{math} shell injection vulnerability patch provided by Tim Weber

ChangeLog

@@ -1,3 +1,6 @@
+2016-07-19  Uwe Tews
+    * {math} shell injection vulnerability patch provided by Tim Weber
+    
 2015-12-30  Uwe Tews
 
     * fixed plugin filepath cache must not be static, because of possible problem

libs/Smarty.class.php

@@ -27,7 +27,7 @@
  * @author Monte Ohrt <monte at ohrt dot com>
  * @author Andrei Zmievski <andrei@php.net>
  * @package Smarty
- * @version 2.6.29
+ * @version 2.6.30
  */
 
 /* $Id$ */
@@ -465,7 +465,7 @@ class Smarty
      *
      * @var string
      */
-    var $_version              = '2.6.29';
+    var $_version              = '2.6.30';
 
     /**
      * current template inclusion depth

libs/plugins/function.math.php

@@ -1,85 +1,104 @@
 <?php
 /**
  * Smarty plugin
- * @package Smarty
+ * This plugin is only for Smarty2 BC
- * @subpackage plugins
+ *
+ * @package    Smarty
+ * @subpackage PluginsFunction
  */
 
-
 /**
  * Smarty {math} function plugin
- *
  * Type:     function<br>
  * Name:     math<br>
- * Purpose:  handle math computations in template<br>
+ * Purpose:  handle math computations in template
- * @link http://smarty.php.net/manual/en/language.function.math.php {math}
+ *
- *          (Smarty online manual)
+ * @link     http://www.smarty.net/manual/en/language.function.math.php {math}
+ *           (Smarty online manual)
  * @author   Monte Ohrt <monte at ohrt dot com>
- * @param array
+ *
- * @param Smarty
+ * @param array                    $params   parameters
- * @return string
+ * @param Smarty_Internal_Template $template template object
+ *
+ * @return string|null
  */
-function smarty_function_math($params, &$smarty)
+function smarty_function_math($params, $template)
 {
+    static $_allowed_funcs =
+        array('int' => true, 'abs' => true, 'ceil' => true, 'cos' => true, 'exp' => true, 'floor' => true,
+              'log' => true, 'log10' => true, 'max' => true, 'min' => true, 'pi' => true, 'pow' => true, 'rand' => true,
+              'round' => true, 'sin' => true, 'sqrt' => true, 'srand' => true, 'tan' => true);
     // be sure equation parameter is present
-    if (empty($params['equation'])) {
+    if (empty($params[ 'equation' ])) {
-        $smarty->trigger_error("math: missing equation parameter");
+        trigger_error("math: missing equation parameter", E_USER_WARNING);
+
         return;
     }
 
-    // strip out backticks, not necessary for math
+    $equation = $params[ 'equation' ];
-    $equation = str_replace('`','',$params['equation']);
 
     // make sure parenthesis are balanced
-    if (substr_count($equation,"(") != substr_count($equation,")")) {
+    if (substr_count($equation, "(") != substr_count($equation, ")")) {
-        $smarty->trigger_error("math: unbalanced parenthesis");
+        trigger_error("math: unbalanced parenthesis", E_USER_WARNING);
+
+        return;
+    }
+
+    // disallow backticks
+    if (strpos($equation, '`') !== false) {
+        trigger_error("math: backtick character not allowed in equation", E_USER_WARNING);
+
+        return;
+    }
+
+    // also disallow dollar signs
+    if (strpos($equation, '$') !== false) {
+        trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING);
+
         return;
     }
 
     // match all vars in equation, make sure all are passed
-    preg_match_all("!(?:0x[a-fA-F0-9]+)|([a-zA-Z][a-zA-Z0-9_]*)!",$equation, $match);
+    preg_match_all('!(?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)!', $equation, $match);
-    $allowed_funcs = array('int','abs','ceil','cos','exp','floor','log','log10',
+
-                           'max','min','pi','pow','rand','round','sin','sqrt','srand','tan');
+    foreach ($match[ 1 ] as $curr_var) {
-    
+        if ($curr_var && !isset($params[ $curr_var ]) && !isset($_allowed_funcs[ $curr_var ])) {
-    foreach($match[1] as $curr_var) {
+            trigger_error("math: function call $curr_var not allowed", E_USER_WARNING);
-        if ($curr_var && !in_array($curr_var, array_keys($params)) && !in_array($curr_var, $allowed_funcs)) {
+
-            $smarty->trigger_error("math: function call $curr_var not allowed");
             return;
         }
     }
 
-    foreach($params as $key => $val) {
+    foreach ($params as $key => $val) {
         if ($key != "equation" && $key != "format" && $key != "assign") {
             // make sure value is not empty
-            if (strlen($val)==0) {
+            if (strlen($val) == 0) {
-                $smarty->trigger_error("math: parameter $key is empty");
+                trigger_error("math: parameter $key is empty", E_USER_WARNING);
+
                 return;
             }
             if (!is_numeric($val)) {
-                $smarty->trigger_error("math: parameter $key: is not numeric");
+                trigger_error("math: parameter $key: is not numeric", E_USER_WARNING);
+
                 return;
             }
             $equation = preg_replace("/\b$key\b/", " \$params['$key'] ", $equation);
         }
     }
+    $smarty_math_result = null;
+    eval("\$smarty_math_result = " . $equation . ";");
 
-    eval("\$smarty_math_result = ".$equation.";");
+    if (empty($params[ 'format' ])) {
-
+        if (empty($params[ 'assign' ])) {
-    if (empty($params['format'])) {
-        if (empty($params['assign'])) {
             return $smarty_math_result;
         } else {
-            $smarty->assign($params['assign'],$smarty_math_result);
+            $template->assign($params[ 'assign' ], $smarty_math_result);
         }
     } else {
-        if (empty($params['assign'])){
+        if (empty($params[ 'assign' ])) {
-            printf($params['format'],$smarty_math_result);
+            printf($params[ 'format' ], $smarty_math_result);
         } else {
-            $smarty->assign($params['assign'],sprintf($params['format'],$smarty_math_result));
+            $template->assign($params[ 'assign' ], sprintf($params[ 'format' ], $smarty_math_result));
         }
     }
 }
-
-/* vim: set expandtab: */
-
-?>