From 4db384da34595adef68be6226e8b331b4d7b7f31 Mon Sep 17 00:00:00 2001 From: Mario Date: Sat, 5 Jun 2021 08:32:34 +0000 Subject: composer update smarty --- vendor/smarty/smarty/CHANGELOG.md | 6 ++++++ vendor/smarty/smarty/expectException | 0 vendor/smarty/smarty/libs/Smarty.class.php | 2 +- .../smarty/libs/sysplugins/smarty_internal_compile_function.php | 5 +++++ .../sysplugins/smarty_internal_compile_private_special_variable.php | 4 ++++ 5 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 vendor/smarty/smarty/expectException (limited to 'vendor/smarty') diff --git a/vendor/smarty/smarty/CHANGELOG.md b/vendor/smarty/smarty/CHANGELOG.md index 06b898223..e3bb93a4f 100644 --- a/vendor/smarty/smarty/CHANGELOG.md +++ b/vendor/smarty/smarty/CHANGELOG.md @@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [3.1.39] - 2021-02-17 + +### Security +- Prevent access to `$smarty.template_object` in sandbox mode +- Fixed code injection vulnerability by using illegal function names in `{function name='blah'}{/function}` + ## [3.1.38] - 2021-01-08 ### Fixed diff --git a/vendor/smarty/smarty/expectException b/vendor/smarty/smarty/expectException new file mode 100644 index 000000000..e69de29bb diff --git a/vendor/smarty/smarty/libs/Smarty.class.php b/vendor/smarty/smarty/libs/Smarty.class.php index 6564be6d2..375bab133 100644 --- a/vendor/smarty/smarty/libs/Smarty.class.php +++ b/vendor/smarty/smarty/libs/Smarty.class.php @@ -111,7 +111,7 @@ class Smarty extends Smarty_Internal_TemplateBase /** * smarty version */ - const SMARTY_VERSION = '3.1.38'; + const SMARTY_VERSION = '3.1.39'; /** * define variable scopes */ diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_function.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_function.php index 6e408ca72..d0f2b0f4a 100644 --- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_function.php +++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_function.php @@ -58,6 +58,11 @@ class Smarty_Internal_Compile_Function extends Smarty_Internal_CompileBase } unset($_attr[ 'nocache' ]); $_name = trim($_attr[ 'name' ], '\'"'); + + if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+$/', $_name)) { + $compiler->trigger_template_error("Function name contains invalid characters: {$_name}", null, true); + } + $compiler->parent_compiler->tpl_function[ $_name ] = array(); $save = array( $_attr, $compiler->parser->current_buffer, $compiler->template->compiled->has_nocache_code, diff --git a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_special_variable.php b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_special_variable.php index de7d4a224..d53ef51ff 100644 --- a/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_special_variable.php +++ b/vendor/smarty/smarty/libs/sysplugins/smarty_internal_compile_private_special_variable.php @@ -81,6 +81,10 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C case 'template': return 'basename($_smarty_tpl->source->filepath)'; case 'template_object': + if (isset($compiler->smarty->security_policy)) { + $compiler->trigger_template_error("(secure mode) template_object not permitted"); + break; + } return '$_smarty_tpl'; case 'current_dir': return 'dirname($_smarty_tpl->source->filepath)'; -- cgit v1.2.3