Commit Graph

88 Commits

Author SHA1 Message Date
Simon Wisselink 1bca68beec Fix TypeError for non-array static_classes in Security policy 2026-06-29 12:34:58 +02:00
Simon Wisselink 3c9f77a2e0 Security: validate nested stream wrapper in stream: resource (CWE-22) (#1195)
The built-in stream: resource type let a template bypass Security stream
restrictions. BasePlugin::load() matches the 'stream' sysplugin before the
stream_get_wrappers()/isTrustedStream() check, so a resource such as
stream:php://filter/read=convert.base64-encode/resource=/path was opened by
StreamPlugin::getContent() via fopen() on the nested php:// wrapper without
ever validating it. This bypassed Security::$streams (including
Security::$streams = null) and allowed reading arbitrary local files.

Parse the wrapper scheme from the resolved path in StreamPlugin::getContent()
and validate it with Security::isTrustedStream() before fopen(), giving the
stream: resource the same check the direct wrapper path already receives.

Adds regression tests covering the disabled-streams bypass, the
not-on-allowlist case, and a positive test that an explicitly allowed wrapper
still works.
2026-06-29 11:47:32 +02:00
Simon Wisselink 17fae11a38 update documentation for building and previewing with mkdocs, fix unit tests for windows 2026-06-24 10:33:14 +02:00
Simon Wisselink 11e69eca68 Security: escape value-context attributes in html_image/html_select_date (CWE-79)
{html_image} already escaped alt and pass-through attributes, but emitted
file, path_prefix, href/link, width and height raw, letting an untrusted
value break out of the generated tag. Escape these at output time; the
unescaped values are still used for getimagesize()/DPI math. Escaping uses
htmlspecialchars with double_encode=false, so existing entities and values
like "100%" are preserved (no BC break for legitimate values).

{html_select_date} treated day_size/month_size/year_size as strings and
emitted them raw into size="…"; cast them to int to match
{html_select_time} and close the breakout.

The remaining flagged parameters (mailto extra; html_table *_attr/
trailpad/caption/loop; html_radios/html_checkboxes separator;
html_select_* *_extra/field_separator and the unrecognised-attribute
pass-through) intentionally emit raw markup as documented, so escaping
them would break backwards compatibility. Add a security note to those
docs pages instead, telling authors to escape untrusted values themselves.

Adds tests for html_image escaping (incl. benign-value/no-double-encode
checks) and the html_select_date size cast.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 00:48:01 +02:00
Simon Wisselink 31e06fc087 Security: stop {fetch} from following redirects past trusted_uri (CWE-918)
{fetch} validates the requested URL with Security::isTrustedUri(), but
for non-http schemes (e.g. https) it reads the resource via
file_get_contents(), which follows redirects by default. An open redirect
on an otherwise trusted host could therefore be used to reach a
non-trusted, internal target, bypassing the trusted_uri policy (SSRF).

When a security policy is active, pass a stream context that disables
redirect-following (follow_location => 0, max_redirects => 1) to
file_get_contents() for remote resources. Behavior is unchanged when no
security policy is set, since there is no trusted_uri to bypass.

Adds a regression test using a custom stream wrapper that captures the
context {fetch} passes to file_get_contents, plus a backwards-compat test
for the no-security-policy case.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 00:21:12 +02:00
Simon Wisselink 99c048ce7a Security: prevent symlink path traversal out of secure_dir (CWE-22)
Security::_checkDir() validated file access using Smarty::_realpath(),
which only normalizes paths as strings and never follows symlinks. A
symlink placed inside a trusted secure_dir/template directory therefore
passed the trust check while file_get_contents() followed it to an
arbitrary file (e.g. /etc/passwd), affecting {include} and {fetch} of
local files.

Resolve the requested file with native realpath() and re-validate the
canonical, symlink-free path against the trusted directories. The trusted
directories are canonicalized the same way so legitimate symlinked
deployment paths (e.g. a Capistrano "current" release symlink, or macOS'
/var -> /private/var) keep working. Falls back to string normalization
only when the file does not yet exist on disk.

Adds regression tests covering both the rejected escape and an allowed
in-sandbox symlink, and documents the changelog convention in AGENTS.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 00:15:19 +02:00
Antonio Norman 1c9b2ce1d3 fix for Error: Attempt to assign property "step" on null closes issue #1036 (#1071)
* fix for Error: Attempt to assign property "step" on null in extended templates + added tests closes issue #1036
2026-06-23 23:50:43 +02:00
Simon Wisselink 56ab75df2c Bugfix/issue 1189 inheritance state leak (#1190)
* Reproduce block override leakage in template inheritance
* Fixes #1189
2026-06-23 22:50:39 +02:00
Simon Wisselink 6e648ed809 Remove incomplete test cases for usesCompiler across multiple test files 2026-05-03 22:19:50 +02:00
Simon Wisselink 3577fc7091 Re-activate unit tests for user literals. 2026-04-13 22:31:06 +02:00
Simon Wisselink ff2ef3b0cb Redirect test temp dirs to system temp directory
* Redirect test temp dirs to system temp directory. Fixes #1178

Move all test-generated output (compiled templates, cache files, and
temporary template sources) from per-test-directory folders inside the
working tree to a parallel structure under sys_get_temp_dir()/smarty-tests/.

This removes 215 boilerplate .gitignore files from the repo and ensures
running the test suite leaves zero uncommitted files in the working tree.

All 2296 tests continue to pass with identical behavior.

* Isolate each test class in a unique temp directory

getTempDir() now appends a per-class uniqid token to the temp path, so
concurrent or sequential test runs never share compiled/cached output.
The token is generated lazily on first use and reset in
tearDownAfterClass(), giving every test class a fresh isolated directory.

As a result, the Bootstrap.php pre-run cleanup of smarty-tests/ is no
longer needed for correctness (stale paths are unreachable) and was
harmful to concurrent runs, so it has been removed.

* Remove individualFolders dead code and spurious assertTrue from cleanDirs()

- Remove the never-active individualFolders code path from setUpSmarty()
  (the constant was always true, making the branch unreachable)
- Remove define('individualFolders') from Config.php and the constructor
- Remove $this->assertTrue(true) from cleanDirs(): it existed solely to
  make testInit() count as a passing test; now that cleanDirs() is called
  from setUpSmarty() and from test methods directly, the assertion was
  spuriously inflating assertion counts
- Add tests/**/templates_c/, cache/, templates_tmp/ to .gitignore to
  prevent stale test output from appearing as untracked files

* Clean up each test class's unique temp dir in tearDownAfterClass()

Add a private static removeDir() helper and call it from
tearDownAfterClass() to recursively delete the per-class unique temp
directory after each test class finishes. Cleanup failures are silently
ignored (@ suppression) so they never cause test failures.

Set KEEP_SMARTY_TEST_ARTIFACTS=1 in the environment to skip cleanup and
keep the artifacts on disk for debugging.

* cleanup of unused template files, non-shared files stored in __shared folder, no longer required calls to add template folders et cetera

* fixed the unit tests

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* remove useless resetting of static properties in tearDownAfterClass

* changed an incorrect doc and formatted some code.

* add changelog

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-13 21:36:33 +02:00
Simon Wisselink 5487e31c4b Add support for Backed Enums (#1171)
* Add support for Backed Enums
Fixes #1012

Also added docs (and docs for matches operator)
2026-02-15 15:23:55 +01:00
Simon Wisselink 12ce28e265 Regex matches operator (#1169)
* Regex matches operator support
2026-02-15 14:44:48 +01:00
Simon Wisselink 139797a165 Support for Laravel Collections style object chaining (#1168)
* Support for Laravel Collections style object chaining for objects return from function calls implemented as modifiers
Fixes #1151

* explain publishing docs
2026-02-11 00:02:52 +01:00
hirosan 6709d000cd Fix static analysis warnings for isDot() and remove deprecated APC support (#1164)
* Fix static analysis warnings for isDot()
* Remove deprecated APC support
* Remove redundant isDot() check and fix static analysis warnings
2026-01-08 11:21:57 +01:00
pharixces b390e50974 Add support for shorttags in functions (#1142)
* Add support for shorttags in functions

Co-authored-by: Anne Zijlstra <a.zijlstra@iwink.nl>
Co-authored-by: Simon Wisselink <s.wisselink@iwink.nl>
2025-10-03 23:17:55 +02:00
hirosan 4ff25bbe59 Support trailing comma in array (#1128) 2025-05-03 23:34:15 +02:00
Simon Wisselink a5bbba3f05 Fix syntax error occurring when registering a function plugin that ends with the string 'close' (#1124)
Fixes #1122
2025-04-10 23:47:44 +02:00
Simon Wisselink a4b8466205 Added unit tests to prevent regressions of issue #1100 that was fixed in v4 2025-02-13 23:20:05 +01:00
Simon Wisselink cf9de567c1 Restore special handling of isset and empty as it was in v4. Fixes #1063 (#1093)
* Restore special handling of isset and empty as it was in v4. Fixes #1063
2024-12-23 01:29:07 +01:00
Wim Wisselink 1b06b37db2 Add PHP 8.4 support to Smarty (#1043) 2024-11-20 15:59:26 +01:00
Simon Wisselink a1b4c9c551 Add unit tests for short hand template function definition and shorthand template function calls. 2024-10-06 22:06:39 +02:00
Atsushi Matsuo c8f1853bfe Modify NullCoalescingTest.php and TernaryTest.php to prevent test failure on Windows (#1059) 2024-08-28 23:16:04 +02:00
Atsushi Matsuo 2f781e2e65 Fix unit tests to enable to run CacheResourceFileTest.php on Windows (#1055) 2024-08-28 23:15:57 +02:00
Amaury Bouchard 2289fa69f1 Improvement of auto-escaping (#1030)
* Evolution of auto-escaping: no double-escaping when using the 'escape' modifier; add the 'force' mode to the 'escape' modifier; add the 'raw' modifier.
* Add 'raw' modifier's documentation
---------

Co-authored-by: Simon Wisselink <s.wisselink@iwink.nl>
2024-06-30 13:25:30 +02:00
Simon Wisselink 8ecde47203 fixed error when using section with nocache.
Fixes #1034
2024-06-16 21:48:14 +02:00
Simon Wisselink 4aa1273a80 Merge branch 'support/5' 2024-05-30 13:11:33 +02:00
Simon Wisselink 2a87c65994 implemented and documented prependTemplateDir. (#1025) 2024-05-29 15:32:47 +02:00
Simon Wisselink 0be92bc8a6 Merge pull request from GHSA-4rmg-292m-wg3w 2024-05-28 22:44:30 +02:00
Simon Wisselink 5ee4363000 Fix change in signature of getTemplateVars (#995) 2024-04-13 16:53:05 +02:00
Simon Wisselink 34adf4e54c Fixed unit tests to not rely on the existence of any domain or unavailability of internet access when running tests. (#987) 2024-04-06 23:41:20 +02:00
Simon Wisselink 599bcee13e Fix Smarty::assign() not returning when called with an array as first parameter. (#973)
Fixes #972
2024-04-05 22:38:57 +02:00
Simon Wisselink 3232277bc5 Fix warning when calling hasVariable for an undefined variable (#978)
Fixes #977
2024-03-29 23:32:49 +01:00
Simon Wisselink 6f054ecc2f Fix Smarty::assign() not returning when called with an array as first parameter. (#973)
Fixes #972
2024-03-28 11:22:29 +01:00
Simon Wisselink 1da30e76e8 Documented support for is in, added support for is not in. (#955)
* Documented support for `is in`, added support for `is not in`.
Fixes #937
* minor docs improvement
2024-03-25 13:54:02 +01:00
Simon Wisselink 7255b4d73c Internal compiler classes always return a string (#918)
* Internal compiler classes always return a string (the internal has_code flag has been removed for simplicity)
* Add :string method signature to compile method everywhere.
2024-03-25 13:44:06 +01:00
Simon Wisselink 82397ec7f0 Fixed that scoped variables would overwrite parent scope. (#954)
* Fixed that scoped variables would overwrite parent scope.
Fixes #952

* Moved variable stack maintenance to methods and private properties in Data class.
2024-03-15 16:10:27 +01:00
Simon Wisselink 17da1f585e Fix Too many shorthand attributes error when using a modifier as a function with more than 3 parameters in an expression (#953)
Fixes #949
2024-03-15 10:26:17 +01:00
Simon Wisselink 41d80b99ac Implemented support for substr, implode and json_encode as modifiers. (#940)
* Implemented support for substr, implode and json_encode as modifiers. Fixes #939
* Added split and join in favor of explode and implode modifiers.
* Documented all available modifiers
2024-02-26 14:35:19 +01:00
Simon Wisselink 0912124c33 fixed ocumentation on {if is even by } syntax 2024-02-03 00:05:38 +01:00
Simon Wisselink 08c90664f0 Fixed failing {debug} tag. (#923)
Fixes #922
2024-01-01 22:41:09 +01:00
Simon Wisselink bc4e70f2c0 Do not auto-html-escape custom function results. (#908)
Fixes #906
2023-11-06 17:36:05 +01:00
Simon Wisselink 9ee3cce380 Added some extra unit test 2023-10-22 23:55:07 +02:00
Simon Wisselink babec0f29b add case sensitivity test 2023-10-22 23:51:47 +02:00
Jack Dane 212bf88eb2 Fix case-sensitive tag names (#907) (#910)
* Don't lower tags until they are used for extensions so custom tags can be case-sensitive.
2023-10-22 23:49:46 +02:00
Simon Wisselink af2e12d58e Fix use of negative numbers in math equations. (#903)
Fixes #895
2023-09-14 10:21:06 +02:00
Simon Wisselink 8fd949ac5d Smarty5 (#852)
* WIP converting code to PSR-4

* More PSR4 rewriting

* Removed autoload filters

* WIP making compile classes PSR-4

* WIP making compile classes PSR-4

* Replace Smarty:: with symfony/polyfill-mbstring

* WIP making compile classes PSR-4

* finished rewriting all compile classes into PSR-4

* Rewrote all Compile and Compiler classes to PSR-4

* WIP rewriting smarty_internal_method_*

* Finished moving smarty_internal_method_*

* smarty_internal_resource_* to PSR-4

* Refactored all _runtime_* by merging them into the proper classes or by transforming them into Runtime Extensions.

* src/Template/* to PSR-4

* src/sysplugins/* to PSR-4

* Entire src dir now PSR-4 compatible

* Add makefile, PSR-4 ModifierCompilers

* Rewrote all default modifiers and functions from the plugins folder to PSR-4 classes

* Rewrote remaining plugins to PSR-4, plugins dir is now gone.

* WIP moving Smarty to PSR-4.

* fixed pre/post/output filters and removed some old todo-comments

* filter tests passing

* Fixed TemplateObject test

* Fix CustomResourceAmbiguousTest

* Fixed CacheResource implementation and tests

* Fixed setfilter

* Fixed DefaultPluginHandlerTest for function plugins (blocks still break)

* move runPluginFromDefaultHandler to new Runtime class

* Introduce formatParamsArray method for recurring code fragment

* Fix code duplication in block compilers and fix (most) BlockPluginTests. Default plugin handler blocks still need fixing.

* minor fixes

* Implemented the DefaultHandlerBlockCompiler, made the dependencies of the template compiler into properties, fixed a couple of unit tests

* Removed support for PHP include path, and removed the ::loadPlugin method.

* Removed now unneeded PHPunit annotations @run(Tests)InSeparateProcess, @preserveGlobalState and @backupStaticAttributes. Made CacheResourceTestCommon abstract to prevent the base class from running tests (and always failing). Unregister a previously registered stream wrapper. Fixes a lot of tests.

* Fix scoping / global state problems in tests by using DI in Default Extension. Also removing a bunch of old fashioned phpdoc annotations that are superseded by namespaces.

* Make DefaultExtension lazy load again.

* Removed deprecated extends_recursion property and fix bug in CodeFrame compiler due to use of clone.

* Fixed BC loading of resource pluging from dir and all ResourcePluginTest tests

* Removed PHP functions and checks for the already removed php modifiers. Re-implemented functions as regular functions. Probably should compile these directly.

* Fixed stream resources

* 2 small fixes for unit tests

* Fixed modifiercompiler handling multiple/chained modifiers

* Rewrote global static global_tpl_vars to getters/setters on Smarty class, fixing several test cases. Added a ::getValue() method to Variable.

* Fixed issue related to scoping of left/right delimiter overrides

* Added strlen function, fixing some unit tests

* Fix bug in calling BC function handlers.

* WIP replacing direct access tpl_vars with proper getter/setters.

* WIP

* WIP rewriting variable scopes

* WIP fixing the complicated variables scopes architecture. Right now more tests are failing than before... :(

* Fixed minor unit tests

* Made variable scoping more sensible

* Fix configfile tests

* removed phpplugin, removed now unused uncompiled handler and all checks for this, fixed a refactorbug in InheritanceRuntime. Moved getRenderedTemplateCode method to Smarty\Template. Renamed Cache en Compiled base class to GeneratedPhpFile for more clarity and distinction from Resource classes. Inlined Cached::create into its only caller. Some other minor improvements. Removed php7.1 CI tests.

* Removed the allowUndefinedVars check from the smarty error handlers, because undefined vars no longer throw an error, unless smarty->error_unassigned is set to true.

* Replace direct access to inheritance property on Template object by proper getter.

* converted 3 public properties on Template into getters/setters. unified Template creation code. Provided a getter/setter for the has_nocache_code property. Removed the useless DataObject class. Fixed a few tests. Removed the variable-allow-php-templates property from the docs.

* Simplified the (no)caching architecture by:
- removing support for $cache_attrs for registered plugins,
- removing the undocumented {make_nocache} tag and the deprecated {insert} tag and associated code
- removing support for a compile_id property on include tags.

Fixes a bug in extends: resources by propagating the nocache-hashes between a master template and it's subtemplates in \Smarty\Template::_subTemplateRender. This might need further improvement.

* Removed unneeded magic setters/getters/destructors and the like.

* Replaced a bunch of direct property access with getters/setters.

* Update test runners: no longer support PHP7.1, add PHP8.2

* Fixed scope in variable assignments in included and extended templates, fixed dependencies for testing freshness of caches. Added some unit tests and fixed a class reference to pass some more tests.

* Fix searchParents parameter, fixing GetTemplateVarsTest

* @var integer > @var int for vsCode

* Fix function caching function name

* Fixed cacheability of block plugins.

* Moved handling of smarty.block.* to special compilers, because they aren't real tags. Organized tag-stack handling in compiler, unified nocache handling in compiler.

* Fixed block append/prepend functionality

* Fix testRegisterCompilerFunction by parsing argument correctly.

* Made exception msgs exactly the same again, fixing some unit tests

* Fix default plugin handler

* Simply the "isFresh" method by not including the first param anymore. Fix a couple of unit tests by respecting tag_nocache set by nocache vars used in a tag.

* Removed the undocumented {block_parent} and {parent} alternatives to {$smarty.block.parent}
and {block_child} and {child} alternatives to {$smarty.block.child}

* Fix inhertiance implementation for $smarty.block.child

* Fixed all inheritance issues

* Handle BC registered compilers and missed parameters for openTag and closeTag.

* Fix all foreach unit tests

* Fixed the {if} failures.

* Fix major {include} bug

* Fixed bug in {include} variable assignment and removed some unused/unrequired code

* Fix function call compilation using {functionname} syntax for in-template defined functions.

* Drop a unit tests bc we no longer support direct access to PHP-functinos such as sin()

* Fixed all scope assignment bugs

* Convert isset and empty to modifiercomilers, and smooth the error handling to fix unit tests.

* Fixed getCachedContent

* Add TODO list

* Run composer install before online test run

* Attempt to fix CI

* revise CI/CD workflows, bypass packagist for lexer

* Update ci.yml

* Update ci.yml

* fixes in source files

* Update ci.yml

* Update ci.yml

* attempt to load smarty-lexer directly from zip file

* Shouldnt need Github token now

* correct type of repository

* Updated the changelog

* Re-organized rendering (read source / compile / cache) process to avoid circular dependencies.
Deactivated merge_compiled_includes and the {include inline} attribute. They don't seem to do much in terms of performance, but we'll
have to check back.

* updated todo

* Fix smarty-lexer dependency for the time being

* Fix smarty-lexer dependency for the time being (remove direct ref to github)

* Pushed Lexers/Parsers into VCS again in order to be able to deliver using Packagist/Composer

* Re-organized rendering (read source / compile / cache) process to avoid circular dependencies.

* Run make regardless of timestamps, so we are sure unit tests run with the generated PHP code, not with accidental human made changes to Lexer/Parser.

* Update composer packages cache key

Update composer packages cache key to trigger refresh on lexer

* 4.0.2 of smarty-lexer is released, use that

* Throw compile error when using a modifier where it won't work. Fixes #526.

* verify that native PHP functions cannot be used as a modifier and verify that an easy userland workaround exists. Fixes #813.

* Add test for registering compiler plugin with positional params. Fixes #164

* move test methods because some other test methods rely on their relative positions

* Smarty no longer calls `mb_internal_encoding()` and doesn't check for deprecated `mbstring.func_overload` ini directive.
Fixes #480.

* Generated `<script>` tags lo longer have deprecated `type="text/javascript"` or `language="Javascript"` attributes.
Fixes #815.

* Fix error in docs on prepend/append. Fixes #818.

* Move all creating of templates to Smarty::createTemplate, adding a private property containing previously generated templates for speed.

* Load compiled object in template constructor so it will be cached.

* WIP for performance improvements.

Removed $smarty->_current_file and $smarty->allow_ambiguous_resources properties, both unused. Removed public Source::filepath property.
Cached an Compiled files (and Exceptions) no longer rely on the filepath being set. Removed explicit tests for cached and compiled filenames. The exact implementation is not important. Added tests for compile_check property, fixing a file_exists check that would always be done on source template files, even when compile_check was true. Remove code duplication between Source en Config classes. Added a local $_smarty_current_dir to the generated code files for backwards compatability for {$smarty.current_dir}.

* remove additional calls to getCached()

* updated todo

* Add mkdocs for docs

* add missing folder for unit tests

* Revert latest CI changes, we'll update docs by hand for now

* multiversion mkdocs config

* fixes to docs

* WIP improving the docs

* Improved another chunk of the designers docs

* Finished improving designers docs

* Update code examples to use Smarty\Smarty and autoload instead of require_once calls and new Smarty

* Further WIP improving docs

* Updated changelog and todo list

* WIP on API docs

* WIP docs (added page on config)

* Fixed markdown syntax. Fixes #879

* Added full support and documentation for ternary operator.
Fixes #881

* updated changelog

* fixed error in the mkdocs TOC

* Added support for null coalescing operator
Fixes #882

* Add docs for null coalescing

* more docs

* Improved docs on compile checking and inheritance

* Rewrote docs on filters and resources.

* Add makefile entries for generating docs

* Docs on caching

* finished docs on security and extending smarty

* Added Smarty::setExtensions(), fixed unit test for the null coalescing operator. Updated docs about registering a custom extension.

* updated todos

* fix template invalidation when migrating to 5.0
2023-08-08 00:04:14 +02:00
Simon Wisselink a3cbdc46fb Fix strip_tags modifier for falsy input. (#893)
Fixes #890
2023-08-04 22:40:19 +02:00
Simon Wisselink e75165565e Implement fix and tests 2023-03-24 12:19:34 +01:00
Simon Wisselink 2764816407 Add missing dirs 2023-02-23 22:30:15 +01:00