smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-02 17:34:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Support multiple operators in math equations (#708)

Browse Source 
* fix(math): fix equation regexp

Fixes #702.
This commit is contained in:
Claas Augner
2022-01-18 00:10:17 +01:00
committed by GitHub
parent f707dadecb
commit 059bea274c
3 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG.md
View File

@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased] ## [Unreleased]
### Fixed
- Fixed illegal characters bug in math function security check [#702](https://github.com/smarty-php/smarty/issues/702)
## [4.0.3] - 2022-01-10 ## [4.0.3] - 2022-01-10
### Security ### Security

2
libs/plugins/function.math.php
View File

@@ -70,7 +70,7 @@ function smarty_function_math($params, $template)
$number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
$functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))'; $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';
$operators = '[+\/*\^%-]'; // Allowed math operators $operators = '[+\/*\^%-]'; // Allowed math operators
$regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?2))?)+$/'; $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/';
if (!preg_match($regexp, $equation)) { if (!preg_match($regexp, $equation)) {
trigger_error("math: illegal characters", E_USER_WARNING); trigger_error("math: illegal characters", E_USER_WARNING);

8
tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
View File

@@ -44,6 +44,14 @@ class MathTest extends PHPUnit_Smarty
$this->assertEquals($expected, $this->smarty->fetch($tpl)); $this->assertEquals($expected, $this->smarty->fetch($tpl));
} }
public function testMultipleOperators()
{
$this->smarty->disableSecurity();
$expected = "2 -- 2";
$tpl = $this->smarty->createTemplate('eval:{$x = 5}{$y = 4}{math equation="x - y + 1" x=$x y=$y} -- {math equation="5 - 4 + 1"}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
public function testSyntaxSin() public function testSyntaxSin()
{ {
$this->smarty->disableSecurity(); $this->smarty->disableSecurity();