- bugfix regarding Security Vulnerability did not solve the problem u…

…nder Linux
smarty-php · Apr 26, 2018 · f9ca3c6 · f9ca3c6
1 parent ac9d4b5
commit f9ca3c6
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 36 deletions.
diff --git a/change_log.txt b/change_log.txt
@@ -1,4 +1,8 @@
-===== 3.1.32 ===== (24.04.2018)
+===== 3.1.33-dev-1 =====
+26.04.2018
+ - bugfix  regarding Security Vulnerability did not solve the problem under Linux.
+
+===== 3.1.32 ===== (24.04.2018)
 24.04.2018
  - bugfix  possible Security Vulnerability in Smarty_Security class.
 

diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php
@@ -27,7 +27,7 @@
  * @author    Uwe Tews   <uwe dot tews at gmail dot com>
  * @author    Rodney Rehm
  * @package   Smarty
- * @version   3.1.32
+ * @version   3.1.33-dev
  */
 /**
  * set SMARTY_DIR to absolute path to Smarty library files.
@@ -112,7 +112,7 @@ class Smarty extends Smarty_Internal_TemplateBase
     /**
      * smarty version
      */
-    const SMARTY_VERSION = '3.1.32';
+    const SMARTY_VERSION = '3.1.33-dev-1';
     /**
      * define variable scopes
      */
@@ -835,7 +835,7 @@ public function getPluginsDir()
                 $this->plugins_dir = (array)$this->plugins_dir;
             }
             foreach ($this->plugins_dir as $k => $v) {
-                $this->plugins_dir[ $k ] = $this->_realpath(rtrim($v, "/\\") . DIRECTORY_SEPARATOR, true);
+                $this->plugins_dir[ $k ] = $this->_realpath(rtrim($v, '/\\') . DIRECTORY_SEPARATOR, true);
             }
             $this->_cache[ 'plugin_files' ] = array();
             $this->_pluginsDirNormalized = true;
@@ -1043,20 +1043,15 @@ public function _getTemplateId($template_name,
     public function _realpath($path, $realpath = null)
     {
         static $nds = null;
-        static $sepDotsep = null;
-        static $sepDot = null;
-        static $sepSep =null;
+        static $sepDotSep = null;
+         static $sepSep =null;
         if (!isset($nds)) {
             $nds = array('/' => '\\', '\\' => '/');
-            $sepDotsep = DIRECTORY_SEPARATOR . '.' . DIRECTORY_SEPARATOR;
-            $sepDot = DIRECTORY_SEPARATOR . '.';
+            $sepDotSep = DIRECTORY_SEPARATOR . '.' . DIRECTORY_SEPARATOR;
             $sepSep = DIRECTORY_SEPARATOR . DIRECTORY_SEPARATOR;
         }
         // normalize DIRECTORY_SEPARATOR
-        $path = str_replace(array($nds[DIRECTORY_SEPARATOR], $sepDotsep), DIRECTORY_SEPARATOR, $path);
-        if (strpos($path,$sepDot) === false && (($realpath === false && $path[0] === '.') || $realpath === null) && $path[0] !== '\\') {
-            return $path;
-        }
+        $path = str_replace(array($nds[DIRECTORY_SEPARATOR], $sepDotSep), DIRECTORY_SEPARATOR, $path);
         preg_match('%^(?<root>(?:[[:alpha:]]:[\\\\]|/|[\\\\]{2}[[:alpha:]]+|[[:print:]]{2,}:[/]{2}|[\\\\])?)(?<path>(.*))$%u',
                    $path,
                    $parts);
@@ -1069,7 +1064,7 @@ public function _realpath($path, $realpath = null)
             }
         }
        // remove noop 'DIRECTORY_SEPARATOR DIRECTORY_SEPARATOR' and 'DIRECTORY_SEPARATOR.DIRECTORY_SEPARATOR' patterns
-        $path = str_replace(array($sepDotsep,$sepSep), DIRECTORY_SEPARATOR, $path);
+        $path = str_replace(array($sepDotSep,$sepSep), DIRECTORY_SEPARATOR, $path);
         // resolve '..DIRECTORY_SEPARATOR' pattern, smallest first
         if (strpos($path, '..' . DIRECTORY_SEPARATOR) !== false &&
             preg_match_all('#[\\\\/]([.][.][\\\\/])+#u', $path, $match)

diff --git a/libs/sysplugins/smarty_security.php b/libs/sysplugins/smarty_security.php
@@ -258,8 +258,6 @@ class Smarty_Security
     public function __construct($smarty)
     {
         $this->smarty = $smarty;
-        $this->smarty->_cache[ 'template_dir_new' ] = true;
-        $this->smarty->_cache[ 'config_dir_new' ] = true;
     }
 
     /**
@@ -521,24 +519,23 @@ public function isTrustedResourceDir($filepath, $isConfig = null)
             }
             $this->_include_path_status = $this->smarty->use_include_path;
         }
-        if ($isConfig !== true) {
+
             $_dir = $this->smarty->getTemplateDir();
             if ($this->_template_dir !== $_dir) {
                 $this->_updateResourceDir($this->_template_dir, $_dir);
                 $this->_template_dir = $_dir;
             }
-        }
-        if ($isConfig !== false) {
+
             $_dir = $this->smarty->getConfigDir();
             if ($this->_config_dir !== $_dir) {
                 $this->_updateResourceDir($this->_config_dir, $_dir);
                 $this->_config_dir = $_dir;
             }
-        }
+
         if ($this->_secure_dir !== $this->secure_dir) {
             $this->secure_dir = (array)$this->secure_dir;
             foreach($this->secure_dir as $k => $d) {
-                $this->secure_dir[$k] = $this->smarty->_realpath($d.DIRECTORY_SEPARATOR,true);
+                $this->secure_dir[$k] = $this->smarty->_realpath($d. DIRECTORY_SEPARATOR,true);
             }
             $this->_updateResourceDir($this->_secure_dir, $this->secure_dir);
             $this->_secure_dir = $this->secure_dir;
@@ -597,7 +594,7 @@ public function isTrustedPHPDir($filepath)
 
             $this->_trusted_dir = $this->trusted_dir;
             foreach ((array) $this->trusted_dir as $directory) {
-                $directory = $this->smarty->_realpath($directory . DIRECTORY_SEPARATOR, true);
+                $directory = $this->smarty->_realpath($directory . '/', true);
                 $this->_php_resource_dir[ $directory ] = true;
             }
         }
@@ -616,7 +613,7 @@ public function isTrustedPHPDir($filepath)
      */
     private function _updateResourceDir($oldDir, $newDir) {
         foreach ($oldDir as $directory) {
-            $directory = $this->smarty->_realpath($directory, true);
+ //           $directory = $this->smarty->_realpath($directory, true);
             $length = strlen($directory);
             foreach ($this->_resource_dir as $dir) {
                 if (substr($dir, 0,$length) === $directory) {
@@ -625,7 +622,7 @@ private function _updateResourceDir($oldDir, $newDir) {
             }
         }
         foreach ($newDir as $directory) {
-            $directory = $this->smarty->_realpath($directory, true);
+ //           $directory = $this->smarty->_realpath($directory, true);
             $this->_resource_dir[ $directory ] = true;
         }
     }
@@ -640,30 +637,23 @@ private function _updateResourceDir($oldDir, $newDir) {
      */
     private function _checkDir($filepath, $dirs)
     {
-        $directory = dirname($filepath) . DIRECTORY_SEPARATOR;
-        if (isset($dirs[ $directory ])) {
-            return false;
-        }
-        $filepath = $this->smarty->_realpath($filepath, true);
-        $directory = dirname($filepath) . DIRECTORY_SEPARATOR;
+        $directory = dirname($this->smarty->_realpath($filepath, true)) . DIRECTORY_SEPARATOR;
         $_directory = array();
         while (true) {
              // test if the directory is trusted
             if (isset($dirs[ $directory ])) {
                return $_directory;
             }
             // abort if we've reached root
-            if (!preg_match('#[\\\/][^\\\/]+[\\\/]$#', $directory)) {
-                break;
+            if (!preg_match('#[\\\\/][^\\\\/]+[\\\\/]$#', $directory)) {
+                // give up
+                throw new SmartyException(sprintf('Smarty Security: not trusted file path \'%s\' ',$filepath));
             }
             // remember the directory to add it to _resource_dir in case we're successful
             $_directory[ $directory ] = true;
            // bubble up one level
-            $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', DIRECTORY_SEPARATOR, $directory);
+            $directory = preg_replace('#[\\\\/][^\\\\/]+[\\\\/]$#', '/', $directory);
         }
-
-        // give up
-        throw new SmartyException("directory '{$filepath}' not allowed by security setting");
     }
 
     /**