Bump symfony/http-foundation from 7.3.7 to 8.1.0 in /plugins

Bumps [symfony/http-foundation](https://github.com/symfony/http-foundation) from 7.3.7 to 8.1.0.
- [Release notes](https://github.com/symfony/http-foundation/releases)
- [Changelog](https://github.com/symfony/http-foundation/blob/8.2/CHANGELOG.md)
- [Commits](https://github.com/symfony/http-foundation/compare/v7.3.7...v8.1.0)

---
updated-dependencies:
- dependency-name: symfony/http-foundation
  dependency-version: 8.1.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 This file documents all notable changes made to ITFlow.
 
+## [26.05.1] Stable Release
+- Security Fixes.
+
 ## [26.05] Stable Release
 ### Bug Fixes
 - Stripe Payment: Fix adding saved cards on client portal.

agent/ajax.php

@@ -454,6 +454,12 @@ if (isset($_POST['update_kanban_ticket'])) {
 
     foreach ($positions as $position) {
         $ticket_id = intval($position['ticket_id']);
+
+        // Client perms check
+        $client_query = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT ticket_client_id FROM tickets WHERE ticket_id = $ticket_id"));
+        $client_id = intval($client_query['ticket_client_id']);
+        enforceClientAccess();
+
         $kanban = intval($position['ticket_order']); // ticket kanban position
         $status = intval($position['ticket_status']); // ticket statuses
         $oldStatus = intval($position['ticket_oldStatus']); // ticket old status if moved

agent/post/invoice.php

@@ -542,8 +542,8 @@ if (isset($_GET['email_invoice'])) {
     $invoice_number = intval($row['invoice_number']);
     $invoice_scope = sanitizeInput($row['invoice_scope']);
     $invoice_status = sanitizeInput($row['invoice_status']);
-    $invoice_date = sanitizeInput($row['invoice_date']);
-    $invoice_due = sanitizeInput($row['invoice_due']);
+    $invoice_date = sanitizeInput(validateDate($row['invoice_date']));
+    $invoice_due = sanitizeInput(validateDate($row['invoice_due']));
     $invoice_amount = floatval($row['invoice_amount']);
     $invoice_url_key = sanitizeInput($row['invoice_url_key']);
     $invoice_currency_code = sanitizeInput($row['invoice_currency_code']);

agent/post/recurring_invoice.php

@@ -13,13 +13,13 @@ if (isset($_POST['add_invoice_recurring'])) {
     enforceUserPermission('module_sales', 2);
 
     $invoice_id = intval($_POST['invoice_id']);
-    $recurring_invoice_frequency = sanitizeInput($_POST['frequency']);
+    $recurring_invoice_frequency = ($_POST['frequency'] === 'year') ? 'year' : 'month';
 
     $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id");
     $row = mysqli_fetch_assoc($sql);
     $invoice_prefix = sanitizeInput($row['invoice_prefix']);
     $invoice_number = intval($row['invoice_number']);
-    $invoice_date = sanitizeInput($row['invoice_date']);
+    $invoice_date = sanitizeInput(validateDate($row['invoice_date']));
     $invoice_amount = floatval($row['invoice_amount']);
     $invoice_currency_code = sanitizeInput($row['invoice_currency_code']);
     $invoice_scope = sanitizeInput($row['invoice_scope']);
@@ -394,7 +394,7 @@ if (isset($_GET['force_recurring'])) {
     $row = mysqli_fetch_assoc($sql_recurring_invoices);
     $recurring_invoice_id = intval($row['recurring_invoice_id']);
     $recurring_invoice_scope = sanitizeInput($row['recurring_invoice_scope']);
-    $recurring_invoice_frequency = sanitizeInput($row['recurring_invoice_frequency']);
+    $recurring_invoice_frequency = ($_POST['frequency'] === 'year') ? 'year' : 'month';
     $recurring_invoice_status = sanitizeInput($row['recurring_invoice_status']);
     $recurring_invoice_last_sent = sanitizeInput($row['recurring_invoice_last_sent']);
     $recurring_invoice_next_date = sanitizeInput($row['recurring_invoice_next_date']);
@@ -480,7 +480,7 @@ if (isset($_GET['force_recurring'])) {
         $invoice_prefix = sanitizeInput($row['invoice_prefix']);
         $invoice_number = intval($row['invoice_number']);
         $invoice_scope = sanitizeInput($row['invoice_scope']);
-        $invoice_date = sanitizeInput($row['invoice_date']);
+        $invoice_date = sanitizeInput(validateDate($row['invoice_date']));
         $invoice_due = sanitizeInput($row['invoice_due']);
         $invoice_amount = floatval($row['invoice_amount']);
         $invoice_url_key = sanitizeInput($row['invoice_url_key']);

client/post.php

@@ -524,12 +524,6 @@ if (isset($_GET['add_payment_by_provider'])) {
     $contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']);
     $contact_mobile = sanitizeInput(formatPhoneNumber($row['contact_mobile'], $row['contact_mobile_country_code']));
 
-    // Check to make sure saved payment method belongs to logged in client
-    if ($client_id !== $session_client_id) {
-        flash_alert("Saved Payment method does not belong to you!", 'danger');
-        redirect();
-    }
-
     // Get ITFlow company details
     $sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
     $row = mysqli_fetch_assoc($sql);
@@ -548,7 +542,7 @@ if (isset($_GET['add_payment_by_provider'])) {
     $config_invoice_from_email = sanitizeInput($config_invoice_from_email);
 
     // Get Client Payment Details
-    $sql = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods LEFT JOIN payment_providers ON saved_payment_provider_id = payment_provider_id LEFT JOIN client_payment_provider ON saved_payment_client_id = client_id WHERE saved_payment_id = $saved_payment_id LIMIT 1");
+    $sql = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods LEFT JOIN payment_providers ON saved_payment_provider_id = payment_provider_id LEFT JOIN client_payment_provider ON saved_payment_client_id = client_id WHERE saved_payment_id = $saved_payment_id AND saved_payment_client_id = $session_client_id LIMIT 1");
     $row = mysqli_fetch_assoc($sql);
 
     $public_key = sanitizeInput($row['payment_provider_public_key']);
@@ -561,9 +555,17 @@ if (isset($_GET['add_payment_by_provider'])) {
     $payment_provider_client = sanitizeInput($row['payment_provider_client']);
     $saved_payment_method = sanitizeInput($row['saved_payment_provider_method']);
     $saved_payment_description = sanitizeInput($row['saved_payment_description']);
+    $payment_client_id = intval($row['saved_payment_client_id']);
 
     // Sanity checks
-    if (!$payment_provider_client || !$saved_payment_method) {
+    // Check to make invoice belongs to logged in client
+    if ($client_id !== $session_client_id) {
+        flash_alert("Invoice does not belong to you!", 'danger');
+        redirect();
+    } elseif ($payment_client_id !== $session_client_id) {
+        flash_alert("Saved Payment method does not belong to you!", 'danger');
+        redirect();
+    } elseif (!$payment_provider_client || !$saved_payment_method) {
         flash_alert("Stripe not enabled or no client card saved", 'error');
         redirect();
     } elseif ($invoice_status !== 'Sent' && $invoice_status !== 'Viewed') {

functions.php

@@ -1512,8 +1512,8 @@ function logAction($type, $action, $description, $client_id = 0, $entity_id = 0)
 function logApp($category, $type, $details) {
     global $mysqli;
 
-    $category = substr($category, 0, 200);
-    $details = substr($details, 0, 1000);
+    $category = mysqli_real_escape_string($mysqli, substr($category, 0, 200));
+    $details = mysqli_real_escape_string($mysqli, substr($details, 0, 1000));
 
     mysqli_query($mysqli, "INSERT INTO app_logs SET app_log_category = '$category', app_log_type = '$type', app_log_details = '$details'");
 }
@@ -2073,3 +2073,10 @@ function formatDuration($time) {
 
     return implode(' ', $parts);
 }
+
+function validateDate($date) {
+    if (preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
+        return $date;
+    }
+    return date('Y-m-d'); // Fallback
+}

includes/app_version.php

@@ -5,4 +5,4 @@
  * Update this file each time we merge develop into master. Format is YY.MM (add a .v if there is more than one release a month.
  */
 
-DEFINE("APP_VERSION", "26.05");
+DEFINE("APP_VERSION", "26.05.1");

plugins/composer.lock

@@ -826,16 +826,16 @@
         },
         {
             "name": "symfony/deprecation-contracts",
-            "version": "v3.6.0",
+            "version": "v3.7.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/deprecation-contracts.git",
-                "reference": "63afe740e99a13ba87ec199bb07bbdee937a5b62"
+                "reference": "50f59d1f3ca46d41ac911f97a78626b6756af35b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/63afe740e99a13ba87ec199bb07bbdee937a5b62",
-                "reference": "63afe740e99a13ba87ec199bb07bbdee937a5b62",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/50f59d1f3ca46d41ac911f97a78626b6756af35b",
+                "reference": "50f59d1f3ca46d41ac911f97a78626b6756af35b",
                 "shasum": ""
             },
             "require": {
@@ -848,7 +848,7 @@
                     "name": "symfony/contracts"
                 },
                 "branch-alias": {
-                    "dev-main": "3.6-dev"
+                    "dev-main": "3.7-dev"
                 }
             },
             "autoload": {
@@ -873,7 +873,7 @@
             "description": "A generic function and convention to trigger deprecation notices",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.6.0"
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.7.0"
             },
             "funding": [
                 {
@@ -884,47 +884,49 @@
                     "url": "https://github.com/fabpot",
                     "type": "github"
                 },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
                 {
                     "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-09-25T14:21:43+00:00"
+            "time": "2026-04-13T15:52:40+00:00"
         },
         {
             "name": "symfony/http-foundation",
-            "version": "v7.3.7",
+            "version": "v8.1.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/http-foundation.git",
-                "reference": "db488a62f98f7a81d5746f05eea63a74e55bb7c4"
+                "reference": "af11474600f06718086c2cda4fa6fa8d0a672e7e"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/http-foundation/zipball/db488a62f98f7a81d5746f05eea63a74e55bb7c4",
-                "reference": "db488a62f98f7a81d5746f05eea63a74e55bb7c4",
+                "url": "https://api.github.com/repos/symfony/http-foundation/zipball/af11474600f06718086c2cda4fa6fa8d0a672e7e",
+                "reference": "af11474600f06718086c2cda4fa6fa8d0a672e7e",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.2",
-                "symfony/deprecation-contracts": "^2.5|^3.0",
-                "symfony/polyfill-mbstring": "~1.1",
-                "symfony/polyfill-php83": "^1.27"
+                "php": ">=8.4.1",
+                "symfony/deprecation-contracts": "^2.5|^3",
+                "symfony/polyfill-mbstring": "^1.1"
             },
             "conflict": {
-                "doctrine/dbal": "<3.6",
-                "symfony/cache": "<6.4.12|>=7.0,<7.1.5"
+                "doctrine/dbal": "<4.3"
             },
             "require-dev": {
-                "doctrine/dbal": "^3.6|^4",
+                "doctrine/dbal": "^4.3",
                 "predis/predis": "^1.1|^2.0",
-                "symfony/cache": "^6.4.12|^7.1.5",
-                "symfony/clock": "^6.4|^7.0",
-                "symfony/dependency-injection": "^6.4|^7.0",
-                "symfony/expression-language": "^6.4|^7.0",
-                "symfony/http-kernel": "^6.4|^7.0",
-                "symfony/mime": "^6.4|^7.0",
-                "symfony/rate-limiter": "^6.4|^7.0"
+                "symfony/cache": "^7.4|^8.0",
+                "symfony/clock": "^7.4|^8.0",
+                "symfony/dependency-injection": "^7.4|^8.0",
+                "symfony/expression-language": "^7.4|^8.0",
+                "symfony/http-kernel": "^7.4|^8.0",
+                "symfony/mime": "^7.4|^8.0",
+                "symfony/rate-limiter": "^7.4|^8.0"
             },
             "type": "library",
             "autoload": {
@@ -952,7 +954,7 @@
             "description": "Defines an object-oriented layer for the HTTP specification",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/http-foundation/tree/v7.3.7"
+                "source": "https://github.com/symfony/http-foundation/tree/v8.1.0"
             },
             "funding": [
                 {
@@ -972,20 +974,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-11-08T16:41:12+00:00"
+            "time": "2026-05-29T05:06:50+00:00"
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.33.0",
+            "version": "v1.38.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
-                "reference": "6d857f4d76bd4b343eac26d6b539585d2bc56493"
+                "reference": "d3d318bad5e7a1bfbd026009c8bfb8d8f99ae6b6"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6d857f4d76bd4b343eac26d6b539585d2bc56493",
-                "reference": "6d857f4d76bd4b343eac26d6b539585d2bc56493",
+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/d3d318bad5e7a1bfbd026009c8bfb8d8f99ae6b6",
+                "reference": "d3d318bad5e7a1bfbd026009c8bfb8d8f99ae6b6",
                 "shasum": ""
             },
             "require": {
@@ -1037,7 +1039,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.38.2"
             },
             "funding": [
                 {
@@ -1057,20 +1059,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-12-23T08:48:59+00:00"
+            "time": "2026-05-27T06:59:30+00:00"
         },
         {
             "name": "symfony/polyfill-php83",
-            "version": "v1.33.0",
+            "version": "v1.38.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php83.git",
-                "reference": "17f6f9a6b1735c0f163024d959f700cfbc5155e5"
+                "reference": "796a26abb75ce49f3a84433cd81bf1009d73d5f8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-php83/zipball/17f6f9a6b1735c0f163024d959f700cfbc5155e5",
-                "reference": "17f6f9a6b1735c0f163024d959f700cfbc5155e5",
+                "url": "https://api.github.com/repos/symfony/polyfill-php83/zipball/796a26abb75ce49f3a84433cd81bf1009d73d5f8",
+                "reference": "796a26abb75ce49f3a84433cd81bf1009d73d5f8",
                 "shasum": ""
             },
             "require": {
@@ -1117,7 +1119,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php83/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-php83/tree/v1.38.2"
             },
             "funding": [
                 {
@@ -1137,7 +1139,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-07-08T02:45:35+00:00"
+            "time": "2026-05-27T06:51:48+00:00"
         },
         {
             "name": "symfony/polyfill-php84",
@@ -1636,10 +1638,10 @@
     "packages-dev": [],
     "aliases": [],
     "minimum-stability": "stable",
-    "stability-flags": [],
+    "stability-flags": {},
     "prefer-stable": false,
     "prefer-lowest": false,
-    "platform": [],
-    "platform-dev": [],
-    "plugin-api-version": "2.2.0"
+    "platform": {},
+    "platform-dev": {},
+    "plugin-api-version": "2.9.0"
 }