Skip to content

Commit

Permalink
SSTI attack mitigation - GHSA-9436-3gmp-4f53
Browse files Browse the repository at this point in the history
  • Loading branch information
rhukster committed Jul 18, 2023
1 parent 950cd08 commit b4c6210
Show file tree
Hide file tree
Showing 3 changed files with 12 additions and 1 deletion.
7 changes: 7 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
# v1.7.42.2
## mm/dd/2023

2. [](#improved)
* In `Utils::isDangerousFunction`, handle double `\\` in `|map` twig filter to mitigate SSTI attack
* Better handle empty email in `Validatoin::typeEmail()`

# v1.7.42.1
## 06/15/2023

Expand Down
4 changes: 4 additions & 0 deletions system/src/Grav/Common/Data/Validation.php
Original file line number Diff line number Diff line change
Expand Up @@ -631,6 +631,10 @@ public static function typeColor($value, array $params, array $field)
*/
public static function typeEmail($value, array $params, array $field)
{
if (empty($value)) {
return false;
}

if (!isset($params['max'])) {
$params['max'] = 320;
}
Expand Down
2 changes: 1 addition & 1 deletion system/src/Grav/Common/Utils.php
Original file line number Diff line number Diff line change
Expand Up @@ -2069,7 +2069,7 @@ public static function isDangerousFunction($name): bool
}

if (strpos($name, "\\") !== false) {
return false;
return true;
}

if (in_array($name, $commandExecutionFunctions)) {
Expand Down

0 comments on commit b4c6210

Please sign in to comment.