
Commit 4149c81

fix for safe_functions attack #GHSA-c9gp-64c4-2rrh
1 parent 2da91d9 commit 4149c81

2 files changed: +2 -1 lines changed


Diff for: CHANGELOG.md

+1-1
@@ -7,7 +7,7 @@
77
* Fixed some multibyte issues in Inflector class [#732](https://github.com/getgrav/grav/issues/732)
88
* Fallback to page modified date if Page date provided is invalid and can't be parsed [getgrav/grav-plugin-admin#2394](https://github.com/getgrav/grav-plugin-admin/issues/2394)
99
* Fixed a path traversal vulnerability with file uploads [#GHSA-m7hx-hw6h-mqmc](https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc)
10-
* Fixed a security issue with insecure Twig functions be processed [#GHSA-2m7x-c7px-hp58](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58) [#GHSA-r6vw-8v8r-pmp4](https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4) [#GHSA-qfv4-q44r-g7rv](https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv)
10+
* Fixed a security issue with insecure Twig functions be processed [#GHSA-2m7x-c7px-hp58](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58) [#GHSA-r6vw-8v8r-pmp4](https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4) [#GHSA-qfv4-q44r-g7rv](https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv) [#GHSA-c9gp-64c4-2rrh](https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh)
1111

1212
# v1.7.44
1313
## 01/05/2024
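Review bot: the amended entry still reads "insecure Twig functions be processed"; since this line is being touched anyway, correct it to "being processed". It would also help readers triaging the advisory list to say what this fourth advisory adds (the `twig.safe_functions` token is now blocked in `cleanDangerousTwig`), since the entry otherwise lists four identifiers under one generic sentence.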

Diff for: system/src/Grav/Common/Security.php

+1
@@ -278,6 +278,7 @@ public static function cleanDangerousTwig(string $string): string
278278
'undefined_functions',
279279
'twig.getFunction',
280280
'core.setEscaper',
281+
'twig.safe_functions',
281282
];
282283
$string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string);
283284
return $string;
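Review bot: the change adds one more string to the `$bad_twig` denylist, but the commit touches no test; add a regression test that runs `cleanDangerousTwig()` over a template containing `twig.safe_functions` inside both `{{ ... }}` and `{% ... %}` and asserts the block is rewritten to a `{# ... #}` comment. Two caveats on the surrounding code worth recording in the test: the match is a case-insensitive substring match (`/i`), and the `[^}]*?` segments mean the pattern only covers tag bodies that contain no `}` character, so a test should also cover a body with a hash literal to document the behaviour there. Longer term, a denylist of substrings will keep needing entries like this one; an allowlist of permitted functions via Twig's sandbox policy would be the more robust control.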

0 commit comments
