Headline
CVE-2021-21408: Merge pull request from GHSA-4h9c-v5vg-5m6m · smarty-php/smarty@19ae410
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could invoke restricted static PHP methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.
@@ -257,19 +257,41 @@ public function testTrustedStaticClass() $this->assertEquals(‘25’, $this->smarty->fetch($tpl)); }
/** * test not trusted PHP function * @runInSeparateProcess * @preserveGlobalState disabled */ public function testNotTrustedStaticClass() { /** * test not trusted PHP function * @runInSeparateProcess * @preserveGlobalState disabled */ public function testNotTrustedStaticClass() { $this->expectException(‘SmartyException’); $this->expectExceptionMessage(‘access to static class \’mysecuritystaticclass\’ not allowed by security setting’); $this->smarty->security_policy->static_classes = array(‘null’); $this->smarty->fetch(‘string:{mysecuritystaticclass::square(5)}’); }
/** * test not trusted PHP function */ public function testNotTrustedStaticClassEval() { $this->expectException(‘SmartyException’); $this->expectExceptionMessage(‘dynamic static class not allowed by security setting’); $this->smarty->security_policy->static_classes = array(‘null’); $this->smarty->fetch(‘string:{$test = "mysecuritystaticclass"}{$test::square(5)}’); }
/** * test not trusted PHP function */ public function testNotTrustedStaticClassSmartyVar() { $this->expectException(‘SmartyException’); $this->expectExceptionMessage(‘dynamic static class not allowed by security setting’); $this->smarty->security_policy->static_classes = array(‘null’); $this->smarty->fetch(‘string:{$smarty.template_object::square(5)}’); }
public function testChangedTrustedDirectory() { $this->smarty->security_policy->secure_dir = array(
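Review bot: The two added tests `testNotTrustedStaticClassEval` and `testNotTrustedStaticClassSmartyVar` lack the `@runInSeparateProcess` and `@preserveGlobalState disabled` annotations that the sibling `testNotTrustedStaticClass` carries, even though all three mutate `$this->smarty->security_policy->static_classes` and compile templates referencing `mysecuritystaticclass`. Running them in-process risks compiled-template or class state leaking between tests and masking a regression of the dynamic static class check; adding the same two annotation lines to both new docblocks keeps the isolation consistent. Both new tests also set `static_classes = array('null')` before expecting the `dynamic static class not allowed by security setting` rejection; if the fix is intended to reject `$var::method()` and `$smarty.template_object::method()` regardless of the allow-list, a third case that leaves `static_classes` at its default would pin that (the security-policy change itself is not in this hunk, so treat this as a question). `testChangedTrustedDirectory` continues past the end of the hunk.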
Related news
Gentoo Linux Security Advisory 202209-9 - Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution. Versions less than 4.2.1 are affected.
Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.