Simon Wisselink 217d8b7445 Fix SSRF bypass of trusted_uri via redirect-following in {fetch}
When a security policy is active and {fetch} is used with a non-http URL
scheme (https, ftp, ...), file_get_contents was called without a stream
context. PHP's HTTP wrapper follows redirects by default, so an Open
Redirect on a trusted host could be used to bypass the trusted_uri check
and reach arbitrary internal addresses (SSRF).

Pass a stream context with follow_location=0 and max_redirects=1 when a
security policy is configured. Behaviour is unchanged for users without
a security policy.

Reported by Aleksey Solovev (Positive Technologies), PT-03-2026.
2026-05-18 11:04:59 +02:00
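
The mitigation described in the commit message above, shown as an added example (not Smarty's own code): an allow-listed fetch that refuses to follow redirects and treats any non-2xx answer, including a 3xx from an open redirect, as a failure. `fetch_trusted()`, the exact-match host allow-list and the sample host names are hypothetical; the example narrows to http/https and uses `fopen()` so the status line can be read from the stream metadata.

```php
<?php
// Added illustration, not Smarty's code. fetch_trusted() and the allow-list are hypothetical.

/** Return the body for an allow-listed URL on a 2xx response, otherwise null. */
function fetch_trusted(string $url, array $trustedHosts): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Assumption for this example: only http and https are fetched at all.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // The allow-list check only covers the URL we were given, so it is
    // meaningless if the wrapper is then free to follow a Location header.
    if (!in_array(strtolower($parts['host']), $trustedHosts, true)) {
        return null;
    }
    // The 'http' context options are used by both the http:// and https:// wrappers.
    $context = stream_context_create(['http' => [
        'follow_location' => 0,    // PHP's default is 1 (follow redirects)
        'max_redirects'   => 1,    // 1 or less: no redirect is followed
        'ignore_errors'   => true, // still open the stream on 3xx/4xx/5xx so the status can be checked
        'timeout'         => 5,
    ]]);
    $fp = @fopen($url, 'r', false, $context);
    if ($fp === false) {
        return null;
    }
    // For the HTTP wrapper, wrapper_data holds the response header lines.
    $headers = stream_get_meta_data($fp)['wrapper_data'] ?? [];
    $body = stream_get_contents($fp);
    fclose($fp);
    $statusLine = is_array($headers) && isset($headers[0]) ? (string) $headers[0] : '';
    if (!preg_match('#^HTTP/\S+\s+(\d{3})#', $statusLine, $m)) {
        return null;
    }
    $status = (int) $m[1];
    // A 3xx is rejected here instead of being chased to another host.
    return ($status >= 200 && $status < 300 && $body !== false) ? $body : null;
}

// Constructed inputs: both are rejected before any network access happens.
$trusted = ['templates.example.test'];
var_dump(fetch_trusted('http://169.254.169.254/latest/', $trusted));
var_dump(fetch_trusted('ftp://templates.example.test/a.tpl', $trusted));
```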

Smarty template engine

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.

CI

Documentation

Read the documentation to find out how to use it.

Requirements

Smarty v5 can be run with PHP 7.2 to PHP 8.5.

Installation

Smarty versions 3.1.11 or later can be installed with Composer.

To get the latest stable version of Smarty use:

composer require smarty/smarty

More in the Getting Started section of the docs.

Sponsors

Smarty is sponsored by:

Thank you!

Languages
PHP 91.2%
Go Template 5.2%
Yacc 2.4%
Smarty 0.8%
Dockerfile 0.2%
Other 0.1%