|
9 | 9 |
|
10 | 10 | namespace Grav\Common\Twig\Extension; |
11 | 11 |
|
| 12 | +use CallbackFilterIterator; |
12 | 13 | use Cron\CronExpression; |
13 | 14 | use Grav\Common\Config\Config; |
14 | 15 | use Grav\Common\Data\Data; |
|
41 | 42 | use RocketTheme\Toolbox\ResourceLocator\UniformResourceLocator; |
42 | 43 | use Traversable; |
43 | 44 | use Twig\Environment; |
| 45 | +use Twig\Error\RuntimeError; |
44 | 46 | use Twig\Extension\AbstractExtension; |
45 | 47 | use Twig\Extension\GlobalsInterface; |
46 | 48 | use Twig\Loader\FilesystemLoader; |
@@ -167,6 +169,9 @@ public function getFilters(): array |
167 | 169 | // PHP methods |
168 | 170 | new TwigFilter('count', 'count'), |
169 | 171 | new TwigFilter('array_diff', 'array_diff'), |
| 172 | + |
| 173 | + // Security fix |
| 174 | + new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]), |
170 | 175 | ]; |
171 | 176 | } |
172 | 177 |
|
@@ -1676,4 +1681,20 @@ public function ofTypeFunc($var, $typeTest = null, $className = null) |
1676 | 1681 | return is_string($var); |
1677 | 1682 | } |
1678 | 1683 | } |
| 1684 | + |
| 1685 | + /** |
| 1686 | + * @param Environment $env |
| 1687 | + * @param array $array |
| 1688 | + * @param callable|string $arrow |
| 1689 | + * @return array|CallbackFilterIterator |
| 1690 | + * @throws RuntimeError |
| 1691 | + */ |
| 1692 | + function filterFilter(Environment $env, $array, $arrow) |
| 1693 | + { |
| 1694 | + if (is_string($arrow) && Utils::isDangerousFunction($arrow)) { |
| 1695 | + throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.'); |
| 1696 | + } |
| 1697 | + |
| 1698 | + return \twig_array_filter($env, $array, $arrow); |
| 1699 | + } |
1679 | 1700 | } |
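Review bot: The guard at new line 1694 only applies when `$arrow` is a string, so an array-form callable such as `['SomeClass', 'method']` — which PHP's `array_filter` and `CallbackFilterIterator` accept just as readily — reaches `\twig_array_filter` without ever being passed through `Utils::isDangerousFunction`. Since a template can only legitimately supply a function name or the Closure that Twig's arrow syntax compiles to, reject everything else: `if (!$arrow instanceof \Closure && (!is_string($arrow) || Utils::isDangerousFunction($arrow))) {`; whether `Utils::isDangerousFunction` itself tolerates a non-string argument cannot be seen from this hunk. The method is also declared without a visibility keyword although it is registered as `[$this, 'filterFilter']`; make it `public function filterFilter(Environment $env, $array, $arrow)`. The `// Security fix` comment in the getFilters hunk would be more useful as `// Override Twig's filter so the arrow callable is vetted by Utils::isDangerousFunction before it runs`.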