From 7999cdba95abb67a84153dc160bf7f0f301c7d53 Mon Sep 17 00:00:00 2001
From: Simon Gadient
Date: Tue, 16 Feb 2021 07:32:43 +0100
Subject: [PATCH] TASK: only support Closures for callbacks in DefaultFieldResolver

When resolving an object through the "magic" ObjectAccess returning a property value that is callable, the resolver previously called this function. This was a risk when working with user input, or even lead to misbehaviour. E.g. user Max resolved and then called as max() function.
---
 Classes/Service/DefaultFieldResolver.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Classes/Service/DefaultFieldResolver.php b/Classes/Service/DefaultFieldResolver.php
index 7cff094..006dc12 100644
--- a/Classes/Service/DefaultFieldResolver.php
+++ b/Classes/Service/DefaultFieldResolver.php
@@ -29,7 +29,7 @@ public static function resolve($source, array $args, $context, ResolveInfo $info
 $resolvedProperty = ObjectAccess::getProperty($source, $fieldName);
 }
- if (is_callable($resolvedProperty)) {
+ if ($resolvedProperty instanceof \Closure) {
 return $resolvedProperty($source, $args, $context, $info);
 }
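Review bot: The `instanceof \Closure` check has no comment saying why it is deliberately narrower than `is_callable()`, so a later cleanup could widen it again and bring back invocation of data-derived function names. I would add above the `if`: `// Only invoke Closures: is_callable() also accepts strings and arrays that name functions, so a property value such as "max" would be executed.` The patch touches a single file, so there appears to be no regression test; one that resolves a property whose value is a function-name string and asserts the string comes back uncalled would pin this behaviour. Invokable objects (`__invoke`) that are not Closures are no longer called either, which may deserve a changelog line if any resolver relied on it. The body of `resolve()` starts and ends outside the hunk, so what happens to a non-Closure value after this `if` is not visible here.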