Skip to content

Commit

Permalink
Merge branch 'release/1.7.46'
Browse files Browse the repository at this point in the history
  • Loading branch information
rhukster committed May 15, 2024
2 parents 4187a04 + 013ff7e commit faa8ee5
Show file tree
Hide file tree
Showing 9 changed files with 68 additions and 24 deletions.
15 changes: 14 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,19 @@
# v1.7.46
## 05/15/2024

1. [](#improved)
* Better handling of external protocols in `Utils::url()` such as `mailto:`, `tel:`, etc.
* Handle `GRAV_ROOT` or `GRAV_WEBROOT` when `/` [#3667](https://github.com/getgrav/grav/pull/3667)
1. [](#bugfix)
* Fixes for multi-lang taxonomy when reinitializing the languages (e.g. LangSwitcher plugin)
* Ensure the full filepath is checked for invalid filename in `MediaUploadTrait::checkFileMetadata()`
* Fixed a bug in the `on_events` REGEX pattern of `Security::detectXss()` as it was not matching correctly.
* Fixed an issue where `read_file()` Twig function could be used nefariously in content [#GHSA-f8v5-jmfh-pr69](https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69)

# v1.7.45
## 03/18/2024

1. [](#news)
1. [](#new)
* Added new Image trait for `decoding` attribute [#3796](https://github.com/getgrav/grav/pull/3796)
1. [](#bugfix)
* Fixed some multibyte issues in Inflector class [#732](https://github.com/getgrav/grav/issues/732)
Expand Down Expand Up @@ -117,6 +129,7 @@
1. [](#improved)
* Removed outdated `xcache` setting [#3615](https://github.com/getgrav/grav/pull/3615)
* Updated `robots.txt` [#3625](https://github.com/getgrav/grav/pull/3625)
* Handle the situation when GRAV_ROOT or GRAV_WEBROOT are `/` [#3625](https://github.com/getgrav/grav/pull/3667)
1. [](#bugfix)
* Fixed `force_ssl` redirect in case of undefined hostname [#3702](https://github.com/getgrav/grav/pull/3702)
* Fixed an issue with duplicate identical page paths
Expand Down
6 changes: 3 additions & 3 deletions system/defines.php
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@

// Some standard defines
define('GRAV', true);
define('GRAV_VERSION', '1.7.45');
define('GRAV_VERSION', '1.7.46');
define('GRAV_SCHEMA', '1.7.0_2020-11-20_1');
define('GRAV_TESTING', false);

Expand All @@ -26,12 +26,12 @@
// Absolute path to Grav root. This is where Grav is installed into.
if (!defined('GRAV_ROOT')) {
$path = rtrim(str_replace(DIRECTORY_SEPARATOR, DS, getenv('GRAV_ROOT') ?: getcwd()), DS);
define('GRAV_ROOT', $path);
define('GRAV_ROOT', $path ?: DS);
}
// Absolute path to Grav webroot. This is the path where your site is located in.
if (!defined('GRAV_WEBROOT')) {
$path = rtrim(getenv('GRAV_WEBROOT') ?: GRAV_ROOT, DS);
define('GRAV_WEBROOT', $path);
define('GRAV_WEBROOT', $path ?: DS);
}
// Relative path to user folder. This path needs to be located under GRAV_WEBROOT.
if (!defined('GRAV_USER_PATH')) {
Expand Down
2 changes: 1 addition & 1 deletion system/src/Grav/Common/Backup/Backups.php
Original file line number Diff line number Diff line change
Expand Up @@ -218,7 +218,7 @@ public static function backup($id = 0, callable $status = null)
if ($locator->isStream($backup_root)) {
$backup_root = $locator->findResource($backup_root);
} else {
$backup_root = rtrim(GRAV_ROOT . $backup_root, '/');
$backup_root = rtrim(GRAV_ROOT . $backup_root, DS) ?: DS;
}

if (!$backup_root || !file_exists($backup_root)) {
Expand Down
2 changes: 1 addition & 1 deletion system/src/Grav/Common/Media/Traits/MediaUploadTrait.php
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ public function checkFileMetadata(array $metadata, string $filename = null, arra
$filepath = $folder . $filename;

// Check if the filename is allowed.
if (!Utils::checkFilename($filename)) {
if (!Utils::checkFilename($filepath)) {
throw new RuntimeException(
sprintf($this->translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD'), $filepath, $this->translate('PLUGIN_ADMIN.BAD_FILENAME'))
);
Expand Down
3 changes: 2 additions & 1 deletion system/src/Grav/Common/Security.php
Original file line number Diff line number Diff line change
Expand Up @@ -225,7 +225,7 @@ public static function detectXss($string, array $options = null): ?string
// Set the patterns we'll test against
$patterns = [
// Match any attribute starting with "on" or xmlns
'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu',
'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu',

// Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu',
Expand Down Expand Up @@ -279,6 +279,7 @@ public static function cleanDangerousTwig(string $string): string
'twig.getFunction',
'core.setEscaper',
'twig.safe_functions',
'read_file',
];
$string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string);
return $string;
Expand Down
25 changes: 15 additions & 10 deletions system/src/Grav/Common/Taxonomy.php
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
namespace Grav\Common;

use Grav\Common\Config\Config;
use Grav\Common\Language\Language;
use Grav\Common\Page\Collection;
use Grav\Common\Page\Interfaces\PageInterface;
use function is_string;
Expand Down Expand Up @@ -37,6 +38,8 @@ class Taxonomy
protected $taxonomy_map;
/** @var Grav */
protected $grav;
/** @var Language */
protected $language;

/**
* Constructor that resets the map
Expand All @@ -45,8 +48,9 @@ class Taxonomy
*/
public function __construct(Grav $grav)
{
$this->taxonomy_map = [];
$this->grav = $grav;
$this->language = $grav['language'];
$this->taxonomy_map[$this->language->getLanguage()] = [];
}

/**
Expand Down Expand Up @@ -107,7 +111,8 @@ public function iterateTaxonomy(PageInterface $page, string $taxonomy, string $k
if (!empty($key)) {
$taxonomy .= $key;
}
$this->taxonomy_map[$taxonomy][(string) $value][$page->path()] = ['slug' => $page->slug()];
$active = $this->language->getLanguage();
$this->taxonomy_map[$active][$taxonomy][(string) $value][$page->path()] = ['slug' => $page->slug()];
}
}

Expand All @@ -123,14 +128,11 @@ public function findTaxonomy($taxonomies, $operator = 'and')
{
$matches = [];
$results = [];
$active = $this->language->getLanguage();

foreach ((array)$taxonomies as $taxonomy => $items) {
foreach ((array)$items as $item) {
if (isset($this->taxonomy_map[$taxonomy][$item])) {
$matches[] = $this->taxonomy_map[$taxonomy][$item];
} else {
$matches[] = [];
}
$matches[] = $this->taxonomy_map[$active][$taxonomy][$item] ?? [];
}
}

Expand All @@ -156,11 +158,13 @@ public function findTaxonomy($taxonomies, $operator = 'and')
*/
public function taxonomy($var = null)
{
$active = $this->language->getLanguage();

if ($var) {
$this->taxonomy_map = $var;
$this->taxonomy_map[$active] = $var;
}

return $this->taxonomy_map;
return $this->taxonomy_map[$active] ?? [];
}

/**
Expand All @@ -171,6 +175,7 @@ public function taxonomy($var = null)
*/
public function getTaxonomyItemKeys($taxonomy)
{
return isset($this->taxonomy_map[$taxonomy]) ? array_keys($this->taxonomy_map[$taxonomy]) : [];
$active = $this->language->getLanguage();
return isset($this->taxonomy_map[$active][$taxonomy]) ? array_keys($this->taxonomy_map[$active][$taxonomy]) : [];
}
}
9 changes: 4 additions & 5 deletions system/src/Grav/Common/Uri.php
Original file line number Diff line number Diff line change
Expand Up @@ -206,7 +206,7 @@ public function init()
$uri = $language->setActiveFromUri($uri);

// split the URL and params (and make sure that the path isn't seen as domain)
$bits = parse_url('http://domain.com' . $uri);
$bits = static::parseUrl('http://domain.com' . $uri);

//process fragment
if (isset($bits['fragment'])) {
Expand Down Expand Up @@ -265,6 +265,7 @@ public function paths($id = null)
return $this->paths;
}


/**
* Return route to the current URI. By default route doesn't include base path.
*
Expand Down Expand Up @@ -742,7 +743,7 @@ public static function getCurrentRoute()
*/
public static function isExternal($url)
{
return (0 === strpos($url, 'http://') || 0 === strpos($url, 'https://') || 0 === strpos($url, '//'));
return (0 === strpos($url, 'http://') || 0 === strpos($url, 'https://') || 0 === strpos($url, '//') || 0 === strpos($url, 'mailto:') || 0 === strpos($url, 'tel:') || 0 === strpos($url, 'ftp://') || 0 === strpos($url, 'ftps://') || 0 === strpos($url, 'news:') || 0 === strpos($url, 'irc:') || 0 === strpos($url, 'gopher:') || 0 === strpos($url, 'nntp:') || 0 === strpos($url, 'feed:') || 0 === strpos($url, 'cvs:') || 0 === strpos($url, 'ssh:') || 0 === strpos($url, 'git:') || 0 === strpos($url, 'svn:') || 0 === strpos($url, 'hg:'));
}

/**
Expand Down Expand Up @@ -954,9 +955,7 @@ public static function parseUrl($url)
$grav = Grav::instance();

// Remove extra slash from streams, parse_url() doesn't like it.
if ($pos = strpos($url, ':///')) {
$url = substr_replace($url, '://', $pos, 4);
}
$url = preg_replace('/([^:])(\/{2,})/', '$1/', $url);

$encodedUrl = preg_replace_callback(
'%[^:/@?&=#]+%usD',
Expand Down
28 changes: 27 additions & 1 deletion tests/unit/Grav/Common/UriTest.php
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

use Codeception\Util\Fixtures;
use Grav\Common\Config\Config;
use Grav\Common\Grav;
use Grav\Common\Uri;
use Grav\Common\Utils;
Expand All @@ -16,6 +17,9 @@ class UriTest extends \Codeception\TestCase\Test
/** @var Uri $uri */
protected $uri;

/** @var Config $config */
protected $config;

protected $tests = [
'/path' => [
'scheme' => '',
Expand Down Expand Up @@ -704,7 +708,7 @@ class UriTest extends \Codeception\TestCase\Test
'route' => '/localhost',
'paths' => ['localhost'],
'params' => '/script%3E:',
'url' => '//localhost',
'url' => '/localhost',
'environment' => 'unknown',
'basename' => 'localhost',
'base' => '',
Expand Down Expand Up @@ -859,6 +863,7 @@ protected function _before(): void
$grav = Fixtures::get('grav');
$this->grav = $grav();
$this->uri = $this->grav['uri'];
$this->config = $this->grav['config'];
}

protected function _after(): void
Expand Down Expand Up @@ -1149,4 +1154,25 @@ public function testAddNonce(): void
{
$this->runTestSet($this->tests, 'addNonce');
}

public function testCustomBase(): void
{
$current_base = $this->config->get('system.custom_base_url');
$this->config->set('system.custom_base_url', '/test');
$this->uri->initializeWithURL('https://mydomain.example.com:8090/test/korteles/kodai%20something?test=true#some-fragment')->init();

$this->assertSame([
"scheme" => "https",
"host" => "mydomain.example.com",
"port" => 8090,
"user" => null,
"pass" => null,
"path" => "/korteles/kodai%20something",
"params" => [],
"query" => "test=true",
"fragment" => "some-fragment",
], $this->uri->toArray());

$this->config->set('system.custom_base_url', $current_base);
}
}
2 changes: 1 addition & 1 deletion tests/unit/Grav/Common/UtilsTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -461,7 +461,7 @@ public function testUrl(): void
self::assertSame('pop://domain.com', Utils::url('pop://domain.com'));
self::assertSame('foo://bar/baz', Utils::url('foo://bar/baz'));
self::assertSame('foo://bar/baz', Utils::url('foo://bar/baz', true));
// self::assertSame('mailto:joe@domain.com', Utils::url('mailto:joe@domain.com', true)); // FIXME <-
self::assertSame('mailto:joe@domain.com', Utils::url('mailto:joe@domain.com', true)); // FIXME <-
}

public function testUrlWithRoot(): void
Expand Down

0 comments on commit faa8ee5

Please sign in to comment.