Merge pull request from GHSA-4h9c-v5vg-5m6m

CHANGELOG.md

@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+- Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408
+
 ## [3.1.42] - 2022-01-10
 
 ### Security

lexer/smarty_internal_templateparser.y

@@ -758,6 +758,9 @@ value(res)       ::= doublequoted_with_quotes(s). {
 
 
 value(res)    ::= varindexed(vi) DOUBLECOLON static_class_access(r). {
+    if ($this->security && $this->security->static_classes !== array()) {
+        $this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
+    }
     $prefixVar = $this->compiler->getNewPrefixVariable();
     if (vi['var'] === '\'smarty\'') {
         $this->compiler->appendPrefixCode("<?php {$prefixVar} = ". $this->compiler->compileTag('private_special_variable',array(),vi['smarty_internal_index']).';?>');

libs/sysplugins/smarty_internal_templateparser.php

@@ -2837,6 +2837,10 @@ class Smarty_Internal_Templateparser
     // line 765 "../smarty/lexer/smarty_internal_templateparser.y"
     public function yy_r95()
     {
+        if ($this->security && $this->security->static_classes !== array()) {
+            $this->compiler->trigger_template_error('dynamic static class not allowed by security setting');
+        }
+
         $prefixVar = $this->compiler->getNewPrefixVariable();
         if ($this->yystack[ $this->yyidx + -2 ]->minor[ 'var' ] === '\'smarty\'') {
             $this->compiler->appendPrefixCode("<?php {$prefixVar} = " .

tests/UnitTests/SecurityTests/SecurityTest.php

@@ -298,18 +298,38 @@ class SecurityTest extends PHPUnit_Smarty
         $this->assertEquals('25', $this->smarty->fetch($tpl));
     }
 
-/**
+	/**
- * test not trusted PHP function
+	 * test not trusted PHP function
-  * @expectedException        SmartyException
+	 * @expectedException        SmartyException
-  * @expectedExceptionMessage   access to static class 'mysecuritystaticclass' not allowed by security setting
+	 * @expectedExceptionMessage   access to static class 'mysecuritystaticclass' not allowed by security setting
-  * @runInSeparateProcess
+	 */
-  * @preserveGlobalState disabled
+	public function testNotTrustedStaticClass()
-  */
+	{
-    public function testNotTrustedStaticClass()
+		$this->smarty->security_policy->static_classes = array('null');
-    {
+		$this->smarty->fetch('string:{mysecuritystaticclass::square(5)}');
-        $this->smarty->security_policy->static_classes = array('null');
+	}
-            $this->smarty->fetch('string:{mysecuritystaticclass::square(5)}');
+
-    }
+	/**
+	 * test not trusted PHP function
+	 * @expectedException        SmartyException
+	 * @expectedExceptionMessage   dynamic static class not allowed by security setting
+	 */
+	public function testNotTrustedStaticClassEval()
+	{
+		$this->smarty->security_policy->static_classes = array('null');
+		$this->smarty->fetch('string:{$test = "mysecuritystaticclass"}{$test::square(5)}');
+	}
+
+	/**
+	 * test not trusted PHP function
+	 * @expectedException        SmartyException
+	 * @expectedExceptionMessage   dynamic static class not allowed by security setting
+	 */
+	public function testNotTrustedStaticClassSmartyVar()
+	{
+		$this->smarty->security_policy->static_classes = array('null');
+		$this->smarty->fetch('string:{$smarty.template_object::square(5)}');
+	}
 
     public function testChangedTrustedDirectory()
     {