Hello.

I've prepared a build according to what you've said. Build available 
here[1]. Please take a look. Debdiff attached.


--abhijith

[1] - 
https://people.debian.org/~abhijith/upload/vda/smarty3_3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u4.dsc


diff -Nru smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/changelog 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/changelog
--- smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/changelog        
2021-04-15 15:18:24.000000000 +0530
+++ smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/changelog        
2021-09-04 23:49:02.000000000 +0530
@@ -1,3 +1,10 @@
+smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u4) UNRELEASED; 
urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Test build for regression test #989141.
+
+ -- Abhijith PA <abhij...@debian.org>  Sat, 04 Sep 2021 23:49:02 +0530
+
 smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u3) stretch-security; 
urgency=medium
 
   * Non-maintainer upload by the Debian LTS Team.
diff -Nru 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-2.patch
 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-2.patch
--- 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-2.patch
   2021-04-04 12:45:17.000000000 +0530
+++ 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-2.patch
   2021-09-04 23:47:25.000000000 +0530
@@ -2,8 +2,8 @@
 Origin: 
https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
 Last-Update: 2021-04-04
 
---- smarty3-3.1.31+20161214.1.c7d42e4+selfpack1.orig/libs/Smarty.class.php
-+++ smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/libs/Smarty.class.php
+--- a/libs/Smarty.class.php
++++ b/libs/Smarty.class.php
 @@ -978,7 +978,7 @@ class Smarty extends Smarty_Internal_Tem
                  $this->plugins_dir = (array) $this->plugins_dir;
              }
@@ -48,8 +48,8 @@
          // resolve '..DIRECTORY_SEPARATOR' pattern, smallest first
          if (strpos($path, '..' . $this->ds) != false &&
              preg_match_all('#[\\\\/]([.][.][\\\\/])+#u', $path, $match)
---- 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1.orig/libs/sysplugins/smarty_security.php
-+++ 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/libs/sysplugins/smarty_security.php
+--- a/libs/sysplugins/smarty_security.php
++++ b/libs/sysplugins/smarty_security.php
 @@ -258,8 +258,6 @@ class Smarty_Security
      public function __construct($smarty)
      {
@@ -71,7 +71,7 @@
              }
 -        }
 -        if ($isConfig !== false) {
-+        
++
              $_dir = $this->smarty->getConfigDir();
              if ($this->_config_dir !== $_dir) {
                  $this->_updateResourceDir($this->_config_dir, $_dir)
@@ -82,7 +82,7 @@
              $this->secure_dir = (array)$this->secure_dir;
              foreach($this->secure_dir as $k => $d) {
 -                $this->secure_dir[$k] = 
$this->smarty->_realpath($d.DIRECTORY_SEPARATOR,true);
-+                $this->secure_dir[$k] = $this->smarty->_realpath($d. 
$this->ds,true);
++                $this->secure_dir[$k] = $this->smarty->_realpath($d. 
DIRECTORY_SEPARATOR,true);
              }
              $this->_updateResourceDir($this->_secure_dir, $this->secure_dir);
              $this->_secure_dir = $this->secure_dir;
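Review bot: The DEP-3 header of CVE-2018-13982-2.patch still reads as an unmodified copy of the upstream commit, but this hunk swaps `$this->ds` for `DIRECTORY_SEPARATOR`, so the patch is now a backport. The same substitution appears in the `@@ -123,7 +123,7 @@` hunk and in the `@@ -85,7 +85,7 @@` hunk of CVE-2018-13982-3.patch. I would change the header to `Origin: backport, https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8` and `Last-Update: 2021-09-04`. A Description sentence should also state why the constant is used, presumably because `Smarty_Security` in this version has no `ds` property; confirm this against the stretch source. Without that record, a later security refresh could re-import the upstream lines unchanged and reintroduce the regression in the secure-directory checks.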
@@ -123,7 +123,7 @@
 -        }
 -        $filepath = $this->smarty->_realpath($filepath, true);
 -        $directory = dirname($filepath) . DIRECTORY_SEPARATOR;
-+        $directory = dirname($this->smarty->_realpath($filepath, true)) . 
$this->ds;
++        $directory = dirname($this->smarty->_realpath($filepath, true)) . 
DIRECTORY_SEPARATOR;
          $_directory = array();
          while (true) {
              // test if the directory is trusted
diff -Nru 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-3.patch
 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-3.patch
--- 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-3.patch
   2021-04-15 15:17:32.000000000 +0530
+++ 
smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-3.patch
   2021-09-04 23:48:41.000000000 +0530
@@ -75,7 +75,7 @@
 --- a/libs/sysplugins/smarty_security.php
 +++ b/libs/sysplugins/smarty_security.php
 @@ -527,7 +527,7 @@ class Smarty_Security
-         
+ 
              $_dir = $this->smarty->getConfigDir();
              if ($this->_config_dir !== $_dir) {
 -                $this->_updateResourceDir($this->_config_dir, $_dir)
@@ -85,7 +85,7 @@
          if ($this->_secure_dir !== $this->secure_dir) {
 @@ -639,7 +639,8 @@ class Smarty_Security
      {
-         $directory = dirname($this->smarty->_realpath($filepath, true)) . 
$this->ds;
+         $directory = dirname($this->smarty->_realpath($filepath, true)) . 
DIRECTORY_SEPARATOR;
          $_directory = array();
 -        while (true) {
 +        if (!preg_match('#[\\\\/][.][.][\\\\/]#',$directory)) {
@@ -103,8 +103,7 @@
              // remember the directory to add it to _resource_dir in case 
we're successful
              $_directory[ $directory ] = true;
             // bubble up one level
--            $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', '/', 
$directory);
-+            $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', $this->ds, 
$directory);
+             $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', '/', 
$directory);
 +            }
          }
 +        // give up
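Review bot: The bubble-up `preg_replace` in this hunk goes back to the literal `'/'` replacement, while `$directory` is built with `DIRECTORY_SEPARATOR` in the `@@ -85,7 +85,7 @@` hunk above it. On Debian the two are the same character, so the trusted-directory walk should behave as in the unpatched source, but the mix can be misread as an incomplete backport. A sentence in the Description of CVE-2018-13982-3.patch should say the line is deliberately left untouched, where the previous revision of the patch used `$this->ds`. Since the changelog calls this a regression test build, the run should also confirm that a path containing `/../` is still refused by the added `preg_match('#[\\\\/][.][.][\\\\/]#',$directory)` guard. The enclosing function starts and ends outside the hunk.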
