mirror of
https://github.com/smarty-php/smarty.git
synced 2026-07-04 23:41:02 +02:00
hotfix/vulnreportpositivetechnologies
When a security policy is active and {fetch} is used with a non-http URL
scheme (https, ftp, ...), file_get_contents was called without a stream
context. PHP's HTTP wrapper follows redirects by default, so an Open
Redirect on a trusted host could be used to bypass the trusted_uri check
and reach arbitrary internal addresses (SSRF).
Pass a stream context with follow_location=0 and max_redirects=1 when a
security policy is configured. Behaviour is unchanged for users without
a security policy.
Reported by Aleksey Solovev (Positive Technologies), PT-03-2026.
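An added illustration of the fix the commit message above describes, not Smarty's own code: the allowlist check only covers the host that is actually contacted if redirects are refused. The function names, the trusted-host list and the sample headers are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; none of these names are Smarty's API.

/** Extract the status code from the first response header line. */
function statusCode(array $headers): int
{
    return preg_match('#^HTTP/\S+\s+(\d{3})#', $headers[0] ?? '', $m) ? (int) $m[1] : 0;
}

/** Fetch $url only if its host is allowlisted, and never follow a redirect. */
function fetchTrusted(string $url, array $trustedHosts): string
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || !in_array($host, $trustedHosts, true)) {
        throw new RuntimeException('URL is not on the trusted list');
    }
    // The "http" context options also apply to https:// URLs.
    $context = stream_context_create(['http' => [
        'follow_location' => 0,    // do not follow Location headers
        'max_redirects'   => 1,    // 1 or less: no redirects are followed
        'ignore_errors'   => true, // hand back non-2xx responses so the status is checked here
        'timeout'         => 5,
    ]]);
    $body = file_get_contents($url, false, $context);
    // PHP 8.4+ has http_get_last_response_headers(); older versions set $http_response_header.
    $headers = function_exists('http_get_last_response_headers')
        ? (http_get_last_response_headers() ?? [])
        : ($http_response_header ?? []);
    $status = statusCode($headers);
    if ($body === false || $status < 200 || $status >= 300) {
        // A 3xx lands here: its Location target was never checked against the allowlist.
        throw new RuntimeException("Refusing response with status $status");
    }
    return $body;
}

// Constructed response headers: a redirect answer from a trusted host, and a normal answer.
$redirect = ['HTTP/1.1 302 Found', 'Location: http://internal.example/'];
$ok       = ['HTTP/1.1 200 OK', 'Content-Type: text/html'];
var_dump(statusCode($redirect));
var_dump(statusCode($ok));
```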
Smarty template engine
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.
Documentation
Read the documentation to find out how to use it.
Requirements
Smarty v5 can be run with PHP 7.2 to PHP 8.5.
Installation
Smarty versions 3.1.11 or later can be installed with Composer.
To get the latest stable version of Smarty use:
composer require smarty/smarty
More in the Getting Started section of the docs.
Sponsors
Smarty is sponsored by:
- Marc Laporte @marclaporte
- Temma, the MVC framework based on Smarty
Thank you!