more SSTI fixes in Utils::isDangerousFunction()

2025-02-20 19:56:53 +01:00 · 2023-06-13 17:57:11 -06:00 · 2023-06-13 17:57:11 -06:00 · 71bbed12f9
commit 71bbed12f9
parent 8c2c1cb726
2 changed files with 18 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,7 @@
   * Added a new `system.languages.debug` option that adds a `<span class="translate-debug"></span>` around strings translated with `|t`. This can be styled by the theme as needed.
 1. [](#improved)
   * More robust SSTI handling in `|filter` and `|map`
+   * Various SSTI improvements `Utils::isDangerousFunction()`
 1. [](#bugfix)
   * Fixed Twig `|map()` allowing code execution

--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@ -1950,7 +1950,7 @@ abstract class Utils
    }

    /**
-     * @param string|array $name
+     * @param string|array|Closure $name
     * @return bool
     */
    public static function isDangerousFunction($name): bool
@ -2048,8 +2048,24 @@ abstract class Utils
            'posix_setpgid',
            'posix_setsid',
            'posix_setuid',
+            'unserialize',
+            'ini_alter',
+            'simplexml_load_file',
+            'simplexml_load_string',
+            'forward_static_call',
+            'forward_static_call_array',
        ];

+        $name = strtolower($name);
+
+        if ($name instanceof \Closure) {
+            return false;
+        }
+
+        if (strpos($name, "\\") !== false) {
+            return false;
+        }
+
        if (is_array($name) || strpos($name, ":") !== false) {
            return false;
        }