diff --git a/CHANGELOG.md b/CHANGELOG.md
index 52e80bf0..845cbb93 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,42 @@
 Changelog
 =========
+## 4.1.13
+
+Released: 2021-02-14
+
+This release includes two security-related fixes. Our thanks go out to
+[Silvia VΓ€li, Clarified Security](https://clarifiedsecurity.com/silvia-vali/)
+and [Romain Richard](https://github.com/bigz) for identifying these issues and
+disclosing them to us responsibly! πŸ‘πŸ™
+
+### πŸ› Bug fixes
+
+- Selects with `multiple: true` always have an array value (I-Valchev, [#2385](https://github.com/bolt/core/pull/2385))
+- Make sure the magic `get` uses the configured `date_format` (I-Valchev, [#2383](https://github.com/bolt/core/pull/2383))
+- Fix `|order` filter by date (I-Valchev, [#2382](https://github.com/bolt/core/pull/2382))
+- Keep cache timestamps for all `.env` files (I-Valchev, [#2378](https://github.com/bolt/core/pull/2378))
+- Fix date field with `required: true` (I-Valchev, [#2377](https://github.com/bolt/core/pull/2377))
+- Make multiselect fields iterable in Twig (I-Valchev, [#2373](https://github.com/bolt/core/pull/2373))
+- Fix slow tests (bobdenotter, [#2370](https://github.com/bolt/core/pull/2370))
+- Use TemplateSelect `filter` option with directories (I-Valchev, [#2361](https://github.com/bolt/core/pull/2361))
+- Fix new checkbox value on existing records (I-Valchev, [#2350](https://github.com/bolt/core/pull/2350))
+- Fix `record|thumbnail` getting different image than `record|image` (I-Valchev, [#2347](https://github.com/bolt/core/pull/2347))
+- Fix `|svg` filter for images outside of set (I-Valchev, [#2345](https://github.com/bolt/core/pull/2345))
+
+### πŸ› οΈ Miscellaneous
+
+- [security] Don't allow Path Traversal (bobdenotter, [#2371](https://github.com/bolt/core/pull/2371))
+- Fix e-mail address in github issue template (bobdenotter, [#2367](https://github.com/bolt/core/pull/2367))
+- [security] Forbid certain theme files from public exposure (I-Valchev, [#2348](https://github.com/bolt/core/pull/2348))
+
+### βš™οΈ Code Quality / Developer Experience
+
+- Remove 
incorrect `PHPDoc @var` tag in RelationRepository (I-Valchev, [#2374](https://github.com/bolt/core/pull/2374))
+- Remove (abandoned) `sensiolabs/security-checker` (bobdenotter, [#2356](https://github.com/bolt/core/pull/2356))
+- Prepare Release 4.1.12 (bobdenotter, [#2339](https://github.com/bolt/core/pull/2339))
+
+
 ## 4.1.12
 Released: 2021-01-25
diff --git a/composer.json b/composer.json
index d16ca780..48595f32 100644
--- a/composer.json
+++ b/composer.json
@@ -37,6 +37,7 @@
 "psr/simple-cache": "^1.0",
 "scienta/doctrine-json-functions": "^4.1",
 "sensio/framework-extra-bundle": "^5.6",
+ "sensiolabs/security-checker": "^6.0",
 "siriusphp/upload": "^3.0.1",
 "squirrelphp/twig-php-syntax": "^1.5",
 "symfony/asset": "^5.1",
diff --git a/src/Twig/ArrayExtension.php b/src/Twig/ArrayExtension.php
index a660c424..d2f15065 100644
--- a/src/Twig/ArrayExtension.php
+++ b/src/Twig/ArrayExtension.php
@@ -6,6 +6,7 @@ namespace Bolt\Twig;
 use Bolt\Entity\Content;
 use Bolt\Utils\ContentHelper;
+use Carbon\Carbon;
 use Pagerfanta\Pagerfanta;
 use Twig\Environment;
 use Twig\Extension\AbstractExtension;
@@ -136,8 +137,14 @@ final class ArrayExtension extends AbstractExtension
 */
 private function orderHelper(Content $a, Content $b, string $orderOn, bool $orderAscending, string $locale): int
 {
- $aVal = $this->contentHelper->get($a, sprintf('{%s}', $orderOn));
- $bVal = $this->contentHelper->get($b, sprintf('{%s}', $orderOn));
+ $aVal = $this->contentHelper->get($a, sprintf('{%s}', $orderOn), $locale);
+ $bVal = $this->contentHelper->get($b, sprintf('{%s}', $orderOn), $locale);
+
+ // If the values look like dates, convert them to proper date objects.
+ if (strtotime($aVal) && strtotime($bVal)) {
+ $aVal = Carbon::createFromTimestamp(strtotime($aVal));
+ $bVal = Carbon::createFromTimestamp(strtotime($bVal));
+ }
 // Check the primary sorting criterion.
 if ($orderAscending) {
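Review bot: The added `"sensiolabs/security-checker": "^6.0"` requirement contradicts the CHANGELOG hunk in this same commit, whose 4.1.13 section records `Remove (abandoned) sensiolabs/security-checker` (#2356), so one of the two sides is wrong and this line looks like that removal being reintroduced, possibly through a merge or rebase. Carrying a package the project itself labels abandoned back into the dependency set is a supply-chain liability in its own right, since it will receive no further fixes. If the removal was intentional this line should be dropped and composer.lock checked for a matching reintroduction; if it was not, the changelog entry should be corrected instead.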
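Review bot: The `if (strtotime($aVal) && strtotime($bVal))` guard accepts far more than values that "look like dates": strtotime() parses many plain words and relative formats, and a bare four-digit number such as `2021` is read as a time of day rather than a year, so ordering on a text or number field whose values happen to parse compares them as dates, while a pair where only one side parses falls back to string comparison, which makes the comparator inconsistent across pairs. The return type of `contentHelper->get()` is not visible here; if it can yield null or an array for a missing or multi-value field, strtotime() emits a deprecation or throws a TypeError on PHP 8. Deciding by the field's configured type rather than by the value's shape would be the robust fix; failing that, the conversion should at least require both values to be strings, parse each once instead of three times, and compare the result with `false` so the epoch timestamp 0 is not treated as a failed parse. orderHelper continues outside the hunk.
```php
        $aVal = $this->contentHelper->get($a, sprintf('{%s}', $orderOn), $locale);
        $bVal = $this->contentHelper->get($b, sprintf('{%s}', $orderOn), $locale);

        // Treat the pair as dates only when both values are strings that parse;
        // parse each once and keep the timestamp instead of calling strtotime() again.
        $aTime = is_string($aVal) ? strtotime($aVal) : false;
        $bTime = is_string($bVal) ? strtotime($bVal) : false;
        if ($aTime !== false && $bTime !== false) {
            $aVal = Carbon::createFromTimestamp($aTime);
            $bVal = Carbon::createFromTimestamp($bTime);
        }

        // … unchanged: primary and secondary sorting criteria …
```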