Commit 8a1eb21b authored by Mike Gabriel's avatar Mike Gabriel

debian/patches: Add CVE-2018-16831.patch. CVE-2018-16831: Don't traverse non-trusted file paths.

parent 35c4b54e
--- a/libs/Smarty.class.php
+++ b/libs/Smarty.class.php
@@ -1210,11 +1210,12 @@
*/
public function _realpath($path, $realpath = null)
{
- $nds = $this->ds == '/' ? '\\' : '/';
- // normalize $this->ds
- $path = str_replace($nds, $this->ds, $path);
- preg_match('%^(?<root>(?:[[:alpha:]]:[\\\\]|/|[\\\\]{2}[[:alpha:]]+|[[:print:]]{2,}:[/]{2}|[\\\\])?)(?<path>(?:[[:print:]]*))$%',
- $path, $parts);
+ $nds = array('/' => '\\', '\\' => '/');
+ preg_match(
+ '%^(?<root>(?:[[:alpha:]]:[\\\\]|/|[\\\\]{2}[[:alpha:]]+|[[:print:]]{2,}:[/]{2}|[\\\\])?)(?<path>(?:[[:print:]]*))$%u',
+ $path,
+ $parts
+ );
$path = $parts[ 'path' ];
if ($parts[ 'root' ] == '\\') {
$parts[ 'root' ] = substr(getcwd(), 0, 2) . $parts[ 'root' ];
@@ -1223,25 +1224,18 @@
$path = getcwd() . $this->ds . $path;
}
}
- // remove noop 'DIRECTORY_SEPARATOR DIRECTORY_SEPARATOR' and 'DIRECTORY_SEPARATOR.DIRECTORY_SEPARATOR' patterns
- $path = preg_replace('#([\\\\/]([.]?[\\\\/])+)#', $this->ds, $path);
- // resolve '..DIRECTORY_SEPARATOR' pattern, smallest first
- if (strpos($path, '..' . $this->ds) != false &&
- preg_match_all('#(([.]?[\\\\/])*([.][.])[\\\\/]([.]?[\\\\/])*)+#', $path, $match)
- ) {
- $counts = array();
- foreach ($match[ 0 ] as $m) {
- $counts[] = (int) ((strlen($m) - 1) / 3);
- }
- sort($counts);
- foreach ($counts as $count) {
- $path = preg_replace('#(([\\\\/]([.]?[\\\\/])*[^\\\\/.]+){' . $count .
- '}[\\\\/]([.]?[\\\\/])*([.][.][\\\\/]([.]?[\\\\/])*){' . $count . '})(?=[^.])#',
- $this->ds, $path);
- }
- }
-
- return $parts[ 'root' ] . $path;
+ // normalize the directory separator
+ $path = str_replace(array($nds[$this->ds], $this->ds . '.' . $this->ds), $this->ds, $path);
+ $parts[ 'root' ] = str_replace($nds[ $this->ds ], $this->ds, $parts[ 'root' ]);
+ do {
+ $path = preg_replace(
+ array('#[\\\\/]{2}#', '#[\\\\/][.][\\\\/]#', '#[\\\\/]([^\\\\/.]+)[\\\\/][.][.][\\\\/]#'),
+ $this->ds,
+ $path,
+ -1,
+ $count);
+ } while($count > 0);
+ return $realpath !== false ? $parts[ 'root' ] . $path : str_ireplace(getcwd(), '.', $parts[ 'root' ] . $path);
}
/**
--- a/libs/sysplugins/smarty_security.php
+++ b/libs/sysplugins/smarty_security.php
@@ -641,7 +641,8 @@
{
$directory = dirname($filepath) . DIRECTORY_SEPARATOR;
$_directory = array();
- while (true) {
+ if (!preg_match('#[\\\\/][.][.][\\\\/]#',$directory)) {
+ while (true) {
// remember the directory to add it to _resource_dir in case we're successful
$_directory[ $directory ] = true;
// test if the directory is trusted
@@ -653,14 +654,16 @@
}
// abort if we've reached root
if (!preg_match('#[\\\/][^\\\/]+[\\\/]$#', $directory)) {
- break;
+ //give up
+ throw new SmartyException("directory '{$filepath}' not allowed by security setting");
}
// bubble up one level
$directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', DIRECTORY_SEPARATOR, $directory);
+ }
}
// give up
- throw new SmartyException("directory '{$filepath}' not allowed by security setting");
+ throw new SmartyException(sprintf('Smarty Security: not trusted file path \'%s\' ',$filepath));
}
/**
0001_CVE-2017-1000480.patch
CVE-2018-16831.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment