Merge branch 'release/1.7.42'

2025-02-20 19:56:53 +01:00 · 2023-06-14 14:19:10 -06:00 · 2023-06-14 14:19:10 -06:00 · dc209453d0
commit dc209453d0
parent d4c617ff19 50ee844759
6 changed files with 98 additions and 9 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,15 @@
+# v1.7.42
+## 06/14/2023
+
+1. [](#new)
+   * Added a new `system.languages.debug` option that adds a `<span class="translate-debug"></span>` around strings translated with `|t`. This can be styled by the theme as needed.
+1. [](#improved)
+   * More robust SSTI handling in `filter`, `map`, and `reduce` Twig filters and functions
+   * Various SSTI improvements `Utils::isDangerousFunction()`
+1. [](#bugfix)
+   * Fixed Twig `|map()` allowing code execution
+   * Fixed Twig `|reduce()` allowing code execution
+
 # v1.7.41.2
 ## 06/01/2023

--- a/system/blueprints/config/system.yaml
+++ b/system/blueprints/config/system.yaml
@ -448,6 +448,17 @@ form:
              validate:
                type: bool

+            languages.debug:
+              type: toggle
+              label: PLUGIN_ADMIN.LANGUAGE_DEBUG
+              help: PLUGIN_ADMIN.LANGUAGE_DEBUG_HELP
+              highlight: 0
+              options:
+                1: PLUGIN_ADMIN.YES
+                0: PLUGIN_ADMIN.NO
+              validate:
+                type: bool
+
        http_headers:
          type: tab
          title: PLUGIN_ADMIN.HTTP_HEADERS
--- a/system/config/system.yaml
+++ b/system/config/system.yaml
@ -28,6 +28,7 @@ languages:
  override_locale: false                         # Override the default or system locale with language specific one
  content_fallback: {}                           # Custom language fallbacks. eg: {fr: ['fr', 'en']}
  pages_fallback_only: false                     # DEPRECATED: Use `content_fallback` instead
+  debug: false                                   # Debug language detection

 home:
  alias: '/home'                                 # Default path for home, ie /
--- a/system/defines.php
+++ b/system/defines.php
@ -9,7 +9,7 @@

 // Some standard defines
 define('GRAV', true);
-define('GRAV_VERSION', '1.7.41.2');
+define('GRAV_VERSION', '1.7.42');
 define('GRAV_SCHEMA', '1.7.0_2020-11-20_1');
 define('GRAV_TESTING', false);

--- a/system/src/Grav/Common/Twig/Extension/GravExtension.php
+++ b/system/src/Grav/Common/Twig/Extension/GravExtension.php
@ -46,6 +46,7 @@ use Twig\Error\RuntimeError;
 use Twig\Extension\AbstractExtension;
 use Twig\Extension\GlobalsInterface;
 use Twig\Loader\FilesystemLoader;
+use Twig\Markup;
 use Twig\TwigFilter;
 use Twig\TwigFunction;
 use function array_slice;
@ -170,8 +171,10 @@ class GravExtension extends AbstractExtension implements GlobalsInterface
            new TwigFilter('count', 'count'),
            new TwigFilter('array_diff', 'array_diff'),

-            // Security fix
-            new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),
+            // Security fixes
+            new TwigFilter('filter', [$this, 'filterFunc'], ['needs_environment' => true]),
+            new TwigFilter('map', [$this, 'mapFunc'], ['needs_environment' => true]),
+            new TwigFilter('reduce', [$this, 'reduceFunc'], ['needs_environment' => true]),
        ];
    }

@ -248,6 +251,11 @@ class GravExtension extends AbstractExtension implements GlobalsInterface
            new TwigFunction('count', 'count'),
            new TwigFunction('array_diff', 'array_diff'),
            new TwigFunction('parse_url', 'parse_url'),
+
+            // Security fixes
+            new TwigFunction('filter', [$this, 'filterFunc'], ['needs_environment' => true]),
+            new TwigFunction('map', [$this, 'mapFunc'], ['needs_environment' => true]),
+            new TwigFunction('reduce', [$this, 'reduceFunc'], ['needs_environment' => true]),
        ];
    }

@ -905,8 +913,13 @@ class GravExtension extends AbstractExtension implements GlobalsInterface
            return $this->grav['admin']->translate($args, $lang);
        }

-        // else use the default grav translate functionality
-        return $this->grav['language']->translate($args);
+        $translation = $this->grav['language']->translate($args);
+
+        if ($this->config->get('system.languages.debug', false)) {
+            return new Markup("<span class=\"translate-debug\" data-toggle=\"tooltip\" title=\"" . $args[0] . "\">$translation</span>", 'UTF-8');
+        } else {
+            return $translation;
+        }
    }

    /**
@ -1699,12 +1712,44 @@ class GravExtension extends AbstractExtension implements GlobalsInterface
     * @return array|CallbackFilterIterator
     * @throws RuntimeError
     */
-    function filterFilter(Environment $env, $array, $arrow)
+    function filterFunc(Environment $env, $array, $arrow)
    {
-        if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
+        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
            throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
        }

        return twig_array_filter($env, $array, $arrow);
    }
+
+    /**
+     * @param Environment $env
+     * @param array $array
+     * @param callable|string $arrow
+     * @return array|CallbackFilterIterator
+     * @throws RuntimeError
+     */
+    function mapFunc(Environment $env, $array, $arrow)
+    {
+        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
+            throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
+        }
+
+        return twig_array_map($env, $array, $arrow);
+    }
+
+    /**
+     * @param Environment $env
+     * @param array $array
+     * @param callable|string $arrow
+     * @return array|CallbackFilterIterator
+     * @throws RuntimeError
+     */
+    function reduceFunc(Environment $env, $array, $arrow)
+    {
+        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
+            throw new RuntimeError('Twig |reduce("' . $arrow . '") is not allowed.');
+        }
+
+        return twig_array_map($env, $array, $arrow);
+    }
 }
--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@ -1950,10 +1950,10 @@ abstract class Utils
    }

    /**
-     * @param string $name
+     * @param string|array|Closure $name
     * @return bool
     */
-    public static function isDangerousFunction(string $name): bool
+    public static function isDangerousFunction($name): bool
    {
        static $commandExecutionFunctions = [
            'exec',
@ -2048,8 +2048,28 @@ abstract class Utils
            'posix_setpgid',
            'posix_setsid',
            'posix_setuid',
+            'unserialize',
+            'ini_alter',
+            'simplexml_load_file',
+            'simplexml_load_string',
+            'forward_static_call',
+            'forward_static_call_array',
        ];

+        $name = strtolower($name);
+
+        if ($name instanceof \Closure) {
+            return false;
+        }
+
+        if (strpos($name, "\\") !== false) {
+            return false;
+        }
+
+        if (is_array($name) || strpos($name, ":") !== false) {
+            return false;
+        }
+
        if (in_array($name, $commandExecutionFunctions)) {
            return true;
        }