| author | Mario <mario@mariovavti.com> | 2024-10-02 20:06:10 +0000 |
|---|---|---|
| committer | Mario <mario@mariovavti.com> | 2024-10-02 20:06:10 +0000 |
| commit | 13345d3cbe9e40be6040e57d157d713d99ed0c6b (patch) | |
| tree | a85ddbc28fd706c7ad7ec72cd5a2b36341fdfede /vendor/psr | |
| parent | 888ee16d52e7ce48d257b0ae1dbec605ac34ae98 (diff) | |
deps: Upgrade smarty/smarty to version 4.5.4
This eliminates a potential vulnerability where a template author could
inject arbitrary PHP files to be run via the 'extends' tag.
See:
- https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
- https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a
Impact assessment:
In our case I would consider this a low severity issue as we don't
allow users to dynamically add or edit smarty templates. Templates have
to be updated via merge requests, or by installing a theme. In both
cases a malicious attacker already has easier ways to inject whatever
code they want.
Further, the extend tag is not in use in any of our core templates.
(cherry picked from commit 4dff1a1e5b6d1117cf3a8ad9924d38fb7d01b687)
Co-authored-by: Harald Eilertsen <haraldei@anduin.net>
Diffstat (limited to 'vendor/psr')
0 files changed, 0 insertions, 0 deletions