Merge branch '5.x' into 5.6

craftcms · Dec 21, 2024 · 3cf48d4 · 3cf48d4
2 parents e4cf030 + 9fbe2db
commit 3cf48d4
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,9 @@
 ## Unreleased
 
 - Fixed a bug where custom fields were getting included in rendered field layout forms, even if their `getInputHtml()` method returned an empty string.
+- Fixed a bug where the password input on the Set Password page wasn’t including the “Show” button.
 - Fixed an error that could occur when creating nested entries within Matrix fields. ([#16331](https://github.com/craftcms/cms/issues/16331))
+- Fixed an RCE vulnerability.
 
 ## 5.5.7 - 2024-12-17
 

diff --git a/src/controllers/UpdaterController.php b/src/controllers/UpdaterController.php
@@ -11,6 +11,7 @@
 use Craft;
 use craft\errors\InvalidPluginException;
 use craft\helpers\App;
+use craft\helpers\FileHelper;
 use RequirementsChecker;
 use Symfony\Component\Process\Process;
 use Throwable;
@@ -99,8 +100,13 @@ public function actionBackup(): Response
      */
     public function actionRestoreDb(): Response
     {
+        $backupPath = $this->data['dbBackupPath'];
+        if (!file_exists($backupPath) || !FileHelper::isWithin($backupPath, Craft::$app->getPath()->getDbBackupPath())) {
+            throw new BadRequestHttpException("Invalid backup path: $backupPath");
+        }
+
         try {
-            Craft::$app->getDb()->restore($this->data['dbBackupPath']);
+            Craft::$app->getDb()->restore($backupPath);
         } catch (Throwable $e) {
             Craft::error('Error restoring up the database: ' . $e->getMessage(), __METHOD__);
             return $this->send([

diff --git a/src/templates/setpassword.twig b/src/templates/setpassword.twig
@@ -8,8 +8,6 @@
 {% endif %}
 
 {% block message %}
-
-
     <form method="post" accept-charset="UTF-8">
         {{ hiddenInput('code', code) }}
         {{ hiddenInput('id', id) }}
@@ -31,3 +29,9 @@
         </div>
     </form>
 {% endblock %}
+
+{% js %}
+    (() => {
+        new Craft.PasswordInput($('#newPassword'));
+    })();
+{% endjs %}
diff --git a/src/web/assets/cp/dist/css/cp.css b/src/web/assets/cp/dist/css/cp.css
diff --git a/src/web/assets/cp/dist/css/cp.css.map b/src/web/assets/cp/dist/css/cp.css.map
diff --git a/src/web/assets/cp/src/css/_main.scss b/src/web/assets/cp/src/css/_main.scss
@@ -8365,7 +8365,7 @@ td.errors .text,
     border: none;
     background: transparent;
     padding-inline-end: 4rem;
-    box-shadow: none;
+    box-shadow: none !important;
   }
 
   .password-toggle {