mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

smarty: patch CVE-2018-25047

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2018-25047

Pick the patch that resolved the issue referenced in the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Gyorgy Sarvari
2025-12-25 15:02:19 +01:00
parent f642e61588
commit a5ac9b82bd
2 changed files with 143 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch
+140
View File
@@ -0,0 +1,140 @@
From 5f26e728152007aa57e415a5e3dd77542739aa13 Mon Sep 17 00:00:00 2001
From: Simon Wisselink <s.wisselink@iwink.nl>
Date: Wed, 14 Sep 2022 11:38:18 +0200
Subject: [PATCH] Applied appropriate javascript and html escaping in mailto
plugin to counter injection attacks Fixes #454
CVE: CVE-2018-25047
Upstream-Status: Backport [https://github.com/smarty-php/smarty/commit/55ea25d1f50f0406fb1ccedd212c527977793fc9]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
libs/plugins/function.mailto.php | 28 ++++++++++++-------
.../PluginFunctionMailtoTest.php | 21 ++++++++++++--
2 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/libs/plugins/function.mailto.php b/libs/plugins/function.mailto.php
index 834d0535..671ac069 100644
--- a/libs/plugins/function.mailto.php
+++ b/libs/plugins/function.mailto.php
@@ -48,8 +48,13 @@
*/
function smarty_function_mailto($params)
{
- static $_allowed_encoding =
- array('javascript' => true, 'javascript_charcode' => true, 'hex' => true, 'none' => true);
+ static $_allowed_encoding = [
+ 'javascript' => true,
+ 'javascript_charcode' => true,
+ 'hex' => true,
+ 'none' => true
+ ];
+
$extra = '';
if (empty($params[ 'address' ])) {
trigger_error("mailto: missing 'address' parameter", E_USER_WARNING);
@@ -57,19 +62,19 @@ function smarty_function_mailto($params)
} else {
$address = $params[ 'address' ];
}
+
$text = $address;
+
// netscape and mozilla do not decode %40 (@) in BCC field (bug?)
// so, don't encode it.
- $search = array('%40', '%2C');
- $replace = array('@', ',');
- $mail_parms = array();
+ $mail_parms = [];
foreach ($params as $var => $value) {
switch ($var) {
case 'cc':
case 'bcc':
case 'followupto':
if (!empty($value)) {
- $mail_parms[] = $var . '=' . str_replace($search, $replace, rawurlencode($value));
+ $mail_parms[] = $var . '=' . str_replace(['%40', '%2C'], ['@', ','], rawurlencode($value));
}
break;
case 'subject':
@@ -83,6 +88,7 @@ function smarty_function_mailto($params)
default:
}
}
+
if ($mail_parms) {
$address .= '?' . join('&', $mail_parms);
}
@@ -94,19 +100,21 @@ function smarty_function_mailto($params)
);
return;
}
+
+ $string = '<a href="mailto:' . htmlspecialchars($address, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) .
+ '" ' . $extra . '>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) . '</a>';
+
if ($encode === 'javascript') {
- $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
$js_encode = '';
for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
$js_encode .= '%' . bin2hex($string[ $x ]);
}
return '<script type="text/javascript">document.write(unescape(\'' . $js_encode . '\'))</script>';
} elseif ($encode === 'javascript_charcode') {
- $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
$ord[] = ord($string[ $x ]);
}
- return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
+ return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
} elseif ($encode === 'hex') {
preg_match('!^(.*)(\?.*)$!', $address, $match);
if (!empty($match[ 2 ])) {
@@ -129,6 +137,6 @@ function smarty_function_mailto($params)
return '<a href="' . $mailto . $address_encode . '" ' . $extra . '>' . $text_encode . '</a>';
} else {
// no encoding
- return '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
+ return $string;
}
}
diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
index bc5152a2..52b18ecc 100644
--- a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
+++ b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
@@ -150,7 +150,7 @@ class PluginFunctionMailtoTest extends PHPUnit_Smarty
public function testUmlauts()
{
- $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
+ $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&amp;subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
$tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}');
$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
}
@@ -158,9 +158,26 @@ class PluginFunctionMailtoTest extends PHPUnit_Smarty
public function testUmlautsWithoutMbstring()
{
Smarty::$_MBSTRING = false;
- $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
+ $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&amp;subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
$tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}');
$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
Smarty::$_MBSTRING = true;
}
+
+ public function testJavascriptChars()
+ {
+ $result = '<script type="text/javascript">document.write(unescape(\'%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%22%20%3e%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%3c%2f%61%3e\'))</script>';
+ $this->smarty->assign('address', 'me@example.com">me@example.com\'); alert("injection"); //');
+ $tpl = $this->smarty->createTemplate('eval:{mailto address=$address encode=javascript}');
+ $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
+ }
+
+ public function testHtmlChars()
+ {
+ $result = '<a href="mailto:me@example.com&quot;&gt;&lt;h1&gt;" class="email">me@example.com&quot;&gt;&lt;h1&gt;</a>';
+ $this->smarty->assign('address', 'me@example.com"><h1>');
+ $tpl = $this->smarty->createTemplate('eval:{mailto address=$address extra=\'class="email"\'}');
+ $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
+ }
+
}
meta-oe/recipes-support/smarty/smarty_4.1.1.bb
+3 -1
View File
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2c0f216b2120ffc367e20f2b56df51b3"
DEPENDS += "php"
SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master"
SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master \
file://CVE-2018-25047.patch \
"
SRCREV = "71036be8be02bf93735c47b0b745f722efbc729f"