From 4dff1a1e5b6d1117cf3a8ad9924d38fb7d01b687 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Sat, 28 Sep 2024 14:47:41 +0200
Subject: deps: Upgrade smarty/smarty to version 4.5.4

This eliminates a potential vulnerability where an template author could inject arbitrary PHP files to be run via the 'extends' tag.

See:
- https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
- https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a

Impact assessment: In our case I would consider this a low severity issue as we don't allow users to dynamically add or edit smarty templates. Templates has to be updated via merge requests, or by installing a theme. In both cases a malicious attacker already has easier ways to inject whatever code they want. Further, the extend tag is not in use in any of our core templates.
---
 composer.lock | 12 ++--
 vendor/composer/installed.json | 14 ++---
 vendor/composer/installed.php | 10 ++--
 vendor/smarty/smarty/CHANGELOG.md | 18 +++++-
 .../language-function-section.md | 8 +--
 .../smarty/lexer/smarty_internal_templateparser.y | 3 +
 vendor/smarty/smarty/libs/Smarty.class.php | 2 +-
 .../sysplugins/smarty_internal_compile_extends.php | 66 +---------------------
 .../smarty_internal_compile_private_modifier.php | 8 ++-
 .../smarty_internal_templatecompilerbase.php | 37 ++++++++++--
 .../sysplugins/smarty_internal_templateparser.php | 3 +
 .../smarty/libs/sysplugins/smarty_security.php | 2 +-
 .../smarty/run-tests-for-all-php-versions.sh | 18 +++---
 13 files changed, 95 insertions(+), 106 deletions(-)

diff --git a/composer.lock b/composer.lock
index f4c1af599..005cefc88 100644
--- a/composer.lock
+++ b/composer.lock
@@ -1906,16 +1906,16 @@
 },
 {
 "name": "smarty/smarty",
- "version": "v4.4.1",
+ "version": "v4.5.4",
 "source": {
 "type": "git",
 "url": "https://github.com/smarty-php/smarty.git",
- "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d"
+ "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/smarty-php/smarty/zipball/f4152e9b814ae2369b6e4935c05e1e0c3654318d",
- "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d",
+ "url": "https://api.github.com/repos/smarty-php/smarty/zipball/c11676e85aa71bc7c3cd9100f1655a9f4d14616e",
+ "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e",
 "shasum": ""
 },
 "require": {
@@ -1966,9 +1966,9 @@
 "support": {
 "forum": "https://github.com/smarty-php/smarty/discussions",
 "issues": "https://github.com/smarty-php/smarty/issues",
- "source": "https://github.com/smarty-php/smarty/tree/v4.4.1"
+ "source": "https://github.com/smarty-php/smarty/tree/v4.5.4"
 },
- "time": "2024-02-26T13:58:37+00:00"
+ "time": "2024-08-14T20:04:35+00:00"
 },
 {
 "name": "spomky-labs/otphp",
diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json
index 75e597215..6fef247bf 100644
--- a/vendor/composer/installed.json
+++ b/vendor/composer/installed.json
@@ -1976,17 +1976,17 @@
 },
 {
 "name": "smarty/smarty",
- "version": "v4.4.1",
- "version_normalized": "4.4.1.0",
+ "version": "v4.5.4",
+ "version_normalized": "4.5.4.0",
 "source": {
 "type": "git",
 "url": "https://github.com/smarty-php/smarty.git",
- "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d"
+ "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/smarty-php/smarty/zipball/f4152e9b814ae2369b6e4935c05e1e0c3654318d",
- "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d",
+ "url": "https://api.github.com/repos/smarty-php/smarty/zipball/c11676e85aa71bc7c3cd9100f1655a9f4d14616e",
+ "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e",
 "shasum": ""
 },
 "require": {
@@ -1996,7 +1996,7 @@
 "phpunit/phpunit": "^8.5 || ^7.5",
 "smarty/smarty-lexer": "^3.1"
 },
- "time": "2024-02-26T13:58:37+00:00",
+ "time": "2024-08-14T20:04:35+00:00",
 "type": "library",
 "extra": {
 "branch-alias": {
@@ -2039,7 +2039,7 @@
 "support": {
 "forum": "https://github.com/smarty-php/smarty/discussions",
 "issues": "https://github.com/smarty-php/smarty/issues",
- "source": "https://github.com/smarty-php/smarty/tree/v4.4.1"
+ "source": "https://github.com/smarty-php/smarty/tree/v4.5.4"
 },
 "install-path": "../smarty/smarty"
 },
diff --git a/vendor/composer/installed.php b/vendor/composer/installed.php
index 595995bde..08afaebaa 100644
--- a/vendor/composer/installed.php
+++ b/vendor/composer/installed.php
@@ -3,7 +3,7 @@
 'name' => 'zotlabs/hubzilla',
 'pretty_version' => 'dev-master',
 'version' => 'dev-master',
- 'reference' => '39933052a9eb827afee3965509909ba314de5257',
+ 'reference' => 'c12ef4fbf4b2046e0af68b11e8fe5af2d335f32e',
 'type' => 'application',
 'install_path' => __DIR__ . '/../../',
 'aliases' => array(),
@@ -269,9 +269,9 @@
 'dev_requirement' => false,
 ),
 'smarty/smarty' => array(
- 'pretty_version' => 'v4.4.1',
- 'version' => '4.4.1.0',
- 'reference' => 'f4152e9b814ae2369b6e4935c05e1e0c3654318d',
+ 'pretty_version' => 'v4.5.4',
+ 'version' => '4.5.4.0',
+ 'reference' => 'c11676e85aa71bc7c3cd9100f1655a9f4d14616e',
 'type' => 'library',
 'install_path' => __DIR__ . '/../smarty/smarty',
 'aliases' => array(),
@@ -349,7 +349,7 @@
 'zotlabs/hubzilla' => array(
 'pretty_version' => 'dev-master',
 'version' => 'dev-master',
- 'reference' => '39933052a9eb827afee3965509909ba314de5257',
+ 'reference' => 'c12ef4fbf4b2046e0af68b11e8fe5af2d335f32e',
 'type' => 'application',
 'install_path' => __DIR__ . '/../../',
 'aliases' => array(),
diff --git a/vendor/smarty/smarty/CHANGELOG.md b/vendor/smarty/smarty/CHANGELOG.md
index 69d41e7aa..bff690d84 100644
--- a/vendor/smarty/smarty/CHANGELOG.md
+++ b/vendor/smarty/smarty/CHANGELOG.md
@@ -6,11 +6,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [4.5.4] - 2024-08-14
+- Fixed that using `count()` would trigger a deprecation notice. [#813](https://github.com/smarty-php/smarty/issues/813)
+
+
+## [4.5.3] - 2024-05-28
+- Fixed a code injection vulnerability in extends-tag. This addresses CVE-2024-35226.
+
+
+## [4.5.2] - 2024-04-06
+- Fixed argument must be passed by reference error introduced in v4.5.1 [#964](https://github.com/smarty-php/smarty/issues/964)
+
+## [4.5.1] - 2024-03-18
+- Using unregistered static class methods in expressions now also triggers a deprecation notice because we will drop support for this in the next major release [#813](https://github.com/smarty-php/smarty/issues/813)
+
+## [4.5.0] - 2024-03-18
+- (this release accidentally didn't contain any changes, fixed in 4.5.1)
+
 ## [4.4.1] - 2024-02-26
 - Fixed internal release-tooling
 ## [4.4.0] - 2024-02-26
-### Changed
 - Using the `|implode`, `|json_encode` and `|substr` modifiers does not generate a deprecation warning anymore as they will continue to be supported in v5 [#939](https://github.com/smarty-php/smarty/issues/939)
 ### Added
diff --git a/vendor/smarty/smarty/docs/designers/language-builtin-functions/language-function-section.md b/vendor/smarty/smarty/docs/designers/language-builtin-functions/language-function-section.md
index ba17224c0..427902512 100644
--- a/vendor/smarty/smarty/docs/designers/language-builtin-functions/language-function-section.md
+++ b/vendor/smarty/smarty/docs/designers/language-builtin-functions/language-function-section.md
@@ -178,14 +178,14 @@ The above example will output:

name: Jack Jones
- home phone: 777-555-5555
- cell phone: 888-555-5555
+ home: 777-555-5555
+ cell: 888-555-5555
e-mail: jack@myexample.com

name: Jane Munson
- home phone: 000-555-5555
- cell phone: 123456
+ home: 000-555-5555
+ cell: 123456
e-mail: jane@myexample.com

```
diff --git a/vendor/smarty/smarty/lexer/smarty_internal_templateparser.y b/vendor/smarty/smarty/lexer/smarty_internal_templateparser.y
index 620498765..ffc85bc06 100644
--- a/vendor/smarty/smarty/lexer/smarty_internal_templateparser.y
+++ b/vendor/smarty/smarty/lexer/smarty_internal_templateparser.y
@@ -785,6 +785,9 @@ value(res) ::= ns1(c)DOUBLECOLON static_class_access(s). {
 if (isset($this->smarty->registered_classes[c])) {
 res = $this->smarty->registered_classes[c].'::'.s[0].s[1];
 } else {
+ trigger_error('Using unregistered static method "' . c.'::'.s[0] . '" in a template is deprecated and will be ' .
+ 'removed in a future release. Use Smarty::registerClass to explicitly register ' .
+ 'a class for access.', E_USER_DEPRECATED);
 res = c.'::'.s[0].s[1];
 }
 } else {
diff --git a/vendor/smarty/smarty/libs/Smarty.class.php b/vendor/smarty/smarty/libs/Smarty.class.php
index 0a47c8350..97706e2aa 100644
--- a/vendor/smarty/smarty/libs/Smarty.class.php
+++ b/vendor/smarty/smarty/libs/Smarty.class.php
@@ -107,7 +107,7 @@ class Smarty extends Smarty_Internal_TemplateBase
 /**
 * smarty version
 */
- const SMARTY_VERSION = '4.4.1';
+ const SMARTY_VERSION = '4.5.4';
 /**
 * define variable scopes
 */
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_extends.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_extends.php
index d72d2b76f..69a7b5521 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_extends.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_extends.php
@@ -30,7 +30,7 @@ class Smarty_Internal_Compile_Extends extends Smarty_Internal_Compile_Shared_Inh
 *
 * @var array
 */
- public $optional_attributes = array('extends_resource');
+ public $optional_attributes = array();
 /**
 * Attribute definition: Overwrites base class.
@@ -62,29 +62,7 @@ class Smarty_Internal_Compile_Extends extends Smarty_Internal_Compile_Shared_Inh
 }
 // add code to initialize inheritance
 $this->registerInit($compiler, true);
- $file = trim($_attr[ 'file' ], '\'"');
- if (strlen($file) > 8 && substr($file, 0, 8) === 'extends:') {
- // generate code for each template
- $files = array_reverse(explode('|', substr($file, 8)));
- $i = 0;
- foreach ($files as $file) {
- if ($file[ 0 ] === '"') {
- $file = trim($file, '".');
- } else {
- $file = "'{$file}'";
- }
- $i++;
- if ($i === count($files) && isset($_attr[ 'extends_resource' ])) {
- $this->compileEndChild($compiler);
- }
- $this->compileInclude($compiler, $file);
- }
- if (!isset($_attr[ 'extends_resource' ])) {
- $this->compileEndChild($compiler);
- }
- } else {
- $this->compileEndChild($compiler, $_attr[ 'file' ]);
- }
+ $this->compileEndChild($compiler, $_attr[ 'file' ]);
 $compiler->has_code = false;
 return '';
 }
@@ -115,44 +93,4 @@ class Smarty_Internal_Compile_Extends extends Smarty_Internal_Compile_Shared_Inh
 '') . ");\n?>"
 );
 }
-
- /**
- * Add code for including subtemplate to end of template
- *
- * @param \Smarty_Internal_TemplateCompilerBase $compiler
- * @param string $template subtemplate name
- *
- * @throws \SmartyCompilerException
- * @throws \SmartyException
- */
- private function compileInclude(Smarty_Internal_TemplateCompilerBase $compiler, $template)
- {
- $compiler->parser->template_postfix[] = new Smarty_Internal_ParseTree_Tag(
- $compiler->parser,
- $compiler->compileTag(
- 'include',
- array(
- $template,
- array('scope' => 'parent')
- )
- )
- );
- }
-
- /**
- * Create source code for {extends} from source components array
- *
- * @param \Smarty_Internal_Template $template
- *
- * @return string
- */
- public static function extendsSourceArrayCode(Smarty_Internal_Template $template)
- {
- $resources = array();
- foreach ($template->source->components as $source) {
- $resources[] = $source->resource;
- }
- return $template->smarty->left_delimiter . 'extends file=\'extends:' . join('|', $resources) .
- '\' extends_resource=true' . $template->smarty->right_delimiter;
- }
 }
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_modifier.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_modifier.php
index aea082f01..31fd6e1da 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_modifier.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_modifier.php
@@ -109,9 +109,11 @@ class Smarty_Internal_Compile_Private_Modifier extends Smarty_Internal_CompileBa
 if (!is_object($compiler->smarty->security_policy)
 || $compiler->smarty->security_policy->isTrustedPhpModifier($modifier, $compiler)
 ) {
- trigger_error('Using php-function "' . $modifier . '" as a modifier is deprecated and will be ' .
- 'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
- 'a custom modifier.', E_USER_DEPRECATED);
+ if (!in_array($modifier, ['time', 'join', 'is_array', 'in_array'])) {
+ trigger_error('Using unregistered function "' . $modifier . '" in a template is deprecated and will be ' .
+ 'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
+ 'a custom modifier.', E_USER_DEPRECATED);
+ }
 $output = "{$modifier}({$params})";
 }
 $compiler->known_modifier_type[ $modifier ] = $type;
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php
index d5c18d31a..03797f7f8 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php
@@ -455,15 +455,29 @@ abstract class Smarty_Internal_TemplateCompilerBase
 $this->smarty->_current_file = $this->template->source->filepath;
 // get template source
 if (!empty($this->template->source->components)) {
- // we have array of inheritance templates by extends: resource
- // generate corresponding source code sequence
- $_content =
- Smarty_Internal_Compile_Extends::extendsSourceArrayCode($this->template);
+ $_compiled_code = '_loadInheritance(); $_smarty_tpl->inheritance->init($_smarty_tpl, true); ?>';
+
+ $i = 0;
+ $reversed_components = array_reverse($this->template->getSource()->components);
+ foreach ($reversed_components as $source) {
+ $i++;
+ if ($i === count($reversed_components)) {
+ $_compiled_code .= 'inheritance->endChild($_smarty_tpl); ?>';
+ }
+ $_compiled_code .= $this->compileTag(
+ 'include',
+ [
+ var_export($source->resource, true),
+ ['scope' => 'parent'],
+ ]
+ );
+ }
+ $_compiled_code = $this->postFilter($_compiled_code, $this->template);
 } else {
 // get template source
 $_content = $this->template->source->getContent();
+ $_compiled_code = $this->postFilter($this->doCompile($this->preFilter($_content), true));
 }
- $_compiled_code = $this->postFilter($this->doCompile($this->preFilter($_content), true));
 if (!empty($this->required_plugins[ 'compiled' ]) || !empty($this->required_plugins[ 'nocache' ])) {
 $_compiled_code = 'compileRequiredPlugins() . "?>\n" . $_compiled_code;
 }
@@ -640,7 +654,18 @@ abstract class Smarty_Internal_TemplateCompilerBase
 return $func_name . '(' . $parameter[ 0 ] . ')';
 }
 } else {
- return $name . '(' . implode(',', $parameter) . ')';
+
+ if (
+ !$this->smarty->loadPlugin('smarty_modifiercompiler_' . $name)
+ && !isset($this->smarty->registered_plugins[Smarty::PLUGIN_MODIFIER][$name])
+ && !in_array($name, ['time', 'join', 'is_array', 'in_array', 'count'])
+ ) {
+ trigger_error('Using unregistered function "' . $name . '" in a template is deprecated and will be ' .
+ 'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
+ 'a custom modifier.', E_USER_DEPRECATED);
+ }
+
+ return $name . '(' . implode(',', $parameter) . ')';
 }
 } else {
 $this->trigger_template_error("unknown function '{$name}'");
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php
index a2dd0d6fb..c37d3c187 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php
@@ -2425,6 +2425,9 @@ public static $yy_action = array(
 if (isset($this->smarty->registered_classes[$this->yystack[$this->yyidx + -2]->minor])) {
 $this->_retvalue = $this->smarty->registered_classes[$this->yystack[$this->yyidx + -2]->minor].'::'.$this->yystack[$this->yyidx + 0]->minor[0].$this->yystack[$this->yyidx + 0]->minor[1];
 } else {
+ trigger_error('Using unregistered static method "' . $this->yystack[$this->yyidx + -2]->minor.'::'.$this->yystack[$this->yyidx + 0]->minor[0] . '" in a template is deprecated and will be ' .
+ 'removed in a future release. Use Smarty::registerClass to explicitly register ' .
+ 'a class for access.', E_USER_DEPRECATED);
 $this->_retvalue = $this->yystack[$this->yyidx + -2]->minor.'::'.$this->yystack[$this->yyidx + 0]->minor[0].$this->yystack[$this->yyidx + 0]->minor[1];
 }
 } else {
diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_security.php b/vendor/smarty/smarty/libs/sysplugins/smarty_security.php
index 97cd0521d..49ae2a386 100644
--- a/vendor/smarty/smarty/libs/sysplugins/smarty_security.php
+++ b/vendor/smarty/smarty/libs/sysplugins/smarty_security.php
@@ -253,7 +253,7 @@ class Smarty_Security
 *
 * @param string $function_name
 * @param object $compiler compiler object
- *
+ * @deprecated
 * @return boolean true if function is trusted
 */
 public function isTrustedPhpFunction($function_name, $compiler)
diff --git a/vendor/smarty/smarty/run-tests-for-all-php-versions.sh b/vendor/smarty/smarty/run-tests-for-all-php-versions.sh
index 79bebb8a6..23541b519 100755
--- a/vendor/smarty/smarty/run-tests-for-all-php-versions.sh
+++ b/vendor/smarty/smarty/run-tests-for-all-php-versions.sh
@@ -5,11 +5,13 @@
 # - ./run-tests-for-all-php-versions.sh --group 20221124
 # - ./run-tests-for-all-php-versions.sh --exclude-group slow
-docker-compose run php71 ./run-tests.sh $@ && \
-docker-compose run php72 ./run-tests.sh $@ && \
-docker-compose run php73 ./run-tests.sh $@ && \
-docker-compose run php74 ./run-tests.sh $@ && \
-docker-compose run php80 ./run-tests.sh $@ && \
-docker-compose run php81 ./run-tests.sh $@ && \
-docker-compose run php82 ./run-tests.sh $@ && \
-docker-compose run php83 ./run-tests.sh $@
+COMPOSE_CMD="mutagen-compose"
+
+$COMPOSE_CMD run --rm php71 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php72 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php73 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php74 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php80 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php81 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php82 ./run-tests.sh $@ && \
+$COMPOSE_CMD run --rm php83 ./run-tests.sh $@
--
cgit v1.2.3