- bugfix {match} shell injection vulnerability patch provided by Tim Weber

change_log.txt

@@ -1,6 +1,7 @@
  ===== 3.1.30-dev ===== (xx.xx.xx)
  19.07.2016
   - bugfix multiple {include} with relative filepath within {block}{/block} could fail https://github.com/smarty-php/smarty/issues/246
+  - bugfix {match} shell injection vulnerability patch provided by Tim Weber
  
  18.07.2016
   - bugfix {foreach} if key variable and item@key attribute have been used both the key variable was not updated https://github.com/smarty-php/smarty/issues/254

libs/Smarty.class.php

@@ -121,7 +121,7 @@ class Smarty extends Smarty_Internal_TemplateBase
     /**
      * smarty version
      */
-    const SMARTY_VERSION = '3.1.30-dev/85';
+    const SMARTY_VERSION = '3.1.30-dev/86';
 
     /**
      * define variable scopes

libs/plugins/function.math.php

@@ -44,8 +44,22 @@ function smarty_function_math($params, $template)
         return;
     }
 
+    // disallow backticks
+    if (strpos($equation, '`') !== false) {
+        trigger_error("math: backtick character not allowed in equation", E_USER_WARNING);
+
+        return;
+    }
+
+    // also disallow dollar signs
+    if (strpos($equation, '$') !== false) {
+        trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING);
+
+        return;
+    }
+
     // match all vars in equation, make sure all are passed
-    preg_match_all("!(?:0x[a-fA-F0-9]+)|([a-zA-Z][a-zA-Z0-9_]*)!", $equation, $match);
+    preg_match_all('!(?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)!', $equation, $match);
 
     foreach ($match[ 1 ] as $curr_var) {
         if ($curr_var && !isset($params[ $curr_var ]) && !isset($_allowed_funcs[ $curr_var ])) {