more SSTI fixes in Utils::isDangerousFunction()

Author: rhukster

CHANGELOG.md

@@ -5,6 +5,7 @@
    * Added a new `system.languages.debug` option that adds a `<span class="translate-debug"></span>` around strings translated with `|t`. This can be styled by the theme as needed.
 1. [](#improved)
    * More robust SSTI handling in `|filter` and `|map`
+   * Various SSTI improvements `Utils::isDangerousFunction()`
 1. [](#bugfix)
    * Fixed Twig `|map()` allowing code execution
 

system/src/Grav/Common/Utils.php

@@ -1950,7 +1950,7 @@ public static function getSupportPageTypes(array $defaults = null)
     }
 
     /**
-     * @param string|array $name
+     * @param string|array|Closure $name
      * @return bool
      */
     public static function isDangerousFunction($name): bool
@@ -2048,8 +2048,24 @@ public static function isDangerousFunction($name): bool
             'posix_setpgid',
             'posix_setsid',
             'posix_setuid',
+            'unserialize',
+            'ini_alter',
+            'simplexml_load_file',
+            'simplexml_load_string',
+            'forward_static_call',
+            'forward_static_call_array',
         ];
 
+        $name = strtolower($name);
+
+        if ($name instanceof \Closure) {
+            return false;
+        }
+
+        if (strpos($name, "\\") !== false) {
+            return false;
+        }
+
         if (is_array($name) || strpos($name, ":") !== false) {
             return false;
         }