author | Harald Eilertsen <haraldei@anduin.net> | 2024-09-28 14:47:41 +0200 |
---|---|---|
committer | Harald Eilertsen <haraldei@anduin.net> | 2024-09-28 15:07:23 +0200 |
commit | 4dff1a1e5b6d1117cf3a8ad9924d38fb7d01b687 (patch) | |
tree | fad2b149f74383897841db0e8e749fd7ea9c95ba | |
parent | c12ef4fbf4b2046e0af68b11e8fe5af2d335f32e (diff) | |
download | volse-hubzilla-4dff1a1e5b6d1117cf3a8ad9924d38fb7d01b687.tar.gz volse-hubzilla-4dff1a1e5b6d1117cf3a8ad9924d38fb7d01b687.tar.bz2 volse-hubzilla-4dff1a1e5b6d1117cf3a8ad9924d38fb7d01b687.zip |
deps: Upgrade smarty/smarty to version 4.5.4
This eliminates a potential vulnerability where a template author could
inject arbitrary PHP files to be run via the 'extends' tag.
See:
- https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
- https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a
Impact assessment:
In our case I would consider this a low severity issue as we don't
allow users to dynamically add or edit smarty templates. Templates has
to be updated via merge requests, or by installing a theme. In both
cases a malicious attacker already has easier ways to inject whatever
code they want.
Further, the extend tag is not in use in any of our core templates.
13 files changed, 95 insertions, 106 deletions
diff --git a/composer.lock b/composer.lock index f4c1af599..005cefc88 100644 --- a/composer.lock +++ b/composer.lock @@ -1906,16 +1906,16 @@ }, { "name": "smarty/smarty", - "version": "v4.4.1", + "version": "v4.5.4", "source": { "type": "git", "url": "https://github.com/smarty-php/smarty.git", - "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d" + "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/smarty-php/smarty/zipball/f4152e9b814ae2369b6e4935c05e1e0c3654318d", - "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d", + "url": "https://api.github.com/repos/smarty-php/smarty/zipball/c11676e85aa71bc7c3cd9100f1655a9f4d14616e", + "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e", "shasum": "" }, "require": { @@ -1966,9 +1966,9 @@ "support": { "forum": "https://github.com/smarty-php/smarty/discussions", "issues": "https://github.com/smarty-php/smarty/issues", - "source": "https://github.com/smarty-php/smarty/tree/v4.4.1" + "source": "https://github.com/smarty-php/smarty/tree/v4.5.4" }, - "time": "2024-02-26T13:58:37+00:00" + "time": "2024-08-14T20:04:35+00:00" }, { "name": "spomky-labs/otphp", diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json index 75e597215..6fef247bf 100644 --- a/vendor/composer/installed.json +++ b/vendor/composer/installed.json 
@@ -1976,17 +1976,17 @@ }, { "name": "smarty/smarty", - "version": "v4.4.1", - "version_normalized": "4.4.1.0", + "version": "v4.5.4", + "version_normalized": "4.5.4.0", "source": { "type": "git", "url": "https://github.com/smarty-php/smarty.git", - "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d" + "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/smarty-php/smarty/zipball/f4152e9b814ae2369b6e4935c05e1e0c3654318d", - "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d", + "url": "https://api.github.com/repos/smarty-php/smarty/zipball/c11676e85aa71bc7c3cd9100f1655a9f4d14616e", + "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e", "shasum": "" }, "require": { @@ -1996,7 +1996,7 @@ "phpunit/phpunit": "^8.5 || ^7.5", "smarty/smarty-lexer": "^3.1" }, - "time": "2024-02-26T13:58:37+00:00", + "time": "2024-08-14T20:04:35+00:00", "type": "library", "extra": { "branch-alias": { @@ -2039,7 +2039,7 @@ "support": { "forum": "https://github.com/smarty-php/smarty/discussions", "issues": "https://github.com/smarty-php/smarty/issues", - "source": "https://github.com/smarty-php/smarty/tree/v4.4.1" + "source": "https://github.com/smarty-php/smarty/tree/v4.5.4" }, "install-path": "../smarty/smarty" }, diff --git a/vendor/composer/installed.php b/vendor/composer/installed.php index 595995bde..08afaebaa 100644 --- a/vendor/composer/installed.php +++ b/vendor/composer/installed.php @@ -3,7 +3,7 @@ 'name' => 'zotlabs/hubzilla', 'pretty_version' => 'dev-master', 'version' => 'dev-master', - 'reference' => '39933052a9eb827afee3965509909ba314de5257', + 'reference' => 'c12ef4fbf4b2046e0af68b11e8fe5af2d335f32e', 'type' => 'application', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 
@@ -269,9 +269,9 @@ 'dev_requirement' => false, ), 'smarty/smarty' => array( - 'pretty_version' => 'v4.4.1', - 'version' => '4.4.1.0', - 'reference' => 'f4152e9b814ae2369b6e4935c05e1e0c3654318d', + 'pretty_version' => 'v4.5.4', + 'version' => '4.5.4.0', + 'reference' => 'c11676e85aa71bc7c3cd9100f1655a9f4d14616e', 'type' => 'library', 'install_path' => __DIR__ . '/../smarty/smarty', 'aliases' => array(), @@ -349,7 +349,7 @@ 'zotlabs/hubzilla' => array( 'pretty_version' => 'dev-master', 'version' => 'dev-master', - 'reference' => '39933052a9eb827afee3965509909ba314de5257', + 'reference' => 'c12ef4fbf4b2046e0af68b11e8fe5af2d335f32e', 'type' => 'application', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), diff --git a/vendor/smarty/smarty/CHANGELOG.md b/vendor/smarty/smarty/CHANGELOG.md index 69d41e7aa..bff690d84 100644 --- a/vendor/smarty/smarty/CHANGELOG.md +++ b/vendor/smarty/smarty/CHANGELOG.md 
@@ -6,11 +6,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [4.5.4] - 2024-08-14
+- Fixed that using `count()` would trigger a deprecation notice. [#813](https://github.com/smarty-php/smarty/issues/813)
+
+
+## [4.5.3] - 2024-05-28
+- Fixed a code injection vulnerability in extends-tag. This addresses CVE-2024-35226.
+
+
+## [4.5.2] - 2024-04-06
+- Fixed argument must be passed by reference error introduced in v4.5.1 [#964](https://github.com/smarty-php/smarty/issues/964)
+
+## [4.5.1] - 2024-03-18
+- Using unregistered static class methods in expressions now also triggers a deprecation notice because we will drop support for this in the next major release [#813](https://github.com/smarty-php/smarty/issues/813)
+
+## [4.5.0] - 2024-03-18
+- (this release accidentally didn't contain any changes, fixed in 4.5.1)
+
 ## [4.4.1] - 2024-02-26
 - Fixed internal release-tooling
 ## [4.4.0] - 2024-02-26
-### Changed
 - Using the `|implode`, `|json_encode` and `|substr` modifiers does not generate a deprecation warning anymore as they will continue to be supported in v5 [#939](https://github.com/smarty-php/smarty/issues/939)
 ### Added
diff --git a/vendor/smarty/smarty/docs/designers/language-builtin-functions/language-function-section.md b/vendor/smarty/smarty/docs/designers/language-builtin-functions/language-function-section.md
index ba17224c0..427902512 100644
--- a/vendor/smarty/smarty/docs/designers/language-builtin-functions/language-function-section.md
+++ b/vendor/smarty/smarty/docs/designers/language-builtin-functions/language-function-section.md
@@ -178,14 +178,14 @@ The above example will output:
 </p>
 <p>
 name: Jack Jones<br />
-home phone: 777-555-5555<br />
-cell phone: 888-555-5555<br />
+home: 777-555-5555<br />
+cell: 888-555-5555<br />
 e-mail: jack@myexample.com
 </p>
 <p>
 name: Jane Munson<br />
-home phone: 000-555-5555<br />
-cell phone: 123456<br />
+home: 000-555-5555<br />
+cell: 123456<br />
 e-mail: jane@myexample.com
 </p>
 ```
diff --git a/vendor/smarty/smarty/lexer/smarty_internal_templateparser.y b/vendor/smarty/smarty/lexer/smarty_internal_templateparser.y
index 620498765..ffc85bc06 100644
--- a/vendor/smarty/smarty/lexer/smarty_internal_templateparser.y
+++ b/vendor/smarty/smarty/lexer/smarty_internal_templateparser.y
@@ -785,6 +785,9 @@ value(res) ::= ns1(c)DOUBLECOLON static_class_access(s). {
         if (isset($this->smarty->registered_classes[c])) {
             res = $this->smarty->registered_classes[c].'::'.s[0].s[1];
         } else {
+            trigger_error('Using unregistered static method "' . c.'::'.s[0] . '" in a template is deprecated and will be ' .
+                'removed in a future release. Use Smarty::registerClass to explicitly register ' .
+                'a class for access.', E_USER_DEPRECATED);
             res = c.'::'.s[0].s[1];
         }
     } else {
diff --git a/vendor/smarty/smarty/libs/Smarty.class.php b/vendor/smarty/smarty/libs/Smarty.class.php
index 0a47c8350..97706e2aa 100644
--- a/vendor/smarty/smarty/libs/Smarty.class.php
+++ b/vendor/smarty/smarty/libs/Smarty.class.php
@@ -107,7 +107,7 @@ class Smarty extends Smarty_Internal_TemplateBase
     /**
      * smarty version
      */
-    const SMARTY_VERSION = '4.4.1';
+    const SMARTY_VERSION = '4.5.4';
     /**
      * define variable scopes
      */
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_extends.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_extends.php
index d72d2b76f..69a7b5521 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_extends.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_extends.php
@@ -30,7 +30,7 @@ class Smarty_Internal_Compile_Extends extends Smarty_Internal_Compile_Shared_Inh
      *
      * @var array
      */
-    public $optional_attributes = array('extends_resource');
+    public $optional_attributes = array();
     /**
      * Attribute definition: Overwrites base class.
@@ -62,29 +62,7 @@ class Smarty_Internal_Compile_Extends extends Smarty_Internal_Compile_Shared_Inh
         }
         // add code to initialize inheritance
         $this->registerInit($compiler, true);
-        $file = trim($_attr[ 'file' ], '\'"');
-        if (strlen($file) > 8 && substr($file, 0, 8) === 'extends:') {
-            // generate code for each template
-            $files = array_reverse(explode('|', substr($file, 8)));
-            $i = 0;
-            foreach ($files as $file) {
-                if ($file[ 0 ] === '"') {
-                    $file = trim($file, '".');
-                } else {
-                    $file = "'{$file}'";
-                }
-                $i++;
-                if ($i === count($files) && isset($_attr[ 'extends_resource' ])) {
-                    $this->compileEndChild($compiler);
-                }
-                $this->compileInclude($compiler, $file);
-            }
-            if (!isset($_attr[ 'extends_resource' ])) {
-                $this->compileEndChild($compiler);
-            }
-        } else {
-            $this->compileEndChild($compiler, $_attr[ 'file' ]);
-        }
+        $this->compileEndChild($compiler, $_attr[ 'file' ]);
         $compiler->has_code = false;
         return '';
     }
@@ -115,44 +93,4 @@ class Smarty_Internal_Compile_Extends extends Smarty_Internal_Compile_Shared_Inh
             '') . ");\n?>"
         );
     }
-
-    /**
-     * Add code for including subtemplate to end of template
-     *
-     * @param \Smarty_Internal_TemplateCompilerBase $compiler
-     * @param string $template subtemplate name
-     *
-     * @throws \SmartyCompilerException
-     * @throws \SmartyException
-     */
-    private function compileInclude(Smarty_Internal_TemplateCompilerBase $compiler, $template)
-    {
-        $compiler->parser->template_postfix[] = new Smarty_Internal_ParseTree_Tag(
-            $compiler->parser,
-            $compiler->compileTag(
-                'include',
-                array(
-                    $template,
-                    array('scope' => 'parent')
-                )
-            )
-        );
-    }
-
-    /**
-     * Create source code for {extends} from source components array
-     *
-     * @param \Smarty_Internal_Template $template
-     *
-     * @return string
-     */
-    public static function extendsSourceArrayCode(Smarty_Internal_Template $template)
-    {
-        $resources = array();
-        foreach ($template->source->components as $source) {
-            $resources[] = $source->resource;
-        }
-        return $template->smarty->left_delimiter . 'extends file=\'extends:' . join('|', $resources) .
-            '\' extends_resource=true' . $template->smarty->right_delimiter;
-    }
 }
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_modifier.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_modifier.php
index aea082f01..31fd6e1da 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_modifier.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_modifier.php
@@ -109,9 +109,11 @@ class Smarty_Internal_Compile_Private_Modifier extends Smarty_Internal_CompileBa
                         if (!is_object($compiler->smarty->security_policy)
                             || $compiler->smarty->security_policy->isTrustedPhpModifier($modifier, $compiler)
                         ) {
-                            trigger_error('Using php-function "' . $modifier . '" as a modifier is deprecated and will be ' .
-                                'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
-                                'a custom modifier.', E_USER_DEPRECATED);
+                            if (!in_array($modifier, ['time', 'join', 'is_array', 'in_array'])) {
+                                trigger_error('Using unregistered function "' . $modifier . '" in a template is deprecated and will be ' .
+                                    'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
+                                    'a custom modifier.', E_USER_DEPRECATED);
+                            }
                             $output = "{$modifier}({$params})";
                         }
                         $compiler->known_modifier_type[ $modifier ] = $type;
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php
index d5c18d31a..03797f7f8 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php
@@ -455,15 +455,29 @@ abstract class Smarty_Internal_TemplateCompilerBase
         $this->smarty->_current_file = $this->template->source->filepath;
         // get template source
         if (!empty($this->template->source->components)) {
-            // we have array of inheritance templates by extends: resource
-            // generate corresponding source code sequence
-            $_content =
-                Smarty_Internal_Compile_Extends::extendsSourceArrayCode($this->template);
+            $_compiled_code = '<?php $_smarty_tpl->_loadInheritance(); $_smarty_tpl->inheritance->init($_smarty_tpl, true); ?>';
+
+            $i = 0;
+            $reversed_components = array_reverse($this->template->getSource()->components);
+            foreach ($reversed_components as $source) {
+                $i++;
+                if ($i === count($reversed_components)) {
+                    $_compiled_code .= '<?php $_smarty_tpl->inheritance->endChild($_smarty_tpl); ?>';
+                }
+                $_compiled_code .= $this->compileTag(
+                    'include',
+                    [
+                        var_export($source->resource, true),
+                        ['scope' => 'parent'],
+                    ]
+                );
+            }
+            $_compiled_code = $this->postFilter($_compiled_code, $this->template);
         } else {
             // get template source
             $_content = $this->template->source->getContent();
+            $_compiled_code = $this->postFilter($this->doCompile($this->preFilter($_content), true));
         }
-        $_compiled_code = $this->postFilter($this->doCompile($this->preFilter($_content), true));
         if (!empty($this->required_plugins[ 'compiled' ]) || !empty($this->required_plugins[ 'nocache' ])) {
             $_compiled_code = '<?php ' . $this->compileRequiredPlugins() . "?>\n" . $_compiled_code;
         }
@@ -640,7 +654,18 @@ abstract class Smarty_Internal_TemplateCompilerBase
                     return $func_name . '(' . $parameter[ 0 ] . ')';
                 }
             } else {
-                return $name . '(' . implode(',', $parameter) . ')';
+
+                if (
+                    !$this->smarty->loadPlugin('smarty_modifiercompiler_' . $name)
+                    && !isset($this->smarty->registered_plugins[Smarty::PLUGIN_MODIFIER][$name])
+                    && !in_array($name, ['time', 'join', 'is_array', 'in_array', 'count'])
+                ) {
+                    trigger_error('Using unregistered function "' . $name . '" in a template is deprecated and will be ' .
+                        'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
+                        'a custom modifier.', E_USER_DEPRECATED);
+                }
+
+                return $name . '(' . implode(',', $parameter) . ')';
             }
         } else {
             $this->trigger_template_error("unknown function '{$name}'");
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php
index a2dd0d6fb..c37d3c187 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php
@@ -2425,6 +2425,9 @@ public static $yy_action = array(
             if (isset($this->smarty->registered_classes[$this->yystack[$this->yyidx + -2]->minor])) {
                 $this->_retvalue = $this->smarty->registered_classes[$this->yystack[$this->yyidx + -2]->minor].'::'.$this->yystack[$this->yyidx + 0]->minor[0].$this->yystack[$this->yyidx + 0]->minor[1];
             } else {
+                trigger_error('Using unregistered static method "' . $this->yystack[$this->yyidx + -2]->minor.'::'.$this->yystack[$this->yyidx + 0]->minor[0] . '" in a template is deprecated and will be ' .
+                    'removed in a future release. Use Smarty::registerClass to explicitly register ' .
+                    'a class for access.', E_USER_DEPRECATED);
                 $this->_retvalue = $this->yystack[$this->yyidx + -2]->minor.'::'.$this->yystack[$this->yyidx + 0]->minor[0].$this->yystack[$this->yyidx + 0]->minor[1];
             }
         } else {
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_security.php b/vendor/smarty/smarty/libs/sysplugins/smarty_security.php
index 97cd0521d..49ae2a386 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_security.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_security.php
@@ -253,7 +253,7 @@ class Smarty_Security
      *
      * @param string $function_name
      * @param object $compiler compiler object
-     *
+     * @deprecated
      * @return boolean true if function is trusted
      */
     public function isTrustedPhpFunction($function_name, $compiler)
diff --git a/vendor/smarty/smarty/run-tests-for-all-php-versions.sh b/vendor/smarty/smarty/run-tests-for-all-php-versions.sh
index 79bebb8a6..23541b519 100755
--- a/vendor/smarty/smarty/run-tests-for-all-php-versions.sh
+++ b/vendor/smarty/smarty/run-tests-for-all-php-versions.sh
@@ -5,11 +5,13 @@
 # - ./run-tests-for-all-php-versions.sh --group 20221124
 # - ./run-tests-for-all-php-versions.sh --exclude-group slow
-docker-compose run php71 ./run-tests.sh $@ && \
-docker-compose run php72 ./run-tests.sh $@ && \
-docker-compose run php73 ./run-tests.sh $@ && \
-docker-compose run php74 ./run-tests.sh $@ && \
-docker-compose run php80 ./run-tests.sh $@ && \
-docker-compose run php81 ./run-tests.sh $@ && \
-docker-compose run php82 ./run-tests.sh $@ && \
-docker-compose run php83 ./run-tests.sh $@
+COMPOSE_CMD="mutagen-compose"
+
+$COMPOSE_CMD run --rm php71 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php72 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php73 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php74 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php80 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php81 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php82 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php83 ./run-tests.sh $@