Simon Wisselink 0460eb08cf Security: validate nested stream wrapper in stream: resource (CWE-22)
The built-in stream: resource type let a template bypass Security stream
restrictions. BasePlugin::load() matches the 'stream' sysplugin before the
stream_get_wrappers()/isTrustedStream() check, so a resource such as
stream:php://filter/read=convert.base64-encode/resource=/path was opened by
StreamPlugin::getContent() via fopen() on the nested php:// wrapper without
ever validating it. This bypassed Security::$streams (including
Security::$streams = null) and allowed reading arbitrary local files.

Parse the wrapper scheme from the resolved path in StreamPlugin::getContent()
and validate it with Security::isTrustedStream() before fopen(), giving the
stream: resource the same check the direct wrapper path already receives.

Adds regression tests covering the disabled-streams bypass, the
not-on-allowlist case, and a positive test that an explicitly allowed wrapper
still works.
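The check the commit describes, as an added PHP illustration that is not Smarty's own code: the wrapper scheme is parsed from the resolved path and validated against an allowlist before fopen(). The function names and the simplified allowlist semantics (null = streams disabled, array = allowlist) are this example's assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not Smarty's own code: the validation a nested wrapper in a
// stream: resource needs before fopen(). Function names and the allowlist
// semantics (null = streams disabled, array = allowlist) are assumptions here.

/** Return the wrapper scheme ("php" for "php://filter/...") or null for a plain path. */
function wrapperScheme(string $path): ?string
{
    $pos = strpos($path, '://');
    return $pos === false ? null : strtolower(substr($path, 0, $pos));
}

/** Stand-in for the Security::isTrustedStream() check, simplified for this example. */
function assertTrustedStream(?array $allowed, string $scheme): void
{
    if ($allowed === null || !in_array($scheme, $allowed, true)) {
        throw new RuntimeException("stream '{$scheme}' not allowed by security setting");
    }
    if (!in_array($scheme, stream_get_wrappers(), true)) {
        throw new RuntimeException("stream '{$scheme}' is not a registered wrapper");
    }
}

/** Resolve "stream:<wrapper-url>" and validate the nested wrapper before fopen(). */
function openStreamResource(string $resource, ?array $allowed): string
{
    $path = preg_replace('/^stream:/', '', $resource);  // path left after the resource type prefix
    $scheme = wrapperScheme($path) ?? 'file';           // bare paths go through the file wrapper
    assertTrustedStream($allowed, $scheme);             // the check the fix adds, before fopen()
    $fp = fopen($path, 'rb');
    if ($fp === false) { throw new RuntimeException("cannot open {$path}"); }
    $content = stream_get_contents($fp);
    fclose($fp);
    return $content;
}

// Constructed demo: a temp file readable through the allowlisted file:// wrapper ...
$tmp = tempnam(sys_get_temp_dir(), 'smarty');
file_put_contents($tmp, "hello\n");
echo openStreamResource("stream:file://{$tmp}", ['file']);
// ... while the nested php://filter wrapper from the commit message is rejected
// both with streams disabled (null) and when "php" is not on the allowlist.
foreach ([null, ['file']] as $allowed) {
    try {
        openStreamResource("stream:php://filter/read=convert.base64-encode/resource={$tmp}", $allowed);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
unlink($tmp);
```

Run with `php example.php`; the first call prints the file content and the two rejected calls print the security error, which is the behaviour the regression tests in the commit check for.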

Smarty template engine

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.

Documentation

Read the documentation to find out how to use it.

Requirements

Smarty v5 can be run with PHP 7.2 to PHP 8.5.

Installation

Smarty versions 3.1.11 or later can be installed with Composer.

To get the latest stable version of Smarty use:

composer require smarty/smarty

More in the Getting Started section of the docs.

Sponsors

Smarty is sponsored by:

Thank you!
