From c5c9d6514ceaf15fe35345886668726829560f93 Mon Sep 17 00:00:00 2001
From: uwetews
Date: Tue, 19 Jul 2016 20:31:12 +0200
Subject: [PATCH] {math} shell injection vulnerability patch provided by Tim Weber
---
 ChangeLog | 3 ++
 libs/Smarty.class.php | 4 +-
 libs/plugins/function.math.php | 99 ++++++++++++++++++++--------------
 3 files changed, 64 insertions(+), 42 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 2b9dd462..a864d097 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2016-07-19 Uwe Tews
+ * {math} shell injection vulnerability patch provided by Tim Weber
+
 2015-12-30 Uwe Tews
 * fixed plugin filepath cache must not be static, because of possible problem
diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php
index 411ddfa1..41d53706 100644
--- a/libs/Smarty.class.php
+++ b/libs/Smarty.class.php
@@ -27,7 +27,7 @@
 * @author Monte Ohrt
 * @author Andrei Zmievski
 * @package Smarty
- * @version 2.6.29
+ * @version 2.6.30
 */
 /* $Id$ */
@@ -465,7 +465,7 @@ class Smarty
 *
 * @var string
 */
- var $_version = '2.6.29';
+ var $_version = '2.6.30';
 /**
 * current template inclusion depth
diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php
index 6575e060..655fe728 100644
--- a/libs/plugins/function.math.php
+++ b/libs/plugins/function.math.php
@@ -1,85 +1,104 @@
 * Name: math
- * Purpose: handle math computations in template
- * @link http://smarty.php.net/manual/en/language.function.math.php {math}
- * (Smarty online manual)
+ * Purpose: handle math computations in template
+ *
+ * @link http://www.smarty.net/manual/en/language.function.math.php {math}
+ * (Smarty online manual)
 * @author Monte Ohrt
- * @param array
- * @param Smarty
- * @return string
+ *
+ * @param array $params parameters
+ * @param Smarty_Internal_Template $template template object
+ *
+ * @return string|null
 */
-function smarty_function_math($params, &$smarty)
+function smarty_function_math($params, $template)
 {
+ static $_allowed_funcs =
+ array('int' => true, 'abs' => true, 'ceil' => true, 'cos' => true, 'exp' => true, 'floor' => true,
+ 'log' => true, 'log10' => true, 'max' => true, 'min' => true, 'pi' => true, 'pow' => true, 'rand' => true,
+ 'round' => true, 'sin' => true, 'sqrt' => true, 'srand' => true, 'tan' => true);
 // be sure equation parameter is present
- if (empty($params['equation'])) {
- $smarty->trigger_error("math: missing equation parameter");
+ if (empty($params[ 'equation' ])) {
+ trigger_error("math: missing equation parameter", E_USER_WARNING);
+ return;
 }
- // strip out backticks, not necessary for math
- $equation = str_replace('`','',$params['equation']);
+ $equation = $params[ 'equation' ];
 // make sure parenthesis are balanced
- if (substr_count($equation,"(") != substr_count($equation,")")) {
- $smarty->trigger_error("math: unbalanced parenthesis");
+ if (substr_count($equation, "(") != substr_count($equation, ")")) {
+ trigger_error("math: unbalanced parenthesis", E_USER_WARNING);
+
+ return;
+ }
+
+ // disallow backticks
+ if (strpos($equation, '`') !== false) {
+ trigger_error("math: backtick character not allowed in equation", E_USER_WARNING);
+
+ return;
+ }
+
+ // also disallow dollar signs
+ if (strpos($equation, '$') !== false) {
+ trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING);
+ return;
 }
 // match all vars in equation, make sure all are passed
- preg_match_all("!(?:0x[a-fA-F0-9]+)|([a-zA-Z][a-zA-Z0-9_]*)!",$equation, $match);
- $allowed_funcs = array('int','abs','ceil','cos','exp','floor','log','log10',
- 'max','min','pi','pow','rand','round','sin','sqrt','srand','tan');
-
- foreach($match[1] as $curr_var) {
- if ($curr_var && !in_array($curr_var, array_keys($params)) && !in_array($curr_var, $allowed_funcs)) {
- $smarty->trigger_error("math: function call $curr_var not allowed");
+ preg_match_all('!(?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)!', $equation, $match);
+
+ foreach ($match[ 1 ] as $curr_var) {
+ if ($curr_var && !isset($params[ $curr_var ]) && !isset($_allowed_funcs[ $curr_var ])) {
+ trigger_error("math: function call $curr_var not allowed", E_USER_WARNING);
+ return;
 }
 }
- foreach($params as $key => $val) {
+ foreach ($params as $key => $val) {
 if ($key != "equation" && $key != "format" && $key != "assign") {
 // make sure value is not empty
- if (strlen($val)==0) {
- $smarty->trigger_error("math: parameter $key is empty");
+ if (strlen($val) == 0) {
+ trigger_error("math: parameter $key is empty", E_USER_WARNING);
+ return;
 }
 if (!is_numeric($val)) {
- $smarty->trigger_error("math: parameter $key: is not numeric");
+ trigger_error("math: parameter $key: is not numeric", E_USER_WARNING);
+ return;
 }
 $equation = preg_replace("/\b$key\b/", " \$params['$key'] ", $equation);
 }
 }
+ $smarty_math_result = null;
+ eval("\$smarty_math_result = " . $equation . ";");
- eval("\$smarty_math_result = ".$equation.";");
-
- if (empty($params['format'])) {
- if (empty($params['assign'])) {
+ if (empty($params[ 'format' ])) {
+ if (empty($params[ 'assign' ])) {
 return $smarty_math_result;
 } else {
- $smarty->assign($params['assign'],$smarty_math_result);
+ $template->assign($params[ 'assign' ], $smarty_math_result);
 }
 } else {
- if (empty($params['assign'])){
- printf($params['format'],$smarty_math_result);
+ if (empty($params[ 'assign' ])) {
+ printf($params[ 'format' ], $smarty_math_result);
 } else {
- $smarty->assign($params['assign'],sprintf($params['format'],$smarty_math_result));
+ $template->assign($params[ 'assign' ], sprintf($params[ 'format' ], $smarty_math_result));
 }
 }
 }
-
-/* vim: set expandtab: */
-
-?>
\ No newline at end of file
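Review bot: The new backtick and `$` checks are a denylist and the `preg_match_all` identifier scan only inspects bare names, so quoted string literals, escape sequences and other non-identifier syntax in `$equation` still reach the `eval()` near the end of the hunk unexamined; a character allowlist on the raw equation, applied where the backtick check now sits (before the `\$params['$key']` substitution), would reject that whole class at once instead of two specific characters. Something like `if (preg_match('/[^a-zA-Z0-9_\x7f-\xff+\-*\/%.,()\s]/', $equation)) { trigger_error("math: illegal character in equation", E_USER_WARNING); return; }` keeps numbers, the allowed function names, arithmetic operators, parentheses and whitespace while refusing quotes, semicolons, braces and backslashes. Separately, `$key` is interpolated into the `preg_replace` pattern without `preg_quote($key, '/')`; that is probably harmless for Smarty attribute names, but a quoted key costs nothing. Since `$val` is only ever referenced as `$params['$key']` and never spliced in as text, the `is_numeric` check on it is sound as written.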