smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-04 02:14:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

- bugfix regarding Security Vulnerability did not solve the problem under Linux

Browse Source
This commit is contained in:
Uwe Tews
2018-04-26 13:02:51 +02:00
parent ac9d4b587e
commit f9ca3c63d1
3 changed files with 25 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
change_log.txt
View File

@@ -1,4 +1,8 @@
===== 3.1.32 ===== (24.04.2018)
===== 3.1.33-dev-1 =====
26.04.2018
- bugfix regarding Security Vulnerability did not solve the problem under Linux.
===== 3.1.32 ===== (24.04.2018)
24.04.2018
- bugfix possible Security Vulnerability in Smarty_Security class.

19
libs/Smarty.class.php
View File

@@ -27,7 +27,7 @@
* @author Uwe Tews <uwe dot tews at gmail dot com>
* @author Rodney Rehm
* @package Smarty
* @version 3.1.32
* @version 3.1.33-dev
*/
/**
* set SMARTY_DIR to absolute path to Smarty library files.
@@ -112,7 +112,7 @@ class Smarty extends Smarty_Internal_TemplateBase
/**
* smarty version
*/
const SMARTY_VERSION = '3.1.32';
const SMARTY_VERSION = '3.1.33-dev-1';
/**
* define variable scopes
*/
@@ -835,7 +835,7 @@ class Smarty extends Smarty_Internal_TemplateBase
$this->plugins_dir = (array)$this->plugins_dir;
}
foreach ($this->plugins_dir as $k => $v) {
$this->plugins_dir[ $k ] = $this->_realpath(rtrim($v, "/\\") . DIRECTORY_SEPARATOR, true);
$this->plugins_dir[ $k ] = $this->_realpath(rtrim($v, '/\\') . DIRECTORY_SEPARATOR, true);
}
$this->_cache[ 'plugin_files' ] = array();
$this->_pluginsDirNormalized = true;
@@ -1043,20 +1043,15 @@ class Smarty extends Smarty_Internal_TemplateBase
public function _realpath($path, $realpath = null)
{
static $nds = null;
static $sepDotsep = null;
static $sepDot = null;
static $sepDotSep = null;
static $sepSep =null;
if (!isset($nds)) {
$nds = array('/' => '\\', '\\' => '/');
$sepDotsep = DIRECTORY_SEPARATOR . '.' . DIRECTORY_SEPARATOR;
$sepDot = DIRECTORY_SEPARATOR . '.';
$sepDotSep = DIRECTORY_SEPARATOR . '.' . DIRECTORY_SEPARATOR;
$sepSep = DIRECTORY_SEPARATOR . DIRECTORY_SEPARATOR;
}
// normalize DIRECTORY_SEPARATOR
$path = str_replace(array($nds[DIRECTORY_SEPARATOR], $sepDotsep), DIRECTORY_SEPARATOR, $path);
if (strpos($path,$sepDot) === false && (($realpath === false && $path[0] === '.') || $realpath === null) && $path[0] !== '\\') {
return $path;
}
$path = str_replace(array($nds[DIRECTORY_SEPARATOR], $sepDotSep), DIRECTORY_SEPARATOR, $path);
preg_match('%^(?<root>(?:[[:alpha:]]:[\\\\]|/|[\\\\]{2}[[:alpha:]]+|[[:print:]]{2,}:[/]{2}|[\\\\])?)(?<path>(.*))$%u',
$path,
$parts);
@@ -1069,7 +1064,7 @@ class Smarty extends Smarty_Internal_TemplateBase
}
}
// remove noop 'DIRECTORY_SEPARATOR DIRECTORY_SEPARATOR' and 'DIRECTORY_SEPARATOR.DIRECTORY_SEPARATOR' patterns
$path = str_replace(array($sepDotsep,$sepSep), DIRECTORY_SEPARATOR, $path);
$path = str_replace(array($sepDotSep,$sepSep), DIRECTORY_SEPARATOR, $path);
// resolve '..DIRECTORY_SEPARATOR' pattern, smallest first
if (strpos($path, '..' . DIRECTORY_SEPARATOR) !== false &&
preg_match_all('#[\\\\/]([.][.][\\\\/])+#u', $path, $match)

32
libs/sysplugins/smarty_security.php
View File

@@ -258,8 +258,6 @@ class Smarty_Security
public function __construct($smarty)
{
$this->smarty = $smarty;
$this->smarty->_cache[ 'template_dir_new' ] = true;
$this->smarty->_cache[ 'config_dir_new' ] = true;
}
/**
@@ -521,20 +519,19 @@ class Smarty_Security
}
$this->_include_path_status = $this->smarty->use_include_path;
}
if ($isConfig !== true) {
$_dir = $this->smarty->getTemplateDir();
if ($this->_template_dir !== $_dir) {
$this->_updateResourceDir($this->_template_dir, $_dir);
$this->_template_dir = $_dir;
}
}
if ($isConfig !== false) {
$_dir = $this->smarty->getConfigDir();
if ($this->_config_dir !== $_dir) {
$this->_updateResourceDir($this->_config_dir, $_dir);
$this->_config_dir = $_dir;
}
}
if ($this->_secure_dir !== $this->secure_dir) {
$this->secure_dir = (array)$this->secure_dir;
foreach($this->secure_dir as $k => $d) {
@@ -597,7 +594,7 @@ class Smarty_Security
$this->_trusted_dir = $this->trusted_dir;
foreach ((array) $this->trusted_dir as $directory) {
$directory = $this->smarty->_realpath($directory . DIRECTORY_SEPARATOR, true);
$directory = $this->smarty->_realpath($directory . '/', true);
$this->_php_resource_dir[ $directory ] = true;
}
}
@@ -616,7 +613,7 @@ class Smarty_Security
*/
private function _updateResourceDir($oldDir, $newDir) {
foreach ($oldDir as $directory) {
$directory = $this->smarty->_realpath($directory, true);
// $directory = $this->smarty->_realpath($directory, true);
$length = strlen($directory);
foreach ($this->_resource_dir as $dir) {
if (substr($dir, 0,$length) === $directory) {
@@ -625,7 +622,7 @@ class Smarty_Security
}
}
foreach ($newDir as $directory) {
$directory = $this->smarty->_realpath($directory, true);
// $directory = $this->smarty->_realpath($directory, true);
$this->_resource_dir[ $directory ] = true;
}
}
@@ -640,12 +637,7 @@ class Smarty_Security
*/
private function _checkDir($filepath, $dirs)
{
$directory = dirname($filepath) . DIRECTORY_SEPARATOR;
if (isset($dirs[ $directory ])) {
return false;
}
$filepath = $this->smarty->_realpath($filepath, true);
$directory = dirname($filepath) . DIRECTORY_SEPARATOR;
$directory = dirname($this->smarty->_realpath($filepath, true)) . DIRECTORY_SEPARATOR;
$_directory = array();
while (true) {
// test if the directory is trusted
@@ -653,17 +645,15 @@ class Smarty_Security
return $_directory;
}
// abort if we've reached root
if (!preg_match('#[\\\/][^\\\/]+[\\\/]$#', $directory)) {
break;
if (!preg_match('#[\\\\/][^\\\\/]+[\\\\/]$#', $directory)) {
// give up
throw new SmartyException(sprintf('Smarty Security: not trusted file path \'%s\' ',$filepath));
}
// remember the directory to add it to _resource_dir in case we're successful
$_directory[ $directory ] = true;
// bubble up one level
$directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', DIRECTORY_SEPARATOR, $directory);
$directory = preg_replace('#[\\\\/][^\\\\/]+[\\\\/]$#', '/', $directory);
}
// give up
throw new SmartyException("directory '{$filepath}' not allowed by security setting");
}
/**