mirror of https://github.com/smarty-php/smarty.git (synced 2026-07-05 07:51:22 +02:00)
0460eb08cf1adf9979d0679f94bb901296e83ee6
The built-in stream: resource type let a template bypass Security stream restrictions. BasePlugin::load() matches the 'stream' sysplugin before the stream_get_wrappers()/isTrustedStream() check, so a resource such as stream:php://filter/read=convert.base64-encode/resource=/path was opened by StreamPlugin::getContent() via fopen() on the nested php:// wrapper without ever validating it. This bypassed Security::$streams (including Security::$streams = null) and allowed reading arbitrary local files. Parse the wrapper scheme from the resolved path in StreamPlugin::getContent() and validate it with Security::isTrustedStream() before fopen(), giving the stream: resource the same check the direct wrapper path already receives. Adds regression tests covering the disabled-streams bypass, the not-on-allowlist case, and a positive test that an explicitly allowed wrapper still works.
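As an added illustration of the guard the commit message describes (this is not Smarty's own code; the class and method names are assumptions), the snippet below extracts the wrapper scheme from the path that a stream: resource resolves to and checks it against an allowlist before anything is opened, covering the three cases the regression tests are said to cover: streams disabled (null allowlist), a wrapper not on the allowlist, and an explicitly allowed wrapper.

```php
<?php
// Illustrative reimplementation of the check added before fopen().
// Not Smarty's code; StreamPolicy and its methods are assumed names.

final class StreamPolicy
{
    /** @var string[]|null allowed wrapper schemes; null means streams are disabled */
    private ?array $allowed;

    public function __construct(?array $allowed)
    {
        $this->allowed = $allowed === null ? null : array_map('strtolower', $allowed);
    }

    /** Mirrors the intent of Security::isTrustedStream(): a null allowlist trusts nothing. */
    public function isTrusted(string $scheme): bool
    {
        return $this->allowed !== null && in_array(strtolower($scheme), $this->allowed, true);
    }

    /**
     * Given the resolved path of a "stream:" resource (the "stream:" prefix already
     * stripped), return the wrapper scheme fopen() would actually use. A path with
     * no "://" falls through to the plain file wrapper.
     */
    public static function wrapperScheme(string $resolvedPath): string
    {
        $pos = strpos($resolvedPath, '://');
        return $pos === false ? 'file' : substr($resolvedPath, 0, $pos);
    }

    /** The guard that belongs in front of fopen(): refuse instead of opening. */
    public function assertOpenable(string $resolvedPath): void
    {
        $scheme = self::wrapperScheme($resolvedPath);
        if (!$this->isTrusted($scheme)) {
            throw new RuntimeException("stream wrapper '{$scheme}' not allowed by security setting");
        }
    }
}

// Constructed inputs: the nested php://filter path from the commit message
// (placeholder target path) and a wrapper that is explicitly allowed.
$nested  = 'php://filter/read=convert.base64-encode/resource=/path/to/file';
$allowed = 'data://text/plain,hello';

$disabled = new StreamPolicy(null);       // Security::$streams = null
$dataOnly = new StreamPolicy(['data']);   // explicit allowlist

assert(!$disabled->isTrusted(StreamPolicy::wrapperScheme($nested)));  // disabled-streams case: rejected
assert(!$dataOnly->isTrusted(StreamPolicy::wrapperScheme($nested)));  // php:// not on allowlist: rejected
assert($dataOnly->isTrusted(StreamPolicy::wrapperScheme($allowed)));  // allowed wrapper still works
```

Run with `php -d zend.assertions=1` so the trailing assert() calls are evaluated.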
Smarty template engine
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.
Documentation
Read the documentation to find out how to use it.
Requirements
Smarty v5 can be run with PHP 7.2 to PHP 8.5.
Installation
Smarty versions 3.1.11 or later can be installed with Composer.
To get the latest stable version of Smarty use:
composer require smarty/smarty
More in the Getting Started section of the docs.
Sponsors
Smarty is sponsored by:
- Marc Laporte @marclaporte
- Temma, the MVC framework based on Smarty
Thank you!