Security patch.

Changelog excerpt:
- Added a method to check whether a name is reserved, and applied it as a
  guard at the point where signature files are read in. Attempting to
  perform file operations on reserved names under Windows and some other
  operating systems could cause the underlying file system to attempt to
  communicate with a serial port instead of the intended file. PHP is
  likely to then wait indefinitely for a response it's unlikely to ever
  receive, thus locking up the process and preventing further requests
  unless the process is restarted. Although it's infinitesimally unlikely
  that a user would actually want to use a reserved name for one of their
  signature files, as the solution is exceedingly simple, with no
  particular performance impact, I've implemented it accordingly.

Author: Maikuolan

Changelog.md

@@ -143,3 +143,5 @@ __*Why "v3.0.0" instead of "v1.0.0?"*__ Prior to phpMussel v3, the "phpMussel Co
 ### v3.5.0
 
 [2023.12.01; Maikuolan]: Improved escaping. Added support for specifying a Redis database number to the supplementary cache options.
+
+[2023.12.12; Security; Maikuolan]: Added a method to check whether a name is reserved, and applied it as a guard at the point where signature files are read in. Attempting to perform file operations on reserved names under Windows and some other operating systems could cause the underlying file system to attempt to communicate with a serial port instead of the intended file. PHP is likely to then wait indefinitely for a response it's unlikely to ever receive, thus locking up the process and preventing further requests unless the process is restarted. Although it's infinitesimally unlikely that a user would actually want to use a reserved name for one of their signature files, as the solution is exceedingly simple, with no particular performance impact, I've implemented it accordingly.

src/Loader.php

@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: The loader (last modified: 2023.12.01).
+ * This file: The loader (last modified: 2023.12.12).
  */
 
 namespace phpMussel\Core;
@@ -1180,7 +1180,7 @@ public function updateConfiguration(): bool
                         /** Multiline support. */
                         $DirValue = preg_replace('~[^\x00-\xFF]~', '', str_replace(
                             ['\\', "\0", "\7", "\8", "\t", "\n", "\x0B", "\x0C", "\r", "\x1B"],
-                            ["\\\\", '\0', '\a', '\b', '\t', '\n', '\v', '\f', '\r', '\e'],
+                            ['\\\\', '\0', '\a', '\b', '\t', '\n', '\v', '\f', '\r', '\e'],
                             $DirValue
                         ));
 
@@ -1221,6 +1221,19 @@ public function loadShorthandData(): bool
         return true;
     }
 
+    /**
+     * Check whether a name is reserved. Important, because attempting to read
+     * from, write to, or otherwise work with names reserved at the file system
+     * can result in unexpected behaviour and potential security risks.
+     *
+     * @param string $Name The name to check.
+     * @return bool True if reserved; False if not.
+     */
+    public function isReserved(string $Name): bool
+    {
+        return preg_match('~(?:^|\\\\|/)(?:\.{1,3}|aux|com(?:\d+|¹|²|³)|con|lpt(?:\d+|¹|²|³)|nul|prn)(?:(?:\..*)?$|\\\\|/)|[ .]$~i', $Name);
+    }
+
     /**
      * Decodes for multiline support (needed when using INI configuration files).
      *
@@ -1240,7 +1253,7 @@ private function decodeForMultilineSupport(): void
                     continue;
                 }
                 $DirVal = str_replace(
-                    ["\\\\", '\0', '\a', '\b', '\t', '\n', '\v', '\f', '\r', '\e'],
+                    ['\\\\', '\0', '\a', '\b', '\t', '\n', '\v', '\f', '\r', '\e'],
                     ['\\', "\0", "\7", "\8", "\t", "\n", "\x0B", "\x0C", "\r", "\x1B"],
                     $DirVal
                 );

src/Scanner.php

@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: The scanner (last modified: 2023.12.01).
+ * This file: The scanner (last modified: 2023.12.12).
  */
 
 namespace phpMussel\Core;
@@ -1833,7 +1833,7 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
 
             $SigFiles = isset($this->Loader->InstanceCache[$ThisConf[0]]) ? explode(',', $this->Loader->InstanceCache[$ThisConf[0]]) : [];
             foreach ($SigFiles as $SigFile) {
-                if (!$SigFile) {
+                if ($SigFile === '' || $this->Loader->isReserved($SigFile)) {
                     continue;
                 }
                 if (!isset($this->Loader->InstanceCache[$SigFile])) {