From 55cd6251feb1af02ef3a1ff70bfad2da4f957f42 Mon Sep 17 00:00:00 2001 From: Brady Miller Date: Sat, 22 Jul 2017 23:48:18 -0700 Subject: [PATCH] upgraded smarty version --- composer.json | 2 +- composer.lock | 194 ++++++++++---------- vendor/composer/installed.json | 199 +++++++++++++++------ vendor/smarty/smarty/ChangeLog | 9 + vendor/smarty/smarty/libs/Smarty.class.php | 10 +- .../internals/core.assemble_plugin_filepath.php | 8 +- .../smarty/smarty/libs/plugins/function.math.php | 189 ++++++++++--------- 7 files changed, 368 insertions(+), 243 deletions(-) rewrite vendor/smarty/smarty/libs/plugins/function.math.php (67%) diff --git a/composer.json b/composer.json index 7fa201f06..5ff1a9da3 100644 --- a/composer.json +++ b/composer.json @@ -13,7 +13,7 @@ "mpdf/mpdf": "6.1.3", "adldap2/adldap2": "7.0.4", - "smarty/smarty": "2.6.29", + "smarty/smarty": "2.6.30", "adodb/adodb-php": "5.20.9", "phpmailer/phpmailer": "5.2.16", "rospdf/pdf-php": "0.12.22", diff --git a/composer.lock b/composer.lock index 7e4f103ef..770c4717d 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "8c28f15aec3a66835c60a6f17eb9a987", + "content-hash": "9d131b3202760ebf0b9320b4782f9816", "packages": [ { "name": "adldap2/adldap2", 
@@ -1180,6 +1180,97 @@ "time": "2015-05-06T18:49:49+00:00" }, { + "name": "phing/phing", + "version": "2.14.0", + "source": { + "type": "git", + "url": "https://github.com/phingofficial/phing.git", + "reference": "7dd73c83c377623def54b58121f46b4dcb35dd61" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/phingofficial/phing/zipball/7dd73c83c377623def54b58121f46b4dcb35dd61", + "reference": "7dd73c83c377623def54b58121f46b4dcb35dd61", + "shasum": "" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "ext-pdo_sqlite": "*", + "lastcraft/simpletest": "@dev", + "mikey179/vfsstream": "^1.6", + "pdepend/pdepend": "2.x", + "pear/archive_tar": "1.4.x", + "pear/http_request2": "dev-trunk", + "pear/net_growl": "dev-trunk", + "pear/pear-core-minimal": "1.10.1", + "pear/versioncontrol_git": "@dev", + "pear/versioncontrol_svn": "~0.5", + "phpdocumentor/phpdocumentor": "2.x", + "phploc/phploc": "~2.0.6", + "phpmd/phpmd": "~2.2", + "phpunit/phpunit": ">=3.7", + "sebastian/git": "~1.0", + "sebastian/phpcpd": "2.x", + "squizlabs/php_codesniffer": "~2.2", + "symfony/yaml": "~2.7" + }, + "suggest": { + "pdepend/pdepend": "PHP version of JDepend", + "pear/archive_tar": "Tar file management class", + "pear/versioncontrol_git": "A library that provides OO interface to handle Git repository", + "pear/versioncontrol_svn": "A simple OO-style interface for Subversion, the free/open-source version control system", + "phpdocumentor/phpdocumentor": "Documentation Generator for PHP", + "phploc/phploc": "A tool for quickly measuring the size of a PHP project", + "phpmd/phpmd": "PHP version of PMD tool", + "phpunit/php-code-coverage": "Library that provides collection, processing, and rendering functionality for PHP code coverage information", + "phpunit/phpunit": "The PHP Unit Testing Framework", + "sebastian/phpcpd": "Copy/Paste Detector (CPD) for PHP code", + "tedivm/jshrink": "Javascript Minifier built in PHP" + }, + "bin": [ + "bin/phing" + ], + "type": 
"library", + "extra": { + "branch-alias": { + "dev-master": "2.14.x-dev" + } + }, + "autoload": { + "classmap": [ + "classes/phing/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "include-path": [ + "classes" + ], + "license": [ + "LGPL-3.0" + ], + "authors": [ + { + "name": "Michiel Rook", + "email": "mrook@php.net" + }, + { + "name": "Phing Community", + "homepage": "https://www.phing.info/trac/wiki/Development/Contributors" + } + ], + "description": "PHing Is Not GNU make; it's a PHP project build system or build tool based on Apache Ant.", + "homepage": "https://www.phing.info/", + "keywords": [ + "build", + "phing", + "task", + "tool" + ], + "time": "2016-03-10T21:39:23+00:00" + }, + { "name": "phpmailer/phpmailer", "version": "v5.2.16", "source": { @@ -1544,16 +1635,16 @@ }, { "name": "smarty/smarty", - "version": "v2.6.29", + "version": "v2.6.30", "source": { "type": "git", "url": "https://github.com/smarty-php/smarty.git", - "reference": "47fa66cdcf0bde5c44923fb0e15dd0921f8d3a83" + "reference": "c5c9d6514ceaf15fe35345886668726829560f93" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/smarty-php/smarty/zipball/47fa66cdcf0bde5c44923fb0e15dd0921f8d3a83", - "reference": "47fa66cdcf0bde5c44923fb0e15dd0921f8d3a83", + "url": "https://api.github.com/repos/smarty-php/smarty/zipball/c5c9d6514ceaf15fe35345886668726829560f93", + "reference": "c5c9d6514ceaf15fe35345886668726829560f93", "shasum": "" }, "require": { @@ -1591,7 +1682,7 @@ "keywords": [ "templating" ], - "time": "2015-06-21T13:10:14+00:00" + "time": "2016-07-19T18:31:12+00:00" }, { "name": "symfony/config", 
@@ -2536,97 +2627,6 @@ "time": "2017-04-12T18:52:22+00:00" }, { - "name": "phing/phing", - "version": "2.14.0", - "source": { - "type": "git", - "url": "https://github.com/phingofficial/phing.git", - "reference": "7dd73c83c377623def54b58121f46b4dcb35dd61" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/phingofficial/phing/zipball/7dd73c83c377623def54b58121f46b4dcb35dd61", - "reference": "7dd73c83c377623def54b58121f46b4dcb35dd61", - "shasum": "" - }, - "require": { - "php": ">=5.2.0" - }, - "require-dev": { - "ext-pdo_sqlite": "*", - "lastcraft/simpletest": "@dev", - "mikey179/vfsstream": "^1.6", - "pdepend/pdepend": "2.x", - "pear/archive_tar": "1.4.x", - "pear/http_request2": "dev-trunk", - "pear/net_growl": "dev-trunk", - "pear/pear-core-minimal": "1.10.1", - "pear/versioncontrol_git": "@dev", - "pear/versioncontrol_svn": "~0.5", - "phpdocumentor/phpdocumentor": "2.x", - "phploc/phploc": "~2.0.6", - "phpmd/phpmd": "~2.2", - "phpunit/phpunit": ">=3.7", - "sebastian/git": "~1.0", - "sebastian/phpcpd": "2.x", - "squizlabs/php_codesniffer": "~2.2", - "symfony/yaml": "~2.7" - }, - "suggest": { - "pdepend/pdepend": "PHP version of JDepend", - "pear/archive_tar": "Tar file management class", - "pear/versioncontrol_git": "A library that provides OO interface to handle Git repository", - "pear/versioncontrol_svn": "A simple OO-style interface for Subversion, the free/open-source version control system", - "phpdocumentor/phpdocumentor": "Documentation Generator for PHP", - "phploc/phploc": "A tool for quickly measuring the size of a PHP project", - "phpmd/phpmd": "PHP version of PMD tool", - "phpunit/php-code-coverage": "Library that provides collection, processing, and rendering functionality for PHP code coverage information", - "phpunit/phpunit": "The PHP Unit Testing Framework", - "sebastian/phpcpd": "Copy/Paste Detector (CPD) for PHP code", - "tedivm/jshrink": "Javascript Minifier built in PHP" - }, - "bin": [ - "bin/phing" - ], - "type": 
"library", - "extra": { - "branch-alias": { - "dev-master": "2.14.x-dev" - } - }, - "autoload": { - "classmap": [ - "classes/phing/" - ] - }, - "notification-url": "https://packagist.org/downloads/", - "include-path": [ - "classes" - ], - "license": [ - "LGPL-3.0" - ], - "authors": [ - { - "name": "Michiel Rook", - "email": "mrook@php.net" - }, - { - "name": "Phing Community", - "homepage": "https://www.phing.info/trac/wiki/Development/Contributors" - } - ], - "description": "PHing Is Not GNU make; it's a PHP project build system or build tool based on Apache Ant.", - "homepage": "https://www.phing.info/", - "keywords": [ - "build", - "phing", - "task", - "tool" - ], - "time": "2016-03-10T21:39:23+00:00" - }, - { "name": "phpdocumentor/reflection-common", "version": "1.0", "source": { diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json index be760cb3e..ca2495b8e 100644 --- a/vendor/composer/installed.json +++ b/vendor/composer/installed.json 
@@ -1,58 +1,5 @@ [ { - "name": "smarty/smarty", - "version": "v2.6.29", - "version_normalized": "2.6.29.0", - "source": { - "type": "git", - "url": "https://github.com/smarty-php/smarty.git", - "reference": "47fa66cdcf0bde5c44923fb0e15dd0921f8d3a83" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/smarty-php/smarty/zipball/47fa66cdcf0bde5c44923fb0e15dd0921f8d3a83", - "reference": "47fa66cdcf0bde5c44923fb0e15dd0921f8d3a83", - "shasum": "" - }, - "require": { - "php": ">=5.2" - }, - "time": "2015-06-21T13:10:14+00:00", - "type": "library", - "extra": { - "branch-alias": { - "dev-master": "2.6.x-dev" - } - }, - "installation-source": "dist", - "autoload": { - "classmap": [ - "libs/Smarty.class.php", - "libs/Smarty_Compiler.class.php", - "libs/Config_File.class.php" - ] - }, - "notification-url": "https://packagist.org/downloads/", - "license": [ - "LGPL-3.0" - ], - "authors": [ - { - "name": "Monte Ohrt", - "email": "monte@ohrt.com" - }, - { - "name": "Uwe Tews", - "email": "uwe.tews@googlemail.com" - } - ], - "description": "Smarty - the compiling PHP template engine", - "homepage": "http://www.smarty.net", - "keywords": [ - "templating" - ] - }, - { "name": "phpmailer/phpmailer", "version": "v5.2.16", "version_normalized": "5.2.16.0", 
@@ -2569,5 +2516,151 @@ ], "description": "Symfony EventDispatcher Component", "homepage": "https://symfony.com" + }, + { + "name": "smarty/smarty", + "version": "v2.6.30", + "version_normalized": "2.6.30.0", + "source": { + "type": "git", + "url": "https://github.com/smarty-php/smarty.git", + "reference": "c5c9d6514ceaf15fe35345886668726829560f93" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/smarty-php/smarty/zipball/c5c9d6514ceaf15fe35345886668726829560f93", + "reference": "c5c9d6514ceaf15fe35345886668726829560f93", + "shasum": "" + }, + "require": { + "php": ">=5.2" + }, + "time": "2016-07-19T18:31:12+00:00", + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.6.x-dev" + } + }, + "installation-source": "dist", + "autoload": { + "classmap": [ + "libs/Smarty.class.php", + "libs/Smarty_Compiler.class.php", + "libs/Config_File.class.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL-3.0" + ], + "authors": [ + { + "name": "Monte Ohrt", + "email": "monte@ohrt.com" + }, + { + "name": "Uwe Tews", + "email": "uwe.tews@googlemail.com" + } + ], + "description": "Smarty - the compiling PHP template engine", + "homepage": "http://www.smarty.net", + "keywords": [ + "templating" + ] + }, + { + "name": "phing/phing", + "version": "2.14.0", + "version_normalized": "2.14.0.0", + "source": { + "type": "git", + "url": "https://github.com/phingofficial/phing.git", + "reference": "7dd73c83c377623def54b58121f46b4dcb35dd61" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/phingofficial/phing/zipball/7dd73c83c377623def54b58121f46b4dcb35dd61", + "reference": "7dd73c83c377623def54b58121f46b4dcb35dd61", + "shasum": "" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "ext-pdo_sqlite": "*", + "lastcraft/simpletest": "@dev", + "mikey179/vfsstream": "^1.6", + "pdepend/pdepend": "2.x", + "pear/archive_tar": "1.4.x", + "pear/http_request2": "dev-trunk", + 
"pear/net_growl": "dev-trunk", + "pear/pear-core-minimal": "1.10.1", + "pear/versioncontrol_git": "@dev", + "pear/versioncontrol_svn": "~0.5", + "phpdocumentor/phpdocumentor": "2.x", + "phploc/phploc": "~2.0.6", + "phpmd/phpmd": "~2.2", + "phpunit/phpunit": ">=3.7", + "sebastian/git": "~1.0", + "sebastian/phpcpd": "2.x", + "squizlabs/php_codesniffer": "~2.2", + "symfony/yaml": "~2.7" + }, + "suggest": { + "pdepend/pdepend": "PHP version of JDepend", + "pear/archive_tar": "Tar file management class", + "pear/versioncontrol_git": "A library that provides OO interface to handle Git repository", + "pear/versioncontrol_svn": "A simple OO-style interface for Subversion, the free/open-source version control system", + "phpdocumentor/phpdocumentor": "Documentation Generator for PHP", + "phploc/phploc": "A tool for quickly measuring the size of a PHP project", + "phpmd/phpmd": "PHP version of PMD tool", + "phpunit/php-code-coverage": "Library that provides collection, processing, and rendering functionality for PHP code coverage information", + "phpunit/phpunit": "The PHP Unit Testing Framework", + "sebastian/phpcpd": "Copy/Paste Detector (CPD) for PHP code", + "tedivm/jshrink": "Javascript Minifier built in PHP" + }, + "time": "2016-03-10T21:39:23+00:00", + "bin": [ + "bin/phing" + ], + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.14.x-dev" + } + }, + "installation-source": "dist", + "autoload": { + "classmap": [ + "classes/phing/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "include-path": [ + "classes" + ], + "license": [ + "LGPL-3.0" + ], + "authors": [ + { + "name": "Michiel Rook", + "email": "mrook@php.net" + }, + { + "name": "Phing Community", + "homepage": "https://www.phing.info/trac/wiki/Development/Contributors" + } + ], + "description": "PHing Is Not GNU make; it's a PHP project build system or build tool based on Apache Ant.", + "homepage": "https://www.phing.info/", + "keywords": [ + "build", + "phing", + 
"task", + "tool" + ] } ] diff --git a/vendor/smarty/smarty/ChangeLog b/vendor/smarty/smarty/ChangeLog index 79cbd46bb..a864d097f 100644 --- a/vendor/smarty/smarty/ChangeLog +++ b/vendor/smarty/smarty/ChangeLog @@ -1,3 +1,12 @@ +2016-07-19 Uwe Tews + * {math} shell injection vulnerability patch provided by Tim Weber + +2015-12-30 Uwe Tews + + * fixed plugin filepath cache must not be static, because of possible problem + when using multiple Smarty instances with diffrent plugins_dir settings + https://github.com/smarty-php/smarty/issues/146 + 2015-06-21 Uwe Tews * PHP7 raises E_DEPRECATED use __construct for compatibility diff --git a/vendor/smarty/smarty/libs/Smarty.class.php b/vendor/smarty/smarty/libs/Smarty.class.php index 1aae5e663..41d53706f 100644 --- a/vendor/smarty/smarty/libs/Smarty.class.php +++ b/vendor/smarty/smarty/libs/Smarty.class.php @@ -27,7 +27,7 @@ * @author Monte Ohrt * @author Andrei Zmievski * @package Smarty - * @version 2.6.29 + * @version 2.6.30 */ /* $Id$ */ @@ -465,7 +465,7 @@ class Smarty * * @var string */ - var $_version = '2.6.29'; + var $_version = '2.6.30'; /** * current template inclusion depth @@ -562,6 +562,12 @@ class Smarty */ var $_cache_including = false; + /** + * plugin filepath cache + * + * @var array + */ + var $_filepaths_cache = array(); /**#@-*/ /** * The class constructor. diff --git a/vendor/smarty/smarty/libs/internals/core.assemble_plugin_filepath.php b/vendor/smarty/smarty/libs/internals/core.assemble_plugin_filepath.php index 690d3ddbc..22c02483f 100644 --- a/vendor/smarty/smarty/libs/internals/core.assemble_plugin_filepath.php +++ b/vendor/smarty/smarty/libs/internals/core.assemble_plugin_filepath.php 
@@ -14,11 +14,9 @@ */ function smarty_core_assemble_plugin_filepath($params, &$smarty) { - static $_filepaths_cache = array(); - $_plugin_filename = $params['type'] . '.' . $params['name'] . '.php'; - if (isset($_filepaths_cache[$_plugin_filename])) { - return $_filepaths_cache[$_plugin_filename]; + if (isset($smarty->_filepaths_cache[$_plugin_filename])) { + return $smarty->_filepaths_cache[$_plugin_filename]; } $_return = false; @@ -58,7 +56,7 @@ function smarty_core_assemble_plugin_filepath($params, &$smarty) } } } - $_filepaths_cache[$_plugin_filename] = $_return; + $smarty->_filepaths_cache[$_plugin_filename] = $_return; return $_return; } diff --git a/vendor/smarty/smarty/libs/plugins/function.math.php b/vendor/smarty/smarty/libs/plugins/function.math.php dissimilarity index 67% index 6575e0600..655fe728d 100644 --- a/vendor/smarty/smarty/libs/plugins/function.math.php +++ b/vendor/smarty/smarty/libs/plugins/function.math.php @@ -1,85 +1,104 @@ - - * Name: math
- * Purpose: handle math computations in template
- * @link http://smarty.php.net/manual/en/language.function.math.php {math} - * (Smarty online manual) - * @author Monte Ohrt - * @param array - * @param Smarty - * @return string - */ -function smarty_function_math($params, &$smarty) -{ - // be sure equation parameter is present - if (empty($params['equation'])) { - $smarty->trigger_error("math: missing equation parameter"); - return; - } - - // strip out backticks, not necessary for math - $equation = str_replace('`','',$params['equation']); - - // make sure parenthesis are balanced - if (substr_count($equation,"(") != substr_count($equation,")")) { - $smarty->trigger_error("math: unbalanced parenthesis"); - return; - } - - // match all vars in equation, make sure all are passed - preg_match_all("!(?:0x[a-fA-F0-9]+)|([a-zA-Z][a-zA-Z0-9_]*)!",$equation, $match); - $allowed_funcs = array('int','abs','ceil','cos','exp','floor','log','log10', - 'max','min','pi','pow','rand','round','sin','sqrt','srand','tan'); - - foreach($match[1] as $curr_var) { - if ($curr_var && !in_array($curr_var, array_keys($params)) && !in_array($curr_var, $allowed_funcs)) { - $smarty->trigger_error("math: function call $curr_var not allowed"); - return; - } - } - - foreach($params as $key => $val) { - if ($key != "equation" && $key != "format" && $key != "assign") { - // make sure value is not empty - if (strlen($val)==0) { - $smarty->trigger_error("math: parameter $key is empty"); - return; - } - if (!is_numeric($val)) { - $smarty->trigger_error("math: parameter $key: is not numeric"); - return; - } - $equation = preg_replace("/\b$key\b/", " \$params['$key'] ", $equation); - } - } - - eval("\$smarty_math_result = ".$equation.";"); - - if (empty($params['format'])) { - if (empty($params['assign'])) { - return $smarty_math_result; - } else { - $smarty->assign($params['assign'],$smarty_math_result); - } - } else { - if (empty($params['assign'])){ - printf($params['format'],$smarty_math_result); - } else { - 
$smarty->assign($params['assign'],sprintf($params['format'],$smarty_math_result)); - } - } -} - -/* vim: set expandtab: */ - -?> \ No newline at end of file + + * Name: math
+ * Purpose: handle math computations in template + * + * @link http://www.smarty.net/manual/en/language.function.math.php {math} + * (Smarty online manual) + * @author Monte Ohrt + * + * @param array $params parameters + * @param Smarty_Internal_Template $template template object + * + * @return string|null + */ +function smarty_function_math($params, $template) +{ + static $_allowed_funcs = + array('int' => true, 'abs' => true, 'ceil' => true, 'cos' => true, 'exp' => true, 'floor' => true, + 'log' => true, 'log10' => true, 'max' => true, 'min' => true, 'pi' => true, 'pow' => true, 'rand' => true, + 'round' => true, 'sin' => true, 'sqrt' => true, 'srand' => true, 'tan' => true); + // be sure equation parameter is present + if (empty($params[ 'equation' ])) { + trigger_error("math: missing equation parameter", E_USER_WARNING); + + return; + } + + $equation = $params[ 'equation' ]; + + // make sure parenthesis are balanced + if (substr_count($equation, "(") != substr_count($equation, ")")) { + trigger_error("math: unbalanced parenthesis", E_USER_WARNING); + + return; + } + + // disallow backticks + if (strpos($equation, '`') !== false) { + trigger_error("math: backtick character not allowed in equation", E_USER_WARNING); + + return; + } + + // also disallow dollar signs + if (strpos($equation, '$') !== false) { + trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING); + + return; + } + + // match all vars in equation, make sure all are passed + preg_match_all('!(?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)!', $equation, $match); + + foreach ($match[ 1 ] as $curr_var) { + if ($curr_var && !isset($params[ $curr_var ]) && !isset($_allowed_funcs[ $curr_var ])) { + trigger_error("math: function call $curr_var not allowed", E_USER_WARNING); + + return; + } + } + + foreach ($params as $key => $val) { + if ($key != "equation" && $key != "format" && $key != "assign") { + // make sure value is not empty + if (strlen($val) == 0) { + 
trigger_error("math: parameter $key is empty", E_USER_WARNING); + + return; + } + if (!is_numeric($val)) { + trigger_error("math: parameter $key: is not numeric", E_USER_WARNING); + + return; + } + $equation = preg_replace("/\b$key\b/", " \$params['$key'] ", $equation); + } + } + $smarty_math_result = null; + eval("\$smarty_math_result = " . $equation . ";"); + + if (empty($params[ 'format' ])) { + if (empty($params[ 'assign' ])) { + return $smarty_math_result; + } else { + $template->assign($params[ 'assign' ], $smarty_math_result); + } + } else { + if (empty($params[ 'assign' ])) { + printf($params[ 'format' ], $smarty_math_result); + } else { + $template->assign($params[ 'assign' ], sprintf($params[ 'format' ], $smarty_math_result)); + } + } +} -- 2.11.4.GIT
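Review bot: In the rewritten `smarty_function_math`, the equation still reaches `eval()` behind a deny-list: only backticks and `$` are rejected and only alphabetic identifiers are checked against `$params` and `$_allowed_funcs`, so other characters such as quotes and backslashes pass through unchecked. A stricter gate placed before the identifier loop would accept only what arithmetic needs, for example `if (preg_match('![^0-9a-zA-Z_\x7f-\xff\s+\-*/%.,()]!', $equation)) { trigger_error("math: illegal character in equation", E_USER_WARNING); return; }`, with the operator set adjusted to what the project's templates actually use. The parameter name is also interpolated unquoted into the pattern in `preg_replace("/\b$key\b/", ...)`; `preg_quote($key, '/')` would keep a name containing regex metacharacters from changing the match. Since this file is vendored, the change belongs upstream; within this project the practical control is to keep the `equation` attribute under template-author control and never build it from request data.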