From 059bea274cf50524c4c972954f0404b2e586ea3d Mon Sep 17 00:00:00 2001
From: Claas Augner
Date: Tue, 18 Jan 2022 00:10:17 +0100
Subject: [PATCH] Support multiple operators in math equations (#708)

* fix(math): fix equation regexp

Fixes #702.
---
 CHANGELOG.md                                              | 3 +++
 libs/plugins/function.math.php                            | 2 +-
 .../UnitTests/TemplateSource/ValueTests/Math/MathTest.php | 8 ++++++++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1fd531e9e..9d7a77f14 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+- Fixed illegal characters bug in math function security check [#702](https://github.com/smarty-php/smarty/issues/702)
+
 ## [4.0.3] - 2022-01-10
 
 ### Security
diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php
index 442b04c78..fd5b3d166 100644
--- a/libs/plugins/function.math.php
+++ b/libs/plugins/function.math.php
@@ -70,7 +70,7 @@ function smarty_function_math($params, $template)
     $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
     $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';
     $operators = '[+\/*\^%-]'; // Allowed math operators
-    $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?2))?)+$/';
+    $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/';
 
     if (!preg_match($regexp, $equation)) {
         trigger_error("math: illegal characters", E_USER_WARNING);
diff --git a/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php b/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
index 299a6852b..645c0a404 100644
--- a/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
+++ b/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
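Review bot: The changed `$regexp` line keeps the `$` anchor without the `D` modifier, so PCRE still accepts an equation that ends in a single `\n` after an otherwise valid expression; since this pattern is the allowlist that decides whether `$equation` is rejected with "math: illegal characters" before it is presumably evaluated further down, the delimiter should read `$/D` (`... (?1))?)+$/D';`). Separately, now that the recursion goes through `(?1)`, which already covers a whole operator chain, the `+` quantifiers that follow group 1 at the top level and inside both parenthesised alternatives (`\((?1)+\)`) are redundant and let operator-less juxtapositions such as `2pi` or `(2pi)` pass the check only to fail later; `\((?1)\)` and `^(...)$` would be the tighter form, though that also needs the existing test suite to confirm no accepted input is lost. Note that on a backtracking-limit failure `preg_match` returns `false`, which the `!preg_match` test treats as a rejection, so the gate fails closed in that case. smarty_function_math's body, including what is done with `$equation` after this check, continues outside the hunk.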
@@ -44,6 +44,14 @@ public function testFunction()
         $this->assertEquals($expected, $this->smarty->fetch($tpl));
     }
 
+    public function testMultipleOperators()
+    {
+        $this->smarty->disableSecurity();
+        $expected = "2 -- 2";
+        $tpl = $this->smarty->createTemplate('eval:{$x = 5}{$y = 4}{math equation="x - y + 1" x=$x y=$y} -- {math equation="5 - 4 + 1"}');
+        $this->assertEquals($expected, $this->smarty->fetch($tpl));
+    }
+
     public function testSyntaxSin()
     {
         $this->smarty->disableSecurity();
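Review bot: testMultipleOperators only pins the accepting side of the changed allowlist; a companion case asserting that an equation containing a character outside the allowed set still produces the "math: illegal characters" warning would catch a future loosening of the pattern as well as the regression fixed here. The template in `$tpl` exercises the variable form and the literal form in one fetch, so a failure of either shows up as the same mismatch against `"2 -- 2"`; two separate assertions would make the failing form obvious. The enclosing test class continues outside the hunk.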