Merge pull request from GHSA-4h9c-v5vg-5m6m
* Prevent evasion of the static_classes security policy.

* Updated deprecated exception expectations.
wisskid committed Jan 10, 2022
1 parent baad311 commit 19ae410
Showing 4 changed files with 38 additions and 7 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Security
- Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408

## [4.0.2] - 2022-01-10

### Security
3 changes: 3 additions & 0 deletions lexer/smarty_internal_templateparser.y
Expand Up @@ -747,6 +747,9 @@ value(res) ::= doublequoted_with_quotes(s). {


value(res) ::= varindexed(vi) DOUBLECOLON static_class_access(r). {
if ($this->security && $this->security->static_classes !== array()) {
$this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
}
$prefixVar = $this->compiler->getNewPrefixVariable();
if (vi['var'] === '\'smarty\'') {
$this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),vi['smarty_internal_index']).';?>');
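Review bot: The new guard at the top of the rule has no comment, and its condition `$this->security->static_classes !== array()` is easy to misread as "a security policy is configured" rather than "the static-class allow-list is non-empty". Since the class name in this rule comes from a template variable, it is not known at compile time and cannot be compared against the allow-list the way a literal class name can, which is why the guard rejects it outright; I would state that above the `if`: `// Class name is only known at runtime, so it cannot be checked against static_classes; deny whenever an allow-list is in force (an empty list appears to mean unrestricted).` The same three lines are mirrored in the generated libs/sysplugins/smarty_internal_templateparser.php (yy_r94), which should pick the comment up on regeneration rather than being edited by hand. The rule body continues past the end of the hunk.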
3 changes: 3 additions & 0 deletions libs/sysplugins/smarty_internal_templateparser.php
Expand Up @@ -2397,6 +2397,9 @@ public function yy_r90(){
}
// line 749 "../smarty/lexer/smarty_internal_templateparser.y"
public function yy_r94(){
if ($this->security && $this->security->static_classes !== array()) {
$this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
}
$prefixVar = $this->compiler->getNewPrefixVariable();
if ($this->yystack[$this->yyidx + -2]->minor['var'] === '\'smarty\'') {
$this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),$this->yystack[$this->yyidx + -2]->minor['smarty_internal_index']).';?>');
36 changes: 29 additions & 7 deletions tests/UnitTests/SecurityTests/SecurityTest.php
Expand Up @@ -257,19 +257,41 @@ public function testTrustedStaticClass()
$this->assertEquals('25', $this->smarty->fetch($tpl));
}

/**
* test not trusted PHP function
* @runInSeparateProcess
* @preserveGlobalState disabled
*/
public function testNotTrustedStaticClass()
{
/**
* test not trusted PHP function
* @runInSeparateProcess
* @preserveGlobalState disabled
*/
public function testNotTrustedStaticClass()
{
$this->expectException('SmartyException');
$this->expectExceptionMessage('access to static class \'mysecuritystaticclass\' not allowed by security setting');
$this->smarty->security_policy->static_classes = array('null');
$this->smarty->fetch('string:{mysecuritystaticclass::square(5)}');
}

/**
* test not trusted PHP function
*/
public function testNotTrustedStaticClassEval()
{
$this->expectException('SmartyException');
$this->expectExceptionMessage('dynamic static class not allowed by security setting');
$this->smarty->security_policy->static_classes = array('null');
$this->smarty->fetch('string:{$test = "mysecuritystaticclass"}{$test::square(5)}');
}

/**
* test not trusted PHP function
*/
public function testNotTrustedStaticClassSmartyVar()
{
$this->expectException('SmartyException');
$this->expectExceptionMessage('dynamic static class not allowed by security setting');
$this->smarty->security_policy->static_classes = array('null');
$this->smarty->fetch('string:{$smarty.template_object::square(5)}');
}

public function testChangedTrustedDirectory()
{
$this->smarty->security_policy->secure_dir = array(
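Review bot: The docblocks of testNotTrustedStaticClassEval and testNotTrustedStaticClassSmartyVar both read `test not trusted PHP function`, copied from the method above; neither exercises a PHP function, so the description should name what is actually asserted, e.g. `* test that a static class named via a template variable is rejected when static_classes is restricted` and `* test that a static class reached via $smarty.* is rejected when static_classes is restricted`. There is also no positive counterpart: nothing checks that `{$test::square(5)}` still renders when `static_classes` is left at its default, so a guard that fired unconditionally would pass this suite unnoticed. The two new tests also omit the `@runInSeparateProcess` / `@preserveGlobalState disabled` annotations the sibling test carries; if that difference is deliberate it deserves a line in the docblock. testChangedTrustedDirectory continues outside the hunk.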
