From b4c62101a43051fc7f5349c7d0a5b6085375c1d7 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Tue, 18 Jul 2023 10:49:47 -0600 Subject: [PATCH] SSTI attack mitigation - GHSA-9436-3gmp-4f53 --- CHANGELOG.md | 7 +++++++ system/src/Grav/Common/Data/Validation.php | 4 ++++ system/src/Grav/Common/Utils.php | 2 +- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3054f0b810..a8a5dc1a7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# v1.7.42.2 +## mm/dd/2023 + +2. [](#improved) + * In `Utils::isDangerousFunction`, handle double `\\` in `|map` twig filter to mitigate SSTI attack + * Better handle empty email in `Validatoin::typeEmail()` + # v1.7.42.1 ## 06/15/2023 diff --git a/system/src/Grav/Common/Data/Validation.php b/system/src/Grav/Common/Data/Validation.php index 6deb93190c..daca7352f9 100644 --- a/system/src/Grav/Common/Data/Validation.php +++ b/system/src/Grav/Common/Data/Validation.php @@ -631,6 +631,10 @@ public static function typeColor($value, array $params, array $field) */ public static function typeEmail($value, array $params, array $field) { + if (empty($value)) { + return false; + } + if (!isset($params['max'])) { $params['max'] = 320; } diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php index 2f121bbe39..7b267cd0f3 100644 --- a/system/src/Grav/Common/Utils.php +++ b/system/src/Grav/Common/Utils.php @@ -2069,7 +2069,7 @@ public static function isDangerousFunction($name): bool } if (strpos($name, "\\") !== false) { - return false; + return true; } if (in_array($name, $commandExecutionFunctions)) {
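Review bot: The new guard at the top of `typeEmail` rejects empty values but still passes a non-string `$value` on to the rest of the method, whose body continues outside the hunk; a manipulated form post can submit `email[]=...` and deliver an array here, and if the code after the hunk applies string operations (trim/strlen) to it, PHP 8 raises a TypeError instead of producing a clean validation failure. Tightening the guard to `if (empty($value) || !is_string($value)) { return false; }` keeps the empty-value fix and makes the string expectation explicit. Also note that `empty()` treats `'0'` as empty, which is acceptable only because `'0'` can never be a valid address; a short comment such as `// Empty or non-string input is never a valid address; required-ness is enforced by the caller` would record that intent. If the caller does not skip type validation for optional empty fields, an unfilled optional email field will now fail with an invalid-type message — worth confirming against `Validation::validate`.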
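Review bot: Flagging every backslash-containing name as dangerous closes the `\system` bypass, but the check that follows, `in_array($name, $commandExecutionFunctions)`, is still an exact, case-sensitive comparison while PHP resolves function names case-insensitively, so a name like `SYSTEM` or `System` would pass the denylist unless it is lowercased before this point (the start of `isDangerousFunction` is outside the hunk, so this may already happen). If it does not, normalizing once before the checks, `$name = strtolower($name);`, and using `in_array($name, $commandExecutionFunctions, true)` for a strict match would remove that gap. More broadly, this commit is itself evidence that a denylist of function names is fragile; an allowlist of callables permitted in the `|map`/`|filter`/`|reduce` filters would be the more robust design. A one-line comment on the changed branch, `// Any namespaced/global-qualified name (e.g. "\\system") bypasses the denylist below, so reject it outright`, would explain why the previous `return false` was wrong.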