Skip to content

Commit

Permalink
Merge branch 'master' into feature/php8-support
Browse files Browse the repository at this point in the history
  • Loading branch information
wisskid committed Oct 13, 2021
2 parents 492c05b + 9d4f830 commit 0cb91c2
Show file tree
Hide file tree
Showing 16 changed files with 88 additions and 15 deletions.
18 changes: 16 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Dropped deprecated $smarty->getVariable() method. Use $smarty->getTemplateVars() instead.
- $smarty->registerResource() no longer accepts an array of callback functions

## [3.1.40] - 2021-10-13

### Changed
- modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649

### Security
- More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov

## [3.1.39] - 2021-02-17

### Security
- Prevent access to `$smarty.template_object` in sandbox mode. This addresses CVE-2021-26119.
- Fixed code injection vulnerability by using illegal function names in `{function name='blah'}{/function}`. This addresses CVE-2021-26120.

## [3.1.38] - 2021-01-08

### Fixed
Expand Down Expand Up @@ -336,7 +350,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
20.09.2016
- bugfix some $smarty special template variables are no longer accessed as real variable.
using them on calls like {if isset($smarty.foo)} or {if empty($smarty.foo)} will fail
https://www.smarty.net/forums/viewtopic.php?t=26222
http://www.smarty.net/forums/viewtopic.php?t=26222
- temporary fix for https://github.com/smarty-php/smarty/issues/293 main reason still under investigation
- improvement new tags {block_parent} {block_child} in template inheritance

Expand All @@ -348,7 +362,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- bugfix assigning a variable in if condition by function like {if $value = array_shift($array)} the function got called twice https://github.com/smarty-php/smarty/issues/291
- bugfix function plugins called with assign attribute like {foo assign='bar'} did not output returned content because
because assumption was made that it was assigned to a variable https://github.com/smarty-php/smarty/issues/292
- bugfix calling $smarty->isCached() on a not existing cache file with $smarty->cache_locking = true; could cause a 10 second delay https://www.smarty.net/forums/viewtopic.php?t=26282
- bugfix calling $smarty->isCached() on a not existing cache file with $smarty->cache_locking = true; could cause a 10 second delay http://www.smarty.net/forums/viewtopic.php?t=26282
- improvement make Smarty::clearCompiledTemplate() on custom resource independent from changes of templateId computation

11.09.2016
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ Smarty can be run with PHP 7.1 to PHP 8.0.
> Read the NEW_FEATURES and INHERITANCE_RELEASE_NOTES file for recent extensions to Smarty 3.1 functionality
Smarty versions 3.1.11 or later are now on github and can be installed with Composer.
Smarty versions 3.1.11 or later are now on GitHub and can be installed with Composer.


The "smarty/smarty" package will start at libs/.... subfolder.
Expand Down
19 changes: 19 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
# Security Policy

## Supported Versions

Smarty currently supports the latest minor version of Smarty 3 and Smarty 4. (Smarty 4 has not been released yet.)

| Version | Supported |
| ------- | ------------------ |
| 4.0.x | :white_check_mark: |
| 3.1.x | :white_check_mark: |
| < 3.1 | :x: |

## Reporting a Vulnerability

If you have discovered a security issue with Smarty, please contact us at mail [at] simonwisselink.nl. Do not
disclose your findings publicly and PLEASE PLEASE do not file an Issue.

We will try to confirm the vulnerability and develop a fix if appropriate. When we release the fix, we will publish
a security release. Please let us know if you want to be credited.
2 changes: 1 addition & 1 deletion libs/Smarty.class.php
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ class Smarty extends Smarty_Internal_TemplateBase
/**
* smarty version
*/
const SMARTY_VERSION = '3.1.38';
const SMARTY_VERSION = '3.1.40';
/**
* define variable scopes
*/
Expand Down
7 changes: 6 additions & 1 deletion libs/plugins/modifier.escape.php
Original file line number Diff line number Diff line change
Expand Up @@ -181,7 +181,11 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
'"' => '\\"',
"\r" => '\\r',
"\n" => '\\n',
'</' => '<\/'
'</' => '<\/',
// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
'<!--' => '<\!--',
'<s' => '<\s',
'<S' => '<\S'
)
);
case 'mail':
Expand Down Expand Up @@ -247,6 +251,7 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
}
return $return;
default:
trigger_error("escape: unsupported type: $esc_type - returning unmodified string", E_USER_NOTICE);
return $string;
}
}
3 changes: 2 additions & 1 deletion libs/plugins/modifiercompiler.escape.php
Original file line number Diff line number Diff line change
Expand Up @@ -86,9 +86,10 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
return 'preg_replace("%(?<!\\\\\\\\)\'%", "\\\'",' . $params[ 0 ] . ')';
case 'javascript':
// escape quotes and backslashes, newlines, etc.
// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
return 'strtr(' .
$params[ 0 ] .
', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/" ))';
', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
}
} catch (SmartyException $e) {
// pass through to regular plugin fallback
Expand Down
5 changes: 5 additions & 0 deletions libs/sysplugins/smarty_internal_compile_function.php
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,11 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler)
}
unset($_attr[ 'nocache' ]);
$_name = trim($_attr[ 'name' ], '\'"');

if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+$/', $_name)) {
$compiler->trigger_template_error("Function name contains invalid characters: {$_name}", null, true);
}

$compiler->parent_compiler->tpl_function[ $_name ] = array();
$save = array(
$_attr, $compiler->parser->current_buffer, $compiler->template->compiled->has_nocache_code,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,10 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler, $
case 'template':
return 'basename($_smarty_tpl->source->filepath)';
case 'template_object':
if (isset($compiler->smarty->security_policy)) {
$compiler->trigger_template_error("(secure mode) template_object not permitted");
break;
}
return '$_smarty_tpl';
case 'current_dir':
return 'dirname($_smarty_tpl->source->filepath)';
Expand Down
2 changes: 1 addition & 1 deletion make-release.sh
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,6 @@ git pull
git merge --no-ff "release/$1"
git branch -d "release/$1"
git tag -a "v$1" -m "Release $1"
git push --follow-tags

printf 'Done creating release %s\n' "$1"
printf 'Run `git push --follow-tags origin` to publish it.\n'
Original file line number Diff line number Diff line change
Expand Up @@ -339,6 +339,10 @@ public function testClearCacheCacheFile()
$this->assertNull($tpl->cached->handler->getCachedContent($tpl3));
$this->assertEquals('hello world', $tpl->cached->handler->getCachedContent($tpl4));
}

/**
* @group slow
*/
public function testClearCacheExpired()
{
$this->smarty->caching = true;
Expand Down Expand Up @@ -399,7 +403,7 @@ public function testClearCacheCacheFileSub()
* @runInSeparateProcess
* @preserveGlobalState disabled
* @dataProvider data
*
* @group slow
*/
public function testCache($lockTime, $lockTimeout, $compile_id, $cache_id, $isCached, $tmin, $tmax, $forceCompile, $forceCache, $update, $testNumber, $compileTestNumber, $renderTestNumber, $testName)
{
Expand Down
4 changes: 2 additions & 2 deletions tests/UnitTests/ResourceTests/Extends/ExtendsResourceTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ public function testCompileBlockGrandChildMustCompile_021_12()
* test grandchild/child/parent dependency test2
* @runInSeparateProcess
* @preserveGlobalState disabled
*
* @group slow
*/
public function testCompileBlockGrandChildMustCompile_021_2()
{
Expand Down Expand Up @@ -193,7 +193,7 @@ public function testCompileBlockGrandChildMustCompile_021_32()
* test grandchild/child/parent dependency test4
* @runInSeparateProcess
* @preserveGlobalState disabled
*
* @group slow
*/
public function testCompileBlockGrandChildMustCompile_021_4()
{
Expand Down
9 changes: 9 additions & 0 deletions tests/UnitTests/SecurityTests/SecurityTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -341,6 +341,15 @@ public function testNotTrustedUri()
$this->smarty->security_policy->trusted_uri = array();
$this->assertStringContainsString('<title>Preface | Smarty</title>', $this->smarty->fetch('string:{fetch file="https://www.smarty.net/docs/en/preface.tpl"}'));
}

/**
* In security mode, accessing $smarty.template_object should be illegal.
* @expectedException SmartyCompilerException
*/
public function testSmartyTemplateObject() {
$this->smarty->display('string:{$smarty.template_object}');
}

}

class mysecuritystaticclass
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -610,7 +610,7 @@ public function testCompileBlockGrandChildMustCompile_021_12()
*
* @runInSeparateProcess
* @preserveGlobalState disabled
*
* @group slow
*/
public function testCompileBlockGrandChildMustCompile_021_2()
{
Expand Down Expand Up @@ -645,7 +645,7 @@ public function testCompileBlockGrandChildMustCompile_021_2()
*
* @runInSeparateProcess
* @preserveGlobalState disabled
*
* @group slow
*/
public function testCompileBlockGrandChildMustCompile_021_3()
{
Expand All @@ -670,7 +670,7 @@ public function testCompileBlockGrandChildMustCompile_021_3()
*
* @runInSeparateProcess
* @preserveGlobalState disabled
*
* @group slow
*/
public function testCompileBlockGrandChildMustCompile_021_32()
{
Expand All @@ -692,6 +692,7 @@ public function testCompileBlockGrandChildMustCompile_021_32()
*
* @runInSeparateProcess
* @preserveGlobalState disabled
* @group slow
*/
public function testCompileBlockGrandChildMustCompile_021_4()
{
Expand All @@ -716,6 +717,7 @@ public function testCompileBlockGrandChildMustCompile_021_4()
*
* @runInSeparateProcess
* @preserveGlobalState disabled
* @group slow
*/
public function testCompileBlockGrandChildMustCompile_021_42()
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -210,6 +210,7 @@ public function testInsertPluginCaching3_1()
* test insert plugin caching 2
* @runInSeparateProcess
* @preserveGlobalState disabled
* @group slow
*/
public function testInsertPluginCaching3_2()
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -431,5 +431,14 @@ public function dataTestSpacing()
array("{function name=simple}A{\$foo}\nC{/function}{call name='simple'}", "Abar\nC", 'T14', $i++),
array("{function name=simple}A\n{\$foo}\nC{/function}{call name='simple'}", "A\nbar\nC", 'T15', $i++),
);
}
}

/**
* Test handling of function names that are a security risk
* @expectedException SmartyCompilerException
*/
public function testIllegalFunctionName() {
$this->smarty->fetch('string:{function name=\'rce(){};echo "hi";function \'}{/function}');
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ public function testSmartyNow() {
}
/**
* test {$smarty.now nocache}
*
* @group slow
*/
public function testSmartyNowNocache() {
$this->smarty->setCaching(true);
Expand Down

0 comments on commit 0cb91c2

Please sign in to comment.