
Commit 19ae410

authored
Merge pull request from GHSA-4h9c-v5vg-5m6m
* Prevent evasion of the static_classes security policy. * Updated deprecated exception expectations.
1 parent baad311 commit 19ae410


4 files changed

+38
-7
lines changed


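--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+- Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408
+
 ## [4.0.2] - 2022-01-10
 
 ### Security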

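--- a/lexer/smarty_internal_templateparser.y
+++ b/lexer/smarty_internal_templateparser.y
@@ -747,6 +747,9 @@ value(res) ::= doublequoted_with_quotes(s). {
 
 
 value(res) ::= varindexed(vi) DOUBLECOLON static_class_access(r). {
+if ($this->security && $this->security->static_classes !== array()) {
+$this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
+}
 $prefixVar = $this->compiler->getNewPrefixVariable();
 if (vi['var'] === '\'smarty\'') {
 $this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),vi['smarty_internal_index']).';?>');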
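Review bot: The guard added at line 750 denies every variable-based static class access as soon as `static_classes` is non-empty, but carries no comment explaining why the allow-list itself is not consulted, so a later maintainer may "relax" it into a lookup that cannot work at this point. Suggested comment above the `if`: `// The class name comes from a template variable and is only known at runtime, so it cannot be checked against the static_classes allow-list here; fail closed whenever an allow-list is set (an empty array is treated as unrestricted).` The same three lines appear verbatim in libs/sysplugins/smarty_internal_templateparser.php, which the `// line 749` marker suggests is generated from this grammar; keeping the .y as the single source and regenerating avoids the two copies drifting apart. The rule's action block continues past the end of the hunk.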

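--- a/libs/sysplugins/smarty_internal_templateparser.php
+++ b/libs/sysplugins/smarty_internal_templateparser.php
@@ -2397,6 +2397,9 @@ public function yy_r90(){
 }
 // line 749 "../smarty/lexer/smarty_internal_templateparser.y"
 public function yy_r94(){
+if ($this->security && $this->security->static_classes !== array()) {
+$this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
+}
 $prefixVar = $this->compiler->getNewPrefixVariable();
 if ($this->yystack[$this->yyidx + -2]->minor['var'] === '\'smarty\'') {
 $this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),$this->yystack[$this->yyidx + -2]->minor['smarty_internal_index']).';?>');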

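--- a/tests/UnitTests/SecurityTests/SecurityTest.php
+++ b/tests/UnitTests/SecurityTests/SecurityTest.php
@@ -257,19 +257,41 @@ public function testTrustedStaticClass()
 $this->assertEquals('25', $this->smarty->fetch($tpl));
 }
 
-/**
- * test not trusted PHP function
-* @runInSeparateProcess
-* @preserveGlobalState disabled
-*/
-public function testNotTrustedStaticClass()
-{
+/**
+ * test not trusted PHP function
+* @runInSeparateProcess
+* @preserveGlobalState disabled
+*/
+public function testNotTrustedStaticClass()
+{
 $this->expectException('SmartyException');
 $this->expectExceptionMessage('access to static class \'mysecuritystaticclass\' not allowed by security setting');
 $this->smarty->security_policy->static_classes = array('null');
 $this->smarty->fetch('string:{mysecuritystaticclass::square(5)}');
 }
 
+/**
+ * test not trusted PHP function
+*/
+public function testNotTrustedStaticClassEval()
+{
+$this->expectException('SmartyException');
+$this->expectExceptionMessage('dynamic static class not allowed by security setting');
+$this->smarty->security_policy->static_classes = array('null');
+$this->smarty->fetch('string:{$test = "mysecuritystaticclass"}{$test::square(5)}');
+}
+
+/**
+ * test not trusted PHP function
+*/
+public function testNotTrustedStaticClassSmartyVar()
+{
+$this->expectException('SmartyException');
+$this->expectExceptionMessage('dynamic static class not allowed by security setting');
+$this->smarty->security_policy->static_classes = array('null');
+$this->smarty->fetch('string:{$smarty.template_object::square(5)}');
+}
+
 public function testChangedTrustedDirectory()
 {
 $this->smarty->security_policy->secure_dir = array(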
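Review bot: Nothing in the added tests pins the permissive side of the new guard: every new case sets `static_classes = array('null')` and expects an exception, so a regression that made the parser reject `{$test::square(5)}` even when `static_classes` is `array()` (which the guard treats as unrestricted) would pass unnoticed. A positive case next to testTrustedStaticClass would close that gap; the sketch below assumes the `mysecuritystaticclass` fixture used by the neighbouring tests is loadable here. The docblocks on the two new methods were copied from the function test and still read `test not trusted PHP function`; `test that dynamic static class access is rejected under a static_classes allow-list` says what they actually check. The enclosing test class continues outside the hunk.
```php
/**
 * test that dynamic static class access stays allowed without an allow-list
 * @runInSeparateProcess
 * @preserveGlobalState disabled
 */
public function testTrustedStaticClassEval()
{
    $this->smarty->security_policy->static_classes = array();
    $this->assertEquals('25', $this->smarty->fetch('string:{$test = "mysecuritystaticclass"}{$test::square(5)}'));
}
```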
