Headline
CVE-2022-2073: Fixed Twig `|filter()` allowing code execution · getgrav/grav@9d6a2db
Code Injection in GitHub repository getgrav/grav prior to 1.7.34.
@@ -9,6 +9,7 @@
namespace Grav\Common\Twig\Extension;
use CallbackFilterIterator;
use Cron\CronExpression;
use Grav\Common\Config\Config;
use Grav\Common\Data\Data;
@@ -41,6 +42,7 @@
use RocketTheme\Toolbox\ResourceLocator\UniformResourceLocator;
use Traversable;
use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\AbstractExtension;
use Twig\Extension\GlobalsInterface;
use Twig\Loader\FilesystemLoader;
@@ -167,6 +169,9 @@ public function getFilters(): array
// PHP methods
new TwigFilter('count’, ‘count’),
new TwigFilter('array_diff’, ‘array_diff’),
// Security fix
new TwigFilter('filter’, [$this, ‘filterFilter’], [‘needs_environment’ => true]),
];
}
@@ -1676,4 +1681,20 @@ public function ofTypeFunc($var, $typeTest = null, $className = null)
return is_string($var);
}
}
/**
* @param Environment $env
* @param array $array
* @param callable|string $arrow
* @return array|CallbackFilterIterator
* @throws RuntimeError
*/
function filterFilter(Environment $env, $array, $arrow)
{
if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
throw new RuntimeError(‘Twig |filter("’ . $arrow . ‘") is not allowed.’);
}
return \twig_array_filter($env, $array, $arrow);
}
}
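Review bot: The guard in `filterFilter` only inspects string arrows and compares the raw value, so a differently spelled callable still reaches `\twig_array_filter`: PHP function names are case-insensitive and tolerate a leading backslash, so `'SYSTEM'` or `'\system'` pass unless `Utils::isDangerousFunction` (not visible here) normalises them, and a Twig array literal such as `['Some\Class', 'method']` arrives as a PHP array callable that skips the `is_string` check entirely. I would normalise before the lookup, `$name = is_string($arrow) ? strtolower(ltrim($arrow, '\\')) : null;`, and reject anything that is neither a string nor a `\Closure`, since Twig's own arrow syntax always yields a closure. Twig's `map` and `reduce` filters accept an arrow the same way and, as far as I recall, invoke a string arrow just as `filter` does, yet this commit wraps only `filter`; they look worth the same treatment. Style: the new method lacks the visibility modifier that `getFilters` and `ofTypeFunc` carry — `public function filterFilter(Environment $env, $array, $arrow)` would match the rest of the class.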
Related news
Grav prior to 1.7.34 is vulnerable to server-side template injection via Twig: the `|filter` filter accepted a plain string naming a PHP function and invoked it. As a previous vulnerability report noted, Twig as integrated in Grav should not expose dangerous functions such as `system` by default.