Merge branch 'bugfix/tplfunction_sandbox_escape'

This commit is contained in:
Simon Wisselink
2021-02-17 22:52:34 +01:00
3 changed files with 16 additions and 1 deletions


@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Security ### Security
- Prevent access to `$smarty.template_object` in Security mode - Prevent access to `$smarty.template_object` in Security mode
- Code injection vulnerability by using illegal function names in `{function name='blah'}{/function}`
## [3.1.38] - 2021-01-08 ## [3.1.38] - 2021-01-08


@@ -58,6 +58,11 @@ class Smarty_Internal_Compile_Function extends Smarty_Internal_CompileBase
} }
unset($_attr[ 'nocache' ]); unset($_attr[ 'nocache' ]);
$_name = trim($_attr[ 'name' ], '\'"'); $_name = trim($_attr[ 'name' ], '\'"');
if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+$/', $_name)) {
$compiler->trigger_template_error("Function name contains invalid characters: {$_name}", null, true);
}
$compiler->parent_compiler->tpl_function[ $_name ] = array(); $compiler->parent_compiler->tpl_function[ $_name ] = array();
$save = array( $save = array(
$_attr, $compiler->parser->current_buffer, $compiler->template->compiled->has_nocache_code, $_attr, $compiler->parser->current_buffer, $compiler->template->compiled->has_nocache_code,
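Review bot: The new `preg_match` guard ends in a bare `$`, which in PCRE also matches just before a trailing newline, so a name such as `foo\n` still passes the check; anchor with `\z` or the `D` modifier instead: `if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+$/D', $_name)) {`. Whether a trailing newline in `$_name` is harmful depends on how the name is emitted into the compiled template, which is outside this hunk, but the tighter anchor has no cost and matches the stated intent of "identifier characters only". The rejected name is also interpolated verbatim into the error message on the following line; worth confirming that `trigger_template_error` escapes it for whatever context the message is rendered in. The enclosing method starts and ends outside the hunk.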


@@ -431,5 +431,14 @@ class CompileFunctionTest extends PHPUnit_Smarty
array("{function name=simple}A{\$foo}\nC{/function}{call name='simple'}", "Abar\nC", 'T14', $i++), array("{function name=simple}A{\$foo}\nC{/function}{call name='simple'}", "Abar\nC", 'T14', $i++),
array("{function name=simple}A\n{\$foo}\nC{/function}{call name='simple'}", "A\nbar\nC", 'T15', $i++), array("{function name=simple}A\n{\$foo}\nC{/function}{call name='simple'}", "A\nbar\nC", 'T15', $i++),
); );
} }
/**
* Test handling of function names that are a security risk
* @expectedException SmartyCompilerException
*/
public function testIllegalFunctionName() {
$this->smarty->fetch('string:{function name=\'rce(){};echo "hi";function \'}{/function}');
}
} }
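Review bot: `testIllegalFunctionName` only asserts that some `SmartyCompilerException` is raised, so any unrelated compile error in that template string would also make it pass; pin the reason by adding `$this->expectExceptionMessage('Function name contains invalid characters');` before the `fetch` call (if the project's PHPUnit still relies on `@expectedException`, the docblock form `@expectedExceptionMessage` is the equivalent). A second case whose name differs from a valid one only by a trailing newline would document the intended behaviour at the pattern's end anchor, since a bare `$` in PCRE accepts it. The test class starts outside the hunk.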