From f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8 Mon Sep 17 00:00:00 2001 From: Uwe Tews Date: Thu, 26 Apr 2018 13:02:51 +0200 Subject: [PATCH] - bugfix regarding Security Vulnerability did not solve the problem under Linux --- change_log.txt | 6 ++++- libs/Smarty.class.php | 21 +++++++----------- libs/sysplugins/smarty_security.php | 34 ++++++++++------------------- 3 files changed, 25 insertions(+), 36 deletions(-) diff --git a/change_log.txt b/change_log.txt index 5765a1718..ffd6368f3 100644 --- a/change_log.txt +++ b/change_log.txt @@ -1,4 +1,8 @@ -===== 3.1.32 ===== (24.04.2018) +===== 3.1.33-dev-1 ===== +26.04.2018 + - bugfix regarding Security Vulnerability did not solve the problem under Linux. + +===== 3.1.32 ===== (24.04.2018) 24.04.2018 - bugfix possible Security Vulnerability in Smarty_Security class. diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php index 597fbbf0c..8ae85206f 100644 --- a/libs/Smarty.class.php +++ b/libs/Smarty.class.php @@ -27,7 +27,7 @@ * @author Uwe Tews * @author Rodney Rehm * @package Smarty - * @version 3.1.32 + * @version 3.1.33-dev */ /** * set SMARTY_DIR to absolute path to Smarty library files. @@ -112,7 +112,7 @@ class Smarty extends Smarty_Internal_TemplateBase /** * smarty version */ - const SMARTY_VERSION = '3.1.32'; + const SMARTY_VERSION = '3.1.33-dev-1'; /** * define variable scopes */ @@ -835,7 +835,7 @@ public function getPluginsDir() $this->plugins_dir = (array)$this->plugins_dir; } foreach ($this->plugins_dir as $k => $v) { - $this->plugins_dir[ $k ] = $this->_realpath(rtrim($v, "/\\") . DIRECTORY_SEPARATOR, true); + $this->plugins_dir[ $k ] = $this->_realpath(rtrim($v, '/\\') . DIRECTORY_SEPARATOR, true); } $this->_cache[ 'plugin_files' ] = array(); $this->_pluginsDirNormalized = true; @@ -1043,20 +1043,15 @@ public function _getTemplateId($template_name, public function _realpath($path, $realpath = null) { static $nds = null; - static $sepDotsep = null; - static $sepDot = null; - static $sepSep =null; + static $sepDotSep = null; + static $sepSep =null; if (!isset($nds)) { $nds = array('/' => '\\', '\\' => '/'); - $sepDotsep = DIRECTORY_SEPARATOR . '.' . DIRECTORY_SEPARATOR; - $sepDot = DIRECTORY_SEPARATOR . '.'; + $sepDotSep = DIRECTORY_SEPARATOR . '.' . DIRECTORY_SEPARATOR; $sepSep = DIRECTORY_SEPARATOR . DIRECTORY_SEPARATOR; } // normalize DIRECTORY_SEPARATOR - $path = str_replace(array($nds[DIRECTORY_SEPARATOR], $sepDotsep), DIRECTORY_SEPARATOR, $path); - if (strpos($path,$sepDot) === false && (($realpath === false && $path[0] === '.') || $realpath === null) && $path[0] !== '\\') { - return $path; - } + $path = str_replace(array($nds[DIRECTORY_SEPARATOR], $sepDotSep), DIRECTORY_SEPARATOR, $path); preg_match('%^(?(?:[[:alpha:]]:[\\\\]|/|[\\\\]{2}[[:alpha:]]+|[[:print:]]{2,}:[/]{2}|[\\\\])?)(?(.*))$%u', $path, $parts); @@ -1069,7 +1064,7 @@ public function _realpath($path, $realpath = null) } } // remove noop 'DIRECTORY_SEPARATOR DIRECTORY_SEPARATOR' and 'DIRECTORY_SEPARATOR.DIRECTORY_SEPARATOR' patterns - $path = str_replace(array($sepDotsep,$sepSep), DIRECTORY_SEPARATOR, $path); + $path = str_replace(array($sepDotSep,$sepSep), DIRECTORY_SEPARATOR, $path); // resolve '..DIRECTORY_SEPARATOR' pattern, smallest first if (strpos($path, '..' . DIRECTORY_SEPARATOR) !== false && preg_match_all('#[\\\\/]([.][.][\\\\/])+#u', $path, $match) diff --git a/libs/sysplugins/smarty_security.php b/libs/sysplugins/smarty_security.php index 126f6fb46..9c7758f7e 100644 --- a/libs/sysplugins/smarty_security.php +++ b/libs/sysplugins/smarty_security.php @@ -258,8 +258,6 @@ class Smarty_Security public function __construct($smarty) { $this->smarty = $smarty; - $this->smarty->_cache[ 'template_dir_new' ] = true; - $this->smarty->_cache[ 'config_dir_new' ] = true; } /** @@ -521,24 +519,23 @@ public function isTrustedResourceDir($filepath, $isConfig = null) } $this->_include_path_status = $this->smarty->use_include_path; } - if ($isConfig !== true) { + $_dir = $this->smarty->getTemplateDir(); if ($this->_template_dir !== $_dir) { $this->_updateResourceDir($this->_template_dir, $_dir); $this->_template_dir = $_dir; } - } - if ($isConfig !== false) { + $_dir = $this->smarty->getConfigDir(); if ($this->_config_dir !== $_dir) { $this->_updateResourceDir($this->_config_dir, $_dir); $this->_config_dir = $_dir; } - } + if ($this->_secure_dir !== $this->secure_dir) { $this->secure_dir = (array)$this->secure_dir; foreach($this->secure_dir as $k => $d) { - $this->secure_dir[$k] = $this->smarty->_realpath($d.DIRECTORY_SEPARATOR,true); + $this->secure_dir[$k] = $this->smarty->_realpath($d. DIRECTORY_SEPARATOR,true); } $this->_updateResourceDir($this->_secure_dir, $this->secure_dir); $this->_secure_dir = $this->secure_dir; @@ -597,7 +594,7 @@ public function isTrustedPHPDir($filepath) $this->_trusted_dir = $this->trusted_dir; foreach ((array) $this->trusted_dir as $directory) { - $directory = $this->smarty->_realpath($directory . DIRECTORY_SEPARATOR, true); + $directory = $this->smarty->_realpath($directory . '/', true); $this->_php_resource_dir[ $directory ] = true; } } @@ -616,7 +613,7 @@ public function isTrustedPHPDir($filepath) */ private function _updateResourceDir($oldDir, $newDir) { foreach ($oldDir as $directory) { - $directory = $this->smarty->_realpath($directory, true); + // $directory = $this->smarty->_realpath($directory, true); $length = strlen($directory); foreach ($this->_resource_dir as $dir) { if (substr($dir, 0,$length) === $directory) { @@ -625,7 +622,7 @@ private function _updateResourceDir($oldDir, $newDir) { } } foreach ($newDir as $directory) { - $directory = $this->smarty->_realpath($directory, true); + // $directory = $this->smarty->_realpath($directory, true); $this->_resource_dir[ $directory ] = true; } } @@ -640,12 +637,7 @@ private function _updateResourceDir($oldDir, $newDir) { */ private function _checkDir($filepath, $dirs) { - $directory = dirname($filepath) . DIRECTORY_SEPARATOR; - if (isset($dirs[ $directory ])) { - return false; - } - $filepath = $this->smarty->_realpath($filepath, true); - $directory = dirname($filepath) . DIRECTORY_SEPARATOR; + $directory = dirname($this->smarty->_realpath($filepath, true)) . DIRECTORY_SEPARATOR; $_directory = array(); while (true) { // test if the directory is trusted @@ -653,17 +645,15 @@ private function _checkDir($filepath, $dirs) return $_directory; } // abort if we've reached root - if (!preg_match('#[\\\/][^\\\/]+[\\\/]$#', $directory)) { - break; + if (!preg_match('#[\\\\/][^\\\\/]+[\\\\/]$#', $directory)) { + // give up + throw new SmartyException(sprintf('Smarty Security: not trusted file path \'%s\' ',$filepath)); } // remember the directory to add it to _resource_dir in case we're successful $_directory[ $directory ] = true; // bubble up one level - $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', DIRECTORY_SEPARATOR, $directory); + $directory = preg_replace('#[\\\\/][^\\\\/]+[\\\\/]$#', '/', $directory); } - - // give up - throw new SmartyException("directory '{$filepath}' not allowed by security setting"); } /**