- bugfix regarding Security Vulnerability did not solve the problem under Linux

2025-08-04 02:14:26 +02:00 · 2018-04-26 13:02:51 +02:00
parent ac9d4b587e
commit f9ca3c63d1
3 changed files with 25 additions and 36 deletions
--- a/change_log.txt
+++ b/change_log.txt
@@ -1,4 +1,8 @@
-===== 3.1.32 ===== (24.04.2018)
+===== 3.1.33-dev-1 =====
+26.04.2018
+ - bugfix  regarding Security Vulnerability did not solve the problem under Linux.
+
+===== 3.1.32 ===== (24.04.2018)
 24.04.2018
 - bugfix  possible Security Vulnerability in Smarty_Security class.

--- a/libs/Smarty.class.php
+++ b/libs/Smarty.class.php
@@ -27,7 +27,7 @@
 * @author    Uwe Tews   <uwe dot tews at gmail dot com>
 * @author    Rodney Rehm
 * @package   Smarty
- * @version   3.1.32
+ * @version   3.1.33-dev
 */
 /**
 * set SMARTY_DIR to absolute path to Smarty library files.
@@ -112,7 +112,7 @@ class Smarty extends Smarty_Internal_TemplateBase
    /**
     * smarty version
     */
-    const SMARTY_VERSION = '3.1.32';
+    const SMARTY_VERSION = '3.1.33-dev-1';
    /**
     * define variable scopes
     */
@@ -835,7 +835,7 @@ class Smarty extends Smarty_Internal_TemplateBase
                $this->plugins_dir = (array)$this->plugins_dir;
            }
            foreach ($this->plugins_dir as $k => $v) {
-                $this->plugins_dir[ $k ] = $this->_realpath(rtrim($v, "/\\") . DIRECTORY_SEPARATOR, true);
+                $this->plugins_dir[ $k ] = $this->_realpath(rtrim($v, '/\\') . DIRECTORY_SEPARATOR, true);
            }
            $this->_cache[ 'plugin_files' ] = array();
            $this->_pluginsDirNormalized = true;
@@ -1043,20 +1043,15 @@ class Smarty extends Smarty_Internal_TemplateBase
    public function _realpath($path, $realpath = null)
    {
        static $nds = null;
-        static $sepDotsep = null;
-        static $sepDot = null;
-        static $sepSep =null;
+        static $sepDotSep = null;
+         static $sepSep =null;
        if (!isset($nds)) {
            $nds = array('/' => '\\', '\\' => '/');
-            $sepDotsep = DIRECTORY_SEPARATOR . '.' . DIRECTORY_SEPARATOR;
-            $sepDot = DIRECTORY_SEPARATOR . '.';
+            $sepDotSep = DIRECTORY_SEPARATOR . '.' . DIRECTORY_SEPARATOR;
            $sepSep = DIRECTORY_SEPARATOR . DIRECTORY_SEPARATOR;
        }
        // normalize DIRECTORY_SEPARATOR
-        $path = str_replace(array($nds[DIRECTORY_SEPARATOR], $sepDotsep), DIRECTORY_SEPARATOR, $path);
-        if (strpos($path,$sepDot) === false && (($realpath === false && $path[0] === '.') || $realpath === null) && $path[0] !== '\\') {
-            return $path;
-        }
+        $path = str_replace(array($nds[DIRECTORY_SEPARATOR], $sepDotSep), DIRECTORY_SEPARATOR, $path);
        preg_match('%^(?<root>(?:[[:alpha:]]:[\\\\]|/|[\\\\]{2}[[:alpha:]]+|[[:print:]]{2,}:[/]{2}|[\\\\])?)(?<path>(.*))$%u',
                   $path,
                   $parts);
@@ -1069,7 +1064,7 @@ class Smarty extends Smarty_Internal_TemplateBase
            }
        }
       // remove noop 'DIRECTORY_SEPARATOR DIRECTORY_SEPARATOR' and 'DIRECTORY_SEPARATOR.DIRECTORY_SEPARATOR' patterns
-        $path = str_replace(array($sepDotsep,$sepSep), DIRECTORY_SEPARATOR, $path);
+        $path = str_replace(array($sepDotSep,$sepSep), DIRECTORY_SEPARATOR, $path);
        // resolve '..DIRECTORY_SEPARATOR' pattern, smallest first
        if (strpos($path, '..' . DIRECTORY_SEPARATOR) !== false &&
            preg_match_all('#[\\\\/]([.][.][\\\\/])+#u', $path, $match)
--- a/libs/sysplugins/smarty_security.php
+++ b/libs/sysplugins/smarty_security.php
@@ -258,8 +258,6 @@ class Smarty_Security
    public function __construct($smarty)
    {
        $this->smarty = $smarty;
-        $this->smarty->_cache[ 'template_dir_new' ] = true;
-        $this->smarty->_cache[ 'config_dir_new' ] = true;
    }

    /**
@@ -521,24 +519,23 @@ class Smarty_Security
            }
            $this->_include_path_status = $this->smarty->use_include_path;
        }
-        if ($isConfig !== true) {
+
            $_dir = $this->smarty->getTemplateDir();
            if ($this->_template_dir !== $_dir) {
                $this->_updateResourceDir($this->_template_dir, $_dir);
                $this->_template_dir = $_dir;
            }
-        }
-        if ($isConfig !== false) {
+
            $_dir = $this->smarty->getConfigDir();
            if ($this->_config_dir !== $_dir) {
                $this->_updateResourceDir($this->_config_dir, $_dir);
                $this->_config_dir = $_dir;
            }
-        }
+
        if ($this->_secure_dir !== $this->secure_dir) {
            $this->secure_dir = (array)$this->secure_dir;
            foreach($this->secure_dir as $k => $d) {
-                $this->secure_dir[$k] = $this->smarty->_realpath($d.DIRECTORY_SEPARATOR,true);
+                $this->secure_dir[$k] = $this->smarty->_realpath($d. DIRECTORY_SEPARATOR,true);
            }
            $this->_updateResourceDir($this->_secure_dir, $this->secure_dir);
            $this->_secure_dir = $this->secure_dir;
@@ -597,7 +594,7 @@ class Smarty_Security

            $this->_trusted_dir = $this->trusted_dir;
            foreach ((array) $this->trusted_dir as $directory) {
-                $directory = $this->smarty->_realpath($directory . DIRECTORY_SEPARATOR, true);
+                $directory = $this->smarty->_realpath($directory . '/', true);
                $this->_php_resource_dir[ $directory ] = true;
            }
        }
@@ -616,7 +613,7 @@ class Smarty_Security
     */
    private function _updateResourceDir($oldDir, $newDir) {
        foreach ($oldDir as $directory) {
-            $directory = $this->smarty->_realpath($directory, true);
+ //           $directory = $this->smarty->_realpath($directory, true);
            $length = strlen($directory);
            foreach ($this->_resource_dir as $dir) {
                if (substr($dir, 0,$length) === $directory) {
@@ -625,7 +622,7 @@ class Smarty_Security
            }
        }
        foreach ($newDir as $directory) {
-            $directory = $this->smarty->_realpath($directory, true);
+ //           $directory = $this->smarty->_realpath($directory, true);
            $this->_resource_dir[ $directory ] = true;
        }
    }
@@ -640,12 +637,7 @@ class Smarty_Security
     */
    private function _checkDir($filepath, $dirs)
    {
-        $directory = dirname($filepath) . DIRECTORY_SEPARATOR;
-        if (isset($dirs[ $directory ])) {
-            return false;
-        }
-        $filepath = $this->smarty->_realpath($filepath, true);
-        $directory = dirname($filepath) . DIRECTORY_SEPARATOR;
+        $directory = dirname($this->smarty->_realpath($filepath, true)) . DIRECTORY_SEPARATOR;
        $_directory = array();
        while (true) {
             // test if the directory is trusted
@@ -653,17 +645,15 @@ class Smarty_Security
               return $_directory;
            }
            // abort if we've reached root
-            if (!preg_match('#[\\\/][^\\\/]+[\\\/]$#', $directory)) {
-                break;
+            if (!preg_match('#[\\\\/][^\\\\/]+[\\\\/]$#', $directory)) {
+                // give up
+                throw new SmartyException(sprintf('Smarty Security: not trusted file path \'%s\' ',$filepath));
            }
            // remember the directory to add it to _resource_dir in case we're successful
            $_directory[ $directory ] = true;
           // bubble up one level
-            $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', DIRECTORY_SEPARATOR, $directory);
+            $directory = preg_replace('#[\\\\/][^\\\\/]+[\\\\/]$#', '/', $directory);
        }
-
-        // give up
-        throw new SmartyException("directory '{$filepath}' not allowed by security setting");
    }

    /**