SSTI attack mitigation - GHSA-9436-3gmp-4f53

getgrav · Jul 18, 2023 · b4c6210 · b4c6210
1 parent 950cd08
commit b4c6210
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+# v1.7.42.2
+## mm/dd/2023
+
+2. [](#improved)
+   * In `Utils::isDangerousFunction`, handle double `\\` in `|map` twig filter to mitigate SSTI attack
+   * Better handle empty email in `Validatoin::typeEmail()`
+
 # v1.7.42.1
 ## 06/15/2023
 

diff --git a/system/src/Grav/Common/Data/Validation.php b/system/src/Grav/Common/Data/Validation.php
@@ -631,6 +631,10 @@ public static function typeColor($value, array $params, array $field)
      */
     public static function typeEmail($value, array $params, array $field)
     {
+        if (empty($value)) {
+            return false;
+        }
+
         if (!isset($params['max'])) {
             $params['max'] = 320;
         }

diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
@@ -2069,7 +2069,7 @@ public static function isDangerousFunction($name): bool
         }
 
         if (strpos($name, "\\") !== false) {
-            return false;
+            return true;
         }
 
         if (in_array($name, $commandExecutionFunctions)) {