From f3c991962bafa69c63f3b8d38504845800e9be80 Mon Sep 17 00:00:00 2001
From: Simon Wisselink
Date: Mon, 12 Sep 2022 12:03:31 +0200
Subject: [PATCH 1/2] Fixed use of `rand()` without a parameter in math function
Fixes #794
---
 CHANGELOG.md | 1 +
 libs/plugins/function.math.php | 2 +-
 .../UnitTests/TemplateSource/ValueTests/Math/MathTest.php | 8 ++++++++
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 492defd4a..0f73fe82f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 - Fixed PHP8.1 deprecation errors in modifiers (upper, explode, number_format and replace) [#755](https://github.com/smarty-php/smarty/pull/755) and [#788](https://github.com/smarty-php/smarty/pull/788) 
+- Fixed use of `rand()` without a parameter in math function [#794](https://github.com/smarty-php/smarty/issues/794)
 ## [4.2.0] - 2022-08-01
diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php
index 8560e9441..c02c8b486 100644
--- a/libs/plugins/function.math.php
+++ b/libs/plugins/function.math.php
@@ -70,7 +70,7 @@ function smarty_function_math($params, $template)
 $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
 $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';
 $operators = '[,+\/*\^%-]'; // Allowed math operators 
- $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/'; 
+ $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)*\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/';
 if (!preg_match($regexp, $equation)) {
 trigger_error("math: illegal characters", E_USER_WARNING);
diff --git a/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php b/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
index 82255644e..3be6ad2e2 100644 
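Review bot: The `(?1)+` → `(?1)*` relaxation on the `$regexp` line is correctly confined to the `identifier\s*(...)` alternative, but it means the shape check now passes any zero-argument call — `rand()` and just as readily `phpinfo()` — so whatever name check sits elsewhere in this function (not visible in the hunk) is now the sole barrier between unlisted names and the evaluation step that the `math: illegal characters` warning appears to guard. That is acceptable only as long as the two stay in step, and a comment on the regex line would make the dependency explicit: `// (?1)* so zero-argument calls such as rand() pass the shape check; which names may actually be called is enforced separately, so keep that list tight`. Note that the bare `$functionsOrVars` alternative already accepts any identifier without a call, so this regex has never restricted names by itself. smarty_function_math begins and ends outside the hunk.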
--- a/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
+++ b/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
@@ -156,4 +156,12 @@ public function testBracketsIllegal()
 $this->assertEquals($expected, $this->smarty->fetch($tpl));
 } 
+ public function testRand() 
+ { 
+ $tpl = $this->smarty->createTemplate('eval:{$x = "0"}{math equation="x * rand()" x=$x}'); 
+ // this assertion may seem silly, but it serves to prove that using rand() without a parameter 
+ // will not trigger a security error (see https://github.com/smarty-php/smarty/issues/794) 
+ $this->assertEquals("0", $this->smarty->fetch($tpl)); 
+ } 
+
 } 
From 2272e4d819b3d4970df58a7c9a01e6d7fe815c6e Mon Sep 17 00:00:00 2001
From: Simon Wisselink
Date: Mon, 12 Sep 2022 12:09:41 +0200
Subject: [PATCH 2/2] Add change in regex for PRCE (PHP < 7.3)
---
 libs/plugins/function.math.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php
index c02c8b486..f9cf67fe7 100644
--- a/libs/plugins/function.math.php
+++ b/libs/plugins/function.math.php
@@ -70,7 +70,7 @@ function smarty_function_math($params, $template)
 $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
 $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';
 $operators = '[,+\/*\^%-]'; // Allowed math operators 
- $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)*\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/'; 
+ $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)*\)|\((?1)*\)))(?:'.$operators.'(?1))?)+$/';
 if (!preg_match($regexp, $equation)) {
 trigger_error("math: illegal characters", E_USER_WARNING);
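Review bot: testRand only pins the accepting side of the loosened regex; nothing asserts that a zero-argument call to a name that is not meant to be callable is still refused, which is precisely the property a `(?1)*` in a pre-evaluation filter could silently erode. Since `0 * rand()` is `0` for any value rand() returns, the assertion shows the template renders, not that the call happened, which the added comment already concedes. I would add a sibling test built the same way as testBracketsIllegal that feeds `{math equation="x * phpinfo()" x=$x}` and expects the same rejection that test relies on, so the accept and reject sides of the change are covered together. How testBracketsIllegal captures the warning is set up outside this hunk, so the new test should reuse that mechanism rather than invent one.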
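Review bot: The second relaxation on the `$regexp` line, `\((?1)+\)` → `\((?1)*\)`, is not confined to function calls: the parenthesised-group alternative now accepts a bare `()` as an operand anywhere, and because the outer repetition does not demand an operator between operands, inputs such as `1+()` or `(2)()` now pass the shape check and reach whatever evaluates the equation afterwards (outside the hunk), where on PHP 7+ they would presumably surface as a ParseError rather than the `math: illegal characters` warning this check emits. The commit title attributes the change to PCRE on PHP < 7.3; if the reason is that the older engine treats the `(?1)` recursion as atomic, so that `rand()` can only be matched as `rand` followed by an adjacent bare `()`, that deserves a comment next to the pattern, e.g. `// both quantifiers are *: on PCRE1 (PHP < 7.3) the (?1) recursion is atomic, so "rand()" matches as "rand" + "()" and the group alternative must accept an empty pair too`. Nothing here widens the set of identifiers the regex admits, so whatever name check sits elsewhere in smarty_function_math remains the real barrier; the function starts and ends outside the hunk.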