArrayUnion($array1, $array2)
 return $array1;
 }
 
+
+ /**
+ * Checks that the $_POST values do not contain something that
+ * looks like a file upload (coming from $_FILE).
+ */
+ protected function checkTaintedValues($values)
+ {
+ foreach ($values as $name => $value)
+ {
+ if (!is_array($value)) {
+ continue;
+ }
+
+ if (isset($value['tmp_name'])) {
+ throw new InvalidArgumentException('Do not try to fake a file upload.');
+ }
+
+ $this->checkTaintedValues($value);
+ }
+ }
 }
diff --git a/lib/plugins/sfDoctrinePlugin/lib/database/sfDoctrineConnectionProfiler.class.php b/lib/plugins/sfDoctrinePlugin/lib/database/sfDoctrineConnectionProfiler.class.php
index 84c1d93655..a79ce70f72 100644
--- a/lib/plugins/sfDoctrinePlugin/lib/database/sfDoctrineConnectionProfiler.class.php
+++ b/lib/plugins/sfDoctrinePlugin/lib/database/sfDoctrineConnectionProfiler.class.php
@@ -6,7 +6,7 @@
 * @package sfDoctrinePlugin
 * @subpackage database
 * @author Kris Wallsmith
- * @version SVN: $Id: sfDoctrineConnectionProfiler.class.php 20157 2009-07-13 17:00:12Z Kris.Wallsmith $
+ * @version SVN: $Id: sfDoctrineConnectionProfiler.class.php 33570 2012-10-25 09:44:55Z fabien $
 */
 class sfDoctrineConnectionProfiler extends Doctrine_Connection_Profiler
 {
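Review bot: The added `$this->checkTaintedValues($this->taintedValues);` sits before the try block, so the InvalidArgumentException it raises leaves bind() as an exception rather than surfacing as a form error, and nothing at the call site says whether that is intended. A one-line comment would settle it for the next reader: `// reject POST data shaped like an upload entry before it is merged with the converted $_FILES data below`. bind() begins before this hunk, so the earlier handling of `$taintedValues` (including the null default in the signature shown in the hunk header) is not visible here; the check presumably relies on `$this->taintedValues` already being an array at this point.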
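Review bot: The docblock on the new checkTaintedValues method refers to `$_FILE`; the superglobal is `$_FILES`, and the method also lacks `@param array $values` and `@throws InvalidArgumentException` entries, which matter because every caller of bind() inherits that exception. `$name` in `foreach ($values as $name => $value)` is never used, so `foreach ($values as $value)` is enough. The two `if (...) {` lines put the brace on the same line, while the `foreach` just above them and the rest of this hunk put it on its own line. The check keys on `tmp_name` alone; since convertFileInformation (called from bind) is what consumes the upload shape, the docblock should state that `tmp_name` is the discriminating key so the two stay in sync if that shape ever changes.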
@@ -82,7 +82,7 @@ public function preQuery(Doctrine_Event $event)
 */
 public function postQuery(Doctrine_Event $event)
 {
- sfTimerManager::getTimer('Database (Doctrine)')->addTime();
+ sfTimerManager::getTimer('Database (Doctrine)',false)->addTime();
 
 $args = func_get_args();
 $this->__call(__FUNCTION__, $args);
@@ -118,7 +118,7 @@ public function preExec(Doctrine_Event $event)
 */
 public function postExec(Doctrine_Event $event)
 {
- sfTimerManager::getTimer('Database (Doctrine)')->addTime();
+ sfTimerManager::getTimer('Database (Doctrine)',false)->addTime();
 
 $args = func_get_args();
 $this->__call(__FUNCTION__, $args);
@@ -154,7 +154,7 @@ public function preStmtExecute(Doctrine_Event $event)
 */
 public function postStmtExecute(Doctrine_Event $event)
 {
- sfTimerManager::getTimer('Database (Doctrine)')->addTime();
+ sfTimerManager::getTimer('Database (Doctrine)',false)->addTime();
 
 $args = func_get_args();
 $this->__call(__FUNCTION__, $args);
diff --git a/lib/widget/sfWidget.class.php b/lib/widget/sfWidget.class.php
index 87f8abaf9f..c4e4bbae09 100644
--- a/lib/widget/sfWidget.class.php
+++ b/lib/widget/sfWidget.class.php
@@ -14,7 +14,7 @@
 * @package symfony
 * @subpackage widget
 * @author Fabien Potencier
- * @version SVN: $Id: sfWidget.class.php 22933 2009-10-11 22:42:56Z Kris.Wallsmith $
+ * @version SVN: $Id: sfWidget.class.php 33596 2012-11-21 14:14:21Z fabien $
 */
 abstract class sfWidget
 {
@@ -361,7 +361,7 @@ public function renderContentTag($tag, $content = null, $attributes = array())
 */
 static public function escapeOnce($value)
 {
- return self::fixDoubleEscape(htmlspecialchars((string) $value, ENT_QUOTES, self::getCharset()));
+ return self::fixDoubleEscape(htmlspecialchars(!is_array($value) ? (string) $value : null, ENT_QUOTES, self::getCharset()));
 }
 
 /**
diff --git a/lib/widget/sfWidgetForm.class.php b/lib/widget/sfWidgetForm.class.php
index be2ce90c68..2121c6eaf9 100644
--- a/lib/widget/sfWidgetForm.class.php
+++ b/lib/widget/sfWidgetForm.class.php
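Review bot: `sfTimerManager::getTimer('Database (Doctrine)',false)->addTime();` in postQuery, and the identical lines in the postExec and postStmtExecute hunks below, pass a bare `false` with no space after the comma, while the neighbouring `$this->__call(__FUNCTION__, $args)` spaces its arguments, and a reader cannot tell what `false` means without opening sfTimerManager. A comment above the first call would carry the intent, e.g. `// do not restart the timer here: the matching pre* hook started it, addTime() closes the interval` — hedged, because the pre* bodies are outside these hunks and only their signatures appear in the hunk headers. The string `'Database (Doctrine)'` is now repeated at three visible call sites together with the flag; a class constant would keep the timer name in one place.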
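Review bot: The new ternary in escapeOnce hands `null` to htmlspecialchars when `$value` is an array, which relies on null being coerced to an empty string (and passing null to a non-nullable internal parameter is deprecated from PHP 8.1); returning the empty string explicitly says what is meant: `!is_array($value) ? (string) $value : ''`. An array can reach this method when a scalar field is submitted as `name[]`, so the docblock above (outside the hunk) should state that arrays are rendered as an empty string rather than producing an "Array to string conversion" notice, since callers may otherwise assume the value was escaped and emitted.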
@@ -14,7 +14,7 @@
 * @package symfony
 * @subpackage widget
 * @author Fabien Potencier
- * @version SVN: $Id: sfWidgetForm.class.php 24137 2009-11-18 13:12:40Z fabien $
+ * @version SVN: $Id: sfWidgetForm.class.php 33596 2012-11-21 14:14:21Z fabien $
 */
 abstract class sfWidgetForm extends sfWidget
 {
@@ -244,7 +244,7 @@ public function generateId($name, $value = null)
 // check to see if we have an array variable for a field name
 if (strstr($name, '['))
 {
- $name = str_replace(array('[]', '][', '[', ']'), array((null !== $value ? '_'.$value : ''), '_', '_', ''), $name);
+ $name = str_replace(array('[]', '][', '[', ']'), array(((null !== $value) && !is_array($value) ? '_'.$value : ''), '_', '_', ''), $name);
 }
 
 if (false !== strpos($this->getOption('id_format'), '%s'))
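Review bot: The changed str_replace line now nests a parenthesised `&&` inside a ternary inside an `array(...)` literal, which is hard to read and to verify (it is correct here: `&&` binds tighter than `?:`, so an array `$value` yields an empty suffix). Hoisting the suffix into a local keeps the intent visible: `$suffix = null !== $value && !is_array($value) ? '_'.$value : '';` followed by `$name = str_replace(array('[]', '][', '[', ']'), array($suffix, '_', '_', ''), $name);`. Note that an array `$value` now silently produces no suffix, so several `[]` fields rendered with array values get the same generated id; if that is acceptable, a comment saying so on the `if (strstr($name, '['))` branch would stop the next reader from treating it as a bug. generateId starts before this hunk, so how `$value` arrives is not visible here.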