GHSA-9436-3gmp-4f53

### Summary
The fix for SSTI using `|map`, `|filter` and `|reduce` twigs implemented in the commit [71bbed1](https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b) introduces bypass of the denylist due to incorrect return value from `isDangerousFunction()`, which allows to execute the payload prepending double backslash (`\\`)

### Details
The `isDangerousFunction()` check in version 1.7.42 and onwards retuns `false` value instead of `true` when the `\` symbol is found in the `$name`.

```php
...
if (strpos($name, "\\") !== false) {
return false;
}

if (in_array($name, $commandExecutionFunctions)) {
return true;
}
...
```
Based on the code where the function is used, it is expected that any dangerous condition would return `true`
```php
/**
* @param Environment $env
* @param array $array
* @param callable|string $arrow
* @return array|CallbackFilterIterator
* @throws RuntimeError
*/
function mapFunc(Environment $env, $array, $arrow)
{
if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
}
```
when `|map('\system')` is used in the malicious payload, the single backslash is dropped prior to reaching `strpos($name, '\\')` check, thus `$name` variable already has no backslash, and the command is blacklisted because it reaches the `if (in_array($name, $commandExecutionFunctions)) {` validation step.

However if `|map('\\system')` is used (i.e. double backslash), then the `strpos($name, "\\") !== false` takes effect, and `isDangerousFunction()` returns `false` , in which case the `RuntimeError` is not generated, and blacklist is bypassed leading to code execution.

### Exploit Conditions
This vulnerability can be exploited if the attacker has access to:

1. an Administrator account, or
2. a non-administrator, user account that has Admin panel access and Create/Update page permissions

### Steps to reproduce

1. Log in to Grav Admin using an administrator account.
2. Navigate to `Accounts > Add`, and ensure that the following permissions are assigned when creating a new low-privileged user:
- Login to Admin - Allowed
- Page Update - Allowed
3. Log out of Grav Admin
4. Login using the account created in step 2.
5. Choose `Pages -> Home`
6. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage.
7. Under the `Content` tab, insert the following payload within the editor:
```{{ ['id'] | map('\\system') | join() }}```
8. Click the `Preview` button. Observe that the output of the id shell command is returned in the preview.

### Mitigation

```diff
diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
index 2f121bbe3..7b267cd0f 100644
--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@@ -2069,7 +2069,7 @@ abstract class Utils
}

if (strpos($name, "\\") !== false) {
- return false;
+ return true;
}

if (in_array($name, $commandExecutionFunctions)) {

```