@@ -28,7 +28,12 @@ function smarty_function_math($params, $template)
2828 'int ' => true ,
2929 'abs ' => true ,
3030 'ceil ' => true ,
31+ 'acos ' => true ,
32+ 'acosh ' => true ,
3133 'cos ' => true ,
34+ 'cosh ' => true ,
35+ 'deg2rad ' => true ,
36+ 'rad2deg ' => true ,
3237 'exp ' => true ,
3338 'floor ' => true ,
3439 'log ' => true ,
@@ -39,27 +44,51 @@ function smarty_function_math($params, $template)
3944 'pow ' => true ,
4045 'rand ' => true ,
4146 'round ' => true ,
47+ 'asin ' => true ,
48+ 'asinh ' => true ,
4249 'sin ' => true ,
50+ 'sinh ' => true ,
4351 'sqrt ' => true ,
4452 'srand ' => true ,
45- 'tan ' => true
53+ 'atan ' => true ,
54+ 'atanh ' => true ,
55+ 'tan ' => true ,
56+ 'tanh ' => true
4657 );
58+
4759 // be sure equation parameter is present
4860 if (empty ($ params [ 'equation ' ])) {
4961 trigger_error ("math: missing equation parameter " , E_USER_WARNING );
5062 return ;
5163 }
5264 $ equation = $ params [ 'equation ' ];
65+
66+ // Remove whitespaces
67+ $ equation = preg_replace ('/\s+/ ' , '' , $ equation );
68+
69+ // Adapted from https://www.php.net/manual/en/function.eval.php#107377
70+ $ number = '(?:\d+(?:[,.]\d+)?|pi|π) ' ; // What is a number
71+ $ functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)) ' ;
72+ $ operators = '[+\/*\^%-] ' ; // Allowed math operators
73+ $ regexp = '/^(( ' .$ number .'| ' .$ functionsOrVars .'|( ' .$ functionsOrVars .'\s*\((?1)+\)|\((?1)+\)))(?: ' .$ operators .'(?2))?)+$/ ' ;
74+
75+ if (!preg_match ($ regexp , $ equation )) {
76+ trigger_error ("math: illegal characters " , E_USER_WARNING );
77+ return ;
78+ }
79+
5380 // make sure parenthesis are balanced
5481 if (substr_count ($ equation , '( ' ) !== substr_count ($ equation , ') ' )) {
5582 trigger_error ("math: unbalanced parenthesis " , E_USER_WARNING );
5683 return ;
5784 }
85+
5886 // disallow backticks
5987 if (strpos ($ equation , '` ' ) !== false ) {
6088 trigger_error ("math: backtick character not allowed in equation " , E_USER_WARNING );
6189 return ;
6290 }
91+
6392 // also disallow dollar signs
6493 if (strpos ($ equation , '$ ' ) !== false ) {
6594 trigger_error ("math: dollar signs not allowed in equation " , E_USER_WARNING );
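Review bot: The `if (!preg_match($regexp, $equation))` check validates only the raw `equation` parameter, so if the rest of `smarty_function_math` (which continues outside this hunk) substitutes other template parameters into `$equation` before the `eval`, those substituted values bypass this filter; each such value should be rejected unless it is numeric, e.g. `if (!is_numeric($val)) { trigger_error("math: parameter $key is not numeric", E_USER_WARNING); return; }`. The pattern is also purely syntactic: any bare identifier (i.e. a PHP constant) and any `name(...)` call matches `$functionsOrVars`, so the function-name allow-list must still be enforced on every name this regexp lets through, and the `\s*` inside `$regexp` is dead code after the `preg_replace('/\s+/', '', $equation)` just above it. The `[,.]` alternative in `$number` admits `1,5`, which is not a PHP numeric literal and makes the later `eval` throw an uncaught `ParseError`; either drop the comma or normalise `,` to `.` before matching. One thing that is right as written: a `false` from `preg_match` (e.g. the backtrack limit being hit on the recursive `(?1)+` groups) is treated as a rejection, which fails closed.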
@@ -96,6 +125,7 @@ function smarty_function_math($params, $template)
96125 }
97126 $ smarty_math_result = null ;
98127 eval ("\$smarty_math_result = " . $ equation . "; " );
128+
99129 if (empty ($ params [ 'format ' ])) {
100130 if (empty ($ params [ 'assign ' ])) {
101131 return $ smarty_math_result ;