Edit PHP version constraint and update Composer dependencies

kirby/src/Cms/App.php

@@ -3,6 +3,7 @@
 namespace Kirby\Cms;
 
 use Closure;
+use Exception as GlobalException;
 use Generator;
 use Kirby\Data\Data;
 use Kirby\Email\Email as BaseEmail;
@@ -318,9 +319,18 @@ class App
 			}
 		}
 
-		foreach (glob($this->root('blueprints') . '/' . $type . '/*.yml') as $blueprint) {
-			$name = F::name($blueprint);
-			$blueprints[$name] = $name;
+		try {
+			// protect against path traversal attacks
+			$root     = $this->root('blueprints') . '/' . $type;
+			$realpath = Dir::realpath($root, $this->root('blueprints'));
+
+			foreach (glob($realpath . '/*.yml') as $blueprint) {
+				$name = F::name($blueprint);
+				$blueprints[$name] = $name;
+			}
+		} catch (GlobalException) {
+			// if the realpath operation failed, the following glob was skipped,
+			// keeping just the blueprints from extensions
 		}
 
 		ksort($blueprints);
@@ -478,7 +488,7 @@ class App
 		}
 
 		// controller from site root
-		$controller   = Controller::load($this->root('controllers') . '/' . $name . '.php');
+		$controller   = Controller::load($this->root('controllers') . '/' . $name . '.php', $this->root('controllers'));
 		// controller from extension
 		$controller ??= $this->extension('controllers', $name);
 
@@ -1184,7 +1194,7 @@ class App
 		string|null $path = null,
 		string|null $method = null
 	): Response|null {
-		if (($_ENV['KIRBY_RENDER'] ?? true) === false) {
+		if ((filter_var($_ENV['KIRBY_RENDER'] ?? true, FILTER_VALIDATE_BOOLEAN)) === false) {
 			return null;
 		}
 
@@ -1292,11 +1302,36 @@ class App
 
 		// try to resolve image urls for pages and drafts
 		if ($page = $site->findPageOrDraft($id)) {
-			return $page->file($filename);
+			return $this->resolveFile($page->file($filename));
 		}
 
 		// try to resolve site files at least
-		return $site->file($filename);
+		return $this->resolveFile($site->file($filename));
+	}
+
+	/**
+	 * Filters a resolved file object using the configuration
+	 * @internal
+	 */
+	public function resolveFile(File|null $file): File|null
+	{
+		// shortcut for files that don't exist
+		if ($file === null) {
+			return null;
+		}
+
+		$option = $this->option('content.fileRedirects', true);
+
+		if ($option === true) {
+			return $file;
+		}
+
+		if ($option instanceof Closure) {
+			return $option($file) === true ? $file : null;
+		}
+
+		// option was set to `false` or an invalid value
+		return null;
 	}
 
 	/**

kirby/src/Cms/AppCaches.php

@@ -79,7 +79,7 @@ trait AppCaches
 		$prefix =
 			str_replace(['/', ':'], '_', $this->system()->indexUrl()) .
 			'/' .
-			str_replace('.', '/', $key);
+			str_replace(['/', '.'], ['_', '/'], $key);
 
 		$defaults = [
 			'active'    => true,

kirby/src/Cms/Collections.php

@@ -105,10 +105,11 @@ class Collections
 	{
 		$kirby = App::instance();
 
-		// first check for collection file
-		$file = $kirby->root('collections') . '/' . $name . '.php';
+		// first check for collection file in the `collections` root
+		$root = $kirby->root('collections');
+		$file = $root . '/' . $name . '.php';
 
-		if (is_file($file) === true) {
+		if (F::exists($file, $root) === true) {
 			$collection = F::load($file, allowOutput: false);
 
 			if ($collection instanceof Closure) {

kirby/src/Cms/File.php

@@ -617,12 +617,20 @@ class File extends ModelWithContent
 	}
 
 	/**
-	 * Simplified File URL that uses the parent
-	 * Page URL and the filename as a more stable
-	 * alternative for the media URLs.
+	 * Clean file URL that uses the parent page URL
+	 * and the filename as a more stable alternative
+	 * for the media URLs if available. The `content.fileRedirects`
+	 * option is used to disable this behavior or enable it
+	 * on a per-file basis.
 	 */
 	public function previewUrl(): string|null
 	{
+		// check if the clean file URL is accessible,
+		// otherwise we need to fall back to the media URL
+		if ($this->kirby()->resolveFile($this) === null) {
+			return $this->url();
+		}
+
 		$parent = $this->parent();
 		$url    = Url::to($this->id());
 
@@ -651,6 +659,7 @@ class File extends ModelWithContent
 
 				return $url;
 			case 'user':
+				// there are no clean URL routes for user files
 				return $this->url();
 			default:
 				return $url;

kirby/src/Cms/Language.php

@@ -57,7 +57,7 @@ class Language
 		}
 
 		static::$kirby      = $props['kirby'] ?? null;
-		$this->code         = trim($props['code']);
+		$this->code         = basename(trim($props['code'])); // prevent path traversal
 		$this->default      = ($props['default'] ?? false) === true;
 		$this->direction    = ($props['direction'] ?? null) === 'rtl' ? 'rtl' : 'ltr';
 		$this->name         = trim($props['name'] ?? $this->code);
@@ -325,6 +325,7 @@ class Language
 	public static function loadRules(string $code): array
 	{
 		$kirby = App::instance();
+		$code  = basename($code); // prevent path traversal
 		$code  = Str::contains($code, '.') ? Str::before($code, '.') : $code;
 		$file  = $kirby->root('i18n:rules') . '/' . $code . '.json';
 

kirby/src/Cms/Media.php

@@ -95,11 +95,13 @@ class Media
 		string $filename
 	): Response|false {
 		$kirby = App::instance();
+		$index = $kirby->root('index');
+		$media = $kirby->root('media');
 
 		$root = match (true) {
 			// assets
 			is_string($model)
-				=> $kirby->root('media') . '/assets/' . $model . '/' . $hash,
+				=> $media . '/assets/' . $model . '/' . $hash,
 			// parent files for file model that already included hash
 			$model instanceof File
 				=> dirname($model->mediaRoot()),
@@ -108,10 +110,13 @@ class Media
 			=> $model->mediaRoot() . '/' . $hash
 		};
 
-		$thumb = $root . '/' . $filename;
-		$job   = $root . '/.jobs/' . $filename . '.json';
-
 		try {
+			// prevent path traversal
+			$root = Dir::realpath($root, $media);
+
+			$thumb = $root . '/' . $filename;
+			$job   = $root . '/.jobs/' . $filename . '.json';
+
 			$options = Data::read($job);
 		} catch (Throwable) {
 			// send a customized error message to make clearer what happened here
@@ -127,7 +132,12 @@ class Media
 			// this adds support for custom assets
 			$source = match (true) {
 				is_string($model) === true
-					=> $kirby->root('index') . '/' . $model . '/' . $options['filename'],
+					=> F::realpath(
+						$index . '/' . $model . '/' . $options['filename'],
+						$index
+					),
+				$model instanceof File
+					=> $model->root(),
 				default
 				=> $model->file($options['filename'])->root()
 			};

kirby/src/Cms/Page.php

@@ -361,7 +361,7 @@ class Page extends ModelWithContent
 	}
 
 	/**
-	 * Sorting number + Slug
+	 * Returns the directory name (UID with optional sorting number)
 	 */
 	public function dirname(): string
 	{
@@ -377,7 +377,8 @@ class Page extends ModelWithContent
 	}
 
 	/**
-	 * Sorting number + Slug
+	 * Returns the directory path relative to the `content` root
+	 * (including optional sorting numbers and draft directories)
 	 */
 	public function diruri(): string
 	{

kirby/src/Cms/Url.php

@@ -2,6 +2,7 @@
 
 namespace Kirby\Cms;
 
+use Kirby\Filesystem\F;
 use Kirby\Http\Url as BaseUrl;
 use Kirby\Toolkit\Str;
 
@@ -63,10 +64,11 @@ class Url extends BaseUrl
 		$kirby = App::instance();
 		$page  = $kirby->site()->page();
 		$path  = $assetPath . '/' . $page->template() . '.' . $extension;
-		$file  = $kirby->root('assets') . '/' . $path;
+		$root  = $kirby->root('assets');
+		$file  = $root . '/' . $path;
 		$url   = $kirby->url('assets') . '/' . $path;
 
-		return file_exists($file) === true ? $url : null;
+		return F::exists($file, $root) === true ? $url : null;
 	}
 
 	/**