"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "system/src/Grav/Common/Security.php" between
grav-v1.7.17.zip and grav-v1.7.18.zip

About: Grav is a fast, simple, and flexible flat-file based CMS platform (using YAML and PHP). Contents are just simple markdown files in folders with optional extensions via API and hooks.

Security.php  (grav-v1.7.17):Security.php  (grav-v1.7.18)
skipping to change at line 15 skipping to change at line 15
* *
* @copyright Copyright (c) 2015 - 2021 Trilby Media, LLC. All rights reserved. * @copyright Copyright (c) 2015 - 2021 Trilby Media, LLC. All rights reserved.
* @license MIT License; see LICENSE file for details. * @license MIT License; see LICENSE file for details.
*/ */
namespace Grav\Common; namespace Grav\Common;
use enshrined\svgSanitize\Sanitizer; use enshrined\svgSanitize\Sanitizer;
use Exception; use Exception;
use Grav\Common\Config\Config; use Grav\Common\Config\Config;
use Grav\Common\Filesystem\Folder;
use Grav\Common\Page\Pages; use Grav\Common\Page\Pages;
use function chr; use function chr;
use function count; use function count;
use function is_array; use function is_array;
use function is_string; use function is_string;
/** /**
* Class Security * Class Security
* @package Grav\Common * @package Grav\Common
*/ */
skipping to change at line 59 skipping to change at line 60
* @param string $file * @param string $file
* @return void * @return void
*/ */
public static function sanitizeSVG(string $file): void public static function sanitizeSVG(string $file): void
{ {
if (file_exists($file) && Grav::instance()['config']->get('security.sani tize_svg')) { if (file_exists($file) && Grav::instance()['config']->get('security.sani tize_svg')) {
$sanitizer = new Sanitizer(); $sanitizer = new Sanitizer();
$original_svg = file_get_contents($file); $original_svg = file_get_contents($file);
$clean_svg = $sanitizer->sanitize($original_svg); $clean_svg = $sanitizer->sanitize($original_svg);
// TODO: what to do with bad SVG files which return false? // Quarantine bad SVG files and throw exception
if ($clean_svg !== false && $clean_svg !== $original_svg) { if ($clean_svg !== false ) {
file_put_contents($file, $clean_svg); file_put_contents($file, $clean_svg);
} else {
$quarantine_file = basename($file);
$quarantine_dir = 'log://quarantine';
Folder::mkdir($quarantine_dir);
file_put_contents("$quarantine_dir/$quarantine_file", $original_
svg);
unlink($file);
throw new Exception('SVG could not be sanitized, it has been mov
ed to the logs/quarantine folder');
} }
} }
} }
/** /**
* Detect XSS code in Grav pages * Detect XSS code in Grav pages
* *
* @param Pages $pages * @param Pages $pages
* @param bool $route * @param bool $route
* @param callable|null $status * @param callable|null $status
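Review bot: in the new quarantine branch, `unlink($file)` runs without checking that `Folder::mkdir($quarantine_dir)` and `file_put_contents("$quarantine_dir/$quarantine_file", $original_svg)` succeeded, so a failed quarantine write deletes the only copy of the rejected upload; guard the unlink on the write result, e.g. `if (file_put_contents(...) === false) { throw new Exception('could not quarantine SVG'); }` before the `unlink($file)`. Using `basename($file)` alone as the quarantine name also means two rejected files with the same basename overwrite each other in `log://quarantine`; a timestamp or hash prefix would keep both for later inspection. The docblock above `sanitizeSVG()` still lists only `@param string $file` and `@return void`; add `@throws Exception` since callers now have to handle the exception this branch introduces. Finally, dropping `$clean_svg !== $original_svg` from the condition means every successfully sanitized file is rewritten to disk even when unchanged, which is harmless but a behaviour change worth noting in the commit message.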
 End of changes. 3 change blocks. 
2 lines changed or deleted 12 lines changed or added