From 072ef77ea5ca412dc476ca15d3789cf2c8f5ac37 Mon Sep 17 00:00:00 2001
From: SilverFire - Dmitry Naumenko
Date: Fri, 22 Dec 2017 12:21:32 +0200
Subject: [PATCH] Prevent source path disclosure when form is represented by an anonymous class
---
 framework/CHANGELOG.md | 1 +
 framework/base/Model.php | 5 +++++
 tests/framework/base/ModelTest.php | 15 +++++++++++++++
 tests/framework/base/stub/AnonymousModelClass.php | 6 ++++++
 4 files changed, 27 insertions(+)
 create mode 100644 tests/framework/base/stub/AnonymousModelClass.php
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index 1d44a092d8..0d384c1bf8 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -47,6 +47,7 @@ Yii Framework 2 Change Log
 - Enh #15360: Refactored `BaseConsole::updateProgress()` (developeruz)
 - Bug #15317: Regenerate CSRF token if an empty value is given (sammousa)
 - Bug #15380: `FormatConverter::convertDateIcuToPhp()` now converts `a` ICU symbols to `A` (brandonkelly)
+- Enh: Added check to `yii\base\Model::formName()` to prevent source path disclosure when form is represented by an anonymous class (silverfire)
diff --git a/framework/base/Model.php b/framework/base/Model.php
index 5e1ddc73c1..68879f5853 100644
--- a/framework/base/Model.php
+++ b/framework/base/Model.php
@@ -246,10 +246,15 @@ class Model extends Component implements StaticInstanceInterface, IteratorAggreg
      *
      * @return string the form name of this model class.
      * @see load()
+     * @throws InvalidConfigException when form is defined with anonymous class and `formName()` method is
+     * not overridden.
      */
     public function formName()
     {
         $reflector = new ReflectionClass($this);
+        if (PHP_VERSION_ID >= 70000 && $reflector->isAnonymous()) {
+            throw new InvalidConfigException('The "formName()" method should be explicitly defined for anonymous models');
+        }
         return $reflector->getShortName();
     }
diff --git a/tests/framework/base/ModelTest.php b/tests/framework/base/ModelTest.php
index ca7f1c8bee..bfe0fe1acc 100644
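Review bot: The new `@throws` lines say when `formName()` throws but not why, and the `if` that throws carries no comment, so a maintainer reading this hunk cannot tell what disclosure the check prevents or why an exception (rather than a sanitized name) is the right response. I would add a why-comment directly above the `if`: `// The short name of an anonymous class embeds the absolute path (and line) of the file that defines it; used as a form name it would surface the server's filesystem layout in rendered input names and error output, so require an explicit formName() override instead.` The `PHP_VERSION_ID >= 70000` guard exists because `ReflectionClass::isAnonymous()` is only available from PHP 7.0 and the short-circuit `&&` keeps it from being called on older runtimes; a trailing `// isAnonymous() is PHP >= 7.0` would stop someone from "simplifying" it away. Note the check only runs when `formName()` itself is called, so any code that builds a name from `get_class()` or `getShortName()` directly — none is visible in this hunk — would not be covered by it.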
--- a/tests/framework/base/ModelTest.php
+++ b/tests/framework/base/ModelTest.php
@@ -474,6 +474,21 @@ class ModelTest extends TestCase
         $this->assertTrue($model->validate('name'), 'Should validate only name attribute');
         $this->assertFalse($model->validate(), 'Should validate all attributes');
     }
+
+    public function testFormNameWithAnonymousClass()
+    {
+        if (PHP_VERSION_ID < 70000) {
+            $this->markTestSkipped('Can not be tested on PHP < 7.0');
+            return;
+        }
+
+        $model = include 'stub/AnonymousModelClass.php';
+
+        $this->expectException('yii\base\InvalidConfigException');
+        $this->expectExceptionMessage('The "formName()" method should be explicitly defined for anonymous models');
+
+        $model->formName();
+    }
 }
 class ComplexModel1 extends Model
diff --git a/tests/framework/base/stub/AnonymousModelClass.php b/tests/framework/base/stub/AnonymousModelClass.php
new file mode 100644
index 0000000000..9c3f26c097
--- /dev/null
+++ b/tests/framework/base/stub/AnonymousModelClass.php
@@ -0,0 +1,6 @@
+
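Review bot: `$model = include 'stub/AnonymousModelClass.php';` in `testFormNameWithAnonymousClass()` uses a relative path, so PHP resolves it through `include_path` and the current working directory before falling back to the directory of the calling script; the test presumably passes today only because of that fallback, and a same-named `stub/` directory earlier on `include_path` would be picked up instead. Anchor it to the test file: `$model = include __DIR__ . '/stub/AnonymousModelClass.php';`. The `return;` after `$this->markTestSkipped(...)` is unreachable — PHPUnit implements skipping by throwing — and can be dropped. The test also only proves that the exception is raised; a companion case with an anonymous class that overrides `formName()` and asserts the overridden value would pin the documented escape hatch, though that stub is not part of this hunk.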