13 comments on commit
Security fixes for v1.0.469
Temporarily disables SVG uploads
Improves path validation in FileDatasource & reorgs / cleans up Halcyon Builder
Adds XSS filtering to SystemException messages (related c16fefd#diff-4915b631d3234e0c5232490be34effe4)
Luke Towers committed on Sep 4, 2020. 1 parent: 0989697. Commit: 80aab47.
Showing 3 changed files with 113 additions and 98 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,12 +1,29 @@ | ||
| <?php namespace October\Rain\Exception; | ||
|
|
||
| use Exception; | ||
| use October\Rain\Html\HtmlBuilder; | ||
|
|
||
| /** | ||
| * This class represents a critical system exception. | ||
| * System exceptions are logged in the error log. | ||
| * | ||
| * @package october\exception | ||
| * @author Alexey Bobkov, Samuel Georges | ||
| * @author Alexey Bobkov, Samuel Georges, Luke Towers | ||
| */ | ||
| class SystemException extends ExceptionBase | ||
| { | ||
| /** | ||
| * Override the constructor to escape all messages to protect against potential XSS | ||
| * from user provided inputs being included in the exception message | ||
| * | ||
| * @param string $message Error message. | ||
| * @param int $code Error code. | ||
| * @param Exception $previous Previous exception. | ||
| */ | ||
| public function __construct($message = "", $code = 0, Exception $previous = null) | ||
| { | ||
| $message = HtmlBuilder::clean($message); | ||
|
|
||
| parent::__construct($message, $code, $previous); | ||
| } | ||
| } |
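Review bot: cleaning inside the constructor (`$message = HtmlBuilder::clean($message);`) rewrites the message for every consumer of `getMessage()`, not only HTML error pages: the error log the class docblock says these exceptions are written to, CLI output and any JSON error response now receive the cleaned text, and callers that match on the original message string (tests, fallback logic keyed on a known message) can silently stop matching. Escaping at the rendering boundary is the conventional placement; if the constructor is kept as the choke point, state in the docblock that `getMessage()` returns sanitized text and that the raw input is not retained, and consider applying the same treatment to the sibling exception classes in this namespace so the protection does not depend on which subclass a caller happens to throw. Also, the new signature types `$previous` as `Exception`, while the parent `Exception::__construct` accepts any `Throwable`, so an `Error` cannot be chained as the previous exception; `Throwable $previous = null` keeps the override compatible with the parent.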
@LukeTowers Not sure why, but this change seems to be the reason a lot of my code broke.
Previously it was possible to load a template using base path:
Now trying to do this, I get an error:
Seems like it's connected to some maxNesting level changes. Is there any workaround?
@acasar use the System Twig environment instead of the CMS one. CMS partials should not be loading from anywhere but the theme itself.
And possible !== actually supported.
Is there any documentation on how to do that? Do I need to write the entire Twig initialization logic myself?
@acasar nope, just do the following:
@LukeTowers Sadly that's not suitable for me, since I still need support for tags like `{% partial '...' %}` etc.
I know the "correct" solution would be to structure the project a bit differently, but I'd have to do that on 170+ websites, which is not really an option. I guess I'll need to find some other workaround....
I ended up extending Halcyon Builder to re-add support for absolute paths:
@acasar message me on Slack or Discord and I'll help you come up with a better solution, we can have a video call too if you'd like.
@acasar I've come up with a possible fix for your use case so you don't have to change any code at all, as long as you aren't expecting `base_path('template/somewhere/in/the/project.htm')` to be treated as a Partial object (i.e. with support for a PHP code section and an INI configuration section).
@acasar try applying octobercms/october@dca6128 locally. Please let me know if that resolves your issue.
@LukeTowers Yes, octobercms/october@dca6128 works great and solves my issue. Thanks a lot! 👍
And sorry for the late reply, I was unavailable during the weekend.
@acasar Upon further review from myself, this change will likely continue to break your implementation (octobercms/october@f9e14b0).
The approach you've taken is not (and will not ever be) supported natively by the system, that is, the direct inclusion of external files in the theme engine outside the theme path, or in the Twig engine.
Try placing your reusable files in a views directory, using Laravel's engine:
`View::make('vendor.plugin::someview.htm')` => `{% include 'vendor.plugin::someview.htm' %}`
However, Luke may have further input on this, so watch this space, I suppose.
@daftspunk ok, thanks for notifying me. Will keep my workaround in place for all existing projects and I'll structure new projects differently.
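The two properties this commit is after, restricting template lookups to the theme directory (the path validation the thread above is about, which is why `base_path(...)` templates stopped loading) and keeping attacker-controlled text out of rendered error pages, can be demonstrated in a few dozen lines of standalone PHP. The block below is an added illustration, not code from october/rain, OctoberCMS or the FileDatasource / Halcyon Builder changes in this commit; `ThemePathValidator`, `resolve`, `renderErrorHtml`, `check`, the `$maxNesting` limit of 2 and the temporary theme directory are all assumptions made for the example, and it escapes with `htmlspecialchars` at render time rather than with `HtmlBuilder::clean` in the exception constructor as the commit does.

```php
<?php
// Added illustration, not code from october/rain or OctoberCMS. It shows
// template lookups confined to the theme directory (no absolute paths, no
// traversal, no stream wrappers) and exception messages escaped before they
// are rendered into an HTML error page.
declare(strict_types=1);

final class ThemePathValidator
{
    private $root;

    public function __construct(string $themeRoot)
    {
        $real = realpath($themeRoot);
        if ($real === false) {
            throw new InvalidArgumentException("Theme root does not exist: $themeRoot");
        }
        $this->root = rtrim($real, DIRECTORY_SEPARATOR);
    }

    /**
     * Resolve a theme-relative template name to an on-disk path.
     * Returns null for absolute paths, stream wrappers, traversal segments,
     * names nested deeper than $maxNesting directories (an assumed limit,
     * not the project's), missing files, or anything resolving outside root.
     */
    public function resolve(string $fileName, int $maxNesting = 2): ?string
    {
        $normalized = str_replace('\\', '/', $fileName);
        // Absolute POSIX path, UNC path (\\server), drive letter (C:/) or scheme (phar://).
        if ($normalized === ''
            || $normalized[0] === '/'
            || preg_match('#^[A-Za-z]:/#', $normalized)
            || strpos($normalized, '://') !== false) {
            return null;
        }
        $segments = array_values(array_filter(explode('/', $normalized), 'strlen'));
        foreach ($segments as $segment) {
            if ($segment === '.' || $segment === '..') {
                return null;   // reject traversal before touching the filesystem
            }
        }
        if (count($segments) - 1 > $maxNesting) {
            return null;
        }
        $candidate = realpath($this->root . '/' . implode('/', $segments));
        if ($candidate === false) {
            return null;
        }
        // Containment check with a trailing separator so "/theme2/x" does not pass for root "/theme".
        if (strpos($candidate, $this->root . DIRECTORY_SEPARATOR) !== 0) {
            return null;
        }
        return $candidate;
    }
}

// Escape at the rendering boundary (assumed placement for this example; the
// commit instead cleans the message inside SystemException::__construct).
function renderErrorHtml(Throwable $e): string
{
    $safe = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<pre class="error">' . $safe . '</pre>';
}

function check(bool $ok, string $label): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $label");
    }
    echo "ok: $label", PHP_EOL;
}

// Constructed fixture: a throwaway theme directory with one partial.
$root = sys_get_temp_dir() . '/theme_demo_' . bin2hex(random_bytes(4));
mkdir("$root/partials", 0700, true);
file_put_contents("$root/partials/header.htm", "<h1>hello</h1>");

$v = new ThemePathValidator($root);
check($v->resolve('partials/header.htm') !== null, 'relative path inside theme resolves');
check($v->resolve('/etc/passwd') === null, 'absolute path rejected');
check($v->resolve('../../etc/passwd') === null, 'traversal rejected');
check($v->resolve('partials/../../outside.htm') === null, 'mixed traversal rejected');
check($v->resolve('phar://evil.phar/x.htm') === null, 'stream wrapper rejected');
check($v->resolve('a/b/c/d.htm') === null, 'nesting limit enforced');

// Constructed tainted input of the kind a request parameter could carry into a message.
$html = renderErrorHtml(new RuntimeException('Template not found: <img src=x onerror=alert(1)>'));
check(strpos($html, '<img') === false, 'markup in message is escaped');
```

Run it with `php example.php`; every `check` line prints `ok:` and the script throws on the first failing property. The traversal test happens on the string before `realpath` is consulted, so a name that points at a file which does not exist is still rejected for the right reason, and the final `strpos` containment test is what actually prevents symlinks inside the theme from escaping the root.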