From afb5b02e5750f0f9c0bcc73de5d3f62947881722 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Thu, 21 Mar 2024 15:08:44 -0600 Subject: [PATCH 01/10] Fixes for multilang taxonomy --- CHANGELOG.md | 6 ++++++ system/src/Grav/Common/Taxonomy.php | 25 +++++++++++++++---------- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 014bff7d51..d9443babb7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# v1.7.46 +## mm/dd/2024 + +1. [](#bugfix) + * Fixes for multi-lang taxonomy when reinitializing the languages (e.g. LangSwitcher plugin) + # v1.7.45 ## 03/18/2024 diff --git a/system/src/Grav/Common/Taxonomy.php b/system/src/Grav/Common/Taxonomy.php index d9cb930ba7..3ce2173170 100644 --- a/system/src/Grav/Common/Taxonomy.php +++ b/system/src/Grav/Common/Taxonomy.php @@ -10,6 +10,7 @@ namespace Grav\Common; use Grav\Common\Config\Config; +use Grav\Common\Language\Language; use Grav\Common\Page\Collection; use Grav\Common\Page\Interfaces\PageInterface; use function is_string; @@ -37,6 +38,8 @@ class Taxonomy protected $taxonomy_map; /** @var Grav */ protected $grav; + /** @var Language */ + protected $language; /** * Constructor that resets the map @@ -45,8 +48,9 @@ class Taxonomy */ public function __construct(Grav $grav) { - $this->taxonomy_map = []; $this->grav = $grav; + $this->language = $grav['language']; + $this->taxonomy_map[$this->language->getLanguage()] = []; } /** @@ -107,7 +111,8 @@ public function iterateTaxonomy(PageInterface $page, string $taxonomy, string $k if (!empty($key)) { $taxonomy .= $key; } - $this->taxonomy_map[$taxonomy][(string) $value][$page->path()] = ['slug' => $page->slug()]; + $active = $this->language->getLanguage(); + $this->taxonomy_map[$active][$taxonomy][(string) $value][$page->path()] = ['slug' => $page->slug()]; } } 
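Review bot: The constructor hunk (`@@ -45,8 +48,9 @@`) drops the `$this->taxonomy_map = [];` reset, so the untyped property stays null until the keyed write auto-vivifies it; that works for the accessors changed in this patch, but any code that walks the whole map rather than one language slice would now see null instead of an empty array. Keep the reset ahead of the keyed assignment: `$this->taxonomy_map = [];` then `$this->taxonomy_map[$this->language->getLanguage()] = [];`. A one-line comment would also capture the intent the changelog describes, e.g. `// Keyed by the active language so a re-initialised Language service gets its own bucket; the key is re-read on every access.` The same re-read happens per value inside the loop in `iterateTaxonomy()` (`@@ -107,7 +111,8 @@`), where hoisting `$active` above the loop would be cheaper if that loop is hot; the loop's start is outside the hunk.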
@@ -123,14 +128,11 @@ public function findTaxonomy($taxonomies, $operator = 'and') { $matches = []; $results = []; + $active = $this->language->getLanguage(); foreach ((array)$taxonomies as $taxonomy => $items) { foreach ((array)$items as $item) { - if (isset($this->taxonomy_map[$taxonomy][$item])) { - $matches[] = $this->taxonomy_map[$taxonomy][$item]; - } else { - $matches[] = []; - } + $matches[] = $this->taxonomy_map[$active][$taxonomy][$item] ?? []; } } @@ -156,11 +158,13 @@ public function findTaxonomy($taxonomies, $operator = 'and') */ public function taxonomy($var = null) { + $active = $this->language->getLanguage(); + if ($var) { - $this->taxonomy_map = $var; + $this->taxonomy_map[$active] = $var; } - return $this->taxonomy_map; + return $this->taxonomy_map[$active] ?? []; } /** @@ -171,6 +175,7 @@ public function taxonomy($var = null) */ public function getTaxonomyItemKeys($taxonomy) { - return isset($this->taxonomy_map[$taxonomy]) ? array_keys($this->taxonomy_map[$taxonomy]) : []; + $active = $this->language->getLanguage(); + return isset($this->taxonomy_map[$active][$taxonomy]) ? array_keys($this->taxonomy_map[$active][$taxonomy]) : []; } } From 04f9385aa8005014d64f3bd908d0ab63d1d9ce26 Mon Sep 17 00:00:00 2001 From: "pmoreno.rodriguez" Date: Tue, 16 Apr 2024 19:51:22 +0200 Subject: [PATCH 02/10] Fixed "news" to "new" in Changelog V1.7.45 (#3810) --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9443babb7..cf395779b4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ # v1.7.45 ## 03/18/2024 -1. [](#news) +1. [](#new) * Added new Image trait for `decoding` attribute [#3796](https://github.com/getgrav/grav/pull/3796) 1. [](#bugfix) * Fixed some multibyte issues in Inflector class [#732](https://github.com/getgrav/grav/issues/732) From d184e25f057b3f586656ce617c4cc3d0eb08bb03 Mon Sep 17 00:00:00 2001 
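Review bot: `taxonomy()` in `@@ -156,11 +158,13 @@` now reads and writes only the active language's slice of the map, but its docblock, which starts above the hunk, presumably still describes the whole map, and a caller that captured `taxonomy()` earlier and hands it back later now round-trips a single language. Update the docblock to say the getter/setter is scoped to the language returned by `$this->language->getLanguage()` at call time, e.g. `@return array Taxonomy map for the currently active language only`. The `if ($var)` truthiness test is pre-existing, but combined with the per-language split it means `taxonomy([])` cannot clear the active language's entries; `if ($var !== null)` would make that reset reachable once existing callers are checked.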
From: thebodzio Date: Tue, 16 Apr 2024 19:52:38 +0200 Subject: [PATCH 03/10] Handle the situation when GRAV_ROOT or GRAV_WEBROOT are `/` (#3667) * Handle the situation when GRAV_ROOT or GARV_WEBROOT are `/` * Update defines.php Replaced `/` with `DS` * Update Backups.php Replaced `/` with `DS` in `backup` function --- CHANGELOG.md | 1 + system/defines.php | 4 ++-- system/src/Grav/Common/Backup/Backups.php | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf395779b4..7758825c4e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -123,6 +123,7 @@ 1. [](#improved) * Removed outdated `xcache` setting [#3615](https://github.com/getgrav/grav/pull/3615) * Updated `robots.txt` [#3625](https://github.com/getgrav/grav/pull/3625) + * Handle the situation when GRAV_ROOT or GRAV_WEBROOT are `/` [#3625](https://github.com/getgrav/grav/pull/3667) 1. [](#bugfix) * Fixed `force_ssl` redirect in case of undefined hostname [#3702](https://github.com/getgrav/grav/pull/3702) * Fixed an issue with duplicate identical page paths diff --git a/system/defines.php b/system/defines.php index 2bb2fd858e..10388666f3 100644 --- a/system/defines.php +++ b/system/defines.php @@ -26,12 +26,12 @@ // Absolute path to Grav root. This is where Grav is installed into. if (!defined('GRAV_ROOT')) { $path = rtrim(str_replace(DIRECTORY_SEPARATOR, DS, getenv('GRAV_ROOT') ?: getcwd()), DS); - define('GRAV_ROOT', $path); + define('GRAV_ROOT', $path ?: DS); } // Absolute path to Grav webroot. This is the path where your site is located in. if (!defined('GRAV_WEBROOT')) { $path = rtrim(getenv('GRAV_WEBROOT') ?: GRAV_ROOT, DS); - define('GRAV_WEBROOT', $path); + define('GRAV_WEBROOT', $path ?: DS); } // Relative path to user folder. This path needs to be located under GRAV_WEBROOT. if (!defined('GRAV_USER_PATH')) { diff --git a/system/src/Grav/Common/Backup/Backups.php b/system/src/Grav/Common/Backup/Backups.php index 5114634643..dd2cf379c9 100644 
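Review bot: With `GRAV_ROOT` now defined as `DS` when the trimmed path is empty, the `GRAV_WEBROOT` line below it trims `GRAV_ROOT` back to an empty string before applying its own `?: DS` fallback, which is correct but easy to misread; more importantly every later `GRAV_ROOT . '/...'` concatenation (the user-folder define right after the hunk, for instance) will then start with a double slash, and whether downstream path handling tolerates that is not visible here and worth a test. A short comment above the first `define()` would make the special case explicit, e.g. `// An install at the filesystem root trims to '', so fall back to DS instead of defining an empty root path.`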
--- a/system/src/Grav/Common/Backup/Backups.php +++ b/system/src/Grav/Common/Backup/Backups.php @@ -218,7 +218,7 @@ public static function backup($id = 0, callable $status = null) if ($locator->isStream($backup_root)) { $backup_root = $locator->findResource($backup_root); } else { - $backup_root = rtrim(GRAV_ROOT . $backup_root, '/'); + $backup_root = rtrim(GRAV_ROOT . $backup_root, DS) ?: DS; } if (!$backup_root || !file_exists($backup_root)) { From ee8d783d050588aaf35261b7d1832e2bdc433fe6 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Sat, 20 Apr 2024 15:42:42 +0100 Subject: [PATCH 04/10] better support for external urls in Utils::url() --- CHANGELOG.md | 2 ++ system/src/Grav/Common/Uri.php | 2 +- tests/unit/Grav/Common/UtilsTest.php | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7758825c4e..966b2f2edc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ # v1.7.46 ## mm/dd/2024 +1. [](#improved) + * Better handling of external protocols in `Utils::url()` such as `mailto:`, `tel:`, etc. 1. [](#bugfix) * Fixes for multi-lang taxonomy when reinitializing the languages (e.g. LangSwitcher plugin) diff --git a/system/src/Grav/Common/Uri.php b/system/src/Grav/Common/Uri.php index 9d3ef5bb94..374dccce27 100644 --- a/system/src/Grav/Common/Uri.php +++ b/system/src/Grav/Common/Uri.php 
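Review bot: After the change `$backup_root` can no longer be an empty string, so the `!$backup_root` half of the `if` on the next line is dead and only `file_exists()` guards the path. The `?: DS` fallback also means a root-level install with an empty or slash-only backup setting resolves to the filesystem root; if the routine then archives `$backup_root` recursively (its body continues outside the hunk), the result is a very large and possibly sensitive archive rather than the site. Consider rejecting that outcome explicitly, e.g. `if ($backup_root === DS) { throw new \RuntimeException('Backup root resolves to the filesystem root'); }`, or at least document the intent with `// GRAV_ROOT may itself be DS; never return '' for a root-level install.` The enclosing `backup()` starts and ends outside the hunk.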
@@ -742,7 +742,7 @@ public static function getCurrentRoute() */ public static function isExternal($url) { - return (0 === strpos($url, 'http://') || 0 === strpos($url, 'https://') || 0 === strpos($url, '//')); + return (0 === strpos($url, 'http://') || 0 === strpos($url, 'https://') || 0 === strpos($url, '//') || 0 === strpos($url, 'mailto:') || 0 === strpos($url, 'tel:') || 0 === strpos($url, 'ftp://') || 0 === strpos($url, 'ftps://') || 0 === strpos($url, 'news:') || 0 === strpos($url, 'irc:') || 0 === strpos($url, 'gopher:') || 0 === strpos($url, 'nntp:') || 0 === strpos($url, 'feed:') || 0 === strpos($url, 'cvs:') || 0 === strpos($url, 'ssh:') || 0 === strpos($url, 'git:') || 0 === strpos($url, 'svn:') || 0 === strpos($url, 'hg:')); } /** diff --git a/tests/unit/Grav/Common/UtilsTest.php b/tests/unit/Grav/Common/UtilsTest.php index 0e530497cb..9a29ad7e2f 100644 --- a/tests/unit/Grav/Common/UtilsTest.php +++ b/tests/unit/Grav/Common/UtilsTest.php @@ -461,7 +461,7 @@ public function testUrl(): void self::assertSame('pop://domain.com', Utils::url('pop://domain.com')); self::assertSame('foo://bar/baz', Utils::url('foo://bar/baz')); self::assertSame('foo://bar/baz', Utils::url('foo://bar/baz', true)); - // self::assertSame('mailto:joe@domain.com', Utils::url('mailto:joe@domain.com', true)); // FIXME <- + self::assertSame('mailto:joe@domain.com', Utils::url('mailto:joe@domain.com', true)); // FIXME <- } public function testUrlWithRoot(): void From 77adfcb8313d4e8fabc55e1faca568931817c66e Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 6 May 2024 11:31:23 +0100 Subject: [PATCH 05/10] missed a check in MediaUploadTrait::checkFileMetadata() --- CHANGELOG.md | 1 + system/src/Grav/Common/Media/Traits/MediaUploadTrait.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 966b2f2edc..913a581514 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
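Review bot: The rewritten `isExternal()` return is a single 17-clause `||` chain of `strpos()` calls that is hard to read, hard to diff and easy to extend inconsistently; a prefix list walked in a loop expresses the same check and keeps the scheme list reviewable in one place. Note also that `strpos()` is case-sensitive, so `MAILTO:` or `Tel:` would not be classed as external here; whether that matters depends on the callers of `Utils::url()` outside this hunk. The docblock above the hunk could state that these are prefixes passed through untouched rather than resolved as site routes.
```php
public static function isExternal($url)
{
    // Prefixes treated as external and left untouched by callers such as Utils::url().
    static $externalPrefixes = [
        'http://', 'https://', '//',
        'mailto:', 'tel:',
        'ftp://', 'ftps://',
        'news:', 'irc:', 'gopher:', 'nntp:', 'feed:',
        'cvs:', 'ssh:', 'git:', 'svn:', 'hg:',
    ];

    foreach ($externalPrefixes as $prefix) {
        if (0 === strpos($url, $prefix)) {
            return true;
        }
    }

    return false;
}
```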
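Review bot: The `mailto:` assertion in `UtilsTest::testUrl()` is now enabled but still carries its `// FIXME <-` marker, which tells the next reader it is still broken; drop the trailing comment so the line reads `self::assertSame('mailto:joe@domain.com', Utils::url('mailto:joe@domain.com', true));`. A sibling assertion for `tel:` would cover the second scheme the changelog names. `testUrl()` starts outside the hunk.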
@@ -5,6 +5,7 @@ * Better handling of external protocols in `Utils::url()` such as `mailto:`, `tel:`, etc. 1. [](#bugfix) * Fixes for multi-lang taxonomy when reinitializing the languages (e.g. LangSwitcher plugin) + * Ensure the full filepath is checked for invalid filename in `Utils::checkFileMetadata()` # v1.7.45 ## 03/18/2024 diff --git a/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php b/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php index 36becdfbac..2b1c3bbeec 100644 --- a/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php +++ b/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php @@ -156,7 +156,7 @@ public function checkFileMetadata(array $metadata, string $filename = null, arra $filepath = $folder . $filename; // Check if the filename is allowed. - if (!Utils::checkFilename($filename)) { + if (!Utils::checkFilename($filepath)) { throw new RuntimeException( sprintf($this->translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD'), $filepath, $this->translate('PLUGIN_ADMIN.BAD_FILENAME')) ); From b6bba9eb99bf8cb55b8fa8d23f18873ca594e348 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 6 May 2024 12:48:45 +0100 Subject: [PATCH 06/10] fixes #GHSA-f8v5-jmfh-pr69 --- system/src/Grav/Common/Security.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php index 8b4783089c..6fabf4eec3 100644 --- a/system/src/Grav/Common/Security.php +++ b/system/src/Grav/Common/Security.php 
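Review bot: The comment above the changed line still says `// Check if the filename is allowed.` while the call now validates `$filepath` (folder plus filename), so the comment should follow the code: `// Check that the full path (folder + filename) is allowed, not just the basename.` `checkFileMetadata()` starts and ends outside the hunk, so where `$folder` originates is not visible; if any part of it can be influenced by the request, validating the joined path is the right choice and is worth saying in that comment.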
@@ -225,7 +225,7 @@ public static function detectXss($string, array $options = null): ?string // Set the patterns we'll test against $patterns = [ // Match any attribute starting with "on" or xmlns - 'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu', + 'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu', // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols 'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu', @@ -279,6 +279,7 @@ public static function cleanDangerousTwig(string $string): string 'twig.getFunction', 'core.setEscaper', 'twig.safe_functions', + 'read_file', ]; $string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string); return $string; From 8c941cc6d31c2a1a220137457ba93c3d950a842f Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 6 May 2024 12:48:52 +0100 Subject: [PATCH 07/10] update changelog --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 913a581514..2c29cc5d80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,9 @@ * Better handling of external protocols in `Utils::url()` such as `mailto:`, `tel:`, etc. 1. [](#bugfix) * Fixes for multi-lang taxonomy when reinitializing the languages (e.g. LangSwitcher plugin) - * Ensure the full filepath is checked for invalid filename in `Utils::checkFileMetadata()` + * Ensure the full filepath is checked for invalid filename in `MediaUploadTrait::checkFileMetadata()` + * Fixed a bug in the `on_events` REGEX pattern of `Security::detectXss()` as it was not matching correctly. + * Fixed an issue where `read_file()` Twig function could be used nefariously in content [#GHSA-f8v5-jmfh-pr69](https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69) # v1.7.45 ## 03/18/2024 
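Review bot: In the new `on_events` pattern the `|` inside `[\s|\'\"]` is a literal pipe (a character class has no alternation), and that class is mandatory both directly after `=` and directly before the closing `>`, so an `on…` attribute whose value is unquoted, or that is followed by another unquoted attribute before `>`, appears not to match this pattern even though the previous `[\s\/]on|\sxmlns` form did; the changelog calls this a matching fix, so the narrowing looks unintended. Making the quote optional and removing the stray pipe, e.g. `'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=\s*[\'\"]?[^>]*>#iUu',`, restores that coverage; a unit test with both quoted and unquoted handler values would pin it. `detectXss()` continues outside the hunk.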
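Review bot: The `$bad_twig` entries, including the newly added `read_file`, are interpolated into the pattern through `implode('|', $bad_twig)` without `preg_quote()`, so the `.` in `twig.getFunction` and `core.setEscaper` matches any character; the `invalid_protocols` pattern in the hunk above does quote its entries, so this line is inconsistent with it. Quoting them, `implode('|', array_map(static function ($s) { return preg_quote($s, '/'); }, $bad_twig))`, makes the match literal without narrowing what the list is meant to catch. A comment above the array such as `// Denylist of Twig callables that must not appear in user content; keep in step with the advisory list.` would record why each entry is there. `cleanDangerousTwig()` closes outside the hunk.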
From 51623ee0daef3f5770302d3370fed58331ab1e18 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Wed, 8 May 2024 12:35:16 +0100 Subject: [PATCH 08/10] Added custom_base test --- tests/unit/Grav/Common/UriTest.php | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/tests/unit/Grav/Common/UriTest.php b/tests/unit/Grav/Common/UriTest.php index 3e52ef877b..c36ce52daf 100644 --- a/tests/unit/Grav/Common/UriTest.php +++ b/tests/unit/Grav/Common/UriTest.php @@ -1,6 +1,7 @@ [ 'scheme' => '', @@ -704,7 +708,7 @@ class UriTest extends \Codeception\TestCase\Test 'route' => '/localhost', 'paths' => ['localhost'], 'params' => '/script%3E:', - 'url' => '//localhost', + 'url' => '/localhost', 'environment' => 'unknown', 'basename' => 'localhost', 'base' => '', @@ -859,6 +863,7 @@ protected function _before(): void $grav = Fixtures::get('grav'); $this->grav = $grav(); $this->uri = $this->grav['uri']; + $this->config = $this->grav['config']; } protected function _after(): void @@ -1149,4 +1154,25 @@ public function testAddNonce(): void { $this->runTestSet($this->tests, 'addNonce'); } + + public function testCustomBase(): void + { + $current_base = $this->config->get('system.custom_base_url'); + $this->config->set('system.custom_base_url', '/test'); + $this->uri->initializeWithURL('https://mydomain.example.com:8090/test/korteles/kodai%20something?test=true#some-fragment')->init(); + + $this->assertSame([ + "scheme" => "https", + "host" => "mydomain.example.com", + "port" => 8090, + "user" => null, + "pass" => null, + "path" => "/korteles/kodai%20something", + "params" => [], + "query" => "test=true", + "fragment" => "some-fragment", + ], $this->uri->toArray()); + + $this->config->set('system.custom_base_url', $current_base); + } } From c97a0ffb161856c48571a3d79771f62acd4640f8 Mon Sep 17 00:00:00 2001 
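Review bot: `testCustomBase()` restores `system.custom_base_url` only on the success path, so a failing `assertSame()` throws past the restore and leaks `/test` into every later test in the class. Wrap the init and assertion in `try { … } finally { $this->config->set('system.custom_base_url', $current_base); }` so the setting is reset regardless of outcome. The first hunk of this file (`@@ -1,6 +1,7 @@`) is truncated in this copy, so I cannot confirm where the new `$config` property is declared or typed.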
From: Andy Miller Date: Wed, 8 May 2024 12:45:52 +0100 Subject: [PATCH 09/10] reworked to use the modified Uri::parseUrl(), plus better fix for multi slashes --- system/src/Grav/Common/Uri.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/system/src/Grav/Common/Uri.php b/system/src/Grav/Common/Uri.php index 374dccce27..2d4386017c 100644 --- a/system/src/Grav/Common/Uri.php +++ b/system/src/Grav/Common/Uri.php @@ -206,7 +206,7 @@ public function init() $uri = $language->setActiveFromUri($uri); // split the URL and params (and make sure that the path isn't seen as domain) - $bits = parse_url('http://domain.com' . $uri); + $bits = static::parseUrl('http://domain.com' . $uri); //process fragment if (isset($bits['fragment'])) { @@ -265,6 +265,7 @@ public function paths($id = null) return $this->paths; } + /** * Return route to the current URI. By default route doesn't include base path. * @@ -954,9 +955,7 @@ public static function parseUrl($url) $grav = Grav::instance(); // Remove extra slash from streams, parse_url() doesn't like it. - if ($pos = strpos($url, ':///')) { - $url = substr_replace($url, '://', $pos, 4); - } + $url = preg_replace('/([^:])(\/{2,})/', '$1/', $url); $encodedUrl = preg_replace_callback( '%[^:/@?&=#]+%usD', From 013ff7ee1b4dc5e7a735911abbfdf80239a8693a Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Wed, 15 May 2024 17:15:30 +0100 Subject: [PATCH 10/10] prepare for release --- CHANGELOG.md | 3 ++- system/defines.php | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c29cc5d80..2989e724d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
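Review bot: The comment above the new `preg_replace()` in `parseUrl()` still reads `// Remove extra slash from streams, parse_url() doesn't like it.`, but the regex now collapses any run of two or more slashes not directly preceded by `:` anywhere in the URL, including inside the query string and fragment, which is much wider than the old `:///` special case; the comment should say so, e.g. `// Collapse repeated slashes anywhere except the '://' of a scheme; parse_url() mishandles them.` `preg_replace()` returns null on a PCRE failure, which would then flow into the `preg_replace_callback()` below; `$url = preg_replace('/([^:])(\/{2,})/', '$1/', $url) ?? $url;` keeps the original string in that case. Whether any caller relies on `//` surviving inside a query value (a redirect parameter, for instance) is not visible here and deserves a test. `parseUrl()` continues outside the hunk.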
@@ -1,8 +1,9 @@ # v1.7.46 -## mm/dd/2024 +## 05/15/2024 1. [](#improved) * Better handling of external protocols in `Utils::url()` such as `mailto:`, `tel:`, etc. + * Handle `GRAV_ROOT` or `GRAV_WEBROOT` when `/` [#3667](https://github.com/getgrav/grav/pull/3667) 1. [](#bugfix) * Fixes for multi-lang taxonomy when reinitializing the languages (e.g. LangSwitcher plugin) * Ensure the full filepath is checked for invalid filename in `MediaUploadTrait::checkFileMetadata()` diff --git a/system/defines.php b/system/defines.php index 10388666f3..f090bde296 100644 --- a/system/defines.php +++ b/system/defines.php @@ -9,7 +9,7 @@ // Some standard defines define('GRAV', true); -define('GRAV_VERSION', '1.7.45'); +define('GRAV_VERSION', '1.7.46'); define('GRAV_SCHEMA', '1.7.0_2020-11-20_1'); define('GRAV_TESTING', false);