From 4db384da34595adef68be6226e8b331b4d7b7f31 Mon Sep 17 00:00:00 2001 From: Mario Date: Sat, 5 Jun 2021 08:32:34 +0000 Subject: composer update smarty --- composer.lock | 12 +- vendor/composer/InstalledVersions.php | 140 ++++++++++++++++----- vendor/composer/autoload_classmap.php | 1 - vendor/composer/autoload_real.php | 2 - vendor/composer/autoload_static.php | 1 - vendor/composer/installed.json | 14 +-- vendor/composer/installed.php | 10 +- vendor/composer/platform_check.php | 26 ---- vendor/smarty/smarty/CHANGELOG.md | 6 + vendor/smarty/smarty/expectException | 0 vendor/smarty/smarty/libs/Smarty.class.php | 2 +- .../smarty_internal_compile_function.php | 5 + ...y_internal_compile_private_special_variable.php | 4 + 13 files changed, 144 insertions(+), 79 deletions(-) delete mode 100644 vendor/composer/platform_check.php create mode 100644 vendor/smarty/smarty/expectException diff --git a/composer.lock b/composer.lock index 8275ea0d5..445ff335f 100644 --- a/composer.lock +++ b/composer.lock @@ -1411,16 +1411,16 @@ }, { "name": "smarty/smarty", - "version": "v3.1.38", + "version": "v3.1.39", "source": { "type": "git", "url": "https://github.com/smarty-php/smarty.git", - "reference": "63b3c0aed0f614880cda21a5c08c606e97b489bb" + "reference": "e27da524f7bcd7361e3ea5cdfa99c4378a7b5419" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/smarty-php/smarty/zipball/63b3c0aed0f614880cda21a5c08c606e97b489bb", - "reference": "63b3c0aed0f614880cda21a5c08c606e97b489bb", + "url": "https://api.github.com/repos/smarty-php/smarty/zipball/e27da524f7bcd7361e3ea5cdfa99c4378a7b5419", + "reference": "e27da524f7bcd7361e3ea5cdfa99c4378a7b5419", "shasum": "" }, "require": { 
@@ -1468,9 +1468,9 @@ "forum": "http://www.smarty.net/forums/", "irc": "irc://irc.freenode.org/smarty", "issues": "https://github.com/smarty-php/smarty/issues", - "source": "https://github.com/smarty-php/smarty/tree/v3.1.38" + "source": "https://github.com/smarty-php/smarty/tree/v3.1.39" }, - "time": "2021-01-08T14:05:42+00:00" + "time": "2021-02-17T21:57:51+00:00" }, { "name": "symfony/polyfill-ctype", diff --git a/vendor/composer/InstalledVersions.php b/vendor/composer/InstalledVersions.php index 0e6b84d2a..5a1f2016d 100644 --- a/vendor/composer/InstalledVersions.php +++ b/vendor/composer/InstalledVersions.php @@ -12,6 +12,7 @@ namespace Composer; +use Composer\Autoload\ClassLoader; use Composer\Semver\VersionParser; @@ -19,6 +20,8 @@ use Composer\Semver\VersionParser; + + class InstalledVersions { private static $installed = array ( @@ -29,7 +32,7 @@ private static $installed = array ( 'aliases' => array ( ), - 'reference' => '6fae291cc8ec69a74d0c1673186b3d8f319378d4', + 'reference' => '0784d2ea4e4f492d9f03d025b56d603d15b5ee89', 'name' => 'zotlabs/hubzilla', ), 'versions' => @@ -232,12 +235,12 @@ private static $installed = array ( ), 'smarty/smarty' => array ( - 'pretty_version' => 'v3.1.38', - 'version' => '3.1.38.0', + 'pretty_version' => 'v3.1.39', + 'version' => '3.1.39.0', 'aliases' => array ( ), - 'reference' => '63b3c0aed0f614880cda21a5c08c606e97b489bb', + 'reference' => 'e27da524f7bcd7361e3ea5cdfa99c4378a7b5419', ), 'symfony/polyfill-ctype' => array ( @@ -271,10 +274,12 @@ private static $installed = array ( 'aliases' => array ( ), - 'reference' => '6fae291cc8ec69a74d0c1673186b3d8f319378d4', + 'reference' => '0784d2ea4e4f492d9f03d025b56d603d15b5ee89', ), ), ); +private static $canGetVendors; +private static $installedByVendor = array(); 
@@ -284,7 +289,16 @@ private static $installed = array ( public static function getInstalledPackages() { -return array_keys(self::$installed['versions']); +$packages = array(); +foreach (self::getInstalled() as $installed) { +$packages[] = array_keys($installed['versions']); +} + +if (1 === \count($packages)) { +return $packages[0]; +} + +return array_keys(array_flip(\call_user_func_array('array_merge', $packages))); } @@ -297,7 +311,13 @@ return array_keys(self::$installed['versions']); public static function isInstalled($packageName) { -return isset(self::$installed['versions'][$packageName]); +foreach (self::getInstalled() as $installed) { +if (isset($installed['versions'][$packageName])) { +return true; +} +} + +return false; } 
@@ -332,42 +352,50 @@ return $provided->matches($constraint); public static function getVersionRanges($packageName) { -if (!isset(self::$installed['versions'][$packageName])) { -throw new \OutOfBoundsException('Package "' . $packageName . '" is not installed'); +foreach (self::getInstalled() as $installed) { +if (!isset($installed['versions'][$packageName])) { +continue; } $ranges = array(); -if (isset(self::$installed['versions'][$packageName]['pretty_version'])) { -$ranges[] = self::$installed['versions'][$packageName]['pretty_version']; +if (isset($installed['versions'][$packageName]['pretty_version'])) { +$ranges[] = $installed['versions'][$packageName]['pretty_version']; } -if (array_key_exists('aliases', self::$installed['versions'][$packageName])) { -$ranges = array_merge($ranges, self::$installed['versions'][$packageName]['aliases']); +if (array_key_exists('aliases', $installed['versions'][$packageName])) { +$ranges = array_merge($ranges, $installed['versions'][$packageName]['aliases']); } -if (array_key_exists('replaced', self::$installed['versions'][$packageName])) { -$ranges = array_merge($ranges, self::$installed['versions'][$packageName]['replaced']); +if (array_key_exists('replaced', $installed['versions'][$packageName])) { +$ranges = array_merge($ranges, $installed['versions'][$packageName]['replaced']); } -if (array_key_exists('provided', self::$installed['versions'][$packageName])) { -$ranges = array_merge($ranges, self::$installed['versions'][$packageName]['provided']); +if (array_key_exists('provided', $installed['versions'][$packageName])) { +$ranges = array_merge($ranges, $installed['versions'][$packageName]['provided']); } return implode(' || ', $ranges); } +throw new \OutOfBoundsException('Package "' . $packageName . '" is not installed'); +} + public static function getVersion($packageName) { -if (!isset(self::$installed['versions'][$packageName])) { -throw new \OutOfBoundsException('Package "' . $packageName . 
'" is not installed'); +foreach (self::getInstalled() as $installed) { +if (!isset($installed['versions'][$packageName])) { +continue; } -if (!isset(self::$installed['versions'][$packageName]['version'])) { +if (!isset($installed['versions'][$packageName]['version'])) { return null; } -return self::$installed['versions'][$packageName]['version']; +return $installed['versions'][$packageName]['version']; +} + +throw new \OutOfBoundsException('Package "' . $packageName . '" is not installed'); } @@ -376,15 +404,19 @@ return self::$installed['versions'][$packageName]['version']; public static function getPrettyVersion($packageName) { -if (!isset(self::$installed['versions'][$packageName])) { -throw new \OutOfBoundsException('Package "' . $packageName . '" is not installed'); +foreach (self::getInstalled() as $installed) { +if (!isset($installed['versions'][$packageName])) { +continue; } -if (!isset(self::$installed['versions'][$packageName]['pretty_version'])) { +if (!isset($installed['versions'][$packageName]['pretty_version'])) { return null; } -return self::$installed['versions'][$packageName]['pretty_version']; +return $installed['versions'][$packageName]['pretty_version']; +} + +throw new \OutOfBoundsException('Package "' . $packageName . '" is not installed'); } 
@@ -393,15 +425,19 @@ return self::$installed['versions'][$packageName]['pretty_version']; public static function getReference($packageName) { -if (!isset(self::$installed['versions'][$packageName])) { -throw new \OutOfBoundsException('Package "' . $packageName . '" is not installed'); +foreach (self::getInstalled() as $installed) { +if (!isset($installed['versions'][$packageName])) { +continue; } -if (!isset(self::$installed['versions'][$packageName]['reference'])) { +if (!isset($installed['versions'][$packageName]['reference'])) { return null; } -return self::$installed['versions'][$packageName]['reference']; +return $installed['versions'][$packageName]['reference']; +} + +throw new \OutOfBoundsException('Package "' . $packageName . '" is not installed'); } @@ -410,7 +446,9 @@ return self::$installed['versions'][$packageName]['reference']; public static function getRootPackage() { -return self::$installed['root']; +$installed = self::getInstalled(); + +return $installed[0]['root']; } @@ -419,8 +457,11 @@ return self::$installed['root']; + public static function getRawData() { +@trigger_error('getRawData only returns the first dataset loaded, which may not be what you expect. Use getAllRawData() instead which returns all datasets for all autoloaders present in the process.', E_USER_DEPRECATED); + return self::$installed; } @@ -430,6 +471,17 @@ return self::$installed; +public static function getAllRawData() +{ +return self::getInstalled(); +} + + + + + + + 
@@ -445,5 +497,33 @@ return self::$installed; public static function reload($data) { self::$installed = $data; +self::$installedByVendor = array(); +} + + + + + +private static function getInstalled() +{ +if (null === self::$canGetVendors) { +self::$canGetVendors = method_exists('Composer\Autoload\ClassLoader', 'getRegisteredLoaders'); +} + +$installed = array(); + +if (self::$canGetVendors) { +foreach (ClassLoader::getRegisteredLoaders() as $vendorDir => $loader) { +if (isset(self::$installedByVendor[$vendorDir])) { +$installed[] = self::$installedByVendor[$vendorDir]; +} elseif (is_file($vendorDir.'/composer/installed.php')) { +$installed[] = self::$installedByVendor[$vendorDir] = require $vendorDir.'/composer/installed.php'; +} +} +} + +$installed[] = self::$installed; + +return $installed; } } diff --git a/vendor/composer/autoload_classmap.php b/vendor/composer/autoload_classmap.php index cccf3a7bc..c19984103 100644 --- a/vendor/composer/autoload_classmap.php +++ b/vendor/composer/autoload_classmap.php @@ -1291,7 +1291,6 @@ return array( 'Zotlabs\\Module\\Photo' => $baseDir . '/Zotlabs/Module/Photo.php', 'Zotlabs\\Module\\Photos' => $baseDir . '/Zotlabs/Module/Photos.php', 'Zotlabs\\Module\\Pin' => $baseDir . '/Zotlabs/Module/Pin.php', - 'Zotlabs\\Module\\Ping' => $baseDir . '/Zotlabs/Module/Ping.php', 'Zotlabs\\Module\\Poco' => $baseDir . '/Zotlabs/Module/Poco.php', 'Zotlabs\\Module\\Poke' => $baseDir . '/Zotlabs/Module/Poke.php', 'Zotlabs\\Module\\Poster' => $baseDir . '/Zotlabs/Module/Poster.php', diff --git a/vendor/composer/autoload_real.php b/vendor/composer/autoload_real.php index fbfac821c..01be3a52c 100644 --- a/vendor/composer/autoload_real.php +++ b/vendor/composer/autoload_real.php 
@@ -22,8 +22,6 @@ class ComposerAutoloaderInit7b34d7e50a62201ec5d5e526a5b8b35d return self::$loader; } - require __DIR__ . '/platform_check.php'; - spl_autoload_register(array('ComposerAutoloaderInit7b34d7e50a62201ec5d5e526a5b8b35d', 'loadClassLoader'), true, true); self::$loader = $loader = new \Composer\Autoload\ClassLoader(\dirname(\dirname(__FILE__))); spl_autoload_unregister(array('ComposerAutoloaderInit7b34d7e50a62201ec5d5e526a5b8b35d', 'loadClassLoader')); diff --git a/vendor/composer/autoload_static.php b/vendor/composer/autoload_static.php index eb89becdf..bd6fb0600 100644 --- a/vendor/composer/autoload_static.php +++ b/vendor/composer/autoload_static.php @@ -1481,7 +1481,6 @@ class ComposerStaticInit7b34d7e50a62201ec5d5e526a5b8b35d 'Zotlabs\\Module\\Photo' => __DIR__ . '/../..' . '/Zotlabs/Module/Photo.php', 'Zotlabs\\Module\\Photos' => __DIR__ . '/../..' . '/Zotlabs/Module/Photos.php', 'Zotlabs\\Module\\Pin' => __DIR__ . '/../..' . '/Zotlabs/Module/Pin.php', - 'Zotlabs\\Module\\Ping' => __DIR__ . '/../..' . '/Zotlabs/Module/Ping.php', 'Zotlabs\\Module\\Poco' => __DIR__ . '/../..' . '/Zotlabs/Module/Poco.php', 'Zotlabs\\Module\\Poke' => __DIR__ . '/../..' . '/Zotlabs/Module/Poke.php', 'Zotlabs\\Module\\Poster' => __DIR__ . '/../..' . '/Zotlabs/Module/Poster.php', diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json index ce3eae708..518683c5c 100644 --- a/vendor/composer/installed.json +++ b/vendor/composer/installed.json 
@@ -1437,17 +1437,17 @@ }, { "name": "smarty/smarty", - "version": "v3.1.38", - "version_normalized": "3.1.38.0", + "version": "v3.1.39", + "version_normalized": "3.1.39.0", "source": { "type": "git", "url": "https://github.com/smarty-php/smarty.git", - "reference": "63b3c0aed0f614880cda21a5c08c606e97b489bb" + "reference": "e27da524f7bcd7361e3ea5cdfa99c4378a7b5419" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/smarty-php/smarty/zipball/63b3c0aed0f614880cda21a5c08c606e97b489bb", - "reference": "63b3c0aed0f614880cda21a5c08c606e97b489bb", + "url": "https://api.github.com/repos/smarty-php/smarty/zipball/e27da524f7bcd7361e3ea5cdfa99c4378a7b5419", + "reference": "e27da524f7bcd7361e3ea5cdfa99c4378a7b5419", "shasum": "" }, "require": { @@ -1457,7 +1457,7 @@ "phpunit/phpunit": "^7.5 || ^6.5 || ^5.7 || ^4.8", "smarty/smarty-lexer": "^3.1" }, - "time": "2021-01-08T14:05:42+00:00", + "time": "2021-02-17T21:57:51+00:00", "type": "library", "extra": { "branch-alias": { @@ -1497,7 +1497,7 @@ "forum": "http://www.smarty.net/forums/", "irc": "irc://irc.freenode.org/smarty", "issues": "https://github.com/smarty-php/smarty/issues", - "source": "https://github.com/smarty-php/smarty/tree/v3.1.38" + "source": "https://github.com/smarty-php/smarty/tree/v3.1.39" }, "install-path": "../smarty/smarty" }, diff --git a/vendor/composer/installed.php b/vendor/composer/installed.php index 151f3da50..9d660ee03 100644 --- a/vendor/composer/installed.php +++ b/vendor/composer/installed.php @@ -6,7 +6,7 @@ 'aliases' => array ( ), - 'reference' => '6fae291cc8ec69a74d0c1673186b3d8f319378d4', + 'reference' => '0784d2ea4e4f492d9f03d025b56d603d15b5ee89', 'name' => 'zotlabs/hubzilla', ), 'versions' => 
@@ -209,12 +209,12 @@ ), 'smarty/smarty' => array ( - 'pretty_version' => 'v3.1.38', - 'version' => '3.1.38.0', + 'pretty_version' => 'v3.1.39', + 'version' => '3.1.39.0', 'aliases' => array ( ), - 'reference' => '63b3c0aed0f614880cda21a5c08c606e97b489bb', + 'reference' => 'e27da524f7bcd7361e3ea5cdfa99c4378a7b5419', ), 'symfony/polyfill-ctype' => array ( @@ -248,7 +248,7 @@ 'aliases' => array ( ), - 'reference' => '6fae291cc8ec69a74d0c1673186b3d8f319378d4', + 'reference' => '0784d2ea4e4f492d9f03d025b56d603d15b5ee89', ), ), ); diff --git a/vendor/composer/platform_check.php b/vendor/composer/platform_check.php deleted file mode 100644 index 92370c5a0..000000000 --- a/vendor/composer/platform_check.php +++ /dev/null @@ -1,26 +0,0 @@ -= 70300)) { - $issues[] = 'Your Composer dependencies require a PHP version ">= 7.3.0". You are running ' . PHP_VERSION . '.'; -} - -if ($issues) { - if (!headers_sent()) { - header('HTTP/1.1 500 Internal Server Error'); - } - if (!ini_get('display_errors')) { - if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') { - fwrite(STDERR, 'Composer detected issues in your platform:' . PHP_EOL.PHP_EOL . implode(PHP_EOL, $issues) . PHP_EOL.PHP_EOL); - } elseif (!headers_sent()) { - echo 'Composer detected issues in your platform:' . PHP_EOL.PHP_EOL . str_replace('You are running '.PHP_VERSION.'.', '', implode(PHP_EOL, $issues)) . PHP_EOL.PHP_EOL; - } - } - trigger_error( - 'Composer detected issues in your platform: ' . implode(' ', $issues), - E_USER_ERROR - ); -} diff --git a/vendor/smarty/smarty/CHANGELOG.md b/vendor/smarty/smarty/CHANGELOG.md index 06b898223..e3bb93a4f 100644 --- a/vendor/smarty/smarty/CHANGELOG.md +++ b/vendor/smarty/smarty/CHANGELOG.md 
@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [3.1.39] - 2021-02-17 + +### Security +- Prevent access to `$smarty.template_object` in sandbox mode +- Fixed code injection vulnerability by using illegal function names in `{function name='blah'}{/function}` + ## [3.1.38] - 2021-01-08 ### Fixed diff --git a/vendor/smarty/smarty/expectException b/vendor/smarty/smarty/expectException new file mode 100644 index 000000000..e69de29bb diff --git a/vendor/smarty/smarty/libs/Smarty.class.php b/vendor/smarty/smarty/libs/Smarty.class.php index 6564be6d2..375bab133 100644 --- a/vendor/smarty/smarty/libs/Smarty.class.php +++ b/vendor/smarty/smarty/libs/Smarty.class.php @@ -111,7 +111,7 @@ class Smarty extends Smarty_Internal_TemplateBase /** * smarty version */ - const SMARTY_VERSION = '3.1.38'; + const SMARTY_VERSION = '3.1.39'; /** * define variable scopes */ diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_function.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_function.php index 6e408ca72..d0f2b0f4a 100644 --- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_function.php +++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_function.php @@ -58,6 +58,11 @@ class Smarty_Internal_Compile_Function extends Smarty_Internal_CompileBase } unset($_attr[ 'nocache' ]); $_name = trim($_attr[ 'name' ], '\'"'); + + if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+$/', $_name)) { + $compiler->trigger_template_error("Function name contains invalid characters: {$_name}", null, true); + } + $compiler->parent_compiler->tpl_function[ $_name ] = array(); $save = array( $_attr, $compiler->parser->current_buffer, $compiler->template->compiled->has_nocache_code, 
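Review bot: A function name that ends in a newline still passes the new `preg_match` check in `smarty_internal_compile_function.php`, because the pattern is anchored with `$`, which without the `D` modifier also matches just before a final line break. Anchoring the end with `\z` makes the allow-list exact: `if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+\z/', $_name)) {`. Whether the template lexer can actually deliver such a value cannot be told from here, since the enclosing method starts and ends outside the hunk. The rejected name is also interpolated into the error text through `{$_name}`, so any page that displays compile errors should escape that message.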
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_special_variable.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_special_variable.php
index de7d4a224..d53ef51ff 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_special_variable.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_special_variable.php
@@ -81,6 +81,10 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
 case 'template':
 return 'basename($_smarty_tpl->source->filepath)';
 case 'template_object':
+ if (isset($compiler->smarty->security_policy)) {
+ $compiler->trigger_template_error("(secure mode) template_object not permitted");
+ break;
+ }
 return '$_smarty_tpl';
 case 'current_dir':
 return 'dirname($_smarty_tpl->source->filepath)';
-- cgit v1.2.3
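Review bot: The `template_object` guard only takes effect while a template is being compiled, because it tests `isset($compiler->smarty->security_policy)` inside the compiler class and otherwise emits the `'$_smarty_tpl'` code string. As far as this hunk shows, a template compiled before a security policy was enabled would keep that access until it is recompiled. A comment above the `if` would make the operational consequence explicit, for example `// compile-time check only: clear compiled templates after enabling or changing the security policy`. The `break;` after `trigger_template_error()` is reached only if that call returns, and the code after the `switch` is outside the hunk, so it is worth confirming that this path cannot yield a usable value.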