smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-04 02:14:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request from GHSA-29gp-2c3m-3j6m

Browse Source 
* Temporary fix. Waiting for CVE

* Add CVE
This commit is contained in:
Simon Wisselink
2022-01-10 00:01:43 +01:00
committed by Simon Wisselink
parent d8fa8c982f
commit 7ad97ad030
3 changed files with 65 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG.md
View File

@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased] ## [Unreleased]
### Security
- Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454
## [3.1.41] - 2022-01-09 ## [3.1.41] - 2022-01-09
### Security ### Security

32
libs/plugins/function.math.php
View File

@@ -28,7 +28,12 @@ function smarty_function_math($params, $template)
'int' => true, 'int' => true,
'abs' => true, 'abs' => true,
'ceil' => true, 'ceil' => true,
'acos' => true,
'acosh' => true,
'cos' => true, 'cos' => true,
'cosh' => true,
'deg2rad' => true,
'rad2deg' => true,
'exp' => true, 'exp' => true,
'floor' => true, 'floor' => true,
'log' => true, 'log' => true,
@@ -39,27 +44,51 @@ function smarty_function_math($params, $template)
'pow' => true, 'pow' => true,
'rand' => true, 'rand' => true,
'round' => true, 'round' => true,
'asin' => true,
'asinh' => true,
'sin' => true, 'sin' => true,
'sinh' => true,
'sqrt' => true, 'sqrt' => true,
'srand' => true, 'srand' => true,
'tan' => true 'atan' => true,
'atanh' => true,
'tan' => true,
'tanh' => true
); );
// be sure equation parameter is present // be sure equation parameter is present
if (empty($params[ 'equation' ])) { if (empty($params[ 'equation' ])) {
trigger_error("math: missing equation parameter", E_USER_WARNING); trigger_error("math: missing equation parameter", E_USER_WARNING);
return; return;
} }
$equation = $params[ 'equation' ]; $equation = $params[ 'equation' ];
// Remove whitespaces
$equation = preg_replace('/\s+/', '', $equation);
// Adapted from https://www.php.net/manual/en/function.eval.php#107377
$number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
$functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';
$operators = '[+\/*\^%-]'; // Allowed math operators
$regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?2))?)+$/';
if (!preg_match($regexp, $equation)) {
trigger_error("math: illegal characters", E_USER_WARNING);
return;
}
// make sure parenthesis are balanced // make sure parenthesis are balanced
if (substr_count($equation, '(') !== substr_count($equation, ')')) { if (substr_count($equation, '(') !== substr_count($equation, ')')) {
trigger_error("math: unbalanced parenthesis", E_USER_WARNING); trigger_error("math: unbalanced parenthesis", E_USER_WARNING);
return; return;
} }
// disallow backticks // disallow backticks
if (strpos($equation, '`') !== false) { if (strpos($equation, '`') !== false) {
trigger_error("math: backtick character not allowed in equation", E_USER_WARNING); trigger_error("math: backtick character not allowed in equation", E_USER_WARNING);
return; return;
} }
// also disallow dollar signs // also disallow dollar signs
if (strpos($equation, '$') !== false) { if (strpos($equation, '$') !== false) {
trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING); trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING);
@@ -96,6 +125,7 @@ function smarty_function_math($params, $template)
} }
$smarty_math_result = null; $smarty_math_result = null;
eval("\$smarty_math_result = " . $equation . ";"); eval("\$smarty_math_result = " . $equation . ";");
if (empty($params[ 'format' ])) { if (empty($params[ 'format' ])) {
if (empty($params[ 'assign' ])) { if (empty($params[ 'assign' ])) {
return $smarty_math_result; return $smarty_math_result;

31
tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
View File

@@ -107,4 +107,35 @@ class MathTest extends PHPUnit_Smarty
$tpl = $this->smarty->createTemplate('eval:{$x = "4"}{$y = "5.5"}{math equation="x * y" x=$x y=$y format="%0.2f"} -- {math equation="20.5 / 5" format="%0.2f"}'); $tpl = $this->smarty->createTemplate('eval:{$x = "4"}{$y = "5.5"}{math equation="x * y" x=$x y=$y format="%0.2f"} -- {math equation="20.5 / 5" format="%0.2f"}');
$this->assertEquals($expected, $this->smarty->fetch($tpl)); $this->assertEquals($expected, $this->smarty->fetch($tpl));
} }
/**
* @expectedException PHPUnit_Framework_Error_Warning
*/
public function testBackticksIllegal()
{
$expected = "22.00";
$tpl = $this->smarty->createTemplate('eval:{$x = "4"}{$y = "5.5"}{math equation="`ls` x * y" x=$x y=$y}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
/**
* @expectedException PHPUnit_Framework_Error_Warning
*/
public function testDollarSignsIllegal()
{
$expected = "22.00";
$tpl = $this->smarty->createTemplate('eval:{$x = "4"}{$y = "5.5"}{math equation="$" x=$x y=$y}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
/**
* @expectedException PHPUnit_Framework_Error_Warning
*/
public function testBracketsIllegal()
{
$expected = "I";
$tpl = $this->smarty->createTemplate('eval:{$x = "0"}{$y = "1"}{math equation="((y/x).(x))[x]" x=$x y=$y}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
} }