Andy Miller
c191b0b47e
improved yaml linter to be more use built-in grav for more detail
Signed-off-by: Andy Miller <rhuk@mac.com>
2026-02-05 12:16:42 -07:00
Andy Miller
b85e87ae3f
Added -v for YamlLinter
Signed-off-by: Andy Miller <rhuk@mac.com>
2026-02-04 12:33:32 -07:00
Andy Miller
607ef2797c
cache-cleanup command
Signed-off-by: Andy Miller <rhuk@mac.com>
2026-01-30 09:48:38 -07:00
Andy Miller
07de0cb4e6
prepare for beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-27 19:52:39 -07:00
Andy Miller
007b168ad9
don’t do internal gzip, rely on webserver
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-25 21:41:20 -07:00
Andy Miller
952830b529
fix gzip encoding issue with newer PHP 8 versions
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-25 21:17:22 -07:00
Andy Miller
853ccb6464
fix for broken symlinks
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-25 16:32:20 -07:00
Andy Miller
0e4f37eca7
fix of setEscaper move in Twig 3.9+
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-22 21:43:10 -07:00
Andy Miller
6b54b32140
fix for user editing causing hashed_password to be removed
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-17 14:36:53 -07:00
Andy Miller
368982cb46
fix for nested config changes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-17 12:06:59 -07:00
Andy Miller
b086561160
fix for unusual format SVGs
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-15 15:08:15 -07:00
Andy Miller
15cb068f95
fix for grav not picking up config + page changes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-12 16:29:43 -07:00
Andy Miller
d34213232b
avoid mail in twig content trigger security error
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-12 16:20:35 -07:00
Andy Miller
7a6b8a90d4
prepare for beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-08 20:46:53 -07:00
Andy Miller
306f33f4ae
fixes for twig3 loader + improve recovery mode
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-08 18:07:32 -07:00
Andy Miller
6cb8229806
fix for missing file
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-08 10:58:46 -07:00
Andy Miller
80410dae13
opcache fix in CompiledFile
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-05 20:59:46 -07:00
Andy Miller
fae70e5fc9
fixes #4002 - Backups blocking /var/www
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-03 19:30:32 -07:00
Andy Miller
9d9247a32f
fix false positives in Security with on_events
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-03 14:17:17 -07:00
Andy Miller
94d85cd873
add support for environment in grav scheduler
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-03 10:41:29 -07:00
Andy Miller
63bbc1cac6
flex-objects caching fix
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-30 16:06:31 -07:00
Andy Miller
528032b11a
update changelog
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-29 21:18:57 -07:00
Andy Miller
a4c3a3af6d
Add isindex to XSS dangerous tags (CVE-2023-31506 / GHSA-h85h-xm8x-vfw7)
The original CVE-2023-31506 fix missed the deprecated <isindex> HTML tag,
which can still be used for XSS via event handlers like onmouseover.
The <isindex> tag is deprecated in HTML5 and has no legitimate modern use.
2025-11-29 21:07:23 -07:00
Andy Miller
0c38968c58
Fix email disclosure in user edit page title (GHSA-4cwq-j7jv-qmwg)
Security fix for IDOR-style information disclosure where the admin
email address was leaked in the <title> tag even on 403 Forbidden
responses.
The edit view title template previously included the email:
{{ fullname ?? username }} <{{ email }}>
Now shows only the name/username without email:
{{ fullname ?? username }}
This prevents low-privilege users from enumerating admin email
addresses by accessing /admin/accounts/users/{username} URLs.
2025-11-29 18:27:08 -07:00
Andy Miller
9d11094e41
Merge branch 'fix/GHSA-x62q-p736-3997-GHSA-gq3g-666w-7h85-admin-security' into 1.8
2025-11-29 17:52:03 -07:00
Andy Miller
ed640a1314
Merge branch 'fix/GHSA-p4ww-mcp9-j6f2-GHSA-m8vh-v6r6-w7p6-GHSA-j422-qmxp-hv94-file-path-security' into 1.8
2025-11-29 17:45:33 -07:00
Andy Miller
e37259527d
Merge branch 'fix/GHSA-662m-56v4-3r8f-GHSA-858q-77wx-hhx6-GHSA-8535-hvm8-2hmv-GHSA-gjc5-8cfh-653x-GHSA-52hh-vxfw-p6rg-ssti-sandbox' into 1.8
2025-11-29 17:30:39 -07:00
Andy Miller
19c2f8da76
Fix path traversal and uniqueness vulnerabilities in username validation
Security fixes for:
- GHSA-h756-wh59-hhjv: Path traversal via username during account creation
- GHSA-cjcp-qxvg-4rjm: Username uniqueness bypass
Changes:
Framework/Flex/Storage/AbstractFilesystemStorage.php:
- Added validateKey() to check for path traversal attempts
- Blocks: .., /, \, null bytes, control characters
- Added assertValidKey() public method for external validation
Framework/Flex/Storage/FolderStorage.php:
- Key validation now enforced in createRows()
User/DataUser/User.php:
- Added isValidUsername() static method for reusable validation
- Added uniqueness check in save() - blocks if user already exists
- Validation blocks: path traversal, hidden files, dangerous characters
Flex/Types/Users/UserObject.php:
- Validation now blocks hidden files (starting with .)
Added unit tests:
- tests/unit/Grav/Common/Security/UsernameValidationTest.php
- 50 tests covering path traversal, dangerous characters, and valid usernames
2025-11-29 17:25:02 -07:00
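The commit above lists the properties a safe Flex storage key or username must have but not the check itself. The following is an added example written for this page, not Grav's own validateKey()/isValidUsername() code: a validator that refuses ".." segments, path separators, NUL bytes, control characters and hidden-file names, followed by the uniqueness check that blocks saving over an existing account. The names isSafeStorageKey(), assertUniqueUsername() and the constructed $probes list are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Grav's own code: a storage-key/username validator in the
// spirit of the validateKey()/isValidUsername() checks the commit describes.
// Names isSafeStorageKey(), assertUniqueUsername() and $probes are assumptions.

/**
 * Reject keys that could escape the storage folder or name a hidden file.
 * The key ends up inside a path such as user/accounts/<key>.yaml, so it must
 * not contain "..", path separators, NUL bytes or control characters.
 */
function isSafeStorageKey(string $key): bool
{
    if ($key === '' || strlen($key) > 128) {
        return false;
    }
    // Hidden files (".htaccess", ".git") and any ".." segment are refused.
    if ($key[0] === '.' || str_contains($key, '..')) {
        return false;
    }
    // Path separators would redirect the write to another directory.
    if (str_contains($key, '/') || str_contains($key, '\\')) {
        return false;
    }
    // NUL and other control characters (0x00-0x1F, 0x7F) truncate or confuse paths.
    if (preg_match('/[\x00-\x1F\x7F]/', $key) === 1) {
        return false;
    }
    // Defence in depth: an allowlist of letters, digits, dot, underscore, hyphen.
    return preg_match('/^[a-z0-9][a-z0-9._-]*$/i', $key) === 1;
}

/**
 * Refuse to save when a user with that name already exists. The comparison is
 * case-insensitive because a case-insensitive filesystem would map "Admin" and
 * "admin" to the same account file.
 */
function assertUniqueUsername(string $username, array $existingUsers): void
{
    foreach ($existingUsers as $existing) {
        if (strcasecmp($existing, $username) === 0) {
            throw new RuntimeException("User '{$username}' already exists");
        }
    }
}

// Constructed probes (not taken from the advisories): attacker-style usernames.
$probes = [
    'alice', 'alice.smith', 'bob_2', 'admin-backup',
    '..', '../../config/system', 'admin/../../etc/passwd', 'a\\b',
    '.htaccess', "admin\0.yaml", "alice\x1b[0m", '',
];
foreach ($probes as $probe) {
    printf("%-34s %s\n", json_encode($probe), isSafeStorageKey($probe) ? 'accepted' : 'rejected');
}

$existing = ['admin', 'alice'];
assertUniqueUsername('carol', $existing);     // no collision, returns silently
try {
    assertUniqueUsername('Admin', $existing); // collides with "admin"
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The allowlist in the last line would already reject every probe the earlier checks catch; the explicit checks are kept so that each rejection reason is visible in review and so that a later loosening of the allowlist does not silently reopen path traversal.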
Andy Miller
a161399c84
Fix DoS via cron expressions and password hash exposure
Security fixes for:
- GHSA-x62q-p736-3997: DoS via invalid cron expression in scheduler
- GHSA-gq3g-666w-7h85: Password hash exposure to frontend
Changes:
Scheduler/Job.php:
- Added try-catch around CronExpression::factory() to prevent DoS
- Added isValidCronExpression() static validation method
- Returns null instead of throwing on invalid expressions
Scheduler/IntervalTrait.php:
- Added try-catch in at() method for graceful handling
Twig/Extension/GravExtension.php:
- Protected cronFunc() from invalid expressions
Console/Cli/SchedulerCommand.php:
- Handle null cron expressions (shows "Invalid cron" error)
Flex/Types/Users/UserObject.php:
- Override jsonSerialize() to filter out hashed_password, secret, twofa_secret
- Prevents sensitive data from being exposed to frontend/HTML
User/DataUser/User.php:
- Same jsonSerialize() override for DataUser implementation
Added unit tests:
- tests/unit/Grav/Common/Security/AdminSecurityTest.php
- 53 tests covering cron validation and password hash protection
2025-11-29 17:24:41 -07:00
Andy Miller
5f120c328b
Fix file read, DoS, and path traversal vulnerabilities
Security fixes for:
- GHSA-p4ww-mcp9-j6f2: Arbitrary file read via read_file() Twig function
- GHSA-m8vh-v6r6-w7p6: DoS via malformed language code in regex
- GHSA-j422-qmxp-hv94: Path traversal in backup root configuration
Changes:
GravExtension.php - readFileFunc():
- Added realpath validation to prevent path traversal
- Blocked reading files outside GRAV_ROOT
- Blocked sensitive files: accounts/*.yaml, .env, .git, logs, backups, vendor
Language.php:
- Fixed regex delimiter in setActiveFromUri() to properly escape language codes
- Added validation in setLanguages() to only allow valid language codes
- Pattern: /^[a-zA-Z]{2,3}(?:[-_][a-zA-Z0-9]{2,8})?$/
Backups.php:
- Added path traversal protection with realpath validation
- Blocked access to system directories: /etc, /root, /home, /var, etc.
Added unit tests:
- tests/unit/Grav/Common/Security/FilePathSecurityTest.php
- 55 tests covering language code validation and regex injection prevention
2025-11-29 17:24:22 -07:00
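The commit above describes realpath validation for read_file(), a denylist of sensitive locations, and language-code validation before the code is used inside a regex. The following is an added example written for this page and not Grav's own readFileFunc(), Language.php or Backups.php code: a containment check that anchors every request under a root directory and rejects anything that resolves outside it or into a denylisted sub-path, plus the commit's language-code pattern applied before codes are preg_quote()d into the URI regex. safeReadPath(), isValidLanguageCode(), buildLanguageUriRegex(), the SENSITIVE_PREFIXES list and the demo tree under $root are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Grav's own code. It shows two checks of the kind the
// commit describes: realpath()-based containment of a read inside a root
// directory with a denylist of sensitive sub-paths, and validation of
// language codes with the commit's pattern before they are interpolated
// into a regex. safeReadPath(), isValidLanguageCode(), buildLanguageUriRegex(),
// SENSITIVE_PREFIXES and the demo tree under $root are assumptions.

/** Sub-paths (relative to the root) that content must never be able to read. */
const SENSITIVE_PREFIXES = ['user/accounts', '.env', '.git', 'logs', 'backup', 'vendor'];

/**
 * Resolve $requested relative to $root and return the canonical file path only
 * if it is a regular file inside $root and outside every sensitive prefix.
 */
function safeReadPath(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // Anchor everything at the root: "/etc/passwd" becomes "<root>/etc/passwd".
    $candidate = $rootReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\');
    // realpath() collapses ".." and follows symlinks; false if the target is missing.
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Prefix match including the separator, so "<root>-old/x" is not accepted.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($real, $prefix)) {
        return null;
    }
    $relative = str_replace('\\', '/', substr($real, strlen($prefix)));
    foreach (SENSITIVE_PREFIXES as $deny) {
        if ($relative === $deny || str_starts_with($relative, $deny . '/')) {
            return null;
        }
    }
    return $real;
}

/** The pattern quoted in the commit message. */
const LANGUAGE_CODE_PATTERN = '/^[a-zA-Z]{2,3}(?:[-_][a-zA-Z0-9]{2,8})?$/';

function isValidLanguageCode(string $code): bool
{
    return preg_match(LANGUAGE_CODE_PATTERN, $code) === 1;
}

/**
 * Build the URI-prefix regex from the configured languages. Every code is
 * validated and preg_quote()d with the same delimiter, so a code containing
 * "/", "(" or "|" can neither change the expression nor make preg_match()
 * fail on a malformed pattern.
 */
function buildLanguageUriRegex(array $languages): string
{
    $quoted = [];
    foreach ($languages as $code) {
        if (!isValidLanguageCode($code)) {
            throw new InvalidArgumentException('Invalid language code: ' . json_encode($code));
        }
        $quoted[] = preg_quote($code, '#');
    }
    return '#^/(' . implode('|', $quoted) . ')(?:/|$)#i';
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . '/grav-readfile-demo-' . bin2hex(random_bytes(4));
mkdir("$root/user/pages", 0700, true);
mkdir("$root/user/accounts", 0700, true);
file_put_contents("$root/user/pages/about.md", "# About\n");
file_put_contents("$root/user/accounts/admin.yaml", "hashed_password: not-a-real-hash\n");

$requests = [
    'user/pages/about.md',        // legitimate content file
    'user/accounts/admin.yaml',   // inside root but denylisted
    '../../../../etc/passwd',     // ".." escapes the root
    '/etc/passwd',                // absolute path is re-anchored under root
    'user/pages',                 // a directory, not a file
];
foreach ($requests as $req) {
    printf("%-30s %s\n", $req, safeReadPath($root, $req) ?? 'refused');
}

foreach (['en', 'pt-BR', 'zh_Hans', 'en)(', 'e', 'english-language'] as $code) {
    printf("%-18s %s\n", json_encode($code), isValidLanguageCode($code) ? 'valid' : 'invalid');
}
echo buildLanguageUriRegex(['en', 'pt-BR', 'zh_Hans']), PHP_EOL;

// Clean up the demo tree.
unlink("$root/user/pages/about.md");
unlink("$root/user/accounts/admin.yaml");
rmdir("$root/user/pages");
rmdir("$root/user/accounts");
rmdir("$root/user");
rmdir($root);
```

Two points worth keeping when adapting this: compare against the resolved root with a trailing separator (a bare prefix test would accept a sibling directory whose name merely starts with the root's name), and resolve the candidate with realpath() before the denylist test, otherwise "user/pages/../accounts/admin.yaml" slips past a string comparison on the unresolved path.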
Andy Miller
db924c4a26
Expand SSTI sandbox blacklist to block known attack vectors
Security fixes for:
- GHSA-662m-56v4-3r8f: SSTI sandbox bypass via nested evaluate_twig
- GHSA-858q-77wx-hhx6: Privilege escalation via grav.user/scheduler
- GHSA-8535-hvm8-2hmv: Context leak via Forms _context access
- GHSA-gjc5-8cfh-653x: Sandbox bypass via grav.config.set
- GHSA-52hh-vxfw-p6rg: CVE-2024-28116 bypass via string concatenation
Changes to cleanDangerousTwig():
- Added 150+ dangerous PHP functions to blacklist
- Blocked access to grav.scheduler, grav.twig.twig, grav.backups, grav.gpm
- Blocked config modification via config.set()
- Blocked user modification via grav.user.update()/save()
- Blocked context/internal access via _context, _self, twig_vars
- Blocked evaluate_twig/evaluate to prevent nested bypass
- Added string concatenation pattern detection for bypass attempts
- Blocked SSRF vectors (curl, fsockopen, stream_socket)
- Blocked file operations, serialization, reflection classes
Performance optimizations:
- Early exit if string has no Twig blocks ({{ or {%})
- Static caching of compiled regex patterns (built once, reused)
- Combined all patterns into 4 single regex operations instead of ~190 loops
- Consolidated property patterns using regex alternation groups
Added unit tests:
- tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php
- 104 tests covering all GHSA advisories and dangerous patterns
2025-11-29 17:24:06 -07:00
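The commit above describes the shape of the hardened cleanDangerousTwig(): an early exit when the content carries no Twig delimiters, patterns compiled once and cached in a static, the property and function names combined into a few alternation regexes, and a separate check for string-concatenation tricks that reassemble a blocked name. The following is an added example written for this page, not Grav's cleanDangerousTwig() and with only a handful of the 150+ entries the commit mentions, showing that structure as a scanner that reports which fragments of a content string would be refused. TwigContentScanner, its two short denylists and the constructed $samples are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Grav's own cleanDangerousTwig(): a deliberately small
// denylist that illustrates the structure the commit describes (early exit,
// static-cached combined regexes, concatenation detection). The class name,
// its lists and the $samples below are assumptions made for this example.

final class TwigContentScanner
{
    /** Object paths that user content must not reach (regex fragments). */
    private const BLOCKED_PROPERTIES = [
        'grav\.scheduler', 'grav\.twig\.twig', 'grav\.backups', 'grav\.gpm',
        'config\.set', 'grav\.user\.(?:update|save)', '_context', '_self', 'twig_vars',
    ];

    /** Callables that must not appear followed by an opening parenthesis. */
    private const BLOCKED_FUNCTIONS = [
        'evaluate_twig', 'evaluate', 'system', 'exec', 'shell_exec', 'passthru',
        'file_get_contents', 'file_put_contents', 'unserialize', 'curl_init',
        'fsockopen', 'stream_socket_client',
    ];

    /**
     * Return the distinct dangerous fragments found in $content; an empty
     * array means the content may be handed to Twig. The caller decides
     * whether to strip the fragments or refuse the whole string.
     */
    public static function scan(string $content): array
    {
        // Early exit: without "{{" or "{%" nothing is evaluated by Twig.
        if (!str_contains($content, '{{') && !str_contains($content, '{%')) {
            return [];
        }
        $hits = [];
        foreach (self::compiled() as $re) {
            if (preg_match_all($re, $content, $m) > 0) {
                $hits = array_merge($hits, $m[0]);
            }
        }
        return array_values(array_unique($hits));
    }

    /** Build the three regexes once per process instead of once per call. */
    private static function compiled(): array
    {
        static $cache = null;
        if ($cache === null) {
            $props = '/\b(?:' . implode('|', self::BLOCKED_PROPERTIES) . ')\b/i';
            $funcs = '/\b(?:' . implode('|', self::BLOCKED_FUNCTIONS) . ')\s*\(/i';
            // Catches "'sys' ~ 'tem'" style assembly of a name from quoted pieces.
            $concat = '/(["\'])[a-z_]{1,32}\1\s*~\s*(["\'])[a-z_]{1,32}\2/i';
            $cache = [$props, $funcs, $concat];
        }
        return $cache;
    }
}

// Constructed samples modelled on the vectors named in the commit message.
$samples = [
    'Plain markdown with {braces} but no Twig.',
    '{{ page.title }}',
    "{{ grav.config.set('system.debugger.enabled', true) }}",
    '{{ grav.scheduler.run() }}',
    '{{ evaluate_twig(page.header.payload) }}',
    "{{ attribute(_context, 'sys' ~ 'tem') }}",
];
foreach ($samples as $sample) {
    $hits = TwigContentScanner::scan($sample);
    printf("%-58s %s\n", $sample, $hits ? 'BLOCK: ' . implode(', ', $hits) : 'clean');
}
```

A denylist of this kind is only as good as its last entry, which is why the commit pairs it with a large test suite; when extending the lists, add the new vector to the samples first and confirm the combined regex still rejects it with the word-boundary anchors in place, since dropping `\b` makes `config.set` match inside unrelated identifiers and adding it too eagerly lets `grav.user.save` hide behind a suffix.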
Andy Miller
9fc1b42d59
prepare beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-29 11:02:20 -07:00
Andy Miller
779661ab8a
more improvements for JS minification and now pulls any broken JS out of pipeline
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-27 20:56:07 +00:00
Andy Miller
3985638a8f
more debug in the Pipeline.php to identify issues
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-27 19:19:02 +00:00
Andy Miller
caa127cd53
disallow xref/xhref in SVGs
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-24 21:04:44 +00:00
Andy Miller
5f087d3a43
fix range requests for partial content in Utils::downloads() - Fixes #3990
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-23 17:55:28 +00:00
Andy Miller
1bc6e5e13a
prepare for beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-22 11:17:37 +00:00
Andy Miller
27789991ae
prepare for beta release
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-21 12:45:03 +00:00
Andy Miller
114aebae7c
more robust deferred logic + deprecated fixes
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-21 12:25:58 +00:00
Andy Miller
1d05e6bdc4
pages rebuild optimization
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-21 11:16:34 +00:00
Andy Miller
ea59bdb1d4
Fix double execution of preflight checks during self-upgrade
2025-11-20 11:16:07 +00:00
Andy Miller
02330b96d9
Optimize preflight Monolog checks by skipping vendor directories
2025-11-20 11:12:03 +00:00
Andy Miller
4e11ca7c8e
Fix slow SafeUpgradeServiceTest by optimizing snapshot pruning
2025-11-20 10:51:45 +00:00
Andy Miller
591e2e4563
revert missing line
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-19 22:26:59 +00:00
Andy Miller
2161ffeb5e
gated the debugger addEvent call
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-18 21:55:55 +00:00
Andy Miller
b856978211
reuse regex for better optimization
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-18 21:50:35 +00:00
Andy Miller
19ee2d883e
lazy load page optimization
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-11-18 21:24:50 +00:00
Andy Miller
93089241c3
Ensure file permissions are preserved during safe-upgrade copy operations
2025-11-18 18:28:46 +00:00
Andy Miller
3b1c332932
Fix safe-upgrade snapshot creation (copy vs move) and implement pruning
2025-11-18 18:21:34 +00:00
Andy Miller
7fd614f8b6
Add Twig 3 compatibility transformations for raw, divisibleby, and none
2025-11-18 17:46:20 +00:00