* Remove deprecated "getNonceOldStyle" function

This commit removes the following functions:
- getNonceOldStyle
- generateNonceStringOldStyle

The functions have been replaced in newer versions of grav. It seems to me that they only existed in order to make an upgrade to a newer version of grav painless (i.e. accept both types of nonce tokens). Nowadays, existing old style nonces expired a long time ago so it should be safe to delete the deprecated functions.

* Fix caching of nonces in static class variable

Currently, the behavior of `getNonce` is broken because it saves the generated nonce in an array and only uses the $action as the key. However, the generated nonce does not only depend on the $action, but also on $plusOneTick.

* Fix broken "plusOneTick" for nonces

It looks to me that there is a bug in the current implementation of verifyNonce. Here is an example:
- 2018-08-01 10:00: We respond to a request and generate a nonce. The current tick is at 35489
- 2018-08-01 10:05: We use the previously generated nonce to make another request. We compare the given nonce with a newly generated one (based on the same tick). The result is exactly the same and the request succeeds.
- 2018-08-01 14:00: We're now one tick ahead. Remember: A day (24 hours) is separated into two ticks (each 12 hours). A request comes in, we compare the given nonce with a newly generated one based on the current tick (now at 35490). They don't match (which is totally okay). If the comparison fails, we then compare the given nonce with another, newly generated one. This time, we pass "plusOneTick" to the function, which increases the current tick by one. Our tick is now at 35491. We generate a nonce based on that tick and of course, it still does not match the given nonce.

Instead of increasing the tick, we should rather decrease it by one (i.e. use the previous tick). If the first comparison fails, we use the current tick (35490), decrease it by one (35489) and then compare it again. 35489 is the same tick as in the very first request. This bug leads to a maximum lifetime of 12 hours for a nonce and in the worst case only a few seconds (!)

I would like to prove the bug with a unit test but I'm too inexperienced in PHP. Furthermore it seems that we need some kind of library which is able to mock builtin functions (like "time"). Maybe <https://github.com/Codeception/AspectMock> would be a good candidate?
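The tick-based nonce scheme the commit messages describe, modelled as an added Python example (this is not Grav's PHP code; the HMAC-SHA256 construction, the secret, the `login-form` action name and the `FakeClock` helper are assumptions made here). It shows the cache keyed on `(action, tick)` rather than on the action alone, the broken second-chance lookup at `tick + 1` beside the fixed lookup at `tick - 1`, and the "only a few seconds" worst case for a nonce issued just before a tick boundary. Instead of a mocking library for `time()`, the clock is injected, which is enough to reproduce the timeline without patching builtins:

```python
import hashlib
import hmac
import time

# A day is split into two ticks of 12 hours (as stated in the commit message).
TICK_SECONDS = 12 * 60 * 60


class FakeClock:
    """Constructed stand-in for time.time(): a test moves the clock by hand."""

    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


class NonceService:
    """Model of tick-based nonces (assumed construction, not Grav's code)."""

    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock        # injected so no builtin has to be mocked
        self._cache = {}           # keyed on (action, tick), not on action alone

    def current_tick(self) -> int:
        return int(self._clock()) // TICK_SECONDS

    def _nonce_for_tick(self, action: str, tick: int) -> str:
        # Caching on the action only would hand back the first tick's nonce
        # for every later tick; the key must include everything the nonce
        # depends on.
        key = (action, tick)
        if key not in self._cache:
            msg = f"{action}|{tick}".encode()
            self._cache[key] = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return self._cache[key]

    def get_nonce(self, action: str) -> str:
        return self._nonce_for_tick(action, self.current_tick())

    def verify_nonce(self, nonce: str, action: str, *, buggy_plus_one: bool = False) -> bool:
        tick = self.current_tick()
        if hmac.compare_digest(nonce, self._nonce_for_tick(action, tick)):
            return True
        # Second chance for a nonce issued shortly before the tick rolled over.
        # The bug: checking tick + 1, a tick no client can have been given yet.
        # The fix: checking tick - 1, the tick the nonce was actually issued in.
        neighbour = tick + 1 if buggy_plus_one else tick - 1
        return hmac.compare_digest(nonce, self._nonce_for_tick(action, neighbour))


def walkthrough() -> dict:
    """Replays the commit message's timeline on a constructed clock."""
    # Tick 35489 covers 00:00-12:00 on this clock, tick 35490 starts at 12:00.
    t0 = 35489 * TICK_SECONDS
    clock = FakeClock(t0 + 10 * 3600)                    # 10:00, tick 35489
    svc = NonceService(b"constructed-secret", clock)
    nonce = svc.get_nonce("login-form")
    results = {"issued_in_tick": svc.current_tick()}

    clock.now = t0 + 10 * 3600 + 5 * 60                  # 10:05, same tick
    results["reuse_same_tick"] = svc.verify_nonce(nonce, "login-form")

    clock.now = t0 + 14 * 3600                           # 14:00, tick 35490
    results["next_tick_buggy"] = svc.verify_nonce(nonce, "login-form", buggy_plus_one=True)
    results["next_tick_fixed"] = svc.verify_nonce(nonce, "login-form")

    # Worst case: a nonce issued five seconds before the boundary is checked
    # five seconds after it.
    clock.now = t0 + 12 * 3600 - 5
    late = svc.get_nonce("login-form")
    clock.now = t0 + 12 * 3600 + 5
    results["worst_case_buggy"] = svc.verify_nonce(late, "login-form", buggy_plus_one=True)
    results["worst_case_fixed"] = svc.verify_nonce(late, "login-form")

    # A nonce is bound to its action as well as its tick.
    results["wrong_action"] = svc.verify_nonce(nonce, "delete-form")
    results["cached_ticks"] = sorted({t for (a, t) in svc._cache if a == "login-form"})
    return results


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Running the block prints one line per step; the buggy lookup rejects the nonce at 14:00 and in the five-second worst case, while the previous-tick lookup accepts both, which is the lifetime of up to two ticks the fix restores.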
Grav
Grav is a fast, simple, and flexible file-based web platform. There is zero installation required: just extract the ZIP archive, and you are already up and running. It follows similar principles to other flat-file CMS platforms, but has a different design philosophy than most. Grav comes with a powerful Package Management System to allow for simple installation and upgrading of plugins and themes, as well as simple updating of Grav itself.
The underlying architecture of Grav is designed to use well-established and best-in-class technologies to ensure that Grav is simple to use and easy to extend. Some of these key technologies include:
- Twig Templating: for powerful control of the user interface
- Markdown: for easy content creation
- YAML: for simple configuration
- Parsedown: for fast Markdown and Markdown Extra support
- Doctrine Cache: layer for performance
- Pimple Dependency Injection Container: for extensibility and maintainability
- Symfony Event Dispatcher: for plugin event handling
- Symfony Console: for CLI interface
- Gregwar Image Library: for dynamic image manipulation
Requirements
- PHP 5.5.9 or higher. Check the required modules list
- Check the Apache or IIS requirements
QuickStart
These are the options to get Grav:
Downloading a Grav Package
You can download a ready-built package from the Downloads page on https://getgrav.org
With Composer
You can create a new project with the latest stable Grav release with the following command:
$ composer create-project getgrav/grav ~/webroot/grav
From GitHub
- Clone the Grav repository from https://github.com/getgrav/grav to a folder in the webroot of your server, e.g. ~/webroot/grav. Launch a terminal or console and navigate to the webroot folder:
  $ cd ~/webroot
  $ git clone https://github.com/getgrav/grav.git
- Install the plugin and theme dependencies by using the Grav CLI application bin/grav:
  $ cd ~/webroot/grav
  $ bin/grav install
Check out the install procedures for more information.
Adding Functionality
You can download plugins or themes manually from the appropriate tab on the Downloads page on https://getgrav.org, but the preferred solution is to use the Grav Package Manager or GPM:
$ bin/gpm index
This will display all the available plugins and then you can install one or more with:
$ bin/gpm install <plugin/theme>
Updating
To update Grav you should use the Grav Package Manager or GPM:
$ bin/gpm selfupgrade
To update plugins and themes:
$ bin/gpm update
Contributing
We appreciate any contribution to Grav, whether it is related to bugs, grammar, or simply a suggestion or improvement! Please refer to the Contributing guide for more guidance on this topic.
Security issues
If you discover a possible security issue related to Grav or one of its plugins, please email the core team at contact@getgrav.org and we'll address it as soon as possible.
Getting Started
- What is Grav?
- Install Grav in few seconds
- Understand the Configuration
- Take a peek at our available free Skeletons
- If you have questions, jump on our Slack Room!
- Have fun!
Exploring More
- Have a look at our Basic Tutorial
- Dive into more advanced functions
- Learn about the Grav CLI
- Review examples in the Grav Cookbook
Backers
Support Grav with a monthly donation to help us continue development. [Become a backer]
Sponsors
Become a sponsor and get your logo on our README on Github with a link to your site. [Become a sponsor]
License
See LICENSE
Running Tests
First install the dev dependencies by running composer update from the Grav root.
Then composer test will run the Unit Tests, which should always pass on any site.
Windows users should use the composer test-windows command.
You can also run a single unit test file, e.g. composer test tests/unit/Grav/Common/AssetsTest.php
