diff --git a/ChangeLog b/ChangeLog index 6a078fcb..55da923a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2012-09-24 Uwe Tews + + * Fixed escape Smarty error messages to avoid possible script execution + + +2010-04-17 Uwe Tews + + * Fixed security hole in {math} plugin + 2007-09-27 TAKAGI Masahiro * docs/ja/designers/language-custom-functions/language-function-html-checkboxes.xml: diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php index 3c3448db..ab70d210 100644 --- a/libs/Smarty.class.php +++ b/libs/Smarty.class.php @@ -20,7 +20,7 @@ * * For questions, help, comments, discussion, etc., please join the * Smarty mailing list. Send a blank e-mail to - * smarty-discussion-subscribe@googlegroups.com + * smarty-discussion-subscribe@googlegroups.com * * @link http://www.smarty.net/ * @copyright 2001-2005 New Digital Group, Inc. @@ -1058,7 +1058,7 @@ class Smarty } else { // var non-existant, return valid reference $_tmp = null; - return $_tmp; + return $_tmp; } } @@ -1090,7 +1090,8 @@ class Smarty */ function trigger_error($error_msg, $error_type = E_USER_WARNING) { - trigger_error("Smarty error: $error_msg", $error_type); + $msg = htmlentities($error_msg); + trigger_error("Smarty error: $msg", $error_type); } @@ -1117,7 +1118,7 @@ class Smarty function fetch($resource_name, $cache_id = null, $compile_id = null, $display = false) { static $_cache_info = array(); - + $_smarty_old_error_level = $this->debugging ? error_reporting() : error_reporting(isset($this->error_reporting) ? $this->error_reporting : error_reporting() & ~E_NOTICE); @@ -1933,10 +1934,10 @@ class Smarty { return eval($code); } - + /** * Extracts the filter name from the given callback - * + * * @param callback $function * @return string */ @@ -1951,7 +1952,7 @@ class Smarty return $function; } } - + /**#@-*/ } diff --git a/libs/plugins/function.cycle.php b/libs/plugins/function.cycle.php index fe78bb87..80378b7f 100644 --- a/libs/plugins/function.cycle.php 
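Review bot: The new `htmlentities($error_msg)` in trigger_error relies on PHP's default flags, which (ENT_COMPAT, the default before PHP 8.1) escape double quotes but leave single quotes alone, so a message that is later echoed inside a single-quoted HTML attribute is still injectable; the charset also defaults to the interpreter's (ISO-8859-1 before PHP 5.4), and `htmlentities` returns an empty string for input that is invalid in that charset, which would silently discard the error text. Pass flags and encoding explicitly, e.g. `$msg = htmlentities($error_msg, ENT_QUOTES, 'UTF-8');`, or use `htmlspecialchars` with the same arguments, which is enough to prevent script execution and keeps non-HTML output more readable. The escaping is applied unconditionally, so errors routed to a text log or the CLI now carry HTML entities; if that trade-off is deliberate, record it with a comment such as `// escaped for HTML output: error messages may embed names taken from templates`.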
+++ b/libs/plugins/function.cycle.php @@ -63,7 +63,11 @@ function smarty_function_cycle($params, &$smarty) $cycle_vars[$name]['values'] = $params['values']; } - $cycle_vars[$name]['delimiter'] = (isset($params['delimiter'])) ? $params['delimiter'] : ','; + if (isset($params['delimiter'])) { + $cycle_vars[$name]['delimiter'] = $params['delimiter']; + } elseif (!isset($cycle_vars[$name]['delimiter'])) { + $cycle_vars[$name]['delimiter'] = ','; + } if(is_array($cycle_vars[$name]['values'])) { $cycle_array = $cycle_vars[$name]['values']; diff --git a/libs/plugins/function.fetch.php b/libs/plugins/function.fetch.php index 81b1bfc6..d72c7b1f 100644 --- a/libs/plugins/function.fetch.php +++ b/libs/plugins/function.fetch.php @@ -181,12 +181,12 @@ function smarty_function_fetch($params, &$smarty) $content .= fgets($fp,4096); } fclose($fp); - $csplit = split("\r\n\r\n",$content,2); + $csplit = preg_split("!\r\n\r\n!",$content,2); $content = $csplit[1]; if(!empty($params['assign_headers'])) { - $smarty->assign($params['assign_headers'],split("\r\n",$csplit[0])); + $smarty->assign($params['assign_headers'],preg_split("!\r\n!",$csplit[0])); } } } else { diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php index bb78dac2..6575e060 100644 --- a/libs/plugins/function.math.php +++ b/libs/plugins/function.math.php @@ -37,7 +37,7 @@ function smarty_function_math($params, &$smarty) } // match all vars in equation, make sure all are passed - preg_match_all("!(?:0x[a-fA-F0-9]+)|([a-zA-Z][a-zA-Z0-9_]+)!",$equation, $match); + preg_match_all("!(?:0x[a-fA-F0-9]+)|([a-zA-Z][a-zA-Z0-9_]*)!",$equation, $match); $allowed_funcs = array('int','abs','ceil','cos','exp','floor','log','log10', 'max','min','pi','pow','rand','round','sin','sqrt','srand','tan'); @@ -82,4 +82,4 @@ function smarty_function_math($params, &$smarty) /* vim: set expandtab: */ -?> +?> \ No newline at end of file
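Review bot: `$content = $csplit[1];` on the line after the new `preg_split` still assumes the response contains a `\r\n\r\n` header/body separator; when it does not (a server or proxy emitting bare `\n` line endings, or a truncated read), `preg_split` returns a one-element array, `$csplit[1]` raises an undefined-offset notice and `$content` becomes null. Guard the access, e.g. `$content = isset($csplit[1]) ? $csplit[1] : '';`, and only treat `$csplit[0]` as headers when the split actually produced two parts. The `!`-delimited double-quoted pattern works because PHP converts `\r\n` to literal CR LF bytes before PCRE sees them, though `preg_split('/\r\n\r\n/', ...)` would be the more conventional spelling. smarty_function_fetch begins and ends outside this hunk.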
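Review bot: The `+` to `*` change in the identifier group of the `preg_match_all` pattern is the actual security fix (one-character names such as a lone `e` or `x` were never captured before and so presumably bypassed the allowed-function / passed-variable check that follows), yet nothing in the code records this, so a later tidy-up could revert it as a harmless regex tweak; add a comment above the call, e.g. `// '*' not '+': single-character names must be captured too, otherwise they escape the allow-list check below`. That check itself lies outside this hunk, so its exact semantics are inferred from `$allowed_funcs` and the comment on the line above. It would also help to note that the non-capturing `0x…` alternative exists so hex literals are consumed whole rather than having their `x…` tail tokenised as an identifier, which is equally non-obvious to a reader.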