

better SSTI in |map and |filter
rhukster committed Jun 13, 2023
1 parent 9d01140 commit 8c2c1cb
Showing 3 changed files with 11 additions and 5 deletions.
4 changes: 3 additions & 1 deletion CHANGELOG.md
Expand Up @@ -3,8 +3,10 @@

1. [](#new)
* Added a new `system.languages.debug` option that adds a `<span class="translate-debug"></span>` around strings translated with `|t`. This can be styled by the theme as needed.
1. [](#improved)
* More robust SSTI handling in `|filter` and `|map`
1. [](#bugfix)
* * Fixed Twig `|map()` allowing code execution
* Fixed Twig `|map()` allowing code execution

# v1.7.41.2
## 06/01/2023
4 changes: 2 additions & 2 deletions system/src/Grav/Common/Twig/Extension/GravExtension.php
Expand Up @@ -1708,7 +1708,7 @@ public function ofTypeFunc($var, $typeTest = null, $className = null)
*/
function filterFilter(Environment $env, $array, $arrow)
{
if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
}

Expand All @@ -1724,7 +1724,7 @@ function filterFilter(Environment $env, $array, $arrow)
*/
function mapFilter(Environment $env, $array, $arrow)
{
if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
}

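Review bot: A Closure arrow still falls through to `Utils::isDangerousFunction($arrow)` on the new condition, because `&&` binds tighter than `||`: the expression groups as `(!Closure && !is_string) || isDangerousFunction($arrow)`, so for a Closure the left side is false and the helper is called anyway. The helper's new body (in the Utils.php section of this same commit) runs `strpos($name, ':')` on its argument, which for a Closure object is a TypeError on PHP 8 (a warning plus a `null` return on 7.x), so Twig arrow functions such as `|map(v => v * 2)` would error out rather than be allowed. The intended grouping is `if (!$arrow instanceof \Closure && (!is_string($arrow) || Utils::isDangerousFunction($arrow))) {`, which consults the blocklist only for string callables; filterFilter in the hunk above has the identical line. The exception message also concatenates `$arrow` into a string, which for a rejected array yields `Array` plus a conversion warning and for a non-stringable object throws an Error instead of the intended RuntimeError — `is_string($arrow) ? $arrow : gettype($arrow)` gives a stable message. mapFilter's body continues past the end of the hunk.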
8 changes: 6 additions & 2 deletions system/src/Grav/Common/Utils.php
Expand Up @@ -1950,10 +1950,10 @@ public static function getSupportPageTypes(array $defaults = null)
}

/**
* @param string $name
* @param string|array $name
* @return bool
*/
public static function isDangerousFunction(string $name): bool
public static function isDangerousFunction($name): bool
{
static $commandExecutionFunctions = [
'exec',
Expand Down Expand Up @@ -2050,6 +2050,10 @@ public static function isDangerousFunction(string $name): bool
'posix_setuid',
];

if (is_array($name) || strpos($name, ":") !== false) {
return false;
}

if (in_array($name, $commandExecutionFunctions)) {
return true;
}
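Review bot: The new early return treats every string containing `:` — that is, any `Class::method` static callable — as not dangerous, so the blocklist below is skipped for exactly the kind of callable it cannot enumerate; a string such as `'SomeClass::method'` passes the `is_string` gate in the GravExtension callers on this commit and then gets `false` here, and if Twig invokes the arrow as a PHP callable that static method runs with no check at all. Array callables get the same `false`, which is only harmless because the two visible callers reject non-string, non-Closure arrows before reaching this helper; any other caller would get a "safe" verdict for an arbitrary `[$class, $method]` pair. For a function whose return value is the security decision, the cases it cannot classify should fail closed, e.g. `if (is_array($name) || strpos($name, ':') !== false) { return true; }` (or resolve the class part and compare it against an allow-list), with callers that legitimately pass Closures short-circuiting before the call. The widened `string|array` docblock is also not enforced: the Twig callers can pass a Closure through, and `strpos()` on an object is a TypeError on PHP 8, so guard with `is_string($name)` before any string operation.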
