| author | Simon Wisselink <wisskid@users.noreply.github.com> | 2022-01-10 00:01:43 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-10 00:01:43 +0100 |
| commit | 215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71 (patch) | |
| tree | ad131a0c00890f6e65498ee6d21203dabfd85de8 /libs/plugins | |
| parent | efb416e5ef563f0ec3e0cbbc5a656288760800ab (diff) | |
| download | smarty-215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71.tar.gz smarty-215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71.tar.bz2 smarty-215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71.zip | |
Merge pull request from GHSA-29gp-2c3m-3j6m
* Temporary fix. Waiting for CVE
* Add CVE
Diffstat (limited to 'libs/plugins')
| -rw-r--r-- | libs/plugins/function.math.php | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php
index 5d58284f..442b04c7 100644
--- a/libs/plugins/function.math.php
+++ b/libs/plugins/function.math.php
@@ -28,7 +28,12 @@ function smarty_function_math($params, $template)
 'int' => true,
 'abs' => true,
 'ceil' => true,
+ 'acos' => true,
+ 'acosh' => true,
 'cos' => true,
+ 'cosh' => true,
+ 'deg2rad' => true,
+ 'rad2deg' => true,
 'exp' => true,
 'floor' => true,
 'log' => true,
@@ -39,27 +44,51 @@ function smarty_function_math($params, $template)
 'pow' => true,
 'rand' => true,
 'round' => true,
+ 'asin' => true,
+ 'asinh' => true,
 'sin' => true,
+ 'sinh' => true,
 'sqrt' => true,
 'srand' => true,
- 'tan' => true
+ 'atan' => true,
+ 'atanh' => true,
+ 'tan' => true,
+ 'tanh' => true
 );
+
 // be sure equation parameter is present
 if (empty($params[ 'equation' ])) {
 trigger_error("math: missing equation parameter", E_USER_WARNING);
 return;
 }
 $equation = $params[ 'equation' ];
+
+ // Remove whitespaces
+ $equation = preg_replace('/\s+/', '', $equation);
+
+ // Adapted from https://www.php.net/manual/en/function.eval.php#107377
+ $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
+ $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';
+ $operators = '[+\/*\^%-]'; // Allowed math operators
+ $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?2))?)+$/';
+
+ if (!preg_match($regexp, $equation)) {
+ trigger_error("math: illegal characters", E_USER_WARNING);
+ return;
+ }
+
 // make sure parenthesis are balanced
 if (substr_count($equation, '(') !== substr_count($equation, ')')) {
 trigger_error("math: unbalanced parenthesis", E_USER_WARNING);
 return;
 }
+
 // disallow backticks
 if (strpos($equation, '`') !== false) {
 trigger_error("math: backtick character not allowed in equation", E_USER_WARNING);
 return;
 }
+
 // also disallow dollar signs
 if (strpos($equation, '$') !== false) {
 trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING);
@@ -96,6 +125,7 @@ function smarty_function_math($params, $template)
 }
 $smarty_math_result = null;
 eval("\$smarty_math_result = " . $equation . ";");
+
 if (empty($params[ 'format' ])) {
 if (empty($params[ 'assign' ])) {
 return $smarty_math_result;
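Review bot: The new `$regexp` gate in the second hunk checks the equation's vocabulary, not its grammar, so strings it accepts can still be invalid PHP by the time they reach the `eval()` shown as context in the last hunk — `$number` alone admits a comma as a decimal separator, so a bare `1,5` passes every check and yields `$smarty_math_result = 1,5;`, which on PHP 7+ throws an uncaught `ParseError` instead of following the `trigger_error(...); return;` path the rest of the function uses for bad input. Wrapping the eval in a `try`/`catch (\ParseError $e)` that reports `math: invalid equation` keeps failures on one path; on PHP 5 such a catch is inert and the parse error stays fatal as before. The `\s*` inside `$regexp` is dead once `preg_replace('/\s+/', '', $equation)` has run, and since `$functionsOrVars` accepts any identifier, a comment such as `// syntax gate only: identifiers are presumably still checked against the allow-list further down` would tell the next reader not to treat this regex as the authorisation check (that later check, if present, is outside the visible hunks). `smarty_function_math` begins before the first hunk and continues past the last one.
```php
// … unchanged: equation validation above …
$smarty_math_result = null;
try {
    eval("\$smarty_math_result = " . $equation . ";");
} catch (\ParseError $e) {
    trigger_error("math: invalid equation", E_USER_WARNING);
    return;
}
```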
