From ad1bbba0b32baa9161579ac025ee2800b55d606b Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Sat, 6 Oct 2018 16:35:54 -0600 Subject: [PATCH 1/5] Added configurable dangerous upload extensions --- system/blueprints/config/security.yaml | 17 ++++++++++++++++- system/config/security.yaml | 7 ++++++- system/src/Grav/Common/Utils.php | 9 ++++++++- 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/system/blueprints/config/security.yaml b/system/blueprints/config/security.yaml index b309f1168..9f7241657 100644 --- a/system/blueprints/config/security.yaml +++ b/system/blueprints/config/security.yaml @@ -4,7 +4,7 @@ form: validation: loose fields: - security_section: + xss_section: type: section title: PLUGIN_ADMIN.XSS_SECURITY underline: true @@ -82,3 +82,18 @@ form: validate: type: commalist + uploads_section: + type: section + title: PLUGIN_ADMIN.UPLOADS_SECURITY + underline: true + + + uploads_dangerous_extensions: + type: selectize + size: large + label: PLUGIN_ADMIN.UPLOADS_DANGEROUS_EXTENSIONS + help: PLUGIN_ADMIN.UPLOADS_DANGEROUS_EXTENSIONS_HELP + classes: fancy + validate: + type: commalist + diff --git a/system/config/security.yaml b/system/config/security.yaml index fce3e3f9b..77e5de0d8 100644 --- a/system/config/security.yaml +++ b/system/config/security.yaml @@ -23,4 +23,9 @@ xss_dangerous_tags: - bgsound - title - base - +uploads_dangerous_extensions: + - php + - html + - htm + - js + - exe diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php index 83dd22480..b49abddb7 100644 --- a/system/src/Grav/Common/Utils.php +++ b/system/src/Grav/Common/Utils.php 
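Review bot: The default `uploads_dangerous_extensions` list added to system/config/security.yaml (`php`, `html`, `htm`, `js`, `exe`) omits the other extensions commonly mapped to the PHP handler (`phtml`, `phar`, `php3`–`php7`) and the browser-rendered active-content types `svg` and `xml`, so out of the box the new check is narrower than the `.php` substring test it replaces in Utils.php. Consider extending the shipped list, and spell out in the blueprint help text that entries are compared against the uploaded file's extension and must be kept in step with the web server's handler configuration, since the list is only as good as what it mirrors.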
@@ -573,6 +573,13 @@ abstract class Utils */ public static function checkFilename($filename) { + $dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []); + array_walk($dangerous_extensions, function(&$val) { + $val = '.' . $val; + }); + + $extension = '.' . pathinfo($filename, PATHINFO_EXTENSION); + return !( // Empty filenames are not allowed. !$filename @@ -581,7 +588,7 @@ abstract class Utils // Filename should not start or end with dot or space. || trim($filename, '. ') !== $filename // Filename should not contain .php in it. - || strpos($filename, '.php') !== false + || static::contains($extension, $dangerous_extensions) ); } From 073d601b6752f9c4a348a79eb710203069fc6181 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Sat, 6 Oct 2018 16:37:11 -0600 Subject: [PATCH 2/5] Updated changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c01f5e75c..c738c9c28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ 1. [](#new) * Added `Utils::getMimeByFilename()`, `Utils::getMimeByLocalFile()` and `Utils::checkFilename()` methods + * Added configurable dangerous upload extensions in `security.yaml` # v1.5.2 ## 10/01/2018 From 235a5cc76574107522d699ec64458ebd3dfa2328 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 8 Oct 2018 17:33:49 -0600 Subject: [PATCH 3/5] vendor updates --- CHANGELOG.md | 4 ++- composer.lock | 84 +++++++++++++++++++++++++-------------------------- 2 files changed, 45 insertions(+), 43 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c738c9c28..e1e04fc43 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,9 @@ 1. [](#new) * Added `Utils::getMimeByFilename()`, `Utils::getMimeByLocalFile()` and `Utils::checkFilename()` methods * Added configurable dangerous upload extensions in `security.yaml` - +1. [](#improved) + * Updated vendor libraries to latest + # v1.5.2 ## 10/01/2018 
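Review bot: The extension check in checkFilename inspects only the final extension returned by `pathinfo($filename, PATHINFO_EXTENSION)`, so a name such as `shell.php.jpg` is now accepted where the removed `strpos($filename, '.php') !== false` line rejected it — a regression on servers whose handler mapping applies to every `.php` segment of a multi-extension name. The comparison also looks case-sensitive (if `static::contains` delegates to strpos, `file.PHP` passes) and is a substring test against the `.`-prefixed list rather than an exact match. I would lowercase both sides, treat every dot-separated segment after the first as an extension, and compare with an exact set intersection, as sketched below; the stale comment `// Filename should not contain .php in it.` should then read `// Filename must not carry any of the configured dangerous extensions.`. checkFilename's body continues between the two hunks, outside what is shown.

```php
public static function checkFilename($filename)
{
    $dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []);
    // Normalise once so 'PHP' and 'php' in config or filename compare equal.
    $dangerous_extensions = array_map('strtolower', (array) $dangerous_extensions);

    // Every dot-separated segment after the first counts as an extension, so
    // 'shell.php.jpg' is rejected exactly as 'shell.php' is.
    $segments = array_slice(explode('.', strtolower($filename)), 1);
    $has_dangerous_extension = array_intersect($segments, $dangerous_extensions) !== [];

    return !(
        // … unchanged: empty-name and leading/trailing dot-or-space checks …
        // Filename must not carry any of the configured dangerous extensions.
        || $has_dangerous_extension
    );
}
```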
diff --git a/composer.lock b/composer.lock index ac8b42adc..e54c23bc9 100644 --- a/composer.lock +++ b/composer.lock @@ -1311,16 +1311,16 @@ }, { "name": "symfony/console", - "version": "v3.4.16", + "version": "v3.4.17", "source": { "type": "git", "url": "https://github.com/symfony/console.git", - "reference": "1cbaac35024c9dfc9612b7e2310e82677bf85709" + "reference": "3b2b415d4c48fbefca7dc742aa0a0171bfae4e0b" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/console/zipball/1cbaac35024c9dfc9612b7e2310e82677bf85709", - "reference": "1cbaac35024c9dfc9612b7e2310e82677bf85709", + "url": "https://api.github.com/repos/symfony/console/zipball/3b2b415d4c48fbefca7dc742aa0a0171bfae4e0b", + "reference": "3b2b415d4c48fbefca7dc742aa0a0171bfae4e0b", "shasum": "" }, "require": { @@ -1376,20 +1376,20 @@ ], "description": "Symfony Console Component", "homepage": "https://symfony.com", - "time": "2018-09-30T03:37:36+00:00" + "time": "2018-10-02T16:33:53+00:00" }, { "name": "symfony/debug", - "version": "v3.4.16", + "version": "v3.4.17", "source": { "type": "git", "url": "https://github.com/symfony/debug.git", - "reference": "b70cfaae39009ecde3164bb8cba4d029220d27b1" + "reference": "0a612e9dfbd2ccce03eb174365f31ecdca930ff6" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/debug/zipball/b70cfaae39009ecde3164bb8cba4d029220d27b1", - "reference": "b70cfaae39009ecde3164bb8cba4d029220d27b1", + "url": "https://api.github.com/repos/symfony/debug/zipball/0a612e9dfbd2ccce03eb174365f31ecdca930ff6", + "reference": "0a612e9dfbd2ccce03eb174365f31ecdca930ff6", "shasum": "" }, "require": { @@ -1432,11 +1432,11 @@ ], "description": "Symfony Debug Component", "homepage": "https://symfony.com", - "time": "2018-09-22T18:25:03+00:00" + "time": "2018-10-02T16:33:53+00:00" }, { "name": "symfony/event-dispatcher", - "version": "v3.4.16", + "version": "v3.4.17", "source": { "type": "git", "url": "https://github.com/symfony/event-dispatcher.git", 
@@ -1675,16 +1675,16 @@ }, { "name": "symfony/var-dumper", - "version": "v3.4.16", + "version": "v3.4.17", "source": { "type": "git", "url": "https://github.com/symfony/var-dumper.git", - "reference": "e57a24dc13accad1d5f90d232c5564910c5eb7b0" + "reference": "ff8ac19e97e5c7c3979236b584719a1190f84181" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/var-dumper/zipball/e57a24dc13accad1d5f90d232c5564910c5eb7b0", - "reference": "e57a24dc13accad1d5f90d232c5564910c5eb7b0", + "url": "https://api.github.com/repos/symfony/var-dumper/zipball/ff8ac19e97e5c7c3979236b584719a1190f84181", + "reference": "ff8ac19e97e5c7c3979236b584719a1190f84181", "shasum": "" }, "require": { @@ -1740,20 +1740,20 @@ "debug", "dump" ], - "time": "2018-09-18T08:05:59+00:00" + "time": "2018-10-02T16:33:53+00:00" }, { "name": "symfony/yaml", - "version": "v3.4.16", + "version": "v3.4.17", "source": { "type": "git", "url": "https://github.com/symfony/yaml.git", - "reference": "61973ecda60e9f3561e929e19c07d4878b960fc1" + "reference": "640b6c27fed4066d64b64d5903a86043f4a4de7f" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/yaml/zipball/61973ecda60e9f3561e929e19c07d4878b960fc1", - "reference": "61973ecda60e9f3561e929e19c07d4878b960fc1", + "url": "https://api.github.com/repos/symfony/yaml/zipball/640b6c27fed4066d64b64d5903a86043f4a4de7f", + "reference": "640b6c27fed4066d64b64d5903a86043f4a4de7f", "shasum": "" }, "require": { @@ -1799,7 +1799,7 @@ ], "description": "Symfony Yaml Component", "homepage": "https://symfony.com", - "time": "2018-09-24T08:15:45+00:00" + "time": "2018-10-02T16:33:53+00:00" }, { "name": "twig/twig", @@ -3335,7 +3335,7 @@ }, { "name": "symfony/browser-kit", - "version": "v3.4.16", + "version": "v3.4.17", "source": { "type": "git", "url": "https://github.com/symfony/browser-kit.git", 
@@ -3392,16 +3392,16 @@ }, { "name": "symfony/css-selector", - "version": "v3.4.16", + "version": "v3.4.17", "source": { "type": "git", "url": "https://github.com/symfony/css-selector.git", - "reference": "b2d6f39145261c082537264b7624f49847915711" + "reference": "3503415d4aafabc31cd08c3a4ebac7f43fde8feb" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/css-selector/zipball/b2d6f39145261c082537264b7624f49847915711", - "reference": "b2d6f39145261c082537264b7624f49847915711", + "url": "https://api.github.com/repos/symfony/css-selector/zipball/3503415d4aafabc31cd08c3a4ebac7f43fde8feb", + "reference": "3503415d4aafabc31cd08c3a4ebac7f43fde8feb", "shasum": "" }, "require": { @@ -3441,20 +3441,20 @@ ], "description": "Symfony CssSelector Component", "homepage": "https://symfony.com", - "time": "2018-09-08T13:15:14+00:00" + "time": "2018-10-02T16:33:53+00:00" }, { "name": "symfony/dom-crawler", - "version": "v3.4.16", + "version": "v3.4.17", "source": { "type": "git", "url": "https://github.com/symfony/dom-crawler.git", - "reference": "d844f826b15709e3e87a8cf9276899496edf12a5" + "reference": "c705bee03ade5b47c087807dd9ffaaec8dda2722" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/dom-crawler/zipball/d844f826b15709e3e87a8cf9276899496edf12a5", - "reference": "d844f826b15709e3e87a8cf9276899496edf12a5", + "url": "https://api.github.com/repos/symfony/dom-crawler/zipball/c705bee03ade5b47c087807dd9ffaaec8dda2722", + "reference": "c705bee03ade5b47c087807dd9ffaaec8dda2722", "shasum": "" }, "require": { 
@@ -3498,20 +3498,20 @@ ], "description": "Symfony DomCrawler Component", "homepage": "https://symfony.com", - "time": "2018-09-21T12:47:54+00:00" + "time": "2018-10-02T12:28:39+00:00" }, { "name": "symfony/finder", - "version": "v3.4.16", + "version": "v3.4.17", "source": { "type": "git", "url": "https://github.com/symfony/finder.git", - "reference": "e8db87d755e14271e920e31ba834a4ae99483232" + "reference": "54ba444dddc5bd5708a34bd095ea67c6eb54644d" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/finder/zipball/e8db87d755e14271e920e31ba834a4ae99483232", - "reference": "e8db87d755e14271e920e31ba834a4ae99483232", + "url": "https://api.github.com/repos/symfony/finder/zipball/54ba444dddc5bd5708a34bd095ea67c6eb54644d", + "reference": "54ba444dddc5bd5708a34bd095ea67c6eb54644d", "shasum": "" }, "require": { @@ -3547,20 +3547,20 @@ ], "description": "Symfony Finder Component", "homepage": "https://symfony.com", - "time": "2018-09-21T12:47:54+00:00" + "time": "2018-10-03T08:46:40+00:00" }, { "name": "symfony/process", - "version": "v3.4.16", + "version": "v3.4.17", "source": { "type": "git", "url": "https://github.com/symfony/process.git", - "reference": "8b87aca97f341d65dee430c60863f2442605c88b" + "reference": "1dc2977afa7d70f90f3fefbcd84152813558910e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/process/zipball/8b87aca97f341d65dee430c60863f2442605c88b", - "reference": "8b87aca97f341d65dee430c60863f2442605c88b", + "url": "https://api.github.com/repos/symfony/process/zipball/1dc2977afa7d70f90f3fefbcd84152813558910e", + "reference": "1dc2977afa7d70f90f3fefbcd84152813558910e", "shasum": "" }, "require": { @@ -3596,7 +3596,7 @@ ], "description": "Symfony Process Component", "homepage": "https://symfony.com", - "time": "2018-09-08T13:15:14+00:00" + "time": "2018-10-02T12:28:39+00:00" }, { "name": "victorjonsson/markdowndocs", From 7b5a1b2c1444e872fc9882ed7322819c86d167ee Mon Sep 17 00:00:00 2001 
From: Andy Miller Date: Mon, 8 Oct 2018 17:41:18 -0600 Subject: [PATCH 4/5] Prepare for release --- CHANGELOG.md | 2 +- system/defines.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1e04fc43..355c06136 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,5 @@ # v1.5.3 -## mm/dd/2018 +## 10/08/2018 1. [](#new) * Added `Utils::getMimeByFilename()`, `Utils::getMimeByLocalFile()` and `Utils::checkFilename()` methods diff --git a/system/defines.php b/system/defines.php index 82cc8ce84..d75c5525a 100644 --- a/system/defines.php +++ b/system/defines.php @@ -8,7 +8,7 @@ // Some standard defines define('GRAV', true); -define('GRAV_VERSION', '1.5.2'); +define('GRAV_VERSION', '1.5.3'); define('GRAV_TESTING', false); define('DS', '/'); From a3caa13c23372ccf5ece98acf62daa4eed0e140e Mon Sep 17 00:00:00 2001 From: MattAppleton Date: Wed, 17 Oct 2018 03:18:32 +0100 Subject: [PATCH 5/5] fix .webm typo (#2220) Media type should be 'video' not file! --- system/config/media.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/config/media.yaml b/system/config/media.yaml index 1a4c451ca..7326b03cb 100644 --- a/system/config/media.yaml +++ b/system/config/media.yaml @@ -53,7 +53,7 @@ types: thumb: media/thumb-flv.png mime: video/x-flv webm: - type: file + type: video thumb: media/thumb-webm.png mime: video/webm ogv: