Merge pull request from GHSA-4h9c-v5vg-5m6m

2025-08-03 01:44:26 +02:00 · 2022-01-10 10:48:27 +01:00
parent b674cba13d
commit 28519ca00f
4 changed files with 42 additions and 12 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+### Security
+- Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408
+
 ## [3.1.42] - 2022-01-10

 ### Security
--- a/lexer/smarty_internal_templateparser.y
+++ b/lexer/smarty_internal_templateparser.y
@@ -758,6 +758,9 @@ value(res)       ::= doublequoted_with_quotes(s). {


 value(res)    ::= varindexed(vi) DOUBLECOLON static_class_access(r). {
+    if ($this->security && $this->security->static_classes !== array()) {
+        $this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
+    }
    $prefixVar = $this->compiler->getNewPrefixVariable();
    if (vi['var'] === '\'smarty\'') {
        $this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),vi['smarty_internal_index']).';?>');
--- a/libs/sysplugins/smarty_internal_templateparser.php
+++ b/libs/sysplugins/smarty_internal_templateparser.php
@@ -2837,6 +2837,10 @@ class Smarty_Internal_Templateparser
    // line 765 "../smarty/lexer/smarty_internal_templateparser.y"
    public function yy_r95()
    {
+        if ($this->security && $this->security->static_classes !== array()) {
+            $this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
+        }
+
        $prefixVar = $this->compiler->getNewPrefixVariable();
        if ($this->yystack[ $this->yyidx + -2 ]->minor[ 'var' ] === '\'smarty\'') {
            $this->compiler->appendPrefixCode("<?php {$prefixVar} = " .
--- a/tests/UnitTests/SecurityTests/SecurityTest.php
+++ b/tests/UnitTests/SecurityTests/SecurityTest.php
@@ -298,18 +298,38 @@ class SecurityTest extends PHPUnit_Smarty
        $this->assertEquals('25', $this->smarty->fetch($tpl));
    }

-/**
- * test not trusted PHP function
-  * @expectedException        SmartyException
-  * @expectedExceptionMessage   access to static class 'mysecuritystaticclass' not allowed by security setting
-  * @runInSeparateProcess
-  * @preserveGlobalState disabled
-  */
-    public function testNotTrustedStaticClass()
-    {
-        $this->smarty->security_policy->static_classes = array('null');
-            $this->smarty->fetch('string:{mysecuritystaticclass::square(5)}');
-    }
+	/**
+	 * test not trusted PHP function
+	 * @expectedException        SmartyException
+	 * @expectedExceptionMessage   access to static class 'mysecuritystaticclass' not allowed by security setting
+	 */
+	public function testNotTrustedStaticClass()
+	{
+		$this->smarty->security_policy->static_classes = array('null');
+		$this->smarty->fetch('string:{mysecuritystaticclass::square(5)}');
+	}
+
+	/**
+	 * test not trusted PHP function
+	 * @expectedException        SmartyException
+	 * @expectedExceptionMessage   dynamic static class not allowed by security setting
+	 */
+	public function testNotTrustedStaticClassEval()
+	{
+		$this->smarty->security_policy->static_classes = array('null');
+		$this->smarty->fetch('string:{$test = "mysecuritystaticclass"}{$test::square(5)}');
+	}
+
+	/**
+	 * test not trusted PHP function
+	 * @expectedException        SmartyException
+	 * @expectedExceptionMessage   dynamic static class not allowed by security setting
+	 */
+	public function testNotTrustedStaticClassSmartyVar()
+	{
+		$this->smarty->security_policy->static_classes = array('null');
+		$this->smarty->fetch('string:{$smarty.template_object::square(5)}');
+	}

    public function testChangedTrustedDirectory()
    {