From 4dff1a1e5b6d1117cf3a8ad9924d38fb7d01b687 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Sat, 28 Sep 2024 14:47:41 +0200
Subject: deps: Upgrade smarty/smarty to version 4.5.4
This eliminates a potential vulnerability where an template author could inject arbitrary PHP files to be run via the 'extends' tag.
See:
- https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
- https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a
Impact assessment: In our case I would consider this a low severity issue as we don't allow users to dynamically add or edit smarty templates. Templates has to be updated via merge requests, or by installing a theme. In both cases a malicious attacker already has easier ways to inject whatever code they want. Further, the extend tag is not in use in any of our core templates.
---
 vendor/composer/installed.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'vendor/composer/installed.json')
diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json
index 75e597215..6fef247bf 100644
--- a/vendor/composer/installed.json
+++ b/vendor/composer/installed.json
@@ -1976,17 +1976,17 @@
 },
 {
 "name": "smarty/smarty",
- "version": "v4.4.1",
- "version_normalized": "4.4.1.0",
+ "version": "v4.5.4",
+ "version_normalized": "4.5.4.0",
 "source": {
 "type": "git",
 "url": "https://github.com/smarty-php/smarty.git",
- "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d"
+ "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/smarty-php/smarty/zipball/f4152e9b814ae2369b6e4935c05e1e0c3654318d",
- "reference": "f4152e9b814ae2369b6e4935c05e1e0c3654318d",
+ "url": "https://api.github.com/repos/smarty-php/smarty/zipball/c11676e85aa71bc7c3cd9100f1655a9f4d14616e",
+ "reference": "c11676e85aa71bc7c3cd9100f1655a9f4d14616e",
 "shasum": ""
 },
 "require": {
@@ -1996,7 +1996,7 @@
 "phpunit/phpunit": "^8.5 || ^7.5",
 "smarty/smarty-lexer": "^3.1"
 },
- "time": "2024-02-26T13:58:37+00:00",
+ "time": "2024-08-14T20:04:35+00:00",
 "type": "library",
 "extra": {
 "branch-alias": {
@@ -2039,7 +2039,7 @@
 "support": {
 "forum": "https://github.com/smarty-php/smarty/discussions",
 "issues": "https://github.com/smarty-php/smarty/issues",
- "source": "https://github.com/smarty-php/smarty/tree/v4.4.1"
+ "source": "https://github.com/smarty-php/smarty/tree/v4.5.4"
 },
 "install-path": "../smarty/smarty"
 },
-- cgit v1.2.3