Merge branch '4.2'

CHANGELOG.md

@@ -1,6 +1,42 @@
 Changelog
 =========
 
+## 4.1.13
+
+Released: 2021-02-14
+
+This release includes two security-related fixes. Our thanks go out to 
+[Silvia Väli, Clarified Security](https://clarifiedsecurity.com/silvia-vali/) 
+and [Romain Richard](https://github.com/bigz) for identifying these issues and 
+disclosing them to us responsibly! 👏🙏 
+
+### 🐛 Bug fixes
+
+- Selects with `multiple: true` always have an array value (I-Valchev, [#2385](https://github.com/bolt/core/pull/2385))
+- Make sure the magic `get` uses the configured `date_format` (I-Valchev, [#2383](https://github.com/bolt/core/pull/2383))
+- Fix `|order` filter by date (I-Valchev, [#2382](https://github.com/bolt/core/pull/2382))
+- Keep cache timestamps for all `.env` files (I-Valchev, [#2378](https://github.com/bolt/core/pull/2378))
+- Fix date field with `required: true` (I-Valchev, [#2377](https://github.com/bolt/core/pull/2377))
+- Make multiselect fields iterable in Twig (I-Valchev, [#2373](https://github.com/bolt/core/pull/2373))
+- Fix slow tests (bobdenotter, [#2370](https://github.com/bolt/core/pull/2370))
+- Use TemplateSelect `filter` option with directories (I-Valchev, [#2361](https://github.com/bolt/core/pull/2361))
+- Fix new checkbox value on existing records (I-Valchev, [#2350](https://github.com/bolt/core/pull/2350))
+- Fix `record|thumbnail` getting different image than `record|image` (I-Valchev, [#2347](https://github.com/bolt/core/pull/2347))
+- Fix `|svg` filter for images outside of set (I-Valchev, [#2345](https://github.com/bolt/core/pull/2345))
+
+### 🛠️ Miscellaneous
+
+- [security] Don't allow Path Traversal (bobdenotter, [#2371](https://github.com/bolt/core/pull/2371))
+- Fix e-mail address in github issue template (bobdenotter, [#2367](https://github.com/bolt/core/pull/2367))
+- [security] Forbid certain theme files from public exposure (I-Valchev, [#2348](https://github.com/bolt/core/pull/2348))
+
+### ⚙️ Code Quality / Developer Experience
+
+- Remove incorrect `PHPDoc @var` tag in RelationRepository (I-Valchev, [#2374](https://github.com/bolt/core/pull/2374))
+- Remove (abandoned) `sensiolabs/security-checker` (bobdenotter, [#2356](https://github.com/bolt/core/pull/2356))
+- Prepare Release 4.1.12 (bobdenotter, [#2339](https://github.com/bolt/core/pull/2339))
+
+
 ## 4.1.12
 
 Released: 2021-01-25

composer.json

@@ -37,6 +37,7 @@
         "psr/simple-cache": "^1.0",
         "scienta/doctrine-json-functions": "^4.1",
         "sensio/framework-extra-bundle": "^5.6",
+        "sensiolabs/security-checker": "^6.0",
         "siriusphp/upload": "^3.0.1",
         "squirrelphp/twig-php-syntax": "^1.5",
         "symfony/asset": "^5.1",

src/Twig/ArrayExtension.php

@@ -6,6 +6,7 @@ namespace Bolt\Twig;
 
 use Bolt\Entity\Content;
 use Bolt\Utils\ContentHelper;
+use Carbon\Carbon;
 use Pagerfanta\Pagerfanta;
 use Twig\Environment;
 use Twig\Extension\AbstractExtension;
@@ -136,8 +137,14 @@ final class ArrayExtension extends AbstractExtension
      */
     private function orderHelper(Content $a, Content $b, string $orderOn, bool $orderAscending, string $locale): int
     {
-        $aVal = $this->contentHelper->get($a, sprintf('{%s}', $orderOn));
-        $bVal = $this->contentHelper->get($b, sprintf('{%s}', $orderOn));
+        $aVal = $this->contentHelper->get($a, sprintf('{%s}', $orderOn), $locale);
+        $bVal = $this->contentHelper->get($b, sprintf('{%s}', $orderOn), $locale);
+
+        // If the values look like dates, convert them to proper date objects.
+        if (strtotime($aVal) && strtotime($bVal)) {
+            $aVal = Carbon::createFromTimestamp(strtotime($aVal));
+            $bVal = Carbon::createFromTimestamp(strtotime($bVal));
+        }
 
         // Check the primary sorting criterion.
         if ($orderAscending) {