better SSTI in |map and |filter

getgrav · Jun 13, 2023 · 8c2c1cb · 8c2c1cb
1 parent 9d01140
commit 8c2c1cb
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,8 +3,10 @@
 
 1. [](#new)
    * Added a new `system.languages.debug` option that adds a `<span class="translate-debug"></span>` around strings translated with `|t`. This can be styled by the theme as needed.
+1. [](#improved)
+   * More robust SSTI handling in `|filter` and `|map`
 1. [](#bugfix)
-   * * Fixed Twig `|map()` allowing code execution
+   * Fixed Twig `|map()` allowing code execution
 
 # v1.7.41.2
 ## 06/01/2023

diff --git a/system/src/Grav/Common/Twig/Extension/GravExtension.php b/system/src/Grav/Common/Twig/Extension/GravExtension.php
@@ -1708,7 +1708,7 @@ public function ofTypeFunc($var, $typeTest = null, $className = null)
      */
     function filterFilter(Environment $env, $array, $arrow)
     {
-        if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
+        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
             throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
         }
 
@@ -1724,7 +1724,7 @@ function filterFilter(Environment $env, $array, $arrow)
      */
     function mapFilter(Environment $env, $array, $arrow)
     {
-        if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
+        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
             throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
         }
 

diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
@@ -1950,10 +1950,10 @@ public static function getSupportPageTypes(array $defaults = null)
     }
 
     /**
-     * @param string $name
+     * @param string|array $name
      * @return bool
      */
-    public static function isDangerousFunction(string $name): bool
+    public static function isDangerousFunction($name): bool
     {
         static $commandExecutionFunctions = [
             'exec',
@@ -2050,6 +2050,10 @@ public static function isDangerousFunction(string $name): bool
             'posix_setuid',
         ];
 
+        if (is_array($name) || strpos($name, ":") !== false) {
+            return false;
+        }
+
         if (in_array($name, $commandExecutionFunctions)) {
             return true;
         }