Commit Graph

8025 Commits

Author SHA1 Message Date
Andy Miller
0f879bd1d4 prepare for beta.27 release
Signed-off-by: Andy Miller <rhuk@mac.com>
1.8.0-beta.27
2025-11-30 16:17:37 -07:00
Andy Miller
fd828d452e trim down default user/config/system.yaml
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-30 16:14:35 -07:00
Andy Miller
63bbc1cac6 flex-objects caching fix
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-30 16:06:31 -07:00
Andy Miller
528032b11a update changelog
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-29 21:18:57 -07:00
Andy Miller
a4c3a3af6d Add isindex to XSS dangerous tags (CVE-2023-31506 / GHSA-h85h-xm8x-vfw7)
The original CVE-2023-31506 fix missed the deprecated <isindex> HTML tag,
which can still be used for XSS via event handlers like onmouseover.

The <isindex> tag is deprecated in HTML5 and has no legitimate modern use.
2025-11-29 21:07:23 -07:00
Andy Miller
b7e1958a6e Merge branch 'fix/GHSA-4cwq-j7jv-qmwg-title-email-leak' into 1.8
2025-11-29 18:29:39 -07:00
Andy Miller
0c38968c58 Fix email disclosure in user edit page title (GHSA-4cwq-j7jv-qmwg)
Security fix for IDOR-style information disclosure where the admin
email address was leaked in the <title> tag even on 403 Forbidden
responses.

The edit view title template previously included the email:
  {{ fullname ?? username }} <{{ email }}>

Now shows only the name/username without email:
  {{ fullname ?? username }}

This prevents low-privilege users from enumerating admin email
addresses by accessing /admin/accounts/users/{username} URLs.
2025-11-29 18:27:08 -07:00
Andy Miller
9d11094e41 Merge branch 'fix/GHSA-x62q-p736-3997-GHSA-gq3g-666w-7h85-admin-security' into 1.8
2025-11-29 17:52:03 -07:00
Andy Miller
ed640a1314 Merge branch 'fix/GHSA-p4ww-mcp9-j6f2-GHSA-m8vh-v6r6-w7p6-GHSA-j422-qmxp-hv94-file-path-security' into 1.8
2025-11-29 17:45:33 -07:00
Andy Miller
e37259527d Merge branch 'fix/GHSA-662m-56v4-3r8f-GHSA-858q-77wx-hhx6-GHSA-8535-hvm8-2hmv-GHSA-gjc5-8cfh-653x-GHSA-52hh-vxfw-p6rg-ssti-sandbox' into 1.8
2025-11-29 17:30:39 -07:00
Andy Miller
3462d94d57 Merge branch 'fix/GHSA-h756-wh59-hhjv-GHSA-cjcp-qxvg-4rjm-username-validation' into 1.8
2025-11-29 17:29:15 -07:00
Andy Miller
19c2f8da76 Fix path traversal and uniqueness vulnerabilities in username validation
Security fixes for:
- GHSA-h756-wh59-hhjv: Path traversal via username during account creation
- GHSA-cjcp-qxvg-4rjm: Username uniqueness bypass

Changes:

Framework/Flex/Storage/AbstractFilesystemStorage.php:
- Added validateKey() to check for path traversal attempts
- Blocks: .., /, \, null bytes, control characters
- Added assertValidKey() public method for external validation

Framework/Flex/Storage/FolderStorage.php:
- Key validation now enforced in createRows()

User/DataUser/User.php:
- Added isValidUsername() static method for reusable validation
- Added uniqueness check in save() - blocks if user already exists
- Validation blocks: path traversal, hidden files, dangerous characters

Flex/Types/Users/UserObject.php:
- Validation now blocks hidden files (starting with .)

Added unit tests:
- tests/unit/Grav/Common/Security/UsernameValidationTest.php
- 50 tests covering path traversal, dangerous characters, and valid usernames
2025-11-29 17:25:02 -07:00
Andy Miller
a161399c84 Fix DoS via cron expressions and password hash exposure
Security fixes for:
- GHSA-x62q-p736-3997: DoS via invalid cron expression in scheduler
- GHSA-gq3g-666w-7h85: Password hash exposure to frontend

Changes:

Scheduler/Job.php:
- Added try-catch around CronExpression::factory() to prevent DoS
- Added isValidCronExpression() static validation method
- Returns null instead of throwing on invalid expressions

Scheduler/IntervalTrait.php:
- Added try-catch in at() method for graceful handling

Twig/Extension/GravExtension.php:
- Protected cronFunc() from invalid expressions

Console/Cli/SchedulerCommand.php:
- Handle null cron expressions (shows "Invalid cron" error)

Flex/Types/Users/UserObject.php:
- Override jsonSerialize() to filter out hashed_password, secret, twofa_secret
- Prevents sensitive data from being exposed to frontend/HTML

User/DataUser/User.php:
- Same jsonSerialize() override for DataUser implementation

Added unit tests:
- tests/unit/Grav/Common/Security/AdminSecurityTest.php
- 53 tests covering cron validation and password hash protection
2025-11-29 17:24:41 -07:00
Andy Miller
5f120c328b Fix file read, DoS, and path traversal vulnerabilities
Security fixes for:
- GHSA-p4ww-mcp9-j6f2: Arbitrary file read via read_file() Twig function
- GHSA-m8vh-v6r6-w7p6: DoS via malformed language code in regex
- GHSA-j422-qmxp-hv94: Path traversal in backup root configuration

Changes:

GravExtension.php - readFileFunc():
- Added realpath validation to prevent path traversal
- Blocked reading files outside GRAV_ROOT
- Blocked sensitive files: accounts/*.yaml, .env, .git, logs, backups, vendor

Language.php:
- Fixed regex delimiter in setActiveFromUri() to properly escape language codes
- Added validation in setLanguages() to only allow valid language codes
- Pattern: /^[a-zA-Z]{2,3}(?:[-_][a-zA-Z0-9]{2,8})?$/

Backups.php:
- Added path traversal protection with realpath validation
- Blocked access to system directories: /etc, /root, /home, /var, etc.

Added unit tests:
- tests/unit/Grav/Common/Security/FilePathSecurityTest.php
- 55 tests covering language code validation and regex injection prevention
2025-11-29 17:24:22 -07:00
Andy Miller
db924c4a26 Expand SSTI sandbox blacklist to block known attack vectors
Security fixes for:
- GHSA-662m-56v4-3r8f: SSTI sandbox bypass via nested evaluate_twig
- GHSA-858q-77wx-hhx6: Privilege escalation via grav.user/scheduler
- GHSA-8535-hvm8-2hmv: Context leak via Forms _context access
- GHSA-gjc5-8cfh-653x: Sandbox bypass via grav.config.set
- GHSA-52hh-vxfw-p6rg: CVE-2024-28116 bypass via string concatenation

Changes to cleanDangerousTwig():
- Added 150+ dangerous PHP functions to blacklist
- Blocked access to grav.scheduler, grav.twig.twig, grav.backups, grav.gpm
- Blocked config modification via config.set()
- Blocked user modification via grav.user.update()/save()
- Blocked context/internal access via _context, _self, twig_vars
- Blocked evaluate_twig/evaluate to prevent nested bypass
- Added string concatenation pattern detection for bypass attempts
- Blocked SSRF vectors (curl, fsockopen, stream_socket)
- Blocked file operations, serialization, reflection classes

Performance optimizations:
- Early exit if string has no Twig blocks ({{ or {%})
- Static caching of compiled regex patterns (built once, reused)
- Combined all patterns into 4 single regex operations instead of ~190 loops
- Consolidated property patterns using regex alternation groups

Added unit tests:
- tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php
- 104 tests covering all GHSA advisories and dangerous patterns
2025-11-29 17:24:06 -07:00
Andy Miller
9fc1b42d59 prepare beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
1.8.0-beta.26
2025-11-29 11:02:20 -07:00
Andy Miller
c8878dfc80 upgrade to symfony 7.4 stable
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-29 10:58:03 -07:00
Andy Miller
779661ab8a more improvements for JS minification and now pulls any broken JS out of pipeline
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-27 20:56:07 +00:00
Andy Miller
3985638a8f more debug in the Pipeline.php to identify issues
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-27 19:19:02 +00:00
Andy Miller
a78789b291 upgrade composer libs
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-24 21:05:46 +00:00
Andy Miller
caa127cd53 disallow xref/xhref in SVGs
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-24 21:04:44 +00:00
Andy Miller
5f087d3a43 fix range requests for partial content in Utils::downloads() - Fixes #3990
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-23 17:55:28 +00:00
Andy Miller
1bc6e5e13a prepare for beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
1.8.0-beta.25
2025-11-22 11:17:37 +00:00
Andy Miller
f339bb83c5 update composer
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-22 11:16:08 +00:00
Andy Miller
27789991ae prepare for beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
1.8.0-beta.24
2025-11-21 12:45:03 +00:00
Andy Miller
114aebae7c more robust deferred logic + deprecated fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-21 12:25:58 +00:00
Andy Miller
370dfd6016 updated vendor libs
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-21 11:37:28 +00:00
Andy Miller
1d05e6bdc4 pages rebuild optimization
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-21 11:16:34 +00:00
Andy Miller
3acff8a9f8 update changelog
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-20 11:18:20 +00:00
Andy Miller
ea59bdb1d4 Fix double execution of preflight checks during self-upgrade
2025-11-20 11:16:07 +00:00
Andy Miller
02330b96d9 Optimize preflight Monolog checks by skipping vendor directories
2025-11-20 11:12:03 +00:00
Andy Miller
2b1d73fd26 fix for slow tests
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-20 10:54:24 +00:00
Andy Miller
4e11ca7c8e Fix slow SafeUpgradeServiceTest by optimizing snapshot pruning
2025-11-20 10:51:45 +00:00
Andy Miller
591e2e4563 revert missing line
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-19 22:26:59 +00:00
Andy Miller
2161ffeb5e gated the debugger addEvent call
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-18 21:55:55 +00:00
Andy Miller
b856978211 reuse regex for better optimization
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-18 21:50:35 +00:00
Andy Miller
19ee2d883e lazy load page optimization
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-18 21:24:50 +00:00
Andy Miller
93089241c3 Ensure file permissions are preserved during safe-upgrade copy operations
2025-11-18 18:28:46 +00:00
Andy Miller
3b1c332932 Fix safe-upgrade snapshot creation (copy vs move) and implement pruning
2025-11-18 18:21:34 +00:00
Andy Miller
7fd614f8b6 Add Twig 3 compatibility transformations for raw, divisibleby, and none
2025-11-18 17:46:20 +00:00
Andy Miller
5567a5a1cd twig3 compatibility fixes + tests
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-18 17:25:07 +00:00
Andy Miller
334e1dcabc prepare for beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
1.8.0-beta.23
2025-11-14 14:42:09 +00:00
Andy Miller
cbf5ec57c6 test fixes + major/minor plugin warnings
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-14 11:33:24 +00:00
Andy Miller
9f33e247cf added configurable snapshot pruning amount
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-14 11:33:07 +00:00
Andy Miller
8c7e970603 some installer fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-14 11:33:04 +00:00
Andy Miller
360b418c97 checkout correct version
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-14 11:33:01 +00:00
Andy Miller
af0db0c2a1 preflight integration for cli
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-14 11:32:58 +00:00
Andy Miller
4c74192191 ui things
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-14 11:32:56 +00:00
Andy Miller
ee5fccd2c8 added back snapshots in Install.php
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-14 11:32:52 +00:00
Andy Miller
5bc89bf32b simplified safe-upgrade
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-14 11:32:49 +00:00