smarty: patch CVE-2023-28447

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28447 Pick the patch that is referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-06-13 17:39:57 +00:00 · 2025-12-25 15:02:21 +01:00
parent 2acc0c3720
commit 6ba8215d31
2 changed files with 75 additions and 0 deletions
@@ -0,0 +1,74 @@
+From 456aad251e7dd399fef136f652a1684c05fefa5a Mon Sep 17 00:00:00 2001
+From: Simon Wisselink <s.wisselink@iwink.nl>
+Date: Fri, 24 Mar 2023 12:19:34 +0100
+Subject: [PATCH] Implement fix and tests
+
+CVE: CVE-2023-28447
+Upstream-Status: Backport [https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libs/plugins/modifier.escape.php              |  4 +++-
+ libs/plugins/modifiercompiler.escape.php      |  4 +++-
+ .../PluginModifierEscapeTest.php              | 21 +++++++++++++++++++
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/libs/plugins/modifier.escape.php b/libs/plugins/modifier.escape.php
+index 3ce48382..70d2db92 100644
+--- a/libs/plugins/modifier.escape.php
+++ b/libs/plugins/modifier.escape.php
+@@ -188,7 +188,9 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
+                     // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+                     '<!--' => '<\!--',
+                     '<s'   => '<\s',
+-                    '<S'   => '<\S'
+                    '<S'   => '<\S',
+	                "`" => "\\\\`",
+	                "\${" => "\\\\\\$\\{"
+                 )
+             );
+         case 'mail':
+diff --git a/libs/plugins/modifiercompiler.escape.php b/libs/plugins/modifiercompiler.escape.php
+index 1fc5e781..0e13c829 100644
+--- a/libs/plugins/modifiercompiler.escape.php
+++ b/libs/plugins/modifiercompiler.escape.php
+@@ -89,7 +89,9 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
+                 // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+                 return 'strtr((string)' .
+                        $params[ 0 ] .
+-                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
+                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", 
+                       "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S",
+                       "`" => "\\\\`", "\${" => "\\\\\\$\\{"))';
+         }
+     } catch (SmartyException $e) {
+         // pass through to regular plugin fallback
+diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+index 46a8297f..752e1bfe 100644
+--- a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+++ b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+@@ -207,4 +207,25 @@ class PluginModifierEscapeTest extends PHPUnit_Smarty
+         $this->assertEquals("sma'rty@&#187;example&#171;.com", $this->smarty->fetch($tpl));
+         Smarty::$_MBSTRING = true;
+     }
+
+	public function testTemplateLiteralBackticks()
+	{
+		$tpl = $this->smarty->createTemplate('string:{"`Hello, World!`"|escape:"javascript"}');
+		$this->assertEquals("\\`Hello, World!\\`", $this->smarty->fetch($tpl));
+	}
+
+	public function testTemplateLiteralInterpolation()
+	{
+		$tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
+		$this->smarty->assign('vector', "`Hello, \${name}!`");
+		$this->assertEquals("\\`Hello, \\\$\\{name}!\\`", $this->smarty->fetch($tpl));
+	}
+
+	public function testTemplateLiteralBackticksAndInterpolation()
+	{
+		$this->smarty->assign('vector', '`${alert(`Hello, ${name}!`)}${`\n`}`');
+		$tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
+		$this->assertEquals("\\`\\\$\\{alert(\\`Hello, \\\$\\{name}!\\`)}\\\$\\{\\`\\\\n\\`}\\`", $this->smarty->fetch($tpl));
+	}
+
+ }
@@ -9,6 +9,7 @@ DEPENDS += "php"

 SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master \
           file://CVE-2018-25047.patch \
+           file://CVE-2023-28447.patch \
           "

 SRCREV = "71036be8be02bf93735c47b0b745f722efbc729f"