Merge branch 'release/1.7.34'

CHANGELOG.md

@@ -1,3 +1,16 @@
+# v1.7.34
+## 06/14/2022
+
+1. [](#new)
+    * Added back Yiddish to Language Codes [#3336](https://github.com/getgrav/grav/pull/3336)
+    * Ignore upcoming `media.json` file in media
+1. [](#bugfix)
+    * Regression: Fixed saving page with a new language causing cache corruption [getgrav/grav-plugin-admin#2282](https://github.com/getgrav/grav-plugin-admin/issues/2282)
+    * Fixed a potential fatal error when using watermark in images
+    * Fixed `bin/grav install` command with arbitrary destination folder name
+    * Fixed Twig `|filter()` allowing code execution
+    * Fixed login and user search by email not being case-insensitive when using Flex Users
+
 # v1.7.33
 ## 04/25/2022
 

system/defines.php

@@ -9,7 +9,7 @@
 
 // Some standard defines
 define('GRAV', true);
-define('GRAV_VERSION', '1.7.33');
+define('GRAV_VERSION', '1.7.34');
 define('GRAV_SCHEMA', '1.7.0_2020-11-20_1');
 define('GRAV_TESTING', false);
 

system/src/Grav/Common/File/CompiledFile.php

@@ -138,6 +138,10 @@ public function save($data = null)
             $class = get_class($this);
             $size = filesize($filename);
 
+            // Reload data from the filesystem. This ensures that we always cache the correct data (see issue #2282).
+            $this->raw = $this->content = null;
+            $data = (array)$this->decode($this->raw());
+
             // Decode data into compiled array.
             $cache = [
                 '@class' => $class,

system/src/Grav/Common/Flex/Types/Users/UserIndex.php

@@ -142,7 +142,7 @@ public function find($query, $fields = ['username', 'email']): UserInterface
                 } elseif ($field === 'flex_key') {
                     $user = $this->withKeyField('flex_key')->get($query);
                 } elseif ($field === 'email') {
-                    $user = $this->withKeyField('email')->get($query);
+                    $user = $this->withKeyField('email')->get(static::filterUsername($query, $this->getFlexDirectory()->getStorage()));
                 } elseif ($field === 'username') {
                     $user = $this->get(static::filterUsername($query, $this->getFlexDirectory()->getStorage()));
                 } else {

system/src/Grav/Common/GPM/GPM.php

@@ -12,6 +12,7 @@
 use Exception;
 use Grav\Common\Grav;
 use Grav\Common\Filesystem\Folder;
+use Grav\Common\HTTP\Response;
 use Grav\Common\Inflector;
 use Grav\Common\Iterator;
 use Grav\Common\Utils;

system/src/Grav/Common/GPM/Remote/AbstractPackageCollection.php

@@ -10,8 +10,8 @@
 namespace Grav\Common\GPM\Remote;
 
 use Grav\Common\Grav;
+use Grav\Common\HTTP\Response;
 use Grav\Common\GPM\Common\AbstractPackageCollection as BaseCollection;
-use Grav\Common\GPM\Response;
 use \Doctrine\Common\Cache\FilesystemCache;
 use RuntimeException;
 

system/src/Grav/Common/Language/LanguageCodes.php

@@ -153,6 +153,8 @@ class LanguageCodes
         'vi'         => [ 'name' => 'Vietnamese',                'nativeName' => 'Tiếng Việt' ],
         'wo'         => [ 'name' => 'Wolof',                     'nativeName' => 'Wolof' ],
         'xh'         => [ 'name' => 'Xhosa',                     'nativeName' => 'isiXhosa' ],
+        'yi'         => [ 'name' => 'Yiddish',                   'nativeName' => 'ייִדיש', 'orientation' => 'rtl'  ],
+        'ydd'        => [ 'name' => 'Yiddish',                   'nativeName' => 'ייִדיש', 'orientation' => 'rtl'  ],
         'zh'         => [ 'name' => 'Chinese (Simplified)',      'nativeName' => '中文 (简体)' ],
         'zh-CN'      => [ 'name' => 'Chinese (Simplified)',      'nativeName' => '中文 (简体)' ],
         'zh-TW'      => [ 'name' => 'Chinese (Traditional)',     'nativeName' => '正體中文 (繁體)' ],

system/src/Grav/Common/Page/Media.php

@@ -152,7 +152,7 @@ protected function init()
         foreach ($iterator as $file => $info) {
             // Ignore folders and Markdown files.
             $filename = $info->getFilename();
-            if (!$info->isFile() || $info->getExtension() === 'md' || $filename === 'frontmatter.yaml' || strpos($filename, '.') === 0) {
+            if (!$info->isFile() || $info->getExtension() === 'md' || $filename === 'frontmatter.yaml' || $filename === 'media.json' || strpos($filename, '.') === 0) {
                 continue;
             }
 

system/src/Grav/Common/Page/Medium/ImageMedium.php

@@ -361,8 +361,8 @@ public function watermark($image = null, $position = null, $scale = null)
 
         // Scaling operations
         $scale     = ($scale ?? $config->get('system.images.watermark.scale', 100)) / 100;
-        $wwidth    = $this->get('width')  * $scale;
-        $wheight   = $this->get('height') * $scale;
+        $wwidth    = (int)$this->get('width')  * $scale;
+        $wheight   = (int)$this->get('height') * $scale;
         $watermark->resize($wwidth, $wheight);
 
         // Position operations
@@ -377,11 +377,11 @@ public function watermark($image = null, $position = null, $scale = null)
                 break;
 
             case 'bottom':
-                $positionY = $this->get('height')-$wheight;
+                $positionY = (int)$this->get('height')-$wheight;
                 break;
 
             case 'center':
-                $positionY = ($this->get('height')/2) - ($wheight/2);
+                $positionY = ((int)$this->get('height')/2) - ($wheight/2);
                 break;
         }
 
@@ -392,11 +392,11 @@ public function watermark($image = null, $position = null, $scale = null)
                 break;
 
             case 'right':
-                $positionX = $this->get('width')-$wwidth;
+                $positionX = (int)$this->get('width')-$wwidth;
                 break;
 
             case 'center':
-                $positionX = ($this->get('width')/2) - ($wwidth/2);
+                $positionX = ((int)$this->get('width')/2) - ($wwidth/2);
                 break;
         }
 

system/src/Grav/Common/Service/FlexServiceProvider.php

@@ -97,7 +97,9 @@ private function getFlexAccountsStorage(Config $config): array
                 'options' => [
                     'file' => 'user',
                     'pattern' => '{FOLDER}/{KEY:2}/{KEY}/{FILE}{EXT}',
-                    'key' => 'storage_key'
+                    'key' => 'storage_key',
+                    'indexed' => true,
+                    'case_sensitive' => false
                 ],
             ];
         }
@@ -107,7 +109,9 @@ private function getFlexAccountsStorage(Config $config): array
                 'class' => UserFileStorage::class,
                 'options' => [
                     'pattern' => '{FOLDER}/{KEY}{EXT}',
-                    'key' => 'username'
+                    'key' => 'username',
+                    'indexed' => true,
+                    'case_sensitive' => false
                 ],
             ];
         }

system/src/Grav/Common/Twig/Extension/GravExtension.php

@@ -9,6 +9,7 @@
 
 namespace Grav\Common\Twig\Extension;
 
+use CallbackFilterIterator;
 use Cron\CronExpression;
 use Grav\Common\Config\Config;
 use Grav\Common\Data\Data;
@@ -41,6 +42,7 @@
 use RocketTheme\Toolbox\ResourceLocator\UniformResourceLocator;
 use Traversable;
 use Twig\Environment;
+use Twig\Error\RuntimeError;
 use Twig\Extension\AbstractExtension;
 use Twig\Extension\GlobalsInterface;
 use Twig\Loader\FilesystemLoader;
@@ -167,6 +169,9 @@ public function getFilters(): array
             // PHP methods
             new TwigFilter('count', 'count'),
             new TwigFilter('array_diff', 'array_diff'),
+
+            // Security fix
+            new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),
         ];
     }
 
@@ -1676,4 +1681,20 @@ public function ofTypeFunc($var, $typeTest = null, $className = null)
                 return is_string($var);
         }
     }
+
+    /**
+     * @param Environment $env
+     * @param array $array
+     * @param callable|string $arrow
+     * @return array|CallbackFilterIterator
+     * @throws RuntimeError
+     */
+    function filterFilter(Environment $env, $array, $arrow)
+    {
+        if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
+            throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
+        }
+
+        return twig_array_filter($env, $array, $arrow);
+    }
 }

system/src/Grav/Console/Cli/InstallCommand.php

@@ -147,7 +147,7 @@ private function gitclone(): int
         foreach ($this->config['git'] as $repo => $data) {
             $path = $this->destination . DS . $data['path'];
             if (!file_exists($path)) {
-                exec('cd "' . $this->destination . '" && git clone -b ' . $data['branch'] . ' --depth 1 ' . $data['url'] . ' ' . $data['path'], $output, $return);
+                exec('cd ' . escapeshellarg($this->destination) . ' && git clone -b ' . $data['branch'] . ' --depth 1 ' . $data['url'] . ' ' . $data['path'], $output, $return);
 
                 if (!$return) {
                     $io->writeln('<green>SUCCESS</green> cloned <magenta>' . $data['url'] . '</magenta> -> <cyan>' . $path . '</cyan>');

system/src/Grav/Console/ConsoleTrait.php

@@ -288,7 +288,7 @@ public function composerUpdate($path, $action = 'install')
     {
         $composer = Composer::getComposerExecutor();
 
-        return system($composer . ' --working-dir="'.$path.'" --no-interaction --no-dev --prefer-dist -o '. $action);
+        return system($composer . ' --working-dir=' . escapeshellarg($path) . ' --no-interaction --no-dev --prefer-dist -o '. $action);
     }
 
     /**

system/src/Grav/Console/Gpm/DirectInstallCommand.php

@@ -10,12 +10,11 @@
 namespace Grav\Console\Gpm;
 
 use Exception;
-use Grav\Common\Cache;
 use Grav\Common\Grav;
 use Grav\Common\Filesystem\Folder;
+use Grav\Common\HTTP\Response;
 use Grav\Common\GPM\GPM;
 use Grav\Common\GPM\Installer;
-use Grav\Common\GPM\Response;
 use Grav\Console\GpmCommand;
 use RuntimeException;
 use Symfony\Component\Console\Input\InputArgument;

system/src/Grav/Console/Gpm/InstallCommand.php

@@ -11,10 +11,10 @@
 
 use Exception;
 use Grav\Common\Filesystem\Folder;
+use Grav\Common\HTTP\Response;
 use Grav\Common\GPM\GPM;
 use Grav\Common\GPM\Installer;
 use Grav\Common\GPM\Licenses;
-use Grav\Common\GPM\Response;
 use Grav\Common\GPM\Remote\Package;
 use Grav\Common\Grav;
 use Grav\Common\Utils;
@@ -485,7 +485,7 @@ private function processSymlink(Package $package): void
     {
         $io = $this->getIO();
 
-        exec('cd ' . $this->destination);
+        exec('cd ' . escapeshellarg($this->destination));
 
         $to = $this->destination . DS . $package->install_path;
         $from = $this->getSymlinkSource($package);

system/src/Grav/Console/Gpm/SelfupgradeCommand.php

@@ -11,8 +11,8 @@
 
 use Exception;
 use Grav\Common\Filesystem\Folder;
+use Grav\Common\HTTP\Response;
 use Grav\Common\GPM\Installer;
-use Grav\Common\GPM\Response;
 use Grav\Common\GPM\Upgrader;
 use Grav\Common\Grav;
 use Grav\Console\GpmCommand;

tests/phpstan/phpstan.neon

@@ -156,13 +156,20 @@ parameters:
         - '#Call to deprecated method stopPropagation\(\) of class Symfony\\Component\\EventDispatcher\\Event#'
         - '#Parameter \#2 \$listener of method Symfony\\Component\\EventDispatcher\\EventDispatcher::addListener\(\)#'
         - '#Parameter \#2 \$listener of method Symfony\\Component\\EventDispatcher\\EventDispatcher::removeListener\(\)#'
+        - '#Class Grav\\Common\\GPM\\Response not found#'
 
         # Installer updates
         -
             message: '#Variable \$this in PHPDoc tag @var does not exist#'
             path: '*/system/src/Grav/Installer/updates/*'
+        -
+            message: '#YamlUpdater::isInlineComment\(\) is unused#'
+            path: '*/system/src/Grav/Installer/YamlUpdater.php'
 
         # Twig Deferred extension compatibility
         -
             message: '#typehint with deprecated interface#'
             path: '*/system/src/Twig/DeferredExtension/DeferredNodeVisitorCompat.php'
+        -
+            message: '#Function twig_array_filter not found#'
+            path: '*/system/src/Grav/Common/Twig/Extension/GravExtension.php'