From 6463519a6c05e614158d00d59df906433e869da3 Mon Sep 17 00:00:00 2001
From: Simon Wisselink
Date: Sun, 24 Jan 2021 23:13:26 +0100
Subject: [PATCH 1/4] Prevent access to .template_object when in security mode to prevent PHP code injection vulnerability

---
 CHANGELOG.md                                             | 3 +++
 .../smarty_internal_compile_private_special_variable.php | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 06b89822..c26136bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+- Prevent access to `$smarty.template_object` in Security mode
+
 ## [3.1.38] - 2021-01-08
 
 ### Fixed
diff --git a/libs/sysplugins/smarty_internal_compile_private_special_variable.php b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
index de7d4a22..d53ef51f 100644
--- a/libs/sysplugins/smarty_internal_compile_private_special_variable.php
+++ b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
@@ -81,6 +81,10 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
             case 'template':
                 return 'basename($_smarty_tpl->source->filepath)';
             case 'template_object':
+                if (isset($compiler->smarty->security_policy)) {
+                    $compiler->trigger_template_error("(secure mode) template_object not permitted");
+                    break;
+                }
                 return '$_smarty_tpl';
             case 'current_dir':
                 return 'dirname($_smarty_tpl->source->filepath)';

From 288a54f6b0194121efa49f0aa9d70eb3ff439370 Mon Sep 17 00:00:00 2001
From: Simon Wisselink
Date: Sun, 24 Jan 2021 23:52:45 +0100
Subject: [PATCH 2/4] Add unit test

---
 tests/UnitTests/SecurityTests/SecurityTest.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/UnitTests/SecurityTests/SecurityTest.php b/tests/UnitTests/SecurityTests/SecurityTest.php
index 2a4d3e59..4af37e16 100644
--- a/tests/UnitTests/SecurityTests/SecurityTest.php
+++ b/tests/UnitTests/SecurityTests/SecurityTest.php
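Review bot: The new guard in the `'template_object'` case is fail-closed only because `trigger_template_error()` is expected to throw (the unit test added in the next patch expects a `SmartyCompilerException`); the `break` after it is reached only if that call returns, and then control leaves the switch into code outside this hunk, so the compiled output on that path is not decided by the lines shown. A short comment would make that contract explicit for the next maintainer, e.g. `// trigger_template_error() throws; the break is only a safety net if it ever returns`. The message literal has no interpolation, so single quotes would match PHP convention: `'(secure mode) template_object not permitted'`. The enclosing method starts and ends outside the hunk.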
@@ -382,6 +382,15 @@ class SecurityTest extends PHPUnit_Smarty
         $this->smarty->security_policy->trusted_uri = array();
         $this->assertContains('Preface | Smarty', $this->smarty->fetch('string:{fetch file="https://www.smarty.net/docs/en/preface.tpl"}'));
     }
+
+    /**
+     * In security mode, accessing $smarty.template_object should be illegal.
+     */
+    public function testSmartyTemplateObject() {
+        $this->expectException(SmartyCompilerException::class);
+        $this->smarty->display('string:{$smarty.template_object}');
+    }
+
 }
 
 class mysecuritystaticclass

From 8fc66e27a7566e0ecba77ee2412406dc2154ce4b Mon Sep 17 00:00:00 2001
From: Simon Wisselink
Date: Mon, 1 Feb 2021 10:33:00 +0100
Subject: [PATCH 3/4] Cannot use in Smarty3 yet, revert to @expectedException

---
 expectException                                | 0
 tests/UnitTests/SecurityTests/SecurityTest.php | 4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)
 create mode 100644 expectException

diff --git a/expectException b/expectException
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/UnitTests/SecurityTests/SecurityTest.php b/tests/UnitTests/SecurityTests/SecurityTest.php
index 4af37e16..bbb8b4e8 100644
--- a/tests/UnitTests/SecurityTests/SecurityTest.php
+++ b/tests/UnitTests/SecurityTests/SecurityTest.php
@@ -385,10 +385,10 @@ class SecurityTest extends PHPUnit_Smarty
 
     /**
      * In security mode, accessing $smarty.template_object should be illegal.
+     * @expectedException SmartyCompilerException
      */
     public function testSmartyTemplateObject() {
-        $this->expectException(SmartyCompilerException::class);
-        $this->smarty->display('string:{$smarty.template_object}');
+        $this->smarty->display('string:{$smarty.template_object}');
     }
 
 }

From 74cab5a56b3ced14c282fc6b5fc1ce248d3a7dda Mon Sep 17 00:00:00 2001
From: Simon Wisselink
Date: Wed, 17 Feb 2021 22:30:35 +0100
Subject: [PATCH 4/4] updated changelog header to security

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

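Review bot: `testSmartyTemplateObject()` drives the template through `display()`, which echoes to stdout if the expected exception is not raised; the neighbouring test uses `fetch()`, and `$this->smarty->fetch('string:{$smarty.template_object}');` would keep failure output clean and match the file's existing style. The test also relies on a security policy already being active on `$this->smarty` — the preceding test reads `$this->smarty->security_policy`, so presumably setUp enables it — and a one-line comment in the docblock stating that precondition would make the test self-explanatory. The opening brace on the `public function testSmartyTemplateObject() {` line departs from PSR-12's next-line convention, though it may follow the rest of this file.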
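Review bot: This commit also adds an empty file `expectException` at the repository root (`create mode 100644 expectException`, `index 00000000..e69de29b`), which looks like an accidental shell redirect rather than an intended artifact and should be dropped before merging. In the SecurityTest hunk the `$this->smarty->display('string:{$smarty.template_object}');` line is removed and re-added with identical visible text, so the change is presumably whitespace-only; worth confirming it is not a stray indentation or tab edit. Since the `@expectedException` annotation is deprecated in newer PHPUnit releases, a brief docblock note such as `* (annotation form kept for the PHPUnit version Smarty 3 supports)` would help whoever migrates back to `expectException()` later.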
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c26136bc..3e607e35 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Fixed
+### Security
 - Prevent access to `$smarty.template_object` in Security mode
 
 ## [3.1.38] - 2021-01-08