diff --git a/CHANGELOG.md b/CHANGELOG.md
index 19511c0002..0510670b1b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 * Regression: Fixed saving page with a new language causing cache corruption [getgrav/grav-plugin-admin#2282](https://github.com/getgrav/grav-plugin-admin/issues/2282)
 * Fixed a potential fatal error when using watermark in images
 * Fixed `bin/grav install` command with arbitrary destination folder name
+ * Fixed Twig `|filter()` allowing code execution
 # v1.7.33
 ## 04/25/2022
diff --git a/system/src/Grav/Common/Twig/Extension/GravExtension.php b/system/src/Grav/Common/Twig/Extension/GravExtension.php
index a2a76b3172..41c8528d83 100644
--- a/system/src/Grav/Common/Twig/Extension/GravExtension.php
+++ b/system/src/Grav/Common/Twig/Extension/GravExtension.php
@@ -9,6 +9,7 @@
 namespace Grav\Common\Twig\Extension;
+use CallbackFilterIterator;
 use Cron\CronExpression;
 use Grav\Common\Config\Config;
 use Grav\Common\Data\Data;
@@ -41,6 +42,7 @@
 use RocketTheme\Toolbox\ResourceLocator\UniformResourceLocator;
 use Traversable;
 use Twig\Environment;
+use Twig\Error\RuntimeError;
 use Twig\Extension\AbstractExtension;
 use Twig\Extension\GlobalsInterface;
 use Twig\Loader\FilesystemLoader;
@@ -167,6 +169,9 @@ public function getFilters(): array
 // PHP methods
 new TwigFilter('count', 'count'),
 new TwigFilter('array_diff', 'array_diff'),
+
+ // Security fix
+ new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),
 ];
 }
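Review bot: The `// Security fix` comment above the new `filter` registration in getFilters() says neither what is being fixed nor why a Twig core filter is being redefined, so a maintainer pruning what looks like a duplicate has no signal to stop. Suggest `// Replaces Twig's core |filter so the callable argument is screened by filterFilter() before it runs.`. The redefinition only wins if this extension is registered with the Environment after Twig's CoreExtension, which the hunk cannot show; a one-line comment or a test pinning that order would keep the fix from silently regressing. getFilters() starts before the hunk.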
@@ -1676,4 +1681,20 @@ public function ofTypeFunc($var, $typeTest = null, $className = null)
 return is_string($var);
 }
 }
+
+ /**
+ * @param Environment $env
+ * @param array $array
+ * @param callable|string $arrow
+ * @return array|CallbackFilterIterator
+ * @throws RuntimeError
+ */
+ function filterFilter(Environment $env, $array, $arrow)
+ {
+ if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
+ throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
+ }
+
+ return \twig_array_filter($env, $array, $arrow);
+ }
 }
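Review bot: filterFilter() screens only string values: the `is_string($arrow) && Utils::isDangerousFunction($arrow)` guard lets any non-string callable (an array callable, for instance) reach `\twig_array_filter` unchecked, and `Utils::isDangerousFunction` is a deny-list whose coverage is outside this hunk. An allow-list is the safer shape here: accept a `\Closure` (which is what Twig's arrow syntax compiles to) or a vetted function name, and reject everything else; this also avoids concatenating a non-string `$arrow` into the error message. The method is also declared without a visibility keyword, which PSR-12 requires and which `[$this, 'filterFilter']` relies on being public; I would write `public function filterFilter(Environment $env, $array, $arrow)` and, since `$arrow` is the value being vetted, replace the `@param callable|string $arrow` line with `@param mixed $arrow  Unvetted template value; only a Closure or an allowed function name is accepted`. Twig's other arrow-taking filters (`map`, `reduce`, `sort`) are not touched by this commit, so whether they need the same treatment is worth checking separately. The closing brace of ofTypeFunc() and of the class are the hunk's context lines; the new method is complete within it.
```php
    public function filterFilter(Environment $env, $array, $arrow)
    {
        // Allow-list: a Closure (Twig arrow expression) or a function name that is not flagged.
        $allowed = $arrow instanceof \Closure
            || (is_string($arrow) && !Utils::isDangerousFunction($arrow));
        if (!$allowed) {
            throw new RuntimeError('Twig |filter() callable is not allowed.');
        }

        return \twig_array_filter($env, $array, $arrow);
    }
```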