CVE-2021-29440: getgrav/grav - Packagist
Grav is a file-based web platform. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. Because the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. The issue was addressed in version 1.7.11.
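As an added defender-side check (not Grav's own code), the script below audits a tree of Grav page files and reports every page whose front matter switches Twig processing on, so an administrator can review which pages would reach the unsandboxed processor. It assumes Grav's `process:` page header with a `twig: true` sub-key (in either YAML block or flow style); the sample pages are constructed for the stand-alone run.

```python
import re
from pathlib import Path
from typing import Iterable, Iterator

# Grav pages are Markdown files with a YAML header between '---' lines.
FRONT_MATTER = re.compile(r"\A---[ \t]*\r?\n(.*?)\r?\n---[ \t]*(?:\r?\n|\Z)", re.DOTALL)
# Flow style on one line, e.g. "process: {markdown: true, twig: true}"
FLOW_STYLE = re.compile(r"^process:\s*\{[^}]*\btwig:\s*true\b", re.MULTILINE | re.IGNORECASE)

def twig_enabled(markdown: str) -> bool:
    """True if the page header turns Twig processing on.

    Assumed header key (Grav's 'process' page setting), in either style:
        process:                 process: {twig: true}
          twig: true
    Only the literal value 'true' is matched; other YAML spellings are ignored.
    """
    m = FRONT_MATTER.match(markdown)
    if not m:
        return False
    header = m.group(1)
    if FLOW_STYLE.search(header):
        return True
    in_process = False
    for line in header.splitlines():
        if re.match(r"^process:\s*$", line):
            in_process = True
        elif in_process and line[:1] in (" ", "\t"):
            if re.match(r"^\s+twig:\s*true\s*$", line, re.IGNORECASE):
                return True
        else:
            in_process = False  # left the indented block under 'process:'
    return False

def audit_pages(pages: Iterable[tuple[str, str]]) -> list[str]:
    """Return the names of pages whose header enables Twig, in input order."""
    return [name for name, text in pages if twig_enabled(text)]

def load_pages(root: Path) -> Iterator[tuple[str, str]]:
    """Yield (relative path, content) for every .md file under a Grav user/pages tree."""
    for md in sorted(root.rglob("*.md")):
        yield str(md.relative_to(root)), md.read_text(encoding="utf-8", errors="replace")

# Constructed sample pages (not from any real site) for a stand-alone run.
SAMPLE_PAGES = [
    ("01.home/default.md", "---\ntitle: Home\n---\n# Welcome\n"),
    ("02.blog/item.md", "---\ntitle: Post\nprocess:\n  markdown: true\n  twig: true\n---\nbody\n"),
    ("03.about/default.md", "---\ntitle: About\nprocess: {twig: true}\n---\nbody\n"),
    ("04.docs/default.md", "---\ntitle: Docs\nprocess:\n  twig: false\n---\nbody\n"),
]

if __name__ == "__main__":
    for hit in audit_pages(SAMPLE_PAGES):
        print("Twig processing enabled:", hit)
```

On a real install, run `audit_pages(load_pages(Path("user/pages")))` from the Grav root; a non-empty result on a version below 1.7.11 is worth reviewing page by page.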
Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS
1.7.37.1 2022-10-05 21:06 UTC
Requires
- php: ^7.3.6 || ^8.0
- ext-curl: *
- ext-dom: *
- ext-gd: *
- ext-json: *
- ext-libxml: *
- ext-openssl: *
- ext-zip: *
- composer/ca-bundle: ^1.2
- composer/semver: ^1.4
- doctrine/cache: ^1.10
- doctrine/collections: ^1.6
- donatj/phpuseragentparser: ~1.1
- dragonmantank/cron-expression: ^1.2
- erusev/parsedown: ^1.7
- erusev/parsedown-extra: ~0.8
- filp/whoops: ~2.9
- getgrav/cache: ^2.0
- getgrav/image: ^3.0
- guzzlehttp/psr7: ^1.7
- itsgoingd/clockwork: ^5.0
- league/climate: ^3.6
- matthiasmullie/minify: ^1.3
- maximebf/debugbar: ~1.16
- miljar/php-exif: ^0.6
- monolog/monolog: ~1.25
- multiavatar/multiavatar-php: ^1.0
- nyholm/psr7: ^1.3
- nyholm/psr7-server: ^1.0
- pimple/pimple: ~3.5.0
- psr/container: ~1.1.0
- psr/http-message: ^1.0
- psr/http-server-middleware: ^1.0
- psr/simple-cache: ^1.0
- rhukster/dom-sanitizer: ^1.0
- rockettheme/toolbox: ~1.5
- symfony/console: ~4.4
- symfony/contracts: ~1.1
- symfony/event-dispatcher: ~4.4
- symfony/http-client: ^4.4
- symfony/polyfill-iconv: ^1.23
- symfony/polyfill-mbstring: ~1.23
- symfony/polyfill-php74: ^1.23
- symfony/polyfill-php80: ^1.23
- symfony/polyfill-php81: ^1.23
- symfony/process: ~4.4
- symfony/var-dumper: ~4.4
- symfony/yaml: ~4.4
- twig/twig: ~v1.44
- willdurand/negotiation: ^3.0
Requires (Dev)
- codeception/codeception: ^4.1
- codeception/module-asserts: ^1.3
- codeception/module-phpbrowser: ^1.0
- getgrav/markdowndocs: ^2.0
- phpstan/phpstan: ^1.8
- phpstan/phpstan-deprecation-rules: ^1.0
- phpunit/php-code-coverage: ~9.2
- symfony/service-contracts: *
Suggests
- ext-exif: Needed to use exif data from images.
- ext-iconv: Recommended for better performance
- ext-intl: Recommended for multi-language sites
- ext-mbstring: Recommended for better performance
- ext-memcache: Needed to support Memcache servers
- ext-memcached: Needed to support Memcached servers
- ext-redis: Needed to support Redis servers
- ext-zend-opcache: Recommended for better performance
This package is auto-updated.
Last update: 2022-10-26 00:20:21 UTC
README
Grav is a fast, simple, and flexible file-based web platform. Zero installation is required: just extract the ZIP archive and you are already up and running. It follows similar principles to other flat-file CMS platforms, but has a different design philosophy than most. Grav comes with a powerful Package Management System that allows simple installation and upgrading of plugins and themes, as well as simple updating of Grav itself.
The underlying architecture of Grav is designed to use well-established and best-in-class technologies to ensure that Grav is simple to use and easy to extend. Some of these key technologies include:
- Twig Templating: for powerful control of the user interface
- Markdown: for easy content creation
- YAML: for simple configuration
- Parsedown: for fast Markdown and Markdown Extra support
- Doctrine Cache: layer for performance
- Pimple Dependency Injection Container: for extensibility and maintainability
- Symfony Event Dispatcher: for plugin event handling
- Symfony Console: for CLI interface
- Gregwar Image Library: for dynamic image manipulation
Requirements
- PHP 7.3.6 or higher. Check the required modules list
- Check the Apache or IIS requirements
Documentation
The full documentation can be found from learn.getgrav.org.
QuickStart
These are the options to get Grav:
Downloading a Grav Package
You can download a ready-built package from the Downloads page on https://getgrav.org
With Composer
You can create a new project with the latest stable Grav release with the following command:
$ composer create-project getgrav/grav ~/webroot/grav
From GitHub
Clone the Grav repository from https://github.com/getgrav/grav to a folder in the webroot of your server, e.g. ~/webroot/grav. Launch a terminal or console and navigate to the webroot folder:
$ cd ~/webroot
$ git clone https://github.com/getgrav/grav.git
Install the plugin and theme dependencies by using the Grav CLI application bin/grav:
$ cd ~/webroot/grav
$ bin/grav install
Check out the install procedures for more information.
Adding Functionality
You can download plugins or themes manually from the appropriate tab on the Downloads page on https://getgrav.org, but the preferred solution is to use the Grav Package Manager or GPM:
$ bin/gpm index
This will display all the available plugins and then you can install one or more with:
$ bin/gpm install <plugin/theme>
Updating
To update Grav you should use the Grav Package Manager or GPM:
$ bin/gpm selfupgrade
To update plugins and themes:
$ bin/gpm update
Upgrading from older versions
- Upgrading to Grav 1.7
- Upgrading to Grav 1.6
- Upgrading from Grav <1.6
Contributing
We appreciate any contribution to Grav, whether it is related to bugs, grammar, or simply a suggestion or improvement! Please refer to the Contributing guide for more guidance on this topic.
Security issues
If you discover a possible security issue related to Grav or one of its plugins, please email the core team at [email protected] and we’ll address it as soon as possible.
Getting Started
- What is Grav?
- Install Grav in a few seconds
- Understand the Configuration
- Take a peek at our available free Skeletons
- If you have questions, jump on our Discord Chat Server!
- Have fun!
Exploring More
- Have a look at our Basic Tutorial
- Dive into more advanced functions
- Learn about the Grav CLI
- Review examples in the Grav Cookbook
- More Awesome Grav Stuff
Backers
Support Grav with a monthly donation to help us continue development. [Become a backer]
Supporters
Support Grav with a monthly donation to help us continue development. [Become a supporter]
Sponsors
Support Grav with a yearly donation to help us continue development. [Become a sponsor]
License
See LICENSE
Running Tests
First install the dev dependencies by running composer install from the Grav root.
Then composer test will run the unit tests, which should always pass on any site. Windows users should use the composer test-windows command. You can also run a single unit test file, e.g. composer test tests/unit/Grav/Common/AssetsTest.php
To run phpstan tests, you should run:
- composer phpstan for global tests
- composer phpstan-framework for more strict tests
- composer phpstan-plugins to test all installed plugins