smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-04 02:14:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request from GHSA-4h9c-v5vg-5m6m

Browse Source 
* Prevent evasion of the static_classes security policy.

* Updated deprecated exception expectations.
This commit is contained in:
Simon Wisselink
2022-01-10 10:48:27 +01:00
committed by GitHub
parent baad3115cd
commit 19ae410bf5
4 changed files with 38 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG.md
View File

@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased] ## [Unreleased]
### Security
- Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408
## [4.0.2] - 2022-01-10 ## [4.0.2] - 2022-01-10
### Security ### Security

3
lexer/smarty_internal_templateparser.y
View File

@@ -747,6 +747,9 @@ value(res) ::= doublequoted_with_quotes(s). {
value(res) ::= varindexed(vi) DOUBLECOLON static_class_access(r). { value(res) ::= varindexed(vi) DOUBLECOLON static_class_access(r). {
if ($this->security && $this->security->static_classes !== array()) {
$this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
}
$prefixVar = $this->compiler->getNewPrefixVariable(); $prefixVar = $this->compiler->getNewPrefixVariable();
if (vi['var'] === '\'smarty\'') { if (vi['var'] === '\'smarty\'') {
$this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),vi['smarty_internal_index']).';?>'); $this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),vi['smarty_internal_index']).';?>');

3
libs/sysplugins/smarty_internal_templateparser.php
View File

@@ -2397,6 +2397,9 @@ public static $yy_action = array(
} }
// line 749 "../smarty/lexer/smarty_internal_templateparser.y" // line 749 "../smarty/lexer/smarty_internal_templateparser.y"
public function yy_r94(){ public function yy_r94(){
if ($this->security && $this->security->static_classes !== array()) {
$this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
}
$prefixVar = $this->compiler->getNewPrefixVariable(); $prefixVar = $this->compiler->getNewPrefixVariable();
if ($this->yystack[$this->yyidx + -2]->minor['var'] === '\'smarty\'') { if ($this->yystack[$this->yyidx + -2]->minor['var'] === '\'smarty\'') {
$this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),$this->yystack[$this->yyidx + -2]->minor['smarty_internal_index']).';?>'); $this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),$this->yystack[$this->yyidx + -2]->minor['smarty_internal_index']).';?>');

22
tests/UnitTests/SecurityTests/SecurityTest.php
View File

@@ -270,6 +270,28 @@ class SecurityTest extends PHPUnit_Smarty
$this->smarty->fetch('string:{mysecuritystaticclass::square(5)}'); $this->smarty->fetch('string:{mysecuritystaticclass::square(5)}');
} }
/**
* test not trusted PHP function
*/
public function testNotTrustedStaticClassEval()
{
$this->expectException('SmartyException');
$this->expectExceptionMessage('dynamic static class not allowed by security setting');
$this->smarty->security_policy->static_classes = array('null');
$this->smarty->fetch('string:{$test = "mysecuritystaticclass"}{$test::square(5)}');
}
/**
* test not trusted PHP function
*/
public function testNotTrustedStaticClassSmartyVar()
{
$this->expectException('SmartyException');
$this->expectExceptionMessage('dynamic static class not allowed by security setting');
$this->smarty->security_policy->static_classes = array('null');
$this->smarty->fetch('string:{$smarty.template_object::square(5)}');
}
public function testChangedTrustedDirectory() public function testChangedTrustedDirectory()
{ {
$this->smarty->security_policy->secure_dir = array( $this->smarty->security_policy->secure_dir = array(