diff --git a/CHANGELOG.md b/CHANGELOG.md index 014bff7d51..2989e724d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,19 @@ +# v1.7.46 +## 05/15/2024 + +1. [](#improved) + * Better handling of external protocols in `Utils::url()` such as `mailto:`, `tel:`, etc. + * Handle `GRAV_ROOT` or `GRAV_WEBROOT` when `/` [#3667](https://github.com/getgrav/grav/pull/3667) +1. [](#bugfix) + * Fixes for multi-lang taxonomy when reinitializing the languages (e.g. LangSwitcher plugin) + * Ensure the full filepath is checked for invalid filename in `MediaUploadTrait::checkFileMetadata()` + * Fixed a bug in the `on_events` REGEX pattern of `Security::detectXss()` as it was not matching correctly. + * Fixed an issue where `read_file()` Twig function could be used nefariously in content [#GHSA-f8v5-jmfh-pr69](https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69) + # v1.7.45 ## 03/18/2024 -1. [](#news) +1. [](#new) * Added new Image trait for `decoding` attribute [#3796](https://github.com/getgrav/grav/pull/3796) 1. [](#bugfix) * Fixed some multibyte issues in Inflector class [#732](https://github.com/getgrav/grav/issues/732) @@ -117,6 +129,7 @@ 1. [](#improved) * Removed outdated `xcache` setting [#3615](https://github.com/getgrav/grav/pull/3615) * Updated `robots.txt` [#3625](https://github.com/getgrav/grav/pull/3625) + * Handle the situation when GRAV_ROOT or GRAV_WEBROOT are `/` [#3625](https://github.com/getgrav/grav/pull/3667) 1. [](#bugfix) * Fixed `force_ssl` redirect in case of undefined hostname [#3702](https://github.com/getgrav/grav/pull/3702) * Fixed an issue with duplicate identical page paths diff --git a/system/defines.php b/system/defines.php index 2bb2fd858e..f090bde296 100644 --- a/system/defines.php +++ b/system/defines.php @@ -9,7 +9,7 @@ // Some standard defines define('GRAV', true); -define('GRAV_VERSION', '1.7.45'); +define('GRAV_VERSION', '1.7.46'); define('GRAV_SCHEMA', '1.7.0_2020-11-20_1'); define('GRAV_TESTING', false); @@ -26,12 +26,12 @@ // Absolute path to Grav root. This is where Grav is installed into. if (!defined('GRAV_ROOT')) { $path = rtrim(str_replace(DIRECTORY_SEPARATOR, DS, getenv('GRAV_ROOT') ?: getcwd()), DS); - define('GRAV_ROOT', $path); + define('GRAV_ROOT', $path ?: DS); } // Absolute path to Grav webroot. This is the path where your site is located in. if (!defined('GRAV_WEBROOT')) { $path = rtrim(getenv('GRAV_WEBROOT') ?: GRAV_ROOT, DS); - define('GRAV_WEBROOT', $path); + define('GRAV_WEBROOT', $path ?: DS); } // Relative path to user folder. This path needs to be located under GRAV_WEBROOT. if (!defined('GRAV_USER_PATH')) { diff --git a/system/src/Grav/Common/Backup/Backups.php b/system/src/Grav/Common/Backup/Backups.php index 5114634643..dd2cf379c9 100644 --- a/system/src/Grav/Common/Backup/Backups.php +++ b/system/src/Grav/Common/Backup/Backups.php @@ -218,7 +218,7 @@ public static function backup($id = 0, callable $status = null) if ($locator->isStream($backup_root)) { $backup_root = $locator->findResource($backup_root); } else { - $backup_root = rtrim(GRAV_ROOT . $backup_root, '/'); + $backup_root = rtrim(GRAV_ROOT . $backup_root, DS) ?: DS; } if (!$backup_root || !file_exists($backup_root)) { diff --git a/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php b/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php index 36becdfbac..2b1c3bbeec 100644 --- a/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php +++ b/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php @@ -156,7 +156,7 @@ public function checkFileMetadata(array $metadata, string $filename = null, arra $filepath = $folder . $filename; // Check if the filename is allowed. - if (!Utils::checkFilename($filename)) { + if (!Utils::checkFilename($filepath)) { throw new RuntimeException( sprintf($this->translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD'), $filepath, $this->translate('PLUGIN_ADMIN.BAD_FILENAME')) ); diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php index 8b4783089c..6fabf4eec3 100644 --- a/system/src/Grav/Common/Security.php +++ b/system/src/Grav/Common/Security.php @@ -225,7 +225,7 @@ public static function detectXss($string, array $options = null): ?string // Set the patterns we'll test against $patterns = [ // Match any attribute starting with "on" or xmlns - 'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu', + 'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu', // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols 'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu', @@ -279,6 +279,7 @@ public static function cleanDangerousTwig(string $string): string 'twig.getFunction', 'core.setEscaper', 'twig.safe_functions', + 'read_file', ]; $string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string); return $string; diff --git a/system/src/Grav/Common/Taxonomy.php b/system/src/Grav/Common/Taxonomy.php index d9cb930ba7..3ce2173170 100644 --- a/system/src/Grav/Common/Taxonomy.php +++ b/system/src/Grav/Common/Taxonomy.php @@ -10,6 +10,7 @@ namespace Grav\Common; use Grav\Common\Config\Config; +use Grav\Common\Language\Language; use Grav\Common\Page\Collection; use Grav\Common\Page\Interfaces\PageInterface; use function is_string; @@ -37,6 +38,8 @@ class Taxonomy protected $taxonomy_map; /** @var Grav */ protected $grav; + /** @var Language */ + protected $language; /** * Constructor that resets the map @@ -45,8 +48,9 @@ class Taxonomy */ public function __construct(Grav $grav) { - $this->taxonomy_map = []; $this->grav = $grav; + $this->language = $grav['language']; + $this->taxonomy_map[$this->language->getLanguage()] = []; } /** @@ -107,7 +111,8 @@ public function iterateTaxonomy(PageInterface $page, string $taxonomy, string $k if (!empty($key)) { $taxonomy .= $key; } - $this->taxonomy_map[$taxonomy][(string) $value][$page->path()] = ['slug' => $page->slug()]; + $active = $this->language->getLanguage(); + $this->taxonomy_map[$active][$taxonomy][(string) $value][$page->path()] = ['slug' => $page->slug()]; } } @@ -123,14 +128,11 @@ public function findTaxonomy($taxonomies, $operator = 'and') { $matches = []; $results = []; + $active = $this->language->getLanguage(); foreach ((array)$taxonomies as $taxonomy => $items) { foreach ((array)$items as $item) { - if (isset($this->taxonomy_map[$taxonomy][$item])) { - $matches[] = $this->taxonomy_map[$taxonomy][$item]; - } else { - $matches[] = []; - } + $matches[] = $this->taxonomy_map[$active][$taxonomy][$item] ?? []; } } @@ -156,11 +158,13 @@ public function findTaxonomy($taxonomies, $operator = 'and') */ public function taxonomy($var = null) { + $active = $this->language->getLanguage(); + if ($var) { - $this->taxonomy_map = $var; + $this->taxonomy_map[$active] = $var; } - return $this->taxonomy_map; + return $this->taxonomy_map[$active] ?? []; } /** @@ -171,6 +175,7 @@ public function taxonomy($var = null) */ public function getTaxonomyItemKeys($taxonomy) { - return isset($this->taxonomy_map[$taxonomy]) ? array_keys($this->taxonomy_map[$taxonomy]) : []; + $active = $this->language->getLanguage(); + return isset($this->taxonomy_map[$active][$taxonomy]) ? array_keys($this->taxonomy_map[$active][$taxonomy]) : []; } } diff --git a/system/src/Grav/Common/Uri.php b/system/src/Grav/Common/Uri.php index 9d3ef5bb94..2d4386017c 100644 --- a/system/src/Grav/Common/Uri.php +++ b/system/src/Grav/Common/Uri.php @@ -206,7 +206,7 @@ public function init() $uri = $language->setActiveFromUri($uri); // split the URL and params (and make sure that the path isn't seen as domain) - $bits = parse_url('http://domain.com' . $uri); + $bits = static::parseUrl('http://domain.com' . $uri); //process fragment if (isset($bits['fragment'])) { @@ -265,6 +265,7 @@ public function paths($id = null) return $this->paths; } + /** * Return route to the current URI. By default route doesn't include base path. * @@ -742,7 +743,7 @@ public static function getCurrentRoute() */ public static function isExternal($url) { - return (0 === strpos($url, 'http://') || 0 === strpos($url, 'https://') || 0 === strpos($url, '//')); + return (0 === strpos($url, 'http://') || 0 === strpos($url, 'https://') || 0 === strpos($url, '//') || 0 === strpos($url, 'mailto:') || 0 === strpos($url, 'tel:') || 0 === strpos($url, 'ftp://') || 0 === strpos($url, 'ftps://') || 0 === strpos($url, 'news:') || 0 === strpos($url, 'irc:') || 0 === strpos($url, 'gopher:') || 0 === strpos($url, 'nntp:') || 0 === strpos($url, 'feed:') || 0 === strpos($url, 'cvs:') || 0 === strpos($url, 'ssh:') || 0 === strpos($url, 'git:') || 0 === strpos($url, 'svn:') || 0 === strpos($url, 'hg:')); } /** @@ -954,9 +955,7 @@ public static function parseUrl($url) $grav = Grav::instance(); // Remove extra slash from streams, parse_url() doesn't like it. - if ($pos = strpos($url, ':///')) { - $url = substr_replace($url, '://', $pos, 4); - } + $url = preg_replace('/([^:])(\/{2,})/', '$1/', $url); $encodedUrl = preg_replace_callback( '%[^:/@?&=#]+%usD', diff --git a/tests/unit/Grav/Common/UriTest.php b/tests/unit/Grav/Common/UriTest.php index 3e52ef877b..c36ce52daf 100644 --- a/tests/unit/Grav/Common/UriTest.php +++ b/tests/unit/Grav/Common/UriTest.php @@ -1,6 +1,7 @@ [ 'scheme' => '', @@ -704,7 +708,7 @@ class UriTest extends \Codeception\TestCase\Test 'route' => '/localhost', 'paths' => ['localhost'], 'params' => '/script%3E:', - 'url' => '//localhost', + 'url' => '/localhost', 'environment' => 'unknown', 'basename' => 'localhost', 'base' => '', @@ -859,6 +863,7 @@ protected function _before(): void $grav = Fixtures::get('grav'); $this->grav = $grav(); $this->uri = $this->grav['uri']; + $this->config = $this->grav['config']; } protected function _after(): void @@ -1149,4 +1154,25 @@ public function testAddNonce(): void { $this->runTestSet($this->tests, 'addNonce'); } + + public function testCustomBase(): void + { + $current_base = $this->config->get('system.custom_base_url'); + $this->config->set('system.custom_base_url', '/test'); + $this->uri->initializeWithURL('https://mydomain.example.com:8090/test/korteles/kodai%20something?test=true#some-fragment')->init(); + + $this->assertSame([ + "scheme" => "https", + "host" => "mydomain.example.com", + "port" => 8090, + "user" => null, + "pass" => null, + "path" => "/korteles/kodai%20something", + "params" => [], + "query" => "test=true", + "fragment" => "some-fragment", + ], $this->uri->toArray()); + + $this->config->set('system.custom_base_url', $current_base); + } } diff --git a/tests/unit/Grav/Common/UtilsTest.php b/tests/unit/Grav/Common/UtilsTest.php index 0e530497cb..9a29ad7e2f 100644 --- a/tests/unit/Grav/Common/UtilsTest.php +++ b/tests/unit/Grav/Common/UtilsTest.php @@ -461,7 +461,7 @@ public function testUrl(): void self::assertSame('pop://domain.com', Utils::url('pop://domain.com')); self::assertSame('foo://bar/baz', Utils::url('foo://bar/baz')); self::assertSame('foo://bar/baz', Utils::url('foo://bar/baz', true)); - // self::assertSame('mailto:joe@domain.com', Utils::url('mailto:joe@domain.com', true)); // FIXME <- + self::assertSame('mailto:joe@domain.com', Utils::url('mailto:joe@domain.com', true)); // FIXME <- } public function testUrlWithRoot(): void