From 165f1bd4d2eec328cfeaca517a725b46001de838 Mon Sep 17 00:00:00 2001
From: Simon Wisselink
Date: Sun, 24 Jan 2021 23:44:07 +0100
Subject: [PATCH 1/2] Fixed Code injection vulnerability by using illegal function names
---
 CHANGELOG.md | 3 +++
 libs/sysplugins/smarty_internal_compile_function.php | 5 +++++
 .../TagTests/TemplateFunction/CompileFunctionTest.php | 11 ++++++++++-
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 06b89822..ecbd404b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Security
+- Code injection vulnerability by using illegal function names in `{function name='blah'}{/function}`
+
 ## [3.1.38] - 2021-01-08
 ### Fixed
diff --git a/libs/sysplugins/smarty_internal_compile_function.php b/libs/sysplugins/smarty_internal_compile_function.php
index 6e408ca7..d0f2b0f4 100644
--- a/libs/sysplugins/smarty_internal_compile_function.php
+++ b/libs/sysplugins/smarty_internal_compile_function.php
@@ -58,6 +58,11 @@ class Smarty_Internal_Compile_Function extends Smarty_Internal_CompileBase
 }
 unset($_attr[ 'nocache' ]);
 $_name = trim($_attr[ 'name' ], '\'"');
+
+ if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+$/', $_name)) {
+ $compiler->trigger_template_error("Function name contains invalid characters: {$_name}", null, true);
+ }
+
 $compiler->parent_compiler->tpl_function[ $_name ] = array();
 $save = array( $_attr, $compiler->parser->current_buffer, $compiler->template->compiled->has_nocache_code,
diff --git a/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php b/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php
index d2be82ca..6c902a68 100644
--- a/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php
+++ b/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php
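Review bot: The `$` anchor in the added `preg_match` pattern also matches just before a trailing newline, so a name ending in a newline passes this allow-list; the `trim()` on the line above strips only quote characters. Anchor the end absolutely instead, `if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+\z/', $_name)) {`, or add the `D` modifier to the existing pattern. A short comment such as `// only identifier characters are allowed: $_name becomes part of the compiled template code` would record why the check exists; how the name is used later is outside this hunk, so confirm that wording against the rest of the method. The enclosing method starts and ends outside the hunk.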
@@ -431,5 +431,14 @@ class CompileFunctionTest extends PHPUnit_Smarty
 array("{function name=simple}A{\$foo}\nC{/function}{call name='simple'}", "Abar\nC", 'T14', $i++),
 array("{function name=simple}A\n{\$foo}\nC{/function}{call name='simple'}", "A\nbar\nC", 'T15', $i++),
 );
- }
+ }
+
+ /**
+ * Test handling of function names that are a security risk
+ */
+ public function testIllegalFunctionName() {
+ $this->expectException(SmartyCompilerException::class);
+ $this->smarty->fetch('string:{function name=\'rce(){};echo "hi";function \'}{/function}');
+ }
+
 }
From 2543174460adc34d51150b9e9b076a622e72dfeb Mon Sep 17 00:00:00 2001
From: Simon Wisselink
Date: Mon, 1 Feb 2021 10:31:20 +0100
Subject: [PATCH 2/2] Cannot use in Smarty3 yet, revert to @expectedException
---
 .../TagTests/TemplateFunction/CompileFunctionTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php b/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php
index 6c902a68..65d3b2de 100644
--- a/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php
+++ b/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php
@@ -435,9 +435,9 @@ class CompileFunctionTest extends PHPUnit_Smarty
 /**
 * Test handling of function names that are a security risk
+ * @expectedException SmartyCompilerException
 */
 public function testIllegalFunctionName() {
- $this->expectException(SmartyCompilerException::class);
 $this->smarty->fetch('string:{function name=\'rce(){};echo "hi";function \'}{/function}');
 }
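Review bot: `testIllegalFunctionName` exercises a single rejected name, so the edges of the new allow-list in `smarty_internal_compile_function.php` are not pinned down by the suite. A data provider with a few more rejected inputs (a name containing whitespace, a name ending in a newline) plus one accepted name using an underscore or a high byte would catch a later loosening of the pattern. The docblock could also state the contract being guarded, e.g. `* A name outside [a-zA-Z0-9_\x80-\xff] must raise SmartyCompilerException at compile time`.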
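Review bot: The `@expectedException` annotation added to the docblock is honoured only by older PHPUnit releases (it was deprecated in PHPUnit 8 and removed in 9), and nothing in the test records why the method-call form was dropped. Add a docblock line so the next maintainer neither reverts it prematurely nor overlooks it during a PHPUnit upgrade, e.g. `* NOTE: annotation form kept for the PHPUnit version used by this branch; switch to expectException() once that is raised`. Which PHPUnit version the branch runs is inferred from the commit subject only, so adjust the wording to the real constraint.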