smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-11-02 21:31:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

- bugfix {match} shell injection vulnerability patch provided by Tim Weber

Browse Source
This commit is contained in:
uwetews
2016-07-19 20:17:47 +02:00
parent f39e61762c
commit 50068ca52a
3 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
libs/Smarty.class.php
View File

@@ -121,7 +121,7 @@ class Smarty extends Smarty_Internal_TemplateBase
/**
* smarty version
*/
const SMARTY_VERSION = '3.1.30-dev/85';
const SMARTY_VERSION = '3.1.30-dev/86';
/**
* define variable scopes

16
libs/plugins/function.math.php
View File

@@ -44,8 +44,22 @@ function smarty_function_math($params, $template)
return;
}
// disallow backticks
if (strpos($equation, '`') !== false) {
trigger_error("math: backtick character not allowed in equation", E_USER_WARNING);
return;
}
// also disallow dollar signs
if (strpos($equation, '$') !== false) {
trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING);
return;
}
// match all vars in equation, make sure all are passed
preg_match_all("!(?:0x[a-fA-F0-9]+)|([a-zA-Z][a-zA-Z0-9_]*)!", $equation, $match);
preg_match_all('!(?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)!', $equation, $match);
foreach ($match[ 1 ] as $curr_var) {
if ($curr_var && !isset($params[ $curr_var ]) && !isset($_allowed_funcs[ $curr_var ])) {