diff --git a/CHANGELOG.md b/CHANGELOG.md
index 06b89822..3e607e35 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
+### Security
+- Prevent access to `$smarty.template_object` in Security mode
+
 ## [3.1.38] - 2021-01-08
 
 ### Fixed
diff --git a/expectException b/expectException
new file mode 100644
index 00000000..e69de29b
diff --git a/libs/sysplugins/smarty_internal_compile_private_special_variable.php b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
index de7d4a22..d53ef51f 100644
--- a/libs/sysplugins/smarty_internal_compile_private_special_variable.php
+++ b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
@@ -81,6 +81,10 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
             case 'template':
                 return 'basename($_smarty_tpl->source->filepath)';
             case 'template_object':
+                if (isset($compiler->smarty->security_policy)) {
+                    $compiler->trigger_template_error("(secure mode) template_object not permitted");
+                    break;
+                }
                 return '$_smarty_tpl';
             case 'current_dir':
                 return 'dirname($_smarty_tpl->source->filepath)';
diff --git a/tests/UnitTests/SecurityTests/SecurityTest.php b/tests/UnitTests/SecurityTests/SecurityTest.php
index 2a4d3e59..bbb8b4e8 100644
--- a/tests/UnitTests/SecurityTests/SecurityTest.php
+++ b/tests/UnitTests/SecurityTests/SecurityTest.php
@@ -382,6 +382,15 @@ class SecurityTest extends PHPUnit_Smarty
         $this->smarty->security_policy->trusted_uri = array();
         $this->assertContains('Preface | Smarty', $this->smarty->fetch('string:{fetch file="https://www.smarty.net/docs/en/preface.tpl"}'));
     }
+
+    /**
+     * In security mode, accessing $smarty.template_object should be illegal.
+     * @expectedException SmartyCompilerException
+     */
+    public function testSmartyTemplateObject() {
+        $this->smarty->display('string:{$smarty.template_object}');
+    }
+
 }
 class mysecuritystaticclass
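Review bot: `expectException` is added as an empty file at the repository root and nothing else in the change refers to it, so it looks like a stray artifact (presumably created by accident on the shell) rather than intended content. It should be dropped from the commit before merge. If it is meant as a fixture, its purpose needs documenting and it belongs under `tests/` rather than the project root.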
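Review bot: The `break` after `$compiler->trigger_template_error(...)` in the new `template_object` branch is only safe if that call always throws; if it ever returns, control falls out of the `switch` into code outside this hunk and the special variable is neither refused nor compiled to a defined value, so the intent deserves a comment such as `// trigger_template_error() throws SmartyCompilerException; break only guards against a non-throwing override`. Because this guard runs at compile time, templates that were already compiled before this change presumably still contain the emitted `$_smarty_tpl` access until they are recompiled, which is worth stating in the CHANGELOG entry (clear the compile directory after upgrading). The message should use single quotes like the neighbouring return strings, `'(secure mode) template_object not permitted'`. The enclosing method starts and ends outside the hunk.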
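Review bot: `@expectedException SmartyCompilerException` in the new `testSmartyTemplateObject` docblock relies on an annotation that PHPUnit deprecated in 8 and removed in 9; the portable form is `$this->expectException(SmartyCompilerException::class);` placed before the call. Using `$this->smarty->fetch(...)` instead of `display(...)` avoids writing to stdout if the exception is ever not raised. The test also depends on a security policy being active in the fixture's setUp, which is outside this hunk; a companion test showing that the variable still compiles with no security policy would pin both sides of the new guard.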