Merge branch 'release/1.7.42.2'

getgrav · Jul 18, 2023 · 45103f8 · 45103f8
2 parents 4cd1378 + 0d27f2d
commit 45103f8
Show file tree

Hide file tree

Showing 5 changed files with 76 additions and 64 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+# v1.7.42.2
+## 07/18/2023
+
+2. [](#improved)
+   * In `Utils::isDangerousFunction`, handle double `\\` in `|map` twig filter to mitigate SSTI attack
+   * Better handle empty email in `Validatoin::typeEmail()`
+
 # v1.7.42.1
 ## 06/15/2023
 

diff --git a/composer.lock b/composer.lock
diff --git a/system/defines.php b/system/defines.php
@@ -9,7 +9,7 @@
 
 // Some standard defines
 define('GRAV', true);
-define('GRAV_VERSION', '1.7.42.1');
+define('GRAV_VERSION', '1.7.42.2');
 define('GRAV_SCHEMA', '1.7.0_2020-11-20_1');
 define('GRAV_TESTING', false);
 

diff --git a/system/src/Grav/Common/Data/Validation.php b/system/src/Grav/Common/Data/Validation.php
@@ -631,6 +631,10 @@ public static function typeColor($value, array $params, array $field)
      */
     public static function typeEmail($value, array $params, array $field)
     {
+        if (empty($value)) {
+            return false;
+        }
+
         if (!isset($params['max'])) {
             $params['max'] = 320;
         }

diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
@@ -2069,7 +2069,7 @@ public static function isDangerousFunction($name): bool
         }
 
         if (strpos($name, "\\") !== false) {
-            return false;
+            return true;
         }
 
         if (in_array($name, $commandExecutionFunctions)) {