authorHarald Eilertsen <haraldei@anduin.net>2024-09-28 14:47:41 +0200
committerHarald Eilertsen <haraldei@anduin.net>2024-09-28 15:07:23 +0200
commit4dff1a1e5b6d1117cf3a8ad9924d38fb7d01b687 (patch)
treefad2b149f74383897841db0e8e749fd7ea9c95ba /vendor/composer/installed.json
parentc12ef4fbf4b2046e0af68b11e8fe5af2d335f32e (diff)
deps: Upgrade smarty/smarty to version 4.5.4
This eliminates a potential vulnerability where a template author could inject arbitrary PHP files to be run via the 'extends' tag. See:
- https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
- https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a

Impact assessment: In our case I would consider this a low severity issue, as we don't allow users to dynamically add or edit smarty templates. Templates have to be updated via merge requests, or by installing a theme. In both cases a malicious attacker already has easier ways to inject whatever code they want. Further, the 'extends' tag is not in use in any of our core templates.
Diffstat (limited to 'vendor/composer/installed.json')
-rw-r--r--vendor/composer/installed.json14
1 files changed, 7 insertions, 7 deletions
diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json
index 75e597215..6fef247bf 100644
--- a/vendor/composer/installed.json
+++ b/vendor/composer/installed.json
@@ -1976,17 +1976,17 @@
},
{
"name": "smarty/smarty",
- "version": "v4.4.1",
- "version_normalized": "4.4.1.0",
+ "version": "v4.5.4",
+ "version_normalized": "4.5.4.0",
"source": {
"type": "git",
"url": "https://github.com/smarty-php/smarty.git",
- "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d"
+ "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/smarty-php/smarty/zipball/f4152e9b814ae2369b6e4935c05e1e0c3654318d",
- "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d",
+ "url": "https://api.github.com/repos/smarty-php/smarty/zipball/c11676e85aa71bc7c3cd9100f1655a9f4d14616e",
+ "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e",
"shasum": ""
},
"require": {
@@ -1996,7 +1996,7 @@
"phpunit/phpunit": "^8.5 || ^7.5",
"smarty/smarty-lexer": "^3.1"
},
- "time": "2024-02-26T13:58:37+00:00",
+ "time": "2024-08-14T20:04:35+00:00",
"type": "library",
"extra": {
"branch-alias": {
@@ -2039,7 +2039,7 @@
"support": {
"forum": "https://github.com/smarty-php/smarty/discussions",
"issues": "https://github.com/smarty-php/smarty/issues",
- "source": "https://github.com/smarty-php/smarty/tree/v4.4.1"
+ "source": "https://github.com/smarty-php/smarty/tree/v4.5.4"
},
"install-path": "../smarty/smarty"
},