Fixed use of rand() without a parameter in math function (for v3.1)

Fixes #794
smarty-php · Sep 12, 2022 · 0a84d52 · 0a84d52
1 parent b3ade90
commit 0a84d52
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixes
+- Fixed use of `rand()` without a parameter in math function [#794](https://github.com/smarty-php/smarty/issues/794)
+
 ## [3.1.46] - 2022-08-01
 
 ### Fixed

diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php
@@ -70,7 +70,7 @@ function smarty_function_math($params, $template)
     $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
     $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';
     $operators = '[,+\/*\^%-]'; // Allowed math operators
-    $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/';
+    $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)*\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/';
 
     if (!preg_match($regexp, $equation)) {
         trigger_error("math: illegal characters", E_USER_WARNING);

diff --git a/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php b/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
@@ -162,4 +162,12 @@ public function testBracketsIllegal()
 		$this->assertEquals($expected, $this->smarty->fetch($tpl));
 	}
 
+	public function testRand()
+	{
+		$tpl = $this->smarty->createTemplate('eval:{$x = "0"}{math equation="x * rand()" x=$x}');
+		// this assertion may seem silly, but it serves to prove that using rand() without a parameter
+		// will not trigger a security error (see https://github.com/smarty-php/smarty/issues/794)
+		$this->assertEquals("0", $this->smarty->fetch($tpl));
+	}
+
 }