Merge branch 'release/1.5.3'

This commit is contained in:
Andy Miller
2018-10-08 17:41:28 -06:00
6 changed files with 146 additions and 45 deletions


@@ -1,3 +1,12 @@
# v1.5.3
## 10/08/2018
1. [](#new)
* Added `Utils::getMimeByFilename()`, `Utils::getMimeByLocalFile()` and `Utils::checkFilename()` methods
* Added configurable dangerous upload extensions in `security.yaml`
1. [](#improved)
* Updated vendor libraries to latest
# v1.5.2
## 10/01/2018

84
composer.lock generated

@@ -1311,16 +1311,16 @@
},
{
"name": "symfony/console",
"version": "v3.4.16",
"version": "v3.4.17",
"source": {
"type": "git",
"url": "https://github.com/symfony/console.git",
"reference": "1cbaac35024c9dfc9612b7e2310e82677bf85709"
"reference": "3b2b415d4c48fbefca7dc742aa0a0171bfae4e0b"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/console/zipball/1cbaac35024c9dfc9612b7e2310e82677bf85709",
"reference": "1cbaac35024c9dfc9612b7e2310e82677bf85709",
"url": "https://api.github.com/repos/symfony/console/zipball/3b2b415d4c48fbefca7dc742aa0a0171bfae4e0b",
"reference": "3b2b415d4c48fbefca7dc742aa0a0171bfae4e0b",
"shasum": ""
},
"require": {
@@ -1376,20 +1376,20 @@
],
"description": "Symfony Console Component",
"homepage": "https://symfony.com",
"time": "2018-09-30T03:37:36+00:00"
"time": "2018-10-02T16:33:53+00:00"
},
{
"name": "symfony/debug",
"version": "v3.4.16",
"version": "v3.4.17",
"source": {
"type": "git",
"url": "https://github.com/symfony/debug.git",
"reference": "b70cfaae39009ecde3164bb8cba4d029220d27b1"
"reference": "0a612e9dfbd2ccce03eb174365f31ecdca930ff6"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/debug/zipball/b70cfaae39009ecde3164bb8cba4d029220d27b1",
"reference": "b70cfaae39009ecde3164bb8cba4d029220d27b1",
"url": "https://api.github.com/repos/symfony/debug/zipball/0a612e9dfbd2ccce03eb174365f31ecdca930ff6",
"reference": "0a612e9dfbd2ccce03eb174365f31ecdca930ff6",
"shasum": ""
},
"require": {
@@ -1432,11 +1432,11 @@
],
"description": "Symfony Debug Component",
"homepage": "https://symfony.com",
"time": "2018-09-22T18:25:03+00:00"
"time": "2018-10-02T16:33:53+00:00"
},
{
"name": "symfony/event-dispatcher",
"version": "v3.4.16",
"version": "v3.4.17",
"source": {
"type": "git",
"url": "https://github.com/symfony/event-dispatcher.git",
@@ -1675,16 +1675,16 @@
},
{
"name": "symfony/var-dumper",
"version": "v3.4.16",
"version": "v3.4.17",
"source": {
"type": "git",
"url": "https://github.com/symfony/var-dumper.git",
"reference": "e57a24dc13accad1d5f90d232c5564910c5eb7b0"
"reference": "ff8ac19e97e5c7c3979236b584719a1190f84181"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/var-dumper/zipball/e57a24dc13accad1d5f90d232c5564910c5eb7b0",
"reference": "e57a24dc13accad1d5f90d232c5564910c5eb7b0",
"url": "https://api.github.com/repos/symfony/var-dumper/zipball/ff8ac19e97e5c7c3979236b584719a1190f84181",
"reference": "ff8ac19e97e5c7c3979236b584719a1190f84181",
"shasum": ""
},
"require": {
@@ -1740,20 +1740,20 @@
"debug",
"dump"
],
"time": "2018-09-18T08:05:59+00:00"
"time": "2018-10-02T16:33:53+00:00"
},
{
"name": "symfony/yaml",
"version": "v3.4.16",
"version": "v3.4.17",
"source": {
"type": "git",
"url": "https://github.com/symfony/yaml.git",
"reference": "61973ecda60e9f3561e929e19c07d4878b960fc1"
"reference": "640b6c27fed4066d64b64d5903a86043f4a4de7f"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/yaml/zipball/61973ecda60e9f3561e929e19c07d4878b960fc1",
"reference": "61973ecda60e9f3561e929e19c07d4878b960fc1",
"url": "https://api.github.com/repos/symfony/yaml/zipball/640b6c27fed4066d64b64d5903a86043f4a4de7f",
"reference": "640b6c27fed4066d64b64d5903a86043f4a4de7f",
"shasum": ""
},
"require": {
@@ -1799,7 +1799,7 @@
],
"description": "Symfony Yaml Component",
"homepage": "https://symfony.com",
"time": "2018-09-24T08:15:45+00:00"
"time": "2018-10-02T16:33:53+00:00"
},
{
"name": "twig/twig",
@@ -3335,7 +3335,7 @@
},
{
"name": "symfony/browser-kit",
"version": "v3.4.16",
"version": "v3.4.17",
"source": {
"type": "git",
"url": "https://github.com/symfony/browser-kit.git",
@@ -3392,16 +3392,16 @@
},
{
"name": "symfony/css-selector",
"version": "v3.4.16",
"version": "v3.4.17",
"source": {
"type": "git",
"url": "https://github.com/symfony/css-selector.git",
"reference": "b2d6f39145261c082537264b7624f49847915711"
"reference": "3503415d4aafabc31cd08c3a4ebac7f43fde8feb"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/css-selector/zipball/b2d6f39145261c082537264b7624f49847915711",
"reference": "b2d6f39145261c082537264b7624f49847915711",
"url": "https://api.github.com/repos/symfony/css-selector/zipball/3503415d4aafabc31cd08c3a4ebac7f43fde8feb",
"reference": "3503415d4aafabc31cd08c3a4ebac7f43fde8feb",
"shasum": ""
},
"require": {
@@ -3441,20 +3441,20 @@
],
"description": "Symfony CssSelector Component",
"homepage": "https://symfony.com",
"time": "2018-09-08T13:15:14+00:00"
"time": "2018-10-02T16:33:53+00:00"
},
{
"name": "symfony/dom-crawler",
"version": "v3.4.16",
"version": "v3.4.17",
"source": {
"type": "git",
"url": "https://github.com/symfony/dom-crawler.git",
"reference": "d844f826b15709e3e87a8cf9276899496edf12a5"
"reference": "c705bee03ade5b47c087807dd9ffaaec8dda2722"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/dom-crawler/zipball/d844f826b15709e3e87a8cf9276899496edf12a5",
"reference": "d844f826b15709e3e87a8cf9276899496edf12a5",
"url": "https://api.github.com/repos/symfony/dom-crawler/zipball/c705bee03ade5b47c087807dd9ffaaec8dda2722",
"reference": "c705bee03ade5b47c087807dd9ffaaec8dda2722",
"shasum": ""
},
"require": {
@@ -3498,20 +3498,20 @@
],
"description": "Symfony DomCrawler Component",
"homepage": "https://symfony.com",
"time": "2018-09-21T12:47:54+00:00"
"time": "2018-10-02T12:28:39+00:00"
},
{
"name": "symfony/finder",
"version": "v3.4.16",
"version": "v3.4.17",
"source": {
"type": "git",
"url": "https://github.com/symfony/finder.git",
"reference": "e8db87d755e14271e920e31ba834a4ae99483232"
"reference": "54ba444dddc5bd5708a34bd095ea67c6eb54644d"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/finder/zipball/e8db87d755e14271e920e31ba834a4ae99483232",
"reference": "e8db87d755e14271e920e31ba834a4ae99483232",
"url": "https://api.github.com/repos/symfony/finder/zipball/54ba444dddc5bd5708a34bd095ea67c6eb54644d",
"reference": "54ba444dddc5bd5708a34bd095ea67c6eb54644d",
"shasum": ""
},
"require": {
@@ -3547,20 +3547,20 @@
],
"description": "Symfony Finder Component",
"homepage": "https://symfony.com",
"time": "2018-09-21T12:47:54+00:00"
"time": "2018-10-03T08:46:40+00:00"
},
{
"name": "symfony/process",
"version": "v3.4.16",
"version": "v3.4.17",
"source": {
"type": "git",
"url": "https://github.com/symfony/process.git",
"reference": "8b87aca97f341d65dee430c60863f2442605c88b"
"reference": "1dc2977afa7d70f90f3fefbcd84152813558910e"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/process/zipball/8b87aca97f341d65dee430c60863f2442605c88b",
"reference": "8b87aca97f341d65dee430c60863f2442605c88b",
"url": "https://api.github.com/repos/symfony/process/zipball/1dc2977afa7d70f90f3fefbcd84152813558910e",
"reference": "1dc2977afa7d70f90f3fefbcd84152813558910e",
"shasum": ""
},
"require": {
@@ -3596,7 +3596,7 @@
],
"description": "Symfony Process Component",
"homepage": "https://symfony.com",
"time": "2018-09-08T13:15:14+00:00"
"time": "2018-10-02T12:28:39+00:00"
},
{
"name": "victorjonsson/markdowndocs",


@@ -4,7 +4,7 @@ form:
validation: loose
fields:
security_section:
xss_section:
type: section
title: PLUGIN_ADMIN.XSS_SECURITY
underline: true
@@ -82,3 +82,18 @@ form:
validate:
type: commalist
uploads_section:
type: section
title: PLUGIN_ADMIN.UPLOADS_SECURITY
underline: true
uploads_dangerous_extensions:
type: selectize
size: large
label: PLUGIN_ADMIN.UPLOADS_DANGEROUS_EXTENSIONS
help: PLUGIN_ADMIN.UPLOADS_DANGEROUS_EXTENSIONS_HELP
classes: fancy
validate:
type: commalist


@@ -23,4 +23,9 @@ xss_dangerous_tags:
- bgsound
- title
- base
uploads_dangerous_extensions:
- php
- html
- htm
- js
- exe
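Review bot: The new `uploads_dangerous_extensions` default is a denylist, so it only covers the five names listed; extensions that common PHP handler mappings also execute (`phtml`, `phar`, the versioned `php3`…`php7` forms) and `svg`, which browsers render with inline script, are absent. If a denylist stays the default, adding those entries is cheap; the stronger model is an allowlist of expected upload types enforced at the upload handler, with this list kept as defence in depth. Since the entries are matched by `Utils::checkFilename` in another file of this commit, keep them lowercase here and make sure that comparison is case-insensitive, otherwise a differently-cased extension passes the check.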


@@ -8,7 +8,7 @@
// Some standard defines
define('GRAV', true);
define('GRAV_VERSION', '1.5.2');
define('GRAV_VERSION', '1.5.3');
define('GRAV_TESTING', false);
define('DS', '/');


@@ -478,6 +478,51 @@ abstract class Utils
return $default;
}
/**
* Return the mimetype based on filename
*
* @param string $filename Filename or path to file
* @param string $default default value
*
* @return string
*/
public static function getMimeByFilename($filename, $default = 'application/octet-stream')
{
return static::getMimeByExtension(pathinfo($filename, PATHINFO_EXTENSION), $default);
}
/**
* Return the mimetype based on existing local file
*
* @param string $filename Path to the file
*
* @return string|bool
*/
public static function getMimeByLocalFile($filename, $default = 'application/octet-stream')
{
$type = false;
// For local files we can detect type by the file content.
if (!stream_is_local($filename) || !file_exists($filename)) {
return false;
}
// Prefer using finfo if it exists.
if (\extension_loaded('fileinfo')) {
$finfo = finfo_open(FILEINFO_SYMLINK | FILEINFO_MIME_TYPE);
$type = finfo_file($finfo, $filename);
finfo_close($finfo);
} else {
// Fall back to use getimagesize() if it is available (not recommended, but better than nothing)
$info = @getimagesize($filename);
if ($info) {
$type = $info['mime'];
}
}
return $type ?: static::getMimeByFilename($filename, $default);
}
/**
* Return the mimetype based on filename extension
*
@@ -520,6 +565,33 @@ abstract class Utils
return $default;
}
/**
* Returns true if filename is considered safe.
*
* @param string $filename
* @return bool
*/
public static function checkFilename($filename)
{
$dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []);
array_walk($dangerous_extensions, function(&$val) {
$val = '.' . $val;
});
$extension = '.' . pathinfo($filename, PATHINFO_EXTENSION);
return !(
// Empty filenames are not allowed.
!$filename
// Filename should not contain horizontal/vertical tabs, newlines, nils or back/forward slashes.
|| strtr($filename, "\t\v\n\r\0\\/", '_______') !== $filename
// Filename should not start or end with dot or space.
|| trim($filename, '. ') !== $filename
// Filename should not contain .php in it.
|| static::contains($extension, $dangerous_extensions)
);
}
/**
* Normalize path by processing relative `.` and `..` syntax and merging path
*
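Review bot: checkFilename compares extensions case-sensitively: `$extension` is taken verbatim from `pathinfo()` and the configured entries are only prefixed with a dot, so a filename whose extension differs from a `security.uploads_dangerous_extensions` entry only in case is reported safe, although web-server handler mappings and case-insensitive filesystems typically treat it as the same type — assuming `static::contains()` (defined outside the hunk) is a plain `strpos`-style match. Normalising both sides fixes it: `$val = '.' . strtolower($val);` in the `array_walk` callback and `$extension = '.' . strtolower(pathinfo($filename, PATHINFO_EXTENSION));`. The comment `// Filename should not contain .php in it.` is stale now that the list is configurable; `// Extension must not be listed in security.uploads_dangerous_extensions.` describes the check. In getMimeByLocalFile the `$default` parameter is missing from the docblock, and `@return string|bool` should state that `false` is returned only when the path is not local or the file does not exist; both methods belong to `abstract class Utils`, whose declaration lies before the hunk.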