Commit Graph

65 Commits

Author SHA1 Message Date
Simon Wisselink 1bca68beec Fix TypeError for non-array static_classes in Security policy 2026-06-29 12:34:58 +02:00
Simon Wisselink 3c9f77a2e0 Security: validate nested stream wrapper in stream: resource (CWE-22) (#1195)
The built-in stream: resource type let a template bypass Security stream
restrictions. BasePlugin::load() matches the 'stream' sysplugin before the
stream_get_wrappers()/isTrustedStream() check, so a resource such as
stream:php://filter/read=convert.base64-encode/resource=/path was opened by
StreamPlugin::getContent() via fopen() on the nested php:// wrapper without
ever validating it. This bypassed Security::$streams (including
Security::$streams = null) and allowed reading arbitrary local files.

Parse the wrapper scheme from the resolved path in StreamPlugin::getContent()
and validate it with Security::isTrustedStream() before fopen(), giving the
stream: resource the same check the direct wrapper path already receives.

Adds regression tests covering the disabled-streams bypass, the
not-on-allowlist case, and a positive test that an explicitly allowed wrapper
still works.
2026-06-29 11:47:32 +02:00
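A standalone illustration of the check this commit describes, added here and not taken from Smarty itself: parse the wrapper scheme from the resolved path and validate it against the stream policy before anything is opened. The function and class names (streamScheme, assertTrustedStream, openTrustedStream, StreamPolicyViolation) are assumptions, and the input is expected in the already-resolved "scheme://path" form.

```php
<?php
// Added example, not Smarty's own code: give a "stream:" resource the same
// wrapper check that a direct wrapper path receives, before fopen() is ever
// reached. Function and class names are assumed for illustration.

class StreamPolicyViolation extends RuntimeException {}

/** Wrapper scheme of $resource ("php" for "php://filter/..."), or null if none. */
function streamScheme(string $resource): ?string
{
    return preg_match('~^([a-z][a-z0-9+.\-]*)://~i', $resource, $m)
        ? strtolower($m[1]) : null;
}

/**
 * $allowedStreams mirrors Security::$streams: null disables every wrapper,
 * an array is an allowlist of scheme names (e.g. ['data']).
 */
function assertTrustedStream(string $resource, ?array $allowedStreams): void
{
    $scheme = streamScheme($resource);
    if ($scheme === null) {
        throw new StreamPolicyViolation("'$resource' carries no stream wrapper scheme");
    }
    if ($allowedStreams === null || !in_array($scheme, $allowedStreams, true)) {
        throw new StreamPolicyViolation("stream '$scheme' not allowed by security setting");
    }
}

/** Validate first, open second: the nested wrapper never reaches fopen() unchecked. */
function openTrustedStream(string $resource, ?array $allowedStreams)
{
    assertTrustedStream($resource, $allowedStreams);
    return fopen($resource, 'rb');
}

// Constructed input: a php://filter chain nested inside a stream: resource.
$nested = 'php://filter/read=convert.base64-encode/resource=/tmp/example.txt';
foreach ([null, ['data'], ['php']] as $policy) {
    try {
        assertTrustedStream($nested, $policy);
        echo 'allowed under ', json_encode($policy), "\n";
    } catch (StreamPolicyViolation $e) {
        echo 'rejected under ', json_encode($policy), ': ', $e->getMessage(), "\n";
    }
}
```

The disabled-streams policy (null) and the allowlist without "php" both reject the nested wrapper; only an explicit allowlist entry lets it through, which is the positive case the commit's tests cover.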
Simon Wisselink 1830aa7a12 version bump 2026-06-29 00:15:07 +02:00
Simon Wisselink ac27e1e5b6 fixed a regression from #1189 where a child template's block override no longer applied to a template {include}d by the parent
Fixes #1192
2026-06-29 00:12:45 +02:00
Simon Wisselink 75a738ad44 version bump 2026-06-24 10:04:39 +02:00
Simon Wisselink 11e69eca68 Security: escape value-context attributes in html_image/html_select_date (CWE-79)
{html_image} already escaped alt and pass-through attributes, but emitted
file, path_prefix, href/link, width and height raw, letting an untrusted
value break out of the generated tag. Escape these at output time; the
unescaped values are still used for getimagesize()/DPI math. Escaping uses
htmlspecialchars with double_encode=false, so existing entities and values
like "100%" are preserved (no BC break for legitimate values).

{html_select_date} treated day_size/month_size/year_size as strings and
emitted them raw into size="…"; cast them to int to match
{html_select_time} and close the breakout.

The remaining flagged parameters (mailto extra; html_table *_attr/
trailpad/caption/loop; html_radios/html_checkboxes separator;
html_select_* *_extra/field_separator and the unrecognised-attribute
pass-through) intentionally emit raw markup as documented, so escaping
them would break backwards compatibility. Add a security note to those
docs pages instead, telling authors to escape untrusted values themselves.

Adds tests for html_image escaping (incl. benign-value/no-double-encode
checks) and the html_select_date size cast.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 00:48:01 +02:00
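An added illustration of the two escaping changes above, not code from Smarty: value-context attributes are escaped at output time with double_encode=false, and a numeric size attribute is cast to int. The function names (escapeAttr, imgTag, sizeAttr) are assumptions.

```php
<?php
// Added example, not Smarty's own code: escape value-context attributes at
// output time with double_encode=false, and cast a numeric size attribute to
// int. Function names are assumed for illustration.

/** Escape a value that lands inside a double-quoted HTML attribute. */
function escapeAttr(string $value): string
{
    // double_encode=false leaves an existing "&amp;" untouched, so a value
    // that is already escaped is not turned into "&amp;amp;" (no BC break).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

/**
 * Emit an <img> tag. The raw $file is what getimagesize()/DPI math would
 * work with; escaping is applied only where the value is written into markup.
 */
function imgTag(string $file, string $width, string $height, string $alt): string
{
    return '<img src="' . escapeAttr($file) . '" alt="' . escapeAttr($alt)
        . '" width="' . escapeAttr($width) . '" height="' . escapeAttr($height) . '" />';
}

/** Numeric attributes such as size="..." are cast, which strips anything after the digits. */
function sizeAttr($size): string
{
    return 'size="' . (int) $size . '"';
}

// Constructed inputs: a benign pre-escaped query string, a percentage width,
// and values that try to close the attribute early with a double quote.
echo imgTag('logo.png?a=1&amp;b=2', '100%', '50', 'Company "logo"'), "\n";
echo imgTag('x.png" data-injected="1', '10', '10', 'x'), "\n";
echo sizeAttr('3" data-injected="1'), "\n";
```

In the first tag the &amp; and the 100% survive byte for byte; in the second and third the stray quote is emitted as &quot; or dropped by the int cast, so it can no longer terminate the attribute.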
Simon Wisselink 31e06fc087 Security: stop {fetch} from following redirects past trusted_uri (CWE-918)
{fetch} validates the requested URL with Security::isTrustedUri(), but
for non-http schemes (e.g. https) it reads the resource via
file_get_contents(), which follows redirects by default. An open redirect
on an otherwise trusted host could therefore be used to reach a
non-trusted, internal target, bypassing the trusted_uri policy (SSRF).

When a security policy is active, pass a stream context that disables
redirect-following (follow_location => 0, max_redirects => 1) to
file_get_contents() for remote resources. Behavior is unchanged when no
security policy is set, since there is no trusted_uri to bypass.

Adds a regression test using a custom stream wrapper that captures the
context {fetch} passes to file_get_contents, plus a backwards-compat test
for the no-security-policy case.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 00:21:12 +02:00
Simon Wisselink 99c048ce7a Security: prevent symlink path traversal out of secure_dir (CWE-22)
Security::_checkDir() validated file access using Smarty::_realpath(),
which only normalizes paths as strings and never follows symlinks. A
symlink placed inside a trusted secure_dir/template directory therefore
passed the trust check while file_get_contents() followed it to an
arbitrary file (e.g. /etc/passwd), affecting {include} and {fetch} of
local files.

Resolve the requested file with native realpath() and re-validate the
canonical, symlink-free path against the trusted directories. The trusted
directories are canonicalized the same way so legitimate symlinked
deployment paths (e.g. a Capistrano "current" release symlink, or macOS'
/var -> /private/var) keep working. Falls back to string normalization
only when the file does not yet exist on disk.

Adds regression tests covering both the rejected escape and an allowed
in-sandbox symlink, and documents the changelog convention in AGENTS.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 00:15:19 +02:00
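A self-contained version of the canonical-path check this commit describes, added here rather than taken from Smarty's Security class: the requested file and the trusted directories are both resolved with native realpath(), with a string-normalisation fallback only for files that do not exist on disk yet. The function names (normalizePath, canonical, isInsideTrustedDir) are assumptions, and the sandbox it builds under the system temp directory is constructed for the demo.

```php
<?php
// Added example, not Smarty's own code: validate a requested file against the
// trusted directories by its canonical, symlink-resolved path, falling back to
// string normalisation only when the file does not exist. Absolute paths assumed.

/** Collapse "." and ".." segments as strings, without touching the disk. */
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($parts); continue; }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

/** realpath() follows symlinks and returns false for files that do not exist yet. */
function canonical(string $path): string
{
    $real = realpath($path);
    return $real !== false ? $real : normalizePath($path);
}

/** True when $file resolves to a location inside one of $trustedDirs. */
function isInsideTrustedDir(string $file, array $trustedDirs): bool
{
    $target = canonical($file) . '/';
    foreach ($trustedDirs as $dir) {
        // Trusted dirs are canonicalised the same way, so a symlinked deployment
        // path (a "current" release link, /var -> /private/var) still matches.
        $base = rtrim(canonical($dir), '/') . '/';
        if (strncmp($target, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sandbox: one symlink escapes it, one stays inside it.
$tmp = sys_get_temp_dir() . '/sandbox-' . uniqid();
mkdir("$tmp/templates", 0700, true);
file_put_contents("$tmp/outside.txt", 'not a template');
file_put_contents("$tmp/templates/real.tpl", 'ok');
symlink("$tmp/outside.txt", "$tmp/templates/escape.tpl");
symlink("$tmp/templates/real.tpl", "$tmp/templates/alias.tpl");
$trusted = ["$tmp/templates"];
var_dump(isInsideTrustedDir("$tmp/templates/escape.tpl", $trusted));     // symlink pointing outside
var_dump(isInsideTrustedDir("$tmp/templates/alias.tpl", $trusted));      // symlink within the sandbox
var_dump(isInsideTrustedDir("$tmp/templates/../outside.txt", $trusted)); // plain ".." traversal
```

The escaping symlink and the ".." traversal are rejected because their canonical form lies outside the trusted directory, while the in-sandbox symlink is accepted; a dangling symlink takes the string fallback, which is safe only because nothing can be read through it anyway.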
Antonio Norman 1c9b2ce1d3 fix for Error: Attempt to assign property "step" on null closes issue #1036 (#1071)
* fix for Error: Attempt to assign property "step" on null in extended templates + added tests closes issue #1036
2026-06-23 23:50:43 +02:00
Simon Wisselink 6d06c5e61f version bump 2026-06-23 23:04:21 +02:00
Simon Wisselink ba745f5b91 Added changelog for the fix for issue #1189 2026-06-23 23:03:58 +02:00
Simon Wisselink 3577fc7091 Re-activate unit tests for user literals. 2026-04-13 22:31:06 +02:00
Simon Wisselink ff2ef3b0cb Redirect test temp dirs to system temp directory
* Redirect test temp dirs to system temp directory. Fixes #1178

Move all test-generated output (compiled templates, cache files, and
temporary template sources) from per-test-directory folders inside the
working tree to a parallel structure under sys_get_temp_dir()/smarty-tests/.

This removes 215 boilerplate .gitignore files from the repo and ensures
running the test suite leaves zero uncommitted files in the working tree.

All 2296 tests continue to pass with identical behavior.

* Isolate each test class in a unique temp directory

getTempDir() now appends a per-class uniqid token to the temp path, so
concurrent or sequential test runs never share compiled/cached output.
The token is generated lazily on first use and reset in
tearDownAfterClass(), giving every test class a fresh isolated directory.

As a result, the Bootstrap.php pre-run cleanup of smarty-tests/ is no
longer needed for correctness (stale paths are unreachable) and was
harmful to concurrent runs, so it has been removed.

* Remove individualFolders dead code and spurious assertTrue from cleanDirs()

- Remove the never-active individualFolders code path from setUpSmarty()
  (the constant was always true, making the branch unreachable)
- Remove define('individualFolders') from Config.php and the constructor
- Remove $this->assertTrue(true) from cleanDirs(): it existed solely to
  make testInit() count as a passing test; now that cleanDirs() is called
  from setUpSmarty() and from test methods directly, the assertion was
  spuriously inflating assertion counts
- Add tests/**/templates_c/, cache/, templates_tmp/ to .gitignore to
  prevent stale test output from appearing as untracked files

* Clean up each test class's unique temp dir in tearDownAfterClass()

Add a private static removeDir() helper and call it from
tearDownAfterClass() to recursively delete the per-class unique temp
directory after each test class finishes. Cleanup failures are silently
ignored (@ suppression) so they never cause test failures.

Set KEEP_SMARTY_TEST_ARTIFACTS=1 in the environment to skip cleanup and
keep the artifacts on disk for debugging.

* cleanup of unused template files, non-shared files stored in __shared folder, no longer required calls to add template folders et cetera

* fixed the unit tests

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* remove useless resetting of static properties in tearDownAfterClass

* changed an incorrect doc and formatted some code.

* add changelog

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-13 21:36:33 +02:00
Simon Wisselink 4ed569c674 version bump 2026-02-15 15:27:13 +01:00
Simon Wisselink a46478d0cb changelogs 2026-02-15 15:26:43 +01:00
Simon Wisselink 139797a165 Support for Laravel Collections style object chaining (#1168)
* Support for Laravel Collections style object chaining for objects returned from function calls implemented as modifiers
Fixes #1151

* explain publishing docs
2026-02-11 00:02:52 +01:00
Simon Wisselink aa6edc3c0b Document missing inline implementation. Fixed #1152 (#1156) 2025-12-21 22:58:11 +01:00
Simon Wisselink c0d7a36124 version bump 2025-11-19 22:36:36 +01:00
Simon Wisselink 8cc9a75964 Php8.5 support (#1138)
* PHP 8.5 support (using RC docker image for php 8.5 unit tests)
2025-11-19 22:33:49 +01:00
Simon Wisselink fe325daec0 version bump 2025-10-03 23:22:23 +02:00
Simon Wisselink 3f0f308a7b added changelog 2025-10-03 23:19:22 +02:00
Simon Wisselink 46cd224efb version bump 2025-05-19 11:29:40 +02:00
Simon Wisselink d3b716a0b9 changelog 2025-05-19 11:29:30 +02:00
Simon Wisselink f659193c94 version bump 2025-05-03 23:36:44 +02:00
Simon Wisselink 0b6166482a changelog 2025-05-03 23:36:27 +02:00
Simon Wisselink 6ad6a35824 version bump 2025-04-15 13:20:06 +02:00
Simon Wisselink baa53399f5 changelog 2025-04-15 13:19:54 +02:00
Simon Wisselink 5401418258 version bump 2025-04-13 22:12:08 +02:00
Simon Wisselink a5bbba3f05 Fix syntax error occurring when registering a function plugin that ends with the string 'close' (#1124)
Fixes #1122
2025-04-10 23:47:44 +02:00
Simon Wisselink 5d1ea5806a change SMARTY_VERSION to $smarty.version.
Fixes #1073
2024-12-28 17:40:25 +01:00
Simon Wisselink 07faafe4da version bump 2024-12-23 01:38:41 +01:00
Simon Wisselink f47ac761af replace/qualify call_user_func_array. (#1083)
Fixes #1074
2024-11-20 23:05:14 +01:00
Simon Wisselink 77b91a072b version bump 2024-08-14 22:00:42 +02:00
Simon Wisselink 9ede0e40fa changelog 2024-08-14 22:00:15 +02:00
Amaury Bouchard 2289fa69f1 Improvement of auto-escaping (#1030)
* Evolution of auto-escaping: no double-escaping when using the 'escape' modifier; add the 'force' mode to the 'escape' modifier; add the 'raw' modifier.
* Add 'raw' modifier's documentation
---------

Co-authored-by: Simon Wisselink <s.wisselink@iwink.nl>
2024-06-30 13:25:30 +02:00
Simon Wisselink a2193eb4cf version bump 2024-06-16 21:51:11 +02:00
Simon Wisselink 8ecde47203 fixed error when using section with nocache.
Fixes #1034
2024-06-16 21:48:14 +02:00
Simon Wisselink 20c08ac40d version bump 2024-05-30 13:14:54 +02:00
Simon Wisselink 4aa1273a80 Merge branch 'support/5' 2024-05-30 13:11:33 +02:00
Simon Wisselink 2a87c65994 implemented and documented prependTemplateDir. (#1025) 2024-05-29 15:32:47 +02:00
Simon Wisselink 06d6a5efd9 version bump 2024-05-28 23:45:14 +02:00
Simon Wisselink 0be92bc8a6 Merge pull request from GHSA-4rmg-292m-wg3w 2024-05-28 22:44:30 +02:00
Simon Wisselink 61db287b8f Scottchiefbaker/master (#1019)
* Add a PSR-4 loading script to allow Smarty to be used without Composer
authored-by: Scott Baker <scott@perturb.org>
2024-05-24 00:21:02 +02:00
Simon Wisselink 47c4864dd1 version bump 2024-04-23 00:22:13 +02:00
Simon Wisselink f411247aa1 Prevent notices on null to string conversion in Template::appendCode (#1002)
Fixes #996
2024-04-19 11:14:07 +02:00
Simon Wisselink 9a8702d937 Corrected invalid classnames in Runtime code for foreach (#1001)
Fixes #1000
2024-04-19 10:42:54 +02:00
Simon Wisselink 5ee4363000 Fix change in signature of getTemplateVars (#995) 2024-04-13 16:53:05 +02:00
Simon Wisselink 599bcee13e Fix Smarty::assign() not returning when called with an array as first parameter. (#973)
Fixes #972
2024-04-05 22:38:57 +02:00
Simon Wisselink 0972503aef version bump 2024-04-05 22:38:57 +02:00
Simon Wisselink 3232277bc5 Fix warning when calling hasVariable for an undefined variable (#978)
Fixes #977
2024-03-29 23:32:49 +01:00