Now Security::encrypt() and Security::decrypt() works with openssl
if the mcrypt extension is unavailable.
Note that Security::rijndael() doesn't work with openssl.
## did
- void unReturn
- miss return void
- add return type
- type miss typing
- add param type and return type
- string → string|array
- change ClassName
When creating from an array with elements like this: `[ "a" => [ 0 ] ]` or `[ "a" => [ '0' ] ]` it fails and produces XML like this `<a/>` instant of `<a>0</a>`.
The problem is that in PHP `empty('0')` is true, so an exception to this case is needed.
Fix missing HTML encoding when error messages contain HTML. This can
happen when user data is used as an offset in an array in an unchecked
way.
Thanks to Teppei Fukuda for reporting this issue via the responsible
security disclosure process.
By removing a bunch of empty() guards we can make '' behave like all the
other key names. This does change the existing behavior/tests around ''
key, but I think that is ok given the need to manipulate ''.
Refs #9632
The current checks are way too relaxed, and are more like testing
for a substring, which makes it easy for invalid paths to slip
trough, for example `/foo/var/www` is falsely tested to reside in
`/var/www`.
Passing an empty path never worked properly, it was triggering a
warning, didn't worked on Windows, and the behavior that the current
top level directory would be assumed for empty paths wasn't
documented.
Similar is true for relative paths. While they did match at one point,
this was incorrect behavior, and matching actual path fragments seems
out of scope for this method.
This change makes the `$path` argument required, requires it to be an
absolute path, and throws an exception in case a non-absolute path is
being passed.
