Merge pull request from GHSA-4h9c-v5vg-5m6m

* Prevent evasion of the static_classes security policy. * Updated deprecated exception expectations.
2025-08-03 01:44:26 +02:00 · 2022-01-10 10:48:27 +01:00
parent baad3115cd
commit 19ae410bf5
4 changed files with 38 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+### Security
+- Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408
+
 ## [4.0.2] - 2022-01-10

 ### Security
--- a/lexer/smarty_internal_templateparser.y
+++ b/lexer/smarty_internal_templateparser.y
@@ -747,6 +747,9 @@ value(res)       ::= doublequoted_with_quotes(s). {


 value(res)    ::= varindexed(vi) DOUBLECOLON static_class_access(r). {
+    if ($this->security && $this->security->static_classes !== array()) {
+        $this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
+    }
    $prefixVar = $this->compiler->getNewPrefixVariable();
    if (vi['var'] === '\'smarty\'') {
        $this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),vi['smarty_internal_index']).';?>');
--- a/libs/sysplugins/smarty_internal_templateparser.php
+++ b/libs/sysplugins/smarty_internal_templateparser.php
@@ -2397,6 +2397,9 @@ public static $yy_action = array(
    }
 // line 749 "../smarty/lexer/smarty_internal_templateparser.y"
    public function yy_r94(){
+	    if ($this->security && $this->security->static_classes !== array()) {
+		    $this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
+	    }
    $prefixVar = $this->compiler->getNewPrefixVariable();
    if ($this->yystack[$this->yyidx + -2]->minor['var'] === '\'smarty\'') {
        $this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),$this->yystack[$this->yyidx + -2]->minor['smarty_internal_index']).';?>');
--- a/tests/UnitTests/SecurityTests/SecurityTest.php
+++ b/tests/UnitTests/SecurityTests/SecurityTest.php
@@ -257,19 +257,41 @@ class SecurityTest extends PHPUnit_Smarty
        $this->assertEquals('25', $this->smarty->fetch($tpl));
    }

-/**
- * test not trusted PHP function
-  * @runInSeparateProcess
-  * @preserveGlobalState disabled
-  */
-    public function testNotTrustedStaticClass()
-    {
+	/**
+	 * test not trusted PHP function
+	 * @runInSeparateProcess
+	 * @preserveGlobalState disabled
+	 */
+	public function testNotTrustedStaticClass()
+	{
        $this->expectException('SmartyException');
        $this->expectExceptionMessage('access to static class \'mysecuritystaticclass\' not allowed by security setting');
        $this->smarty->security_policy->static_classes = array('null');
        $this->smarty->fetch('string:{mysecuritystaticclass::square(5)}');
    }

+	/**
+	 * test not trusted PHP function
+	 */
+	public function testNotTrustedStaticClassEval()
+	{
+		$this->expectException('SmartyException');
+		$this->expectExceptionMessage('dynamic static class not allowed by security setting');
+		$this->smarty->security_policy->static_classes = array('null');
+		$this->smarty->fetch('string:{$test = "mysecuritystaticclass"}{$test::square(5)}');
+	}
+
+	/**
+	 * test not trusted PHP function
+	 */
+	public function testNotTrustedStaticClassSmartyVar()
+	{
+		$this->expectException('SmartyException');
+		$this->expectExceptionMessage('dynamic static class not allowed by security setting');
+		$this->smarty->security_policy->static_classes = array('null');
+		$this->smarty->fetch('string:{$smarty.template_object::square(5)}');
+	}
+
    public function testChangedTrustedDirectory()
    {
        $this->smarty->security_policy->secure_dir = array(