mirror of
https://github.com/smarty-php/smarty.git
synced 2025-08-04 02:14:26 +02:00
- bugfix regarding Security Vulnerability did not solve the problem under Linux
This commit is contained in:
Uwe Tews
@@ -1,4 +1,8 @@
|
|||||||
===== 3.1.32 ===== (24.04.2018)
|
===== 3.1.33-dev-1 =====
|
||||||
|
26.04.2018
|
||||||
|
- bugfix regarding Security Vulnerability did not solve the problem under Linux.
|
||||||
|
|
||||||
|
===== 3.1.32 ===== (24.04.2018)
|
||||||
24.04.2018
|
24.04.2018
|
||||||
- bugfix possible Security Vulnerability in Smarty_Security class.
|
- bugfix possible Security Vulnerability in Smarty_Security class.
|
||||||
|
|
||||||
|
|||||||
@@ -27,7 +27,7 @@
|
|||||||
* @author Uwe Tews <uwe dot tews at gmail dot com>
|
* @author Uwe Tews <uwe dot tews at gmail dot com>
|
||||||
* @author Rodney Rehm
|
* @author Rodney Rehm
|
||||||
* @package Smarty
|
* @package Smarty
|
||||||
* @version 3.1.32
|
* @version 3.1.33-dev
|
||||||
*/
|
*/
|
||||||
/**
|
/**
|
||||||
* set SMARTY_DIR to absolute path to Smarty library files.
|
* set SMARTY_DIR to absolute path to Smarty library files.
|
||||||
@@ -112,7 +112,7 @@ class Smarty extends Smarty_Internal_TemplateBase
|
|||||||
/**
|
/**
|
||||||
* smarty version
|
* smarty version
|
||||||
*/
|
*/
|
||||||
const SMARTY_VERSION = '3.1.32';
|
const SMARTY_VERSION = '3.1.33-dev-1';
|
||||||
/**
|
/**
|
||||||
* define variable scopes
|
* define variable scopes
|
||||||
*/
|
*/
|
||||||
@@ -835,7 +835,7 @@ class Smarty extends Smarty_Internal_TemplateBase
|
|||||||
$this->plugins_dir = (array)$this->plugins_dir;
|
$this->plugins_dir = (array)$this->plugins_dir;
|
||||||
}
|
}
|
||||||
foreach ($this->plugins_dir as $k => $v) {
|
foreach ($this->plugins_dir as $k => $v) {
|
||||||
$this->plugins_dir[ $k ] = $this->_realpath(rtrim($v, "/\\") . DIRECTORY_SEPARATOR, true);
|
$this->plugins_dir[ $k ] = $this->_realpath(rtrim($v, '/\\') . DIRECTORY_SEPARATOR, true);
|
||||||
}
|
}
|
||||||
$this->_cache[ 'plugin_files' ] = array();
|
$this->_cache[ 'plugin_files' ] = array();
|
||||||
$this->_pluginsDirNormalized = true;
|
$this->_pluginsDirNormalized = true;
|
||||||
@@ -1043,20 +1043,15 @@ class Smarty extends Smarty_Internal_TemplateBase
|
|||||||
public function _realpath($path, $realpath = null)
|
public function _realpath($path, $realpath = null)
|
||||||
{
|
{
|
||||||
static $nds = null;
|
static $nds = null;
|
||||||
static $sepDotsep = null;
|
static $sepDotSep = null;
|
||||||
static $sepDot = null;
|
|
||||||
static $sepSep =null;
|
static $sepSep =null;
|
||||||
if (!isset($nds)) {
|
if (!isset($nds)) {
|
||||||
$nds = array('/' => '\\', '\\' => '/');
|
$nds = array('/' => '\\', '\\' => '/');
|
||||||
$sepDotsep = DIRECTORY_SEPARATOR . '.' . DIRECTORY_SEPARATOR;
|
$sepDotSep = DIRECTORY_SEPARATOR . '.' . DIRECTORY_SEPARATOR;
|
||||||
$sepDot = DIRECTORY_SEPARATOR . '.';
|
|
||||||
$sepSep = DIRECTORY_SEPARATOR . DIRECTORY_SEPARATOR;
|
$sepSep = DIRECTORY_SEPARATOR . DIRECTORY_SEPARATOR;
|
||||||
}
|
}
|
||||||
// normalize DIRECTORY_SEPARATOR
|
// normalize DIRECTORY_SEPARATOR
|
||||||
$path = str_replace(array($nds[DIRECTORY_SEPARATOR], $sepDotsep), DIRECTORY_SEPARATOR, $path);
|
$path = str_replace(array($nds[DIRECTORY_SEPARATOR], $sepDotSep), DIRECTORY_SEPARATOR, $path);
|
||||||
if (strpos($path,$sepDot) === false && (($realpath === false && $path[0] === '.') || $realpath === null) && $path[0] !== '\\') {
|
|
||||||
return $path;
|
|
||||||
}
|
|
||||||
preg_match('%^(?<root>(?:[[:alpha:]]:[\\\\]|/|[\\\\]{2}[[:alpha:]]+|[[:print:]]{2,}:[/]{2}|[\\\\])?)(?<path>(.*))$%u',
|
preg_match('%^(?<root>(?:[[:alpha:]]:[\\\\]|/|[\\\\]{2}[[:alpha:]]+|[[:print:]]{2,}:[/]{2}|[\\\\])?)(?<path>(.*))$%u',
|
||||||
$path,
|
$path,
|
||||||
$parts);
|
$parts);
|
||||||
@@ -1069,7 +1064,7 @@ class Smarty extends Smarty_Internal_TemplateBase
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// remove noop 'DIRECTORY_SEPARATOR DIRECTORY_SEPARATOR' and 'DIRECTORY_SEPARATOR.DIRECTORY_SEPARATOR' patterns
|
// remove noop 'DIRECTORY_SEPARATOR DIRECTORY_SEPARATOR' and 'DIRECTORY_SEPARATOR.DIRECTORY_SEPARATOR' patterns
|
||||||
$path = str_replace(array($sepDotsep,$sepSep), DIRECTORY_SEPARATOR, $path);
|
$path = str_replace(array($sepDotSep,$sepSep), DIRECTORY_SEPARATOR, $path);
|
||||||
// resolve '..DIRECTORY_SEPARATOR' pattern, smallest first
|
// resolve '..DIRECTORY_SEPARATOR' pattern, smallest first
|
||||||
if (strpos($path, '..' . DIRECTORY_SEPARATOR) !== false &&
|
if (strpos($path, '..' . DIRECTORY_SEPARATOR) !== false &&
|
||||||
preg_match_all('#[\\\\/]([.][.][\\\\/])+#u', $path, $match)
|
preg_match_all('#[\\\\/]([.][.][\\\\/])+#u', $path, $match)
|
||||||
|
|||||||
@@ -258,8 +258,6 @@ class Smarty_Security
|
|||||||
public function __construct($smarty)
|
public function __construct($smarty)
|
||||||
{
|
{
|
||||||
$this->smarty = $smarty;
|
$this->smarty = $smarty;
|
||||||
$this->smarty->_cache[ 'template_dir_new' ] = true;
|
|
||||||
$this->smarty->_cache[ 'config_dir_new' ] = true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -521,20 +519,19 @@ class Smarty_Security
|
|||||||
}
|
}
|
||||||
$this->_include_path_status = $this->smarty->use_include_path;
|
$this->_include_path_status = $this->smarty->use_include_path;
|
||||||
}
|
}
|
||||||
if ($isConfig !== true) {
|
|
||||||
$_dir = $this->smarty->getTemplateDir();
|
$_dir = $this->smarty->getTemplateDir();
|
||||||
if ($this->_template_dir !== $_dir) {
|
if ($this->_template_dir !== $_dir) {
|
||||||
$this->_updateResourceDir($this->_template_dir, $_dir);
|
$this->_updateResourceDir($this->_template_dir, $_dir);
|
||||||
$this->_template_dir = $_dir;
|
$this->_template_dir = $_dir;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
if ($isConfig !== false) {
|
|
||||||
$_dir = $this->smarty->getConfigDir();
|
$_dir = $this->smarty->getConfigDir();
|
||||||
if ($this->_config_dir !== $_dir) {
|
if ($this->_config_dir !== $_dir) {
|
||||||
$this->_updateResourceDir($this->_config_dir, $_dir);
|
$this->_updateResourceDir($this->_config_dir, $_dir);
|
||||||
$this->_config_dir = $_dir;
|
$this->_config_dir = $_dir;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
if ($this->_secure_dir !== $this->secure_dir) {
|
if ($this->_secure_dir !== $this->secure_dir) {
|
||||||
$this->secure_dir = (array)$this->secure_dir;
|
$this->secure_dir = (array)$this->secure_dir;
|
||||||
foreach($this->secure_dir as $k => $d) {
|
foreach($this->secure_dir as $k => $d) {
|
||||||
@@ -597,7 +594,7 @@ class Smarty_Security
|
|||||||
|
|
||||||
$this->_trusted_dir = $this->trusted_dir;
|
$this->_trusted_dir = $this->trusted_dir;
|
||||||
foreach ((array) $this->trusted_dir as $directory) {
|
foreach ((array) $this->trusted_dir as $directory) {
|
||||||
$directory = $this->smarty->_realpath($directory . DIRECTORY_SEPARATOR, true);
|
$directory = $this->smarty->_realpath($directory . '/', true);
|
||||||
$this->_php_resource_dir[ $directory ] = true;
|
$this->_php_resource_dir[ $directory ] = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -616,7 +613,7 @@ class Smarty_Security
|
|||||||
*/
|
*/
|
||||||
private function _updateResourceDir($oldDir, $newDir) {
|
private function _updateResourceDir($oldDir, $newDir) {
|
||||||
foreach ($oldDir as $directory) {
|
foreach ($oldDir as $directory) {
|
||||||
$directory = $this->smarty->_realpath($directory, true);
|
// $directory = $this->smarty->_realpath($directory, true);
|
||||||
$length = strlen($directory);
|
$length = strlen($directory);
|
||||||
foreach ($this->_resource_dir as $dir) {
|
foreach ($this->_resource_dir as $dir) {
|
||||||
if (substr($dir, 0,$length) === $directory) {
|
if (substr($dir, 0,$length) === $directory) {
|
||||||
@@ -625,7 +622,7 @@ class Smarty_Security
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
foreach ($newDir as $directory) {
|
foreach ($newDir as $directory) {
|
||||||
$directory = $this->smarty->_realpath($directory, true);
|
// $directory = $this->smarty->_realpath($directory, true);
|
||||||
$this->_resource_dir[ $directory ] = true;
|
$this->_resource_dir[ $directory ] = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -640,12 +637,7 @@ class Smarty_Security
|
|||||||
*/
|
*/
|
||||||
private function _checkDir($filepath, $dirs)
|
private function _checkDir($filepath, $dirs)
|
||||||
{
|
{
|
||||||
$directory = dirname($filepath) . DIRECTORY_SEPARATOR;
|
$directory = dirname($this->smarty->_realpath($filepath, true)) . DIRECTORY_SEPARATOR;
|
||||||
if (isset($dirs[ $directory ])) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
$filepath = $this->smarty->_realpath($filepath, true);
|
|
||||||
$directory = dirname($filepath) . DIRECTORY_SEPARATOR;
|
|
||||||
$_directory = array();
|
$_directory = array();
|
||||||
while (true) {
|
while (true) {
|
||||||
// test if the directory is trusted
|
// test if the directory is trusted
|
||||||
@@ -653,17 +645,15 @@ class Smarty_Security
|
|||||||
return $_directory;
|
return $_directory;
|
||||||
}
|
}
|
||||||
// abort if we've reached root
|
// abort if we've reached root
|
||||||
if (!preg_match('#[\\\/][^\\\/]+[\\\/]$#', $directory)) {
|
if (!preg_match('#[\\\\/][^\\\\/]+[\\\\/]$#', $directory)) {
|
||||||
break;
|
// give up
|
||||||
|
throw new SmartyException(sprintf('Smarty Security: not trusted file path \'%s\' ',$filepath));
|
||||||
}
|
}
|
||||||
// remember the directory to add it to _resource_dir in case we're successful
|
// remember the directory to add it to _resource_dir in case we're successful
|
||||||
$_directory[ $directory ] = true;
|
$_directory[ $directory ] = true;
|
||||||
// bubble up one level
|
// bubble up one level
|
||||||
$directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', DIRECTORY_SEPARATOR, $directory);
|
$directory = preg_replace('#[\\\\/][^\\\\/]+[\\\\/]$#', '/', $directory);
|
||||||
}
|
}
|
||||||
|
|
||||||
// give up
|
|
||||||
throw new SmartyException("directory '{$filepath}' not allowed by security setting");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
Reference in New Issue
Block a user