From 60068c2c7a6d58c7793287cfea0bd80b81e0e377 Mon Sep 17 00:00:00 2001 From: David Fernandez Gonzalez Date: Wed, 23 Mar 2022 16:00:18 +0100 Subject: [PATCH] Import Debian changes 3.1.39-2ubuntu1 smarty3 (3.1.39-2ubuntu1) jammy; urgency=medium * SECURITY UPDATE: execution of restricted php methods - debian/patches/CVE-2021-21408.patch: Prevent evasion of the static_classes security policy in lexer/smarty_internal_templateparser.y and libs/sysplugins/smarty_internal_templateparser.php. - CVE-2021-21408 * SECURITY UPDATE: code injection through math function - debian/patches/CVE-2021-29454-1.patch: verify if the input to the math function is a mathematical expression in libs/plugins/function.math.php. - debian/patches/CVE-2021-29454-2.patch: fix to support multiple operators in math equations in libs/plugins/function.math.php. - debian/patches/CVE-2021-29454-3.patch: fix to allow multiple parameters in mathematical functions in libs/plugins/function.math.php. - CVE-2021-29454 * Fix for compatibility with php 8.1. - debian/patches/php8-1compatibility.patch smarty3 (3.1.39-2) unstable; urgency=medium * debian/watch: + Fix Github watch URL. smarty3 (3.1.39-1) unstable; urgency=medium * New upstream release. * debian/copyright: + Update copyright attributions. smarty3 (3.1.38-1) unstable; urgency=medium * New upstream release. * debian/patches: + Drop 0001_bring-lexer-source-functionally-up-to-date.patch. Applied upstream. smarty3 (3.1.36-2) unstable; urgency=medium * debian/control: + Update versioned B-D on smarty-lexer to (>= 3.1.32+dfsg1-3~). * debian/patches: + Add 0001_bring-lexer-source-functionally-up-to-date.patch. Bring lexer source functionally up-to-date with (manually edited) compiled version. (Closes: #977604). * debian/watch: + Switch to format version 4. smarty3 (3.1.36-1) unstable; urgency=medium * New upstream release. * debian/rules: + Stop creating Git snapshots, use upstream orig tarballs (generated from Github tags) instead. + Upstream changelog has been renamed to CHANGELOG.md. * debian/copyright: + Update copyright attributions. + Drop global Comment: field. No tarball repacking anymore. * debian/control: + Bump Standards-Version: to 4.5.1. No changes needed. + Bump DH compat level to version 13. * debian/upstream/metadata: + Add file. Comply with DEP-12. smarty3 (3.1.34+20190228.1.c9f0de05+selfpack1-1) unstable; urgency=medium * New upstream release. * debian/control: + Bump Standards-Version: to 4.4.1. No changes needed. + Add Rules-Requires-Root: field and set it to "no". * debian/{control,compat}: + Switch to debhelper-compat notation. Bump DH comat level to version 12. smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1) unstable; urgency=medium * New upstream release. - CVE-2018-16831: Don't bypass trusted directories with "../". (Closes: #908698). * debian/control: + Bump Standards-Version: to 4.2.1. No changes needed. smarty3 (3.1.32+20180424.1.ac9d4b58+selfpack1-1) unstable; urgency=medium * New upstream release. * debian/*: White-space clean-up at EOL. * debian/patches: + Drop 0001_CVE-2017-1000480.patch. Applied upstream. * debian/rules: + Avoid using dpkg-parsechangelog. * debian/copyright: + Update copyright attributions. + Use secure URI to obtain copyright references. + Add global Comment: field. Explain about brokenness of upstream tarballs. * debian/control: + Update Vcs-*: fields. Packaging Git has been migrated to salsa.debian.org. + Bump Standards-Version: to 4.1.4. No changes needed. * debian/{control,compat}: + Bump DH version level to 11. smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-3) unstable; urgency=medium * debian/patches: + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes: #886460). smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2) unstable; urgency=medium * Re-upload to Debian unstable to enforce package rebuild (as we don't have binNMUs for arch:all packages). * debian/control: + Update versioned B-D on smarty-lexer (>= 3.1.30+dfsg1-1.1~). This is to assure correct lexer/parser generation which was broken by smarty-lexer 3.1.30+dfsg1-1. See Debian bug #847571 for further reference. smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-1) unstable; urgency=medium * New upstream release. * debian/rules: + Self-pack orig tarball from Git commit, due to broken upstream tarball generation on Github. For details see: https://github.com/smarty-php/smarty/issues/325 * debian/copyright: + Update copyright attributions. smarty3 (3.1.30-1) unstable; urgency=medium * Upload to unstable. * Update versioned B-D: + smarty-lexert (>= 3.1.30+dfsg1-1~). smarty3 (3.1.30-1~exp1) experimental; urgency=medium * New upstream release. Upload to experimental for testing with GOsa, FusionDirectory and other web portals that depend on Smarty3. * debian/copyright: + Update copyright attributions. smarty3 (3.1.29-2) unstable; urgency=medium * Re-upload unchanged to unstable. smarty3 (3.1.29-1) experimental; urgency=medium * New upstream release. (Closes: #825250). * debian/smarty3-lexer: + Remove shipped-with .plex and .y files for template and configfile parser/lexer. This version uses smarty-lexer src:package at build time instead. * debian/control: + Add B-D pkg-php-tools (for dh_phpcomposer) + Versioned B-D: debhelper (>= 9). + Use encrypted URLs for Vcs-*: field. + Bump Standards: to 3.9.8. No changes needed. * debian/{control,rules}: + Create internal lexer and parser PHP code at package build time (using B-D smarty-lexer). (Closes: #765730). This also solves issues in Debian package smarty3 3.1.21-1 caused by lexer/parser PHP files using the old trigger_error class API of Smarty.class.php. (Closes: #799282). * debian/smarty3.{install,docs}: + Use debhelper for installing bin:package files. * debian/compat: + Bump to DH version level 9. * debian/watch: + Upstream location has changed, now on Github. * debian/rules: + Use pure debhelper, with phpcomposer. + Make package build idempotent. * debian/copyright: + Update copyright attributions. smarty3 (3.1.21-1.1) unstable; urgency=medium * Non-maintainer upload in coordination with the maintainer. * Update depends and README.Debian for the php 7.0 transition. Thanks to Wolfgang Schweer for the patch! (Closes: #821660) smarty3 (3.1.21-1) unstable; urgency=medium * New upstream release. (Closes: #765920). * debian/smarty3-lexer: + Add 4 files from smarty3 SVN that are used to generate some PHP files in the upstream tarball. See README.lexer for details. (Closes: #636148). * debian/copyright: + Add copyright information for debian/smarty3-lexer/*. + Fix upstream license (LGPL-3 -> LGPL-3+) after reading the upstream- shipped COPYING.lib file more thoroughly. + Relicense debian/* under same license as upstream sources (LGPL-3+). * debian/control: + Bump Standards: to 3.9.6. No changes needed. smarty3 (3.1.19-1) unstable; urgency=medium * New upstream release. + Obtain upstream sources as zip files from upstream. Stop checking out SVN tags. This change drops three embedded PHP libraries and files with problematic PHP licenses. (Closes: #752614). * debian/control: + Alioth-canonicalize Vcs-Git field. + Bump Standards: to 3.9.5. No changes needed. * lintian: + Drop unused override: embedded-php-library. smarty3 (3.1.13-1) unstable; urgency=low * New upstream release. * /debian/control: + Use my DD address in Maintainer: field. + Bump Standards: to 3.9.4. No changes needed. * /debian/patches: + Drop patch: 001_escape-smarty-exception-messages.patch, included in new upstream release. smarty3 (3.1.10-2) unstable; urgency=low * Fix CVE-2012-4437: Add patch 001_escape-smarty-exception-messages.patch. Closes: #688153. smarty3 (3.1.10-1) unstable; urgency=low * New upstream release. Closes: #678095. smarty3 (3.1.8-2) unstable; urgency=low * Package smarty3 provides smarty (closes: #657536). * Make /debian/copyright machine parsable, explicitly names files that have dissenting licenses, license /debian folder under GPLv2+. smarty3 (3.1.8-1) experimental; urgency=low * New upstream release (rev. 4611). * New package maintainer (closes: #668200). * Add watch file (closes: #657385). * Add Vcs-* lines to control file. * Add README.source that explains how we obtain code from upstream SVN. Make sure all upstream source files are shipped with the Debian source package (closes: #636148). smarty3 (3.1.0-1) experimental; urgency=low * New upstream release (rev. 4284) * Used the code source from subversion (Closes: #636148) * debian/copyright: + added LexerGenerator copyright + added ParserGenerator copyright * Fixed security holes: + multiple unspecified vulnerabilities (CVE-2009-5052, CVE-2009-5053, CVE-2010-4722, CVE-2010-4724, CVE-2010-4726) + not consider the umask value when setting the permissions of files (CVE-2009-5054) + not prevent access to the dynamic and private object members of an assigned object (CVE-2010-4723) + not properly handle an on value of the asp_tags option in the php.ini file (CVE-2010-4725) + not properly handle the tags (CVE-2010-4727) smarty3 (3.0.8-1) unstable; urgency=low * New upstream release (Closes: #631619) * Bumped Standards-Version to 3.9.2 * Updated licence to LGPL-3 smarty3 (3.0~rc1-2) unstable; urgency=low * Bumped Standards-Version to 3.9.1 * Removed debian/watch smarty3 (3.0~rc1-1) unstable; urgency=low * Initial release (Closes: #580754) --- debian/README.Debian | 12 + debian/changelog | 332 +++++++++++++++++++++++ debian/control | 38 +++ debian/copyright | 48 ++++ debian/patches/CVE-2021-21408.patch | 39 +++ debian/patches/CVE-2021-29454-1.patch | 87 ++++++ debian/patches/CVE-2021-29454-2.patch | 22 ++ debian/patches/CVE-2021-29454-3.patch | 20 ++ debian/patches/README | 3 + debian/patches/php8-1compatibility.patch | 140 ++++++++++ debian/patches/series | 5 + debian/rules | 63 +++++ debian/smarty3.dirs | 2 + debian/smarty3.docs | 3 + debian/smarty3.install | 1 + debian/source/format | 1 + debian/upstream/metadata | 5 + debian/watch | 3 + 18 files changed, 824 insertions(+) create mode 100644 debian/README.Debian create mode 100644 debian/changelog create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/patches/CVE-2021-21408.patch create mode 100644 debian/patches/CVE-2021-29454-1.patch create mode 100644 debian/patches/CVE-2021-29454-2.patch create mode 100644 debian/patches/CVE-2021-29454-3.patch create mode 100644 debian/patches/README create mode 100644 debian/patches/php8-1compatibility.patch create mode 100644 debian/patches/series create mode 100755 debian/rules create mode 100644 debian/smarty3.dirs create mode 100644 debian/smarty3.docs create mode 100644 debian/smarty3.install create mode 100644 debian/source/format create mode 100644 debian/upstream/metadata create mode 100644 debian/watch diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..5d392cf --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,12 @@ +smarty3 for Debian +------------------ + +In order to use Smarty 3 from your php scripts, you'll have to add +/usr/share/php/smarty3 on the include_path of php, that is in the +file /etc/php/{apache,apache2}/php.ini or use +require("smarty3/Smarty.class.php"); + +On smarty update, please note you will have to clear out all smarty +generated files, by default in a templates_c directory. + + -- Thierry Randrianiriana , Sat, 8 May 2010 15:05:10 +0300 diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..91e16e1 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,332 @@ +smarty3 (3.1.39-2ubuntu1) jammy; urgency=medium + + * SECURITY UPDATE: execution of restricted php methods + - debian/patches/CVE-2021-21408.patch: Prevent evasion of the + static_classes security policy in + lexer/smarty_internal_templateparser.y and + libs/sysplugins/smarty_internal_templateparser.php. + - CVE-2021-21408 + * SECURITY UPDATE: code injection through math function + - debian/patches/CVE-2021-29454-1.patch: verify if the input to + the math function is a mathematical expression in + libs/plugins/function.math.php. + - debian/patches/CVE-2021-29454-2.patch: fix to support multiple + operators in math equations in + libs/plugins/function.math.php. + - debian/patches/CVE-2021-29454-3.patch: fix to allow multiple + parameters in mathematical functions in + libs/plugins/function.math.php. + - CVE-2021-29454 + * Fix for compatibility with php 8.1. + - debian/patches/php8-1compatibility.patch + + -- David Fernandez Gonzalez Wed, 23 Mar 2022 16:00:18 +0100 + +smarty3 (3.1.39-2) unstable; urgency=medium + + * debian/watch: + + Fix Github watch URL. + + -- Mike Gabriel Thu, 29 Apr 2021 14:40:03 +0200 + +smarty3 (3.1.39-1) unstable; urgency=medium + + * New upstream release. + * debian/copyright: + + Update copyright attributions. + + -- Mike Gabriel Tue, 23 Feb 2021 11:41:59 +0100 + +smarty3 (3.1.38-1) unstable; urgency=medium + + * New upstream release. + * debian/patches: + + Drop 0001_bring-lexer-source-functionally-up-to-date.patch. Applied + upstream. + + -- Mike Gabriel Mon, 18 Jan 2021 17:20:40 +0100 + +smarty3 (3.1.36-2) unstable; urgency=medium + + * debian/control: + + Update versioned B-D on smarty-lexer to (>= 3.1.32+dfsg1-3~). + * debian/patches: + + Add 0001_bring-lexer-source-functionally-up-to-date.patch. Bring + lexer source functionally up-to-date with (manually edited) compiled + version. (Closes: #977604). + * debian/watch: + + Switch to format version 4. + + -- Mike Gabriel Fri, 18 Dec 2020 14:53:44 +0000 + +smarty3 (3.1.36-1) unstable; urgency=medium + + * New upstream release. + * debian/rules: + + Stop creating Git snapshots, use upstream orig tarballs (generated from + Github tags) instead. + + Upstream changelog has been renamed to CHANGELOG.md. + * debian/copyright: + + Update copyright attributions. + + Drop global Comment: field. No tarball repacking anymore. + * debian/control: + + Bump Standards-Version: to 4.5.1. No changes needed. + + Bump DH compat level to version 13. + * debian/upstream/metadata: + + Add file. Comply with DEP-12. + + -- Mike Gabriel Mon, 07 Dec 2020 09:33:25 +0100 + +smarty3 (3.1.34+20190228.1.c9f0de05+selfpack1-1) unstable; urgency=medium + + * New upstream release. + * debian/control: + + Bump Standards-Version: to 4.4.1. No changes needed. + + Add Rules-Requires-Root: field and set it to "no". + * debian/{control,compat}: + + Switch to debhelper-compat notation. Bump DH comat level to version 12. + + -- Mike Gabriel Mon, 18 Nov 2019 10:49:54 +0100 + +smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1) unstable; urgency=medium + + * New upstream release. + - CVE-2018-16831: Don't bypass trusted directories with "../". (Closes: + #908698). + * debian/control: + + Bump Standards-Version: to 4.2.1. No changes needed. + + -- Mike Gabriel Mon, 17 Sep 2018 13:04:18 +0200 + +smarty3 (3.1.32+20180424.1.ac9d4b58+selfpack1-1) unstable; urgency=medium + + * New upstream release. + * debian/*: White-space clean-up at EOL. + * debian/patches: + + Drop 0001_CVE-2017-1000480.patch. Applied upstream. + * debian/rules: + + Avoid using dpkg-parsechangelog. + * debian/copyright: + + Update copyright attributions. + + Use secure URI to obtain copyright references. + + Add global Comment: field. Explain about brokenness of upstream tarballs. + * debian/control: + + Update Vcs-*: fields. Packaging Git has been migrated to + salsa.debian.org. + + Bump Standards-Version: to 4.1.4. No changes needed. + * debian/{control,compat}: + + Bump DH version level to 11. + + -- Mike Gabriel Sun, 27 May 2018 23:21:33 +0200 + +smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-3) unstable; urgency=medium + + * debian/patches: + + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes: + #886460). + + -- Mike Gabriel Sun, 14 Jan 2018 11:13:16 +0100 + +smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2) unstable; urgency=medium + + * Re-upload to Debian unstable to enforce package rebuild (as we don't + have binNMUs for arch:all packages). + + * debian/control: + + Update versioned B-D on smarty-lexer (>= 3.1.30+dfsg1-1.1~). + This is to assure correct lexer/parser generation which was broken by + smarty-lexer 3.1.30+dfsg1-1. See Debian bug #847571 for further + reference. + + -- Mike Gabriel Tue, 21 Mar 2017 10:13:01 +0100 + +smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-1) unstable; urgency=medium + + * New upstream release. + * debian/rules: + + Self-pack orig tarball from Git commit, due to broken upstream + tarball generation on Github. For details see: + https://github.com/smarty-php/smarty/issues/325 + * debian/copyright: + + Update copyright attributions. + + -- Mike Gabriel Tue, 24 Jan 2017 21:17:51 +0100 + +smarty3 (3.1.30-1) unstable; urgency=medium + + * Upload to unstable. + * Update versioned B-D: + + smarty-lexert (>= 3.1.30+dfsg1-1~). + + -- Mike Gabriel Fri, 25 Nov 2016 19:52:30 +0100 + +smarty3 (3.1.30-1~exp1) experimental; urgency=medium + + * New upstream release. Upload to experimental for testing with + GOsa, FusionDirectory and other web portals that depend on Smarty3. + * debian/copyright: + + Update copyright attributions. + + -- Mike Gabriel Thu, 20 Oct 2016 14:00:22 +0200 + +smarty3 (3.1.29-2) unstable; urgency=medium + + * Re-upload unchanged to unstable. + + -- Mike Gabriel Fri, 07 Oct 2016 14:03:44 +0200 + +smarty3 (3.1.29-1) experimental; urgency=medium + + * New upstream release. (Closes: #825250). + * debian/smarty3-lexer: + + Remove shipped-with .plex and .y files for template and configfile + parser/lexer. This version uses smarty-lexer src:package at build + time instead. + * debian/control: + + Add B-D pkg-php-tools (for dh_phpcomposer) + + Versioned B-D: debhelper (>= 9). + + Use encrypted URLs for Vcs-*: field. + + Bump Standards: to 3.9.8. No changes needed. + * debian/{control,rules}: + + Create internal lexer and parser PHP code at package build time (using + B-D smarty-lexer). (Closes: #765730). This also solves issues in Debian + package smarty3 3.1.21-1 caused by lexer/parser PHP files using the old + trigger_error class API of Smarty.class.php. (Closes: #799282). + * debian/smarty3.{install,docs}: + + Use debhelper for installing bin:package files. + * debian/compat: + + Bump to DH version level 9. + * debian/watch: + + Upstream location has changed, now on Github. + * debian/rules: + + Use pure debhelper, with phpcomposer. + + Make package build idempotent. + * debian/copyright: + + Update copyright attributions. + + -- Mike Gabriel Mon, 30 May 2016 14:03:16 +0200 + +smarty3 (3.1.21-1.1) unstable; urgency=medium + + * Non-maintainer upload in coordination with the maintainer. + * Update depends and README.Debian for the php 7.0 transition. Thanks to + Wolfgang Schweer for the patch! (Closes: #821660) + + -- Holger Levsen Mon, 23 May 2016 11:32:02 +0200 + +smarty3 (3.1.21-1) unstable; urgency=medium + + * New upstream release. (Closes: #765920). + * debian/smarty3-lexer: + + Add 4 files from smarty3 SVN that are used to generate some PHP + files in the upstream tarball. See README.lexer for details. + (Closes: #636148). + * debian/copyright: + + Add copyright information for debian/smarty3-lexer/*. + + Fix upstream license (LGPL-3 -> LGPL-3+) after reading the upstream- + shipped COPYING.lib file more thoroughly. + + Relicense debian/* under same license as upstream sources (LGPL-3+). + * debian/control: + + Bump Standards: to 3.9.6. No changes needed. + + -- Mike Gabriel Sun, 19 Oct 2014 23:45:18 +0200 + +smarty3 (3.1.19-1) unstable; urgency=medium + + * New upstream release. + + Obtain upstream sources as zip files from upstream. Stop checking out + SVN tags. This change drops three embedded PHP libraries and files with + problematic PHP licenses. (Closes: #752614). + * debian/control: + + Alioth-canonicalize Vcs-Git field. + + Bump Standards: to 3.9.5. No changes needed. + * lintian: + + Drop unused override: embedded-php-library. + + -- Mike Gabriel Mon, 04 Aug 2014 21:32:20 +0200 + +smarty3 (3.1.13-1) unstable; urgency=low + + * New upstream release. + * /debian/control: + + Use my DD address in Maintainer: field. + + Bump Standards: to 3.9.4. No changes needed. + * /debian/patches: + + Drop patch: 001_escape-smarty-exception-messages.patch, included in new + upstream release. + + -- Mike Gabriel Mon, 06 May 2013 10:19:14 +0200 + +smarty3 (3.1.10-2) unstable; urgency=low + + * Fix CVE-2012-4437: Add patch 001_escape-smarty-exception-messages.patch. + Closes: #688153. + + -- Mike Gabriel Sat, 22 Sep 2012 21:32:58 +0200 + +smarty3 (3.1.10-1) unstable; urgency=low + + * New upstream release. Closes: #678095. + + -- Mike Gabriel Tue, 19 Jun 2012 16:41:06 +0200 + +smarty3 (3.1.8-2) unstable; urgency=low + + * Package smarty3 provides smarty (closes: #657536). + * Make /debian/copyright machine parsable, explicitly names files that + have dissenting licenses, license /debian folder under GPLv2+. + + -- Mike Gabriel Thu, 17 May 2012 00:32:29 +0200 + +smarty3 (3.1.8-1) experimental; urgency=low + + * New upstream release (rev. 4611). + * New package maintainer (closes: #668200). + * Add watch file (closes: #657385). + * Add Vcs-* lines to control file. + * Add README.source that explains how we obtain code from + upstream SVN. Make sure all upstream source files are + shipped with the Debian source package (closes: #636148). + + -- Mike Gabriel Thu, 10 May 2012 10:44:55 +0200 + +smarty3 (3.1.0-1) experimental; urgency=low + + * New upstream release (rev. 4284) + * Used the code source from subversion (Closes: #636148) + * debian/copyright: + + added LexerGenerator copyright + + added ParserGenerator copyright + * Fixed security holes: + + multiple unspecified vulnerabilities (CVE-2009-5052, CVE-2009-5053, + CVE-2010-4722, CVE-2010-4724, CVE-2010-4726) + + not consider the umask value when setting the permissions of files + (CVE-2009-5054) + + not prevent access to the dynamic and private object members of an + assigned object (CVE-2010-4723) + + not properly handle an on value of the asp_tags option in the php.ini file + (CVE-2010-4725) + + not properly handle the tags (CVE-2010-4727) + + -- Thierry Randrianiriana Sat, 17 Sep 2011 21:22:11 +0300 + +smarty3 (3.0.8-1) unstable; urgency=low + + * New upstream release (Closes: #631619) + * Bumped Standards-Version to 3.9.2 + * Updated licence to LGPL-3 + + -- Thierry Randrianiriana Wed, 20 Jul 2011 11:29:24 +0300 + +smarty3 (3.0~rc1-2) unstable; urgency=low + + * Bumped Standards-Version to 3.9.1 + * Removed debian/watch + + -- Thierry Randrianiriana Tue, 21 Sep 2010 14:45:44 +0300 + +smarty3 (3.0~rc1-1) unstable; urgency=low + + * Initial release (Closes: #580754) + + -- Thierry Randrianiriana Sat, 08 May 2010 14:36:04 +0300 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..fef3259 --- /dev/null +++ b/debian/control @@ -0,0 +1,38 @@ +Source: smarty3 +Section: web +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Mike Gabriel +Uploaders: + Debian Edu Packaging Team , +Build-Depends: + debhelper-compat (= 13), + pkg-php-tools (>= 1.7~), + smarty-lexer (>= 3.1.32+dfsg1-3~), +Standards-Version: 4.5.1 +Rules-Requires-Root: no +Vcs-Git: https://salsa.debian.org/debian/smarty3.git +Vcs-Browser: https://salsa.debian.org/debian/smarty3 +Homepage: http://www.smarty.net/ + +Package: smarty3 +Architecture: all +Depends: + php | php-cgi | php-cli, + ${misc:Depends}, + ${phpcomposer:Debian-require}, +Provides: + ${phpcomposer:Debian-provide}, +Suggests: + ${phpcomposer:Debian-suggest}, +Conflicts: + ${phpcomposer:Debian-conflict}, +Description: ${phpcomposer:description} + Smarty is a template engine for PHP. More specifically, it + facilitates a manageable way to separate application logic and content + from its presentation. + . + Smarty 3.1 is a departure from 2.0 compatibility. Most notably, all + backward compatibility has been moved to a separate class file named + SmartyBC.class.php. If you require compatibility with 2.0, you will + need to use this class. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..e330400 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,48 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: Smarty +Upstream-Contact: + Monte Ohrt + Uwe Tews +Source: http://www.smarty.net + +Files: CHANGELOG.md + COMPOSER_RELEASE_NOTES.txt + demo/* + lexer/* + libs/* + INHERITANCE_RELEASE_NOTES.txt + NEW_FEATURES.txt + README + README.md + SMARTY_2_BC_NOTES.txt + SMARTY_3.0_BC_NOTES.txt + SMARTY_3.1_NOTES.txt + composer.json + expectException +Copyright: + 2001-2008, New Digital Group, Inc. +License: LGPL-3+ + +Files: debian/* +Copyright: + 2010-2011, Thierry Randrianiriana + 2012-2020, Mike Gabriel +License: LGPL-3+ + +License: LGPL-3+ + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Library General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + . + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + . + You should have received a copy of the GNU Library General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + . + On Debian systems, the complete text of the GNU Library General + Public License version 3 can be found in "/usr/share/common-licenses/LGPL-3". diff --git a/debian/patches/CVE-2021-21408.patch b/debian/patches/CVE-2021-21408.patch new file mode 100644 index 0000000..ae06dda --- /dev/null +++ b/debian/patches/CVE-2021-21408.patch @@ -0,0 +1,39 @@ +Backport of: 28519ca00fe6890ef2d464f8400a16188c4b6f36 Mon Sep 17 00:00:00 2001 +From: Simon Wisselink +Date: Mon, 10 Jan 2022 10:48:27 +0100 +Subject: [PATCH] Merge pull request from GHSA-4h9c-v5vg-5m6m + +--- + lexer/smarty_internal_templateparser.y | 3 ++ + .../smarty_internal_templateparser.php | 4 ++ + 2 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/lexer/smarty_internal_templateparser.y b/lexer/smarty_internal_templateparser.y +index c6890642f..8f8120216 100644 +--- a/lexer/smarty_internal_templateparser.y ++++ b/lexer/smarty_internal_templateparser.y +@@ -758,6 +758,9 @@ value(res) ::= doublequoted_with_quotes(s). { + + + value(res) ::= varindexed(vi) DOUBLECOLON static_class_access(r). { ++ if ($this->security && $this->security->static_classes !== array()) { ++ $this->compiler->trigger_template_error('dynamic static class not allowed by security setting'); ++ } + $prefixVar = $this->compiler->getNewPrefixVariable(); + if (vi['var'] === '\'smarty\'') { + $this->compiler->appendPrefixCode("compiler->compileTag('private_special_variable',array(),vi['smarty_internal_index']).';?>'); +diff --git a/libs/sysplugins/smarty_internal_templateparser.php b/libs/sysplugins/smarty_internal_templateparser.php +index aaeae63b7..7c8735cfd 100644 +--- a/libs/sysplugins/smarty_internal_templateparser.php ++++ b/libs/sysplugins/smarty_internal_templateparser.php +@@ -2837,6 +2837,10 @@ public function yy_r91() + // line 765 "../smarty/lexer/smarty_internal_templateparser.y" + public function yy_r95() + { ++ if ($this->security && $this->security->static_classes !== array()) { ++ $this->compiler->trigger_template_error('dynamic static class not allowed by security setting'); ++ } ++ + $prefixVar = $this->compiler->getNewPrefixVariable(); + if ($this->yystack[ $this->yyidx + -2 ]->minor[ 'var' ] === '\'smarty\'') { + $this->compiler->appendPrefixCode(" +Date: Mon, 10 Jan 2022 00:01:43 +0100 +Subject: [PATCH] Merge pull request from GHSA-29gp-2c3m-3j6m + +* Temporary fix. Waiting for CVE + +* Add CVE +--- +diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php +index 5d58284fc..442b04c78 100644 +--- a/libs/plugins/function.math.php ++++ b/libs/plugins/function.math.php +@@ -28,7 +28,12 @@ function smarty_function_math($params, $template) + 'int' => true, + 'abs' => true, + 'ceil' => true, ++ 'acos' => true, ++ 'acosh' => true, + 'cos' => true, ++ 'cosh' => true, ++ 'deg2rad' => true, ++ 'rad2deg' => true, + 'exp' => true, + 'floor' => true, + 'log' => true, +@@ -39,27 +44,51 @@ function smarty_function_math($params, $template) + 'pow' => true, + 'rand' => true, + 'round' => true, ++ 'asin' => true, ++ 'asinh' => true, + 'sin' => true, ++ 'sinh' => true, + 'sqrt' => true, + 'srand' => true, +- 'tan' => true ++ 'atan' => true, ++ 'atanh' => true, ++ 'tan' => true, ++ 'tanh' => true + ); ++ + // be sure equation parameter is present + if (empty($params[ 'equation' ])) { + trigger_error("math: missing equation parameter", E_USER_WARNING); + return; + } + $equation = $params[ 'equation' ]; ++ ++ // Remove whitespaces ++ $equation = preg_replace('/\s+/', '', $equation); ++ ++ // Adapted from https://www.php.net/manual/en/function.eval.php#107377 ++ $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number ++ $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))'; ++ $operators = '[+\/*\^%-]'; // Allowed math operators ++ $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?2))?)+$/'; ++ ++ if (!preg_match($regexp, $equation)) { ++ trigger_error("math: illegal characters", E_USER_WARNING); ++ return; ++ } ++ + // make sure parenthesis are balanced + if (substr_count($equation, '(') !== substr_count($equation, ')')) { + trigger_error("math: unbalanced parenthesis", E_USER_WARNING); + return; + } ++ + // disallow backticks + if (strpos($equation, '`') !== false) { + trigger_error("math: backtick character not allowed in equation", E_USER_WARNING); + return; + } ++ + // also disallow dollar signs + if (strpos($equation, '$') !== false) { + trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING); +@@ -96,6 +125,7 @@ function smarty_function_math($params, $template) + } + $smarty_math_result = null; + eval("\$smarty_math_result = " . $equation . ";"); ++ + if (empty($params[ 'format' ])) { + if (empty($params[ 'assign' ])) { + return $smarty_math_result; diff --git a/debian/patches/CVE-2021-29454-2.patch b/debian/patches/CVE-2021-29454-2.patch new file mode 100644 index 0000000..ed8b815 --- /dev/null +++ b/debian/patches/CVE-2021-29454-2.patch @@ -0,0 +1,22 @@ +Backport of: 059bea274cf50524c4c972954f0404b2e586ea3d Mon Sep 17 00:00:00 2001 +From: Claas Augner +Date: Tue, 18 Jan 2022 00:10:17 +0100 +Subject: [PATCH] Support multiple operators in math equations (#708) + +* fix(math): fix equation regexp + +Fixes #702. +--- +diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php +index 442b04c78..fd5b3d166 100644 +--- a/libs/plugins/function.math.php ++++ b/libs/plugins/function.math.php +@@ -70,7 +70,7 @@ function smarty_function_math($params, $template) + $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number + $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))'; + $operators = '[+\/*\^%-]'; // Allowed math operators +- $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?2))?)+$/'; ++ $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/'; + + if (!preg_match($regexp, $equation)) { + trigger_error("math: illegal characters", E_USER_WARNING); diff --git a/debian/patches/CVE-2021-29454-3.patch b/debian/patches/CVE-2021-29454-3.patch new file mode 100644 index 0000000..692a4b2 --- /dev/null +++ b/debian/patches/CVE-2021-29454-3.patch @@ -0,0 +1,20 @@ +Backport of: 02633ecaba4a019f583df718345d55aad424e2ac Mon Sep 17 00:00:00 2001 +From: Pavel Kochman +Date: Fri, 4 Feb 2022 21:03:25 +0100 +Subject: [PATCH] math equation return warning: math: illegal character for : + {math equation="max(x, y)" x=$x y=$y} + +--- +diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php +index fd5b3d166..8560e9441 100644 +--- a/libs/plugins/function.math.php ++++ b/libs/plugins/function.math.php +@@ -69,7 +69,7 @@ function smarty_function_math($params, $template) + // Adapted from https://www.php.net/manual/en/function.eval.php#107377 + $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number + $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))'; +- $operators = '[+\/*\^%-]'; // Allowed math operators ++ $operators = '[,+\/*\^%-]'; // Allowed math operators + $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/'; + + if (!preg_match($regexp, $equation)) { diff --git a/debian/patches/README b/debian/patches/README new file mode 100644 index 0000000..80c1584 --- /dev/null +++ b/debian/patches/README @@ -0,0 +1,3 @@ +0xxx: Grabbed from upstream development. +1xxx: Possibly relevant for upstream adoption. +2xxx: Only relevant for official Debian release. diff --git a/debian/patches/php8-1compatibility.patch b/debian/patches/php8-1compatibility.patch new file mode 100644 index 0000000..e3172e3 --- /dev/null +++ b/debian/patches/php8-1compatibility.patch @@ -0,0 +1,140 @@ +Description: Fix for compatibility with PHP 8.1 +Origin: backport, https://github.com/smarty-php/smarty/commit/da76d927ed77fb6b3cb8345b83776712d0778e55 +Last-Update: 2022-03-25 +--- +Index: smarty3-3.1.39/libs/plugins/function.html_select_date.php +=================================================================== +--- smarty3-3.1.39.orig/libs/plugins/function.html_select_date.php ++++ smarty3-3.1.39/libs/plugins/function.html_select_date.php +@@ -306,11 +306,36 @@ function smarty_function_html_select_dat + $_html_months .= '' . + $option_separator; + } ++ ++ $formatter = null; ++ $format_compare = '%m'; ++ if (class_exists('IntlDateFormatter')) { ++ $format_compare = 'm'; ++ $patterns = array('%b', '%h', '%B', '%m'); ++ $replacement = array('MMM', 'MMM', 'MMMM', 'MM'); ++ $month_format = str_replace($patterns, $replacement, $month_format); ++ $month_value_format = str_replace($patterns, $replacement, $month_value_format); ++ $formatter = new IntlDateFormatter( ++ setlocale(LC_TIME, '0'), ++ IntlDateFormatter::NONE, ++ IntlDateFormatter::NONE) ++ ; ++ } + for ($i = 1; $i <= 12; $i++) { ++ if (null !== $formatter) { ++ $formatter->setPattern($month_format); ++ $_text = $formatter->format($_month_timestamps[ $i ]); ++ $formatter->setPattern($month_value_format); ++ $_value = $formatter->format($_month_timestamps[ $i ]); ++ } else { ++ $_text = strftime($month_format, $_month_timestamps[ $i ]); ++ $_value = strftime($month_value_format, $_month_timestamps[ $i ]); ++ } ++ + $_val = sprintf('%02d', $i); + $_text = isset($month_names) ? smarty_function_escape_special_chars($month_names[ $i ]) : +- ($month_format === '%m' ? $_val : strftime($month_format, $_month_timestamps[ $i ])); +- $_value = $month_value_format === '%m' ? $_val : strftime($month_value_format, $_month_timestamps[ $i ]); ++ ($month_format === $format_compare ? $_val : $_text); ++ $_value = $month_value_format === $format_compare ? $_val : $_value; + $_html_months .= '' . $option_separator; + } +Index: smarty3-3.1.39/libs/sysplugins/smarty_internal_cacheresource_file.php +=================================================================== +--- smarty3-3.1.39.orig/libs/sysplugins/smarty_internal_cacheresource_file.php ++++ smarty3-3.1.39/libs/sysplugins/smarty_internal_cacheresource_file.php +@@ -196,12 +196,8 @@ class Smarty_Internal_CacheResource_File + */ + public function hasLock(Smarty $smarty, Smarty_Template_Cached $cached) + { +- if (version_compare(PHP_VERSION, '5.3.0', '>=')) { +- clearstatcache(true, $cached->lock_id); +- } else { +- clearstatcache(); +- } +- if (is_file($cached->lock_id)) { ++ clearstatcache(true, $cached->lock_id ?? ''); ++ if (null !== $cached->lock_id && is_file($cached->lock_id)) { + $t = filemtime($cached->lock_id); + return $t && (time() - $t < $smarty->locking_timeout); + } else { +Index: smarty3-3.1.39/libs/sysplugins/smarty_internal_compile_function.php +=================================================================== +--- smarty3-3.1.39.orig/libs/sysplugins/smarty_internal_compile_function.php ++++ smarty3-3.1.39/libs/sysplugins/smarty_internal_compile_function.php +@@ -157,7 +157,7 @@ class Smarty_Internal_Compile_Functioncl + $output = "template->compiled->nocache_hash}%%*/smarty->ext->_tplFunction->restoreTemplateVariables(\\\$_smarty_tpl, '{$_name}');?>\n"; + $output .= "/*/%%SmartyNocache:{$compiler->template->compiled->nocache_hash}%%*/\";\n?>"; +- $output .= "template->compiled->nocache_hash}', \$_smarty_tpl->compiled->nocache_hash, ob_get_clean());\n"; ++ $output .= "template->compiled->nocache_hash}', \$_smarty_tpl->compiled->nocache_hash ?? '', ob_get_clean());\n"; + $output .= "}\n}\n"; + $output .= "/*/ {$_funcName}_nocache */\n\n"; + $output .= "?>\n"; +Index: smarty3-3.1.39/libs/sysplugins/smarty_internal_config_file_compiler.php +=================================================================== +--- smarty3-3.1.39.orig/libs/sysplugins/smarty_internal_config_file_compiler.php ++++ smarty3-3.1.39/libs/sysplugins/smarty_internal_config_file_compiler.php +@@ -158,7 +158,7 @@ class Smarty_Internal_Config_File_Compil + } + // template header code + $template_header = +- "template->source->filepath}' */ ?>\n"; + $code = 'smarty->ext->configLoad->_loadConfigVars($_smarty_tpl, ' . +Index: smarty3-3.1.39/libs/sysplugins/smarty_internal_runtime_codeframe.php +=================================================================== +--- smarty3-3.1.39.orig/libs/sysplugins/smarty_internal_runtime_codeframe.php ++++ smarty3-3.1.39/libs/sysplugins/smarty_internal_runtime_codeframe.php +@@ -45,7 +45,7 @@ class Smarty_Internal_Runtime_CodeFrame + $properties[ 'cache_lifetime' ] = $_template->cache_lifetime; + } + $output = "source->filepath) . "' */\n\n"; + $output .= "/* @var Smarty_Internal_Template \$_smarty_tpl */\n"; + $dec = "\$_smarty_tpl->_decodeProperties(\$_smarty_tpl, " . var_export($properties, true) . ',' . +Index: smarty3-3.1.39/libs/sysplugins/smarty_internal_templatecompilerbase.php +=================================================================== +--- smarty3-3.1.39.orig/libs/sysplugins/smarty_internal_templatecompilerbase.php ++++ smarty3-3.1.39/libs/sysplugins/smarty_internal_templatecompilerbase.php +@@ -1151,7 +1151,7 @@ abstract class Smarty_Internal_TemplateC + flush(); + } + $e = new SmartyCompilerException($error_text); +- $e->line = $line; ++ $e->setLine($line); + $e->source = trim(preg_replace('![\t\r\n]+!', ' ', $match[ $line - 1 ])); + $e->desc = $args; + $e->template = $this->template->source->filepath; +Index: smarty3-3.1.39/libs/sysplugins/smartycompilerexception.php +=================================================================== +--- smarty3-3.1.39.orig/libs/sysplugins/smartycompilerexception.php ++++ smarty3-3.1.39/libs/sysplugins/smartycompilerexception.php +@@ -16,12 +16,12 @@ class SmartyCompilerException extends Sm + } + + /** +- * The line number of the template error +- * +- * @type int|null ++ * @param int $line + */ +- public $line = null; +- ++ public function setLine($line) ++ { ++ $this->line = $line; ++ } + /** + * The template source snippet relating to the error + * diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..894da71 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,5 @@ +CVE-2021-21408.patch +CVE-2021-29454-1.patch +CVE-2021-29454-2.patch +CVE-2021-29454-3.patch +php8-1compatibility.patch diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..9ccfc19 --- /dev/null +++ b/debian/rules @@ -0,0 +1,63 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +#export DH_VERBOSE=1 + +include /usr/share/dpkg/pkg-info.mk + +%: + dh $@ --with phpcomposer + +override_dh_auto_build: + if [ ! -e libs/sysplugins/smarty_internal_configfilelexer.php.orig ]; then \ + cp libs/sysplugins/smarty_internal_configfilelexer.php libs/sysplugins/smarty_internal_configfilelexer.php.orig; \ + fi + if [ ! -e libs/sysplugins/smarty_internal_configfileparser.php.orig ]; then \ + cp libs/sysplugins/smarty_internal_configfileparser.php libs/sysplugins/smarty_internal_configfileparser.php.orig; \ + fi + php /usr/share/php/smarty-lexer/Create_Config_Parser.php + + if [ ! -e libs/sysplugins/smarty_internal_templatelexer.php.orig ]; then \ + cp libs/sysplugins/smarty_internal_templatelexer.php libs/sysplugins/smarty_internal_templatelexer.php.orig; \ + fi + if [ ! -e libs/sysplugins/smarty_internal_templateparser.php.orig ]; then \ + cp libs/sysplugins/smarty_internal_templateparser.php libs/sysplugins/smarty_internal_templateparser.php.orig; \ + fi + php /usr/share/php/smarty-lexer/Create_Template_Parser.php + + dh_auto_build + +override_dh_auto_clean: + if [ -e libs/sysplugins/smarty_internal_configfilelexer.php.orig ]; then \ + mv libs/sysplugins/smarty_internal_configfilelexer.php.orig libs/sysplugins/smarty_internal_configfilelexer.php; \ + fi + if [ -e libs/sysplugins/smarty_internal_configfileparser.php.orig ]; then \ + mv libs/sysplugins/smarty_internal_configfileparser.php.orig libs/sysplugins/smarty_internal_configfileparser.php; \ + fi + + if [ -e libs/sysplugins/smarty_internal_templatelexer.php.orig ]; then \ + mv libs/sysplugins/smarty_internal_templatelexer.php.orig libs/sysplugins/smarty_internal_templatelexer.php; \ + fi + if [ -e libs/sysplugins/smarty_internal_templateparser.php.orig ]; then \ + mv libs/sysplugins/smarty_internal_templateparser.php.orig libs/sysplugins/smarty_internal_templateparser.php; \ + fi + + rm -f lexer/smarty_internal_configfilelexer.php + rm -f lexer/smarty_internal_configfileparser.out + rm -f lexer/smarty_internal_configfileparser.php + rm -f lexer/smarty_internal_templatelexer.php + rm -f lexer/smarty_internal_templateparser.out + rm -f lexer/smarty_internal_templateparser.php + +override_dh_install: + dh_install + rm -f debian/smarty3/usr/share/php/smarty3/sysplugins/*.php.bak + rm -f debian/smarty3/usr/share/php/smarty3/sysplugins/*.php.bak + rm -f debian/smarty3/usr/share/php/smarty3/sysplugins/*.php.orig + rm -f debian/smarty3/usr/share/php/smarty3/sysplugins/*.php.orig + +override_dh_installchangelogs: + dh_installchangelogs CHANGELOG.md + +get-orig-source: + uscan --noconf --force-download --rename --download-current-version --destdir=.. diff --git a/debian/smarty3.dirs b/debian/smarty3.dirs new file mode 100644 index 0000000..64a3c93 --- /dev/null +++ b/debian/smarty3.dirs @@ -0,0 +1,2 @@ +usr/share/php/smarty3 +usr/share/doc/smarty3 diff --git a/debian/smarty3.docs b/debian/smarty3.docs new file mode 100644 index 0000000..d7e1c7d --- /dev/null +++ b/debian/smarty3.docs @@ -0,0 +1,3 @@ +README +SMARTY* +demo/ diff --git a/debian/smarty3.install b/debian/smarty3.install new file mode 100644 index 0000000..eeee7b3 --- /dev/null +++ b/debian/smarty3.install @@ -0,0 +1 @@ +libs/* usr/share/php/smarty3/ diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..8449279 --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,5 @@ +Name: Smarty3 +Bug-Database: https://github.com/smarty-php/smarty/issues +Bug-Submit: https://github.com/smarty-php/smarty/issues/new +Repository: https://github.com/smarty-php/smarty.git +Repository-Browse: https://github.com/smarty-php/smarty diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..7bc846e --- /dev/null +++ b/debian/watch @@ -0,0 +1,3 @@ +version=4 +opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/smarty-$1.tar.gz/ \ +https://github.com/smarty-php/smarty/tags .*/archive/refs/tags/v?([\d\.]+).tar.gz