Backport fixes from 2.0

modules/cms/controllers/Themes.php

@@ -265,6 +265,10 @@ protected function makeExportFormWidget($theme)
 
     public function index_onLoadImportForm()
     {
+        if (\Cms\Helpers\Cms::safeModeEnabled()) {
+            throw new ApplicationException(trans('cms::lang.cms_object.safe_mode_enabled'));
+        }
+
         $theme = $this->findThemeObject();
         $this->vars['widget'] = $this->makeImportFormWidget($theme);
         $this->vars['themeDir'] = $theme->getDirName();
@@ -274,6 +278,10 @@ public function index_onLoadImportForm()
 
     public function index_onImport()
     {
+        if (\Cms\Helpers\Cms::safeModeEnabled()) {
+            throw new ApplicationException(trans('cms::lang.cms_object.safe_mode_enabled'));
+        }
+
         $theme = $this->findThemeObject();
         $widget = $this->makeImportFormWidget($theme);
 

modules/system/twig/SecurityPolicy.php

@@ -18,18 +18,22 @@ final class SecurityPolicy implements SecurityPolicyInterface
      * @var array List of forbidden methods.
      */
     protected $blockedMethods = [
-        // \October\Rain\Extension\ExtendableTrait
+        // Prevent manipulating Twig itself
+        'getTwig',
+
+        // Prevent dynamic methods and props
         'addDynamicMethod',
         'addDynamicProperty',
 
-        // \October\Rain\Support\Traits\Emitter
+        // Prevent binding event logic
         'bindEvent',
         'bindEventOnce',
 
         // Eloquent & Halcyon data modification
         'insert',
         'update',
         'delete',
+        'write',
     ];
 
     /**