mirror of
https://github.com/smarty-php/smarty.git
synced 2025-07-31 00:17:15 +02:00
Merge branch 'master' into feature/php8-support
This commit is contained in:
Simon Wisselink
18
CHANGELOG.md
18
CHANGELOG.md
@ -24,6 +24,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
- Dropped deprecated $smarty->getVariable() method. Use $smarty->getTemplateVars() instead.
|
||||
- $smarty->registerResource() no longer accepts an array of callback functions
|
||||
|
||||
## [3.1.40] - 2021-10-13
|
||||
|
||||
### Changed
|
||||
- modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649
|
||||
|
||||
### Security
|
||||
- More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov
|
||||
|
||||
## [3.1.39] - 2021-02-17
|
||||
|
||||
### Security
|
||||
- Prevent access to `$smarty.template_object` in sandbox mode. This addresses CVE-2021-26119.
|
||||
- Fixed code injection vulnerability by using illegal function names in `{function name='blah'}{/function}`. This addresses CVE-2021-26120.
|
||||
|
||||
## [3.1.38] - 2021-01-08
|
||||
|
||||
### Fixed
|
||||
@ -336,7 +350,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
20.09.2016
|
||||
- bugfix some $smarty special template variables are no longer accessed as real variable.
|
||||
using them on calls like {if isset($smarty.foo)} or {if empty($smarty.foo)} will fail
|
||||
https://www.smarty.net/forums/viewtopic.php?t=26222
|
||||
http://www.smarty.net/forums/viewtopic.php?t=26222
|
||||
- temporary fix for https://github.com/smarty-php/smarty/issues/293 main reason still under investigation
|
||||
- improvement new tags {block_parent} {block_child} in template inheritance
|
||||
|
||||
@ -348,7 +362,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
- bugfix assigning a variable in if condition by function like {if $value = array_shift($array)} the function got called twice https://github.com/smarty-php/smarty/issues/291
|
||||
- bugfix function plugins called with assign attribute like {foo assign='bar'} did not output returned content because
|
||||
because assumption was made that it was assigned to a variable https://github.com/smarty-php/smarty/issues/292
|
||||
- bugfix calling $smarty->isCached() on a not existing cache file with $smarty->cache_locking = true; could cause a 10 second delay https://www.smarty.net/forums/viewtopic.php?t=26282
|
||||
- bugfix calling $smarty->isCached() on a not existing cache file with $smarty->cache_locking = true; could cause a 10 second delay http://www.smarty.net/forums/viewtopic.php?t=26282
|
||||
- improvement make Smarty::clearCompiledTemplate() on custom resource independent from changes of templateId computation
|
||||
|
||||
11.09.2016
|
||||
|
||||
@ -17,7 +17,7 @@ Smarty can be run with PHP 7.1 to PHP 8.0.
|
||||
|
||||
> Read the NEW_FEATURES and INHERITANCE_RELEASE_NOTES file for recent extensions to Smarty 3.1 functionality
|
||||
|
||||
Smarty versions 3.1.11 or later are now on github and can be installed with Composer.
|
||||
Smarty versions 3.1.11 or later are now on GitHub and can be installed with Composer.
|
||||
|
||||
|
||||
The "smarty/smarty" package will start at libs/.... subfolder.
|
||||
|
||||
19
SECURITY.md
Normal file
19
SECURITY.md
Normal file
@ -0,0 +1,19 @@
|
||||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
|
||||
Smarty currently supports the latest minor version of Smarty 3 and Smarty 4. (Smarty 4 has not been released yet.)
|
||||
|
||||
| Version | Supported |
|
||||
| ------- | ------------------ |
|
||||
| 4.0.x | :white_check_mark: |
|
||||
| 3.1.x | :white_check_mark: |
|
||||
| < 3.1 | :x: |
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
If you have discovered a security issue with Smarty, please contact us at mail [at] simonwisselink.nl. Do not
|
||||
disclose your findings publicly and PLEASE PLEASE do not file an Issue.
|
||||
|
||||
We will try to confirm the vulnerability and develop a fix if appropriate. When we release the fix, we will publish
|
||||
a security release. Please let us know if you want to be credited.
|
||||
@ -98,7 +98,7 @@ class Smarty extends Smarty_Internal_TemplateBase
|
||||
/**
|
||||
* smarty version
|
||||
*/
|
||||
const SMARTY_VERSION = '3.1.38';
|
||||
const SMARTY_VERSION = '3.1.40';
|
||||
/**
|
||||
* define variable scopes
|
||||
*/
|
||||
|
||||
@ -181,7 +181,11 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
|
||||
'"' => '\\"',
|
||||
"\r" => '\\r',
|
||||
"\n" => '\\n',
|
||||
'</' => '<\/'
|
||||
'</' => '<\/',
|
||||
// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
|
||||
'<!--' => '<\!--',
|
||||
'<s' => '<\s',
|
||||
'<S' => '<\S'
|
||||
)
|
||||
);
|
||||
case 'mail':
|
||||
@ -247,6 +251,7 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
|
||||
}
|
||||
return $return;
|
||||
default:
|
||||
trigger_error("escape: unsupported type: $esc_type - returning unmodified string", E_USER_NOTICE);
|
||||
return $string;
|
||||
}
|
||||
}
|
||||
|
||||
@ -86,9 +86,10 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
|
||||
return 'preg_replace("%(?<!\\\\\\\\)\'%", "\\\'",' . $params[ 0 ] . ')';
|
||||
case 'javascript':
|
||||
// escape quotes and backslashes, newlines, etc.
|
||||
// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
|
||||
return 'strtr(' .
|
||||
$params[ 0 ] .
|
||||
', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/" ))';
|
||||
', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
|
||||
}
|
||||
} catch (SmartyException $e) {
|
||||
// pass through to regular plugin fallback
|
||||
|
||||
@ -58,6 +58,11 @@ class Smarty_Internal_Compile_Function extends Smarty_Internal_CompileBase
|
||||
}
|
||||
unset($_attr[ 'nocache' ]);
|
||||
$_name = trim($_attr[ 'name' ], '\'"');
|
||||
|
||||
if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+$/', $_name)) {
|
||||
$compiler->trigger_template_error("Function name contains invalid characters: {$_name}", null, true);
|
||||
}
|
||||
|
||||
$compiler->parent_compiler->tpl_function[ $_name ] = array();
|
||||
$save = array(
|
||||
$_attr, $compiler->parser->current_buffer, $compiler->template->compiled->has_nocache_code,
|
||||
|
||||
@ -81,6 +81,10 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
|
||||
case 'template':
|
||||
return 'basename($_smarty_tpl->source->filepath)';
|
||||
case 'template_object':
|
||||
if (isset($compiler->smarty->security_policy)) {
|
||||
$compiler->trigger_template_error("(secure mode) template_object not permitted");
|
||||
break;
|
||||
}
|
||||
return '$_smarty_tpl';
|
||||
case 'current_dir':
|
||||
return 'dirname($_smarty_tpl->source->filepath)';
|
||||
|
||||
@ -14,6 +14,6 @@ git pull
|
||||
git merge --no-ff "release/$1"
|
||||
git branch -d "release/$1"
|
||||
git tag -a "v$1" -m "Release $1"
|
||||
git push --follow-tags
|
||||
|
||||
printf 'Done creating release %s\n' "$1"
|
||||
printf 'Run `git push --follow-tags origin` to publish it.\n'
|
||||
|
||||
@ -339,6 +339,10 @@ class CacheResourceTestCommon extends PHPUnit_Smarty
|
||||
$this->assertNull($tpl->cached->handler->getCachedContent($tpl3));
|
||||
$this->assertEquals('hello world', $tpl->cached->handler->getCachedContent($tpl4));
|
||||
}
|
||||
|
||||
/**
|
||||
* @group slow
|
||||
*/
|
||||
public function testClearCacheExpired()
|
||||
{
|
||||
$this->smarty->caching = true;
|
||||
@ -399,7 +403,7 @@ class CacheResourceTestCommon extends PHPUnit_Smarty
|
||||
* @runInSeparateProcess
|
||||
* @preserveGlobalState disabled
|
||||
* @dataProvider data
|
||||
*
|
||||
* @group slow
|
||||
*/
|
||||
public function testCache($lockTime, $lockTimeout, $compile_id, $cache_id, $isCached, $tmin, $tmax, $forceCompile, $forceCache, $update, $testNumber, $compileTestNumber, $renderTestNumber, $testName)
|
||||
{
|
||||
|
||||
@ -125,7 +125,7 @@ class ExtendsResourceTest extends PHPUnit_Smarty
|
||||
* test grandchild/child/parent dependency test2
|
||||
* @runInSeparateProcess
|
||||
* @preserveGlobalState disabled
|
||||
*
|
||||
* @group slow
|
||||
*/
|
||||
public function testCompileBlockGrandChildMustCompile_021_2()
|
||||
{
|
||||
@ -193,7 +193,7 @@ class ExtendsResourceTest extends PHPUnit_Smarty
|
||||
* test grandchild/child/parent dependency test4
|
||||
* @runInSeparateProcess
|
||||
* @preserveGlobalState disabled
|
||||
*
|
||||
* @group slow
|
||||
*/
|
||||
public function testCompileBlockGrandChildMustCompile_021_4()
|
||||
{
|
||||
|
||||
@ -341,6 +341,15 @@ class SecurityTest extends PHPUnit_Smarty
|
||||
$this->smarty->security_policy->trusted_uri = array();
|
||||
$this->assertStringContainsString('<title>Preface | Smarty</title>', $this->smarty->fetch('string:{fetch file="https://www.smarty.net/docs/en/preface.tpl"}'));
|
||||
}
|
||||
|
||||
/**
|
||||
* In security mode, accessing $smarty.template_object should be illegal.
|
||||
* @expectedException SmartyCompilerException
|
||||
*/
|
||||
public function testSmartyTemplateObject() {
|
||||
$this->smarty->display('string:{$smarty.template_object}');
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
class mysecuritystaticclass
|
||||
|
||||
@ -610,7 +610,7 @@ class CompileBlockExtendsTest extends PHPUnit_Smarty
|
||||
*
|
||||
* @runInSeparateProcess
|
||||
* @preserveGlobalState disabled
|
||||
*
|
||||
* @group slow
|
||||
*/
|
||||
public function testCompileBlockGrandChildMustCompile_021_2()
|
||||
{
|
||||
@ -645,7 +645,7 @@ class CompileBlockExtendsTest extends PHPUnit_Smarty
|
||||
*
|
||||
* @runInSeparateProcess
|
||||
* @preserveGlobalState disabled
|
||||
*
|
||||
* @group slow
|
||||
*/
|
||||
public function testCompileBlockGrandChildMustCompile_021_3()
|
||||
{
|
||||
@ -670,7 +670,7 @@ class CompileBlockExtendsTest extends PHPUnit_Smarty
|
||||
*
|
||||
* @runInSeparateProcess
|
||||
* @preserveGlobalState disabled
|
||||
*
|
||||
* @group slow
|
||||
*/
|
||||
public function testCompileBlockGrandChildMustCompile_021_32()
|
||||
{
|
||||
@ -692,6 +692,7 @@ class CompileBlockExtendsTest extends PHPUnit_Smarty
|
||||
*
|
||||
* @runInSeparateProcess
|
||||
* @preserveGlobalState disabled
|
||||
* @group slow
|
||||
*/
|
||||
public function testCompileBlockGrandChildMustCompile_021_4()
|
||||
{
|
||||
@ -716,6 +717,7 @@ class CompileBlockExtendsTest extends PHPUnit_Smarty
|
||||
*
|
||||
* @runInSeparateProcess
|
||||
* @preserveGlobalState disabled
|
||||
* @group slow
|
||||
*/
|
||||
public function testCompileBlockGrandChildMustCompile_021_42()
|
||||
{
|
||||
|
||||
@ -210,6 +210,7 @@ class CompileInsertTest extends PHPUnit_Smarty
|
||||
* test insert plugin caching 2
|
||||
* @runInSeparateProcess
|
||||
* @preserveGlobalState disabled
|
||||
* @group slow
|
||||
*/
|
||||
public function testInsertPluginCaching3_2()
|
||||
{
|
||||
|
||||
@ -431,5 +431,14 @@ class CompileFunctionTest extends PHPUnit_Smarty
|
||||
array("{function name=simple}A{\$foo}\nC{/function}{call name='simple'}", "Abar\nC", 'T14', $i++),
|
||||
array("{function name=simple}A\n{\$foo}\nC{/function}{call name='simple'}", "A\nbar\nC", 'T15', $i++),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Test handling of function names that are a security risk
|
||||
* @expectedException SmartyCompilerException
|
||||
*/
|
||||
public function testIllegalFunctionName() {
|
||||
$this->smarty->fetch('string:{function name=\'rce(){};echo "hi";function \'}{/function}');
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -35,7 +35,7 @@ class SmartyNowTest extends PHPUnit_Smarty
|
||||
}
|
||||
/**
|
||||
* test {$smarty.now nocache}
|
||||
*
|
||||
* @group slow
|
||||
*/
|
||||
public function testSmartyNowNocache() {
|
||||
$this->smarty->setCaching(true);
|
||||
|
||||
Reference in New Issue
Block a user