authoruwetews <uwe.tews@googlemail.com>2016-07-19 20:17:47 +0200
committeruwetews <uwe.tews@googlemail.com>2016-07-19 20:17:47 +0200
commit50068ca52a484cb7b82fb5ae592e9024a0fbcd3c (patch)
treefac95b1cba769bfe86d88ed22254f3002a8d9f0c
parentf39e61762ce1fe73a1858f7877dc93f38ef40510 (diff)
- bugfix {match} shell injection vulnerability patch provided by Tim Weber
-rw-r--r--change_log.txt1
-rw-r--r--libs/Smarty.class.php2
-rw-r--r--libs/plugins/function.math.php16
3 files changed, 17 insertions, 2 deletions
diff --git a/change_log.txt b/change_log.txt
index 39bbfe6d..857ada7e 100644
--- a/change_log.txt
+++ b/change_log.txt
@@ -1,6 +1,7 @@
 ===== 3.1.30-dev ===== (xx.xx.xx)
19.07.2016
- bugfix multiple {include} with relative filepath within {block}{/block} could fail https://github.com/smarty-php/smarty/issues/246
+ - bugfix {match} shell injection vulnerability patch provided by Tim Weber
18.07.2016
- bugfix {foreach} if key variable and item@key attribute have been used both the key variable was not updated https://github.com/smarty-php/smarty/issues/254
diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php
index 98eeddbe..94bfb22c 100644
--- a/libs/Smarty.class.php
+++ b/libs/Smarty.class.php
@@ -121,7 +121,7 @@ class Smarty extends Smarty_Internal_TemplateBase
/**
* smarty version
*/
- const SMARTY_VERSION = '3.1.30-dev/85';
+ const SMARTY_VERSION = '3.1.30-dev/86';
/**
* define variable scopes
diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php
index a6e2a152..655fe728 100644
--- a/libs/plugins/function.math.php
+++ b/libs/plugins/function.math.php
@@ -44,8 +44,22 @@ function smarty_function_math($params, $template)
return;
}
+ // disallow backticks
+ if (strpos($equation, '`') !== false) {
+ trigger_error("math: backtick character not allowed in equation", E_USER_WARNING);
+
+ return;
+ }
+
+ // also disallow dollar signs
+ if (strpos($equation, '$') !== false) {
+ trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING);
+
+ return;
+ }
+
// match all vars in equation, make sure all are passed
- preg_match_all("!(?:0x[a-fA-F0-9]+)|([a-zA-Z][a-zA-Z0-9_]*)!", $equation, $match);
+ preg_match_all('!(?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)!', $equation, $match);
foreach ($match[ 1 ] as $curr_var) {
if ($curr_var && !isset($params[ $curr_var ]) && !isset($_allowed_funcs[ $curr_var ])) {