Name: Multiple issues in php-Smarty
ID: FEDORA-2019-e595e8a7d7
Distribution: Fedora
Platforms: Fedora 29
Date: Wed, 6 March 2019, 10:15
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13982
Applications: php-Smarty


Fedora Update Notification
2019-03-06 06:57:11.060955

Name : php-Smarty
Product : Fedora 29
Version : 3.1.33
Release : 1.fc29
URL : http://www.smarty.net
Summary : Smarty - the compiling PHP template engine
Description :
Smarty is a template engine for PHP, facilitating the separation of
presentation (HTML/CSS) from application logic. This implies that PHP
code is application logic, and is separated from the presentation.

Autoloader: /usr/share/php/Smarty/autoload.php

Update Information:

===== 3.1.33 release ===== 12.09.2018
===== 3.1.33-dev-12 =====
03.09.2018
  - bugfix {foreach} using new style property access like {$item@property} on
    Smarty 2 style named foreach loop could produce errors
    https://github.com/smarty-php/smarty/issues/484

31.08.2018
  - bugfix some custom left and right delimiters like '{^' '^}' did not work
    https://github.com/smarty-php/smarty/issues/450
    https://github.com/smarty-php/smarty/pull/482
  - reformatting for PSR-2 coding standards
    https://github.com/smarty-php/smarty/pull/483
  - bugfix on Windows absolute filepaths did fail if the drive letter was
    followed by a linux DIRECTORY_SEPARATOR like C:/ at Smarty > 3.1.33-dev-5
    https://github.com/smarty-php/smarty/issues/451
  - PSR-2 code style fixes for config and template file Lexer/Parser generated
    with the Smarty generator from https://github.com/smarty-php/smarty-lexer
    https://github.com/smarty-php/smarty/pull/483

26.08.2018
  - bugfix/enhancement {capture} allow variable as capture block name in Smarty
    special variable like $smarty.capture.$foo
    https://github.com/smarty-php/smarty/issues/478
    https://github.com/smarty-php/smarty/pull/481

===== 3.1.33-dev-6 =====
19.08.2018
  - fix PSR-2 coding standards and PHPDoc
    https://github.com/smarty-php/smarty/pull/452
    https://github.com/smarty-php/smarty/pull/475
    https://github.com/smarty-php/smarty/pull/473
  - bugfix PHP5.2 compatibility
    https://github.com/smarty-php/smarty/pull/472

===== 3.1.33-dev-4 =====
17.05.2018
  - bugfix strip-block produces different output in Smarty v3.1.32
    https://github.com/smarty-php/smarty/issues/436
  - bugfix Smarty::compileAllTemplates ignores `$extension` parameter
    https://github.com/smarty-php/smarty/issues/437
    https://github.com/smarty-php/smarty/pull/438
  - improvement do not compute total property in {foreach} not needed
    https://github.com/smarty-php/smarty/issues/443
  - bugfix plugins may not be loaded when setMergeCompiledIncludes is true
    https://github.com/smarty-php/smarty/issues/435

26.04.2018
  - bugfix regarding Security Vulnerability did not solve the problem under
    Linux. Security issue CVE-2018-16831

===== 3.1.32 ===== (24.04.2018)
24.04.2018
  - bugfix possible Security Vulnerability in Smarty_Security class.

26.03.2018
  - bugfix plugins may not be loaded if {function} or {block} tags are executed
    nocache mode https://github.com/smarty-php/smarty/issues/371

26.03.2018
  - new feature {parent} = {$smarty.block.parent} {child} = {$smarty.block.child}

23.03.2018
  - bugfix preg_replace could fail on large content resulting in a blank page
    https://github.com/smarty-php/smarty/issues/417

21.03.2018
  - bugfix {$smarty.section...} used outside {section}{/section} showed
    incorrect values if {section}{/section} was called inside another loop
    https://github.com/smarty-php/smarty/issues/422
  - bugfix short form of {section} attributes did not work
    https://github.com/smarty-php/smarty/issues/428

17.03.2018
  - improvement Smarty::compileAllTemplates() exit with a non-zero status code
    if max errors is reached https://github.com/smarty-php/smarty/pull/402

16.03.2018
  - bugfix extends resource did not work with user defined left/right delimiter
    https://github.com/smarty-php/smarty/issues/419

22.11.2017
  - bugfix {break} and {continue} could fail if {foreach}{/foreach} did contain
    other looping tags like {for}, {section} and {while}
    https://github.com/smarty-php/smarty/issues/323

20.11.2017
  - bugfix rework of newline spacing between tag code and template text. now
    again identical with Smarty2 (forum topic 26878)
  - replacement of " by '

05.11.2017
  - lexer/parser optimization
  - code cleanup and optimizations
  - bugfix {$smarty.section.name.loop} used together with
    {$smarty.section.name.total} could produce wrong results
    (forum topic 27041)

26.10.2017
  - bugfix Smarty version was not filled in header comment of compiled and
    cached files
  - optimization replace internal Smarty::$ds property by DIRECTORY_SEPARATOR
  - deprecate functions Smarty::muteExpectedErrors() and
    Smarty::unmuteExpectedErrors() as Smarty does no longer use error
    suppression like @filemtime(). for backward compatibility code is moved
    from Smarty class to an external class and still be called.
  - correction of PHPDoc blocks
  - minor code cleanup

21.10.2017
  - bugfix custom delimiters could fail since modification of version
    3.1.32-dev-23 https://github.com/smarty-php/smarty/issues/394

18.10.2017
  - bugfix fix implementation of unclosed block tag in double string of
    12.10.2017
    https://github.com/smarty-php/smarty/issues/396
    https://github.com/smarty-php/smarty/issues/397
    https://github.com/smarty-php/smarty/issues/391
    https://github.com/smarty-php/smarty/issues/392

12.10.2017
  - bugfix $smarty.block.child and $smarty.block.parent could not used like any
    $smarty special variable https://github.com/smarty-php/smarty/issues/393
  - unclosed block tag in double quoted string must throw compiler exception.
    https://github.com/smarty-php/smarty/issues/391
    https://github.com/smarty-php/smarty/issues/392

07.10.2017
  - bugfix modification of 9.8.2017 did fail on some recursive tag nesting.
    https://github.com/smarty-php/smarty/issues/389

26.8.2017
  - bugfix chained modifier failed when last modifier parameter is a signed
    value https://github.com/smarty-php/smarty/issues/327
  - bugfix templates filepath with multibyte characters did not work
    https://github.com/smarty-php/smarty/issues/385
  - bugfix {make_nocache} did display code if the did not contain other nocache
    code https://github.com/smarty-php/smarty/issues/369

09.8.2017
  - improvement repeated delimiter like {{ }} will be treated as literal
    https://groups.google.com/forum/#!topic/smarty-developers/h9r82Bx4KZw

05.8.2017
  - bugfix wordwrap modifier could fail if used in nocache code. converted
    plugin file shared.mb_wordwrap.php into modifier.mb_wordwrap.php
  - cleanup of _getSmartyObj()

31.7.2017
  - Call clearstatcache() after mkdir() failure
    https://github.com/smarty-php/smarty/pull/379

30.7.2017
  - rewrite mkdir() bugfix to retry automatically see
    https://github.com/smarty-php/smarty/pull/377
    https://github.com/smarty-php/smarty/pull/379

21.7.2017
  - security possible PHP code injection on custom resources at display() or
    fetch() calls if the resource does not sanitize the template name
  - bugfix fix 'mkdir(): File exists' error on create directory from parallel
    processes https://github.com/smarty-php/smarty/pull/377
  - bugfix solve preg_match() hhvm parameter problem
    https://github.com/smarty-php/smarty/pull/372

27.5.2017
  - bugfix change compiled code for registered function and modifiers to called
    as callable to allow closures
    https://github.com/smarty-php/smarty/pull/368,
    https://github.com/smarty-php/smarty/issues/273
  - bugfix https://github.com/smarty-php/smarty/pull/368 did break the default
    plugin handler
  - improvement replace phpversion() by PHP_VERSION constant.
    https://github.com/smarty-php/smarty/pull/363

21.5.2017
  - performance store flag for already required shared plugin functions in
    static variable or Smarty's $_cache to improve performance when plugins are
    often called 4528#commitcomment-22280086
  - bugfix remove special treatment of classes implementing ArrayAccess in
    {foreach} https://github.com/smarty-php/smarty/issues/332
  - bugfix remove deleted files by clear_cache() and clear_compiled_template()
    from ACP cache if present, add some is_file() checks to avoid possible
    warnings on filemtime() caused by above functions.
    https://github.com/smarty-php/smarty/issues/341
  - bugfix version 3.1.31 did fail under PHP 5.2
    https://github.com/smarty-php/smarty/issues/365

19.5.2017
  - change properties $accessMap and $obsoleteProperties from to protected
    https://github.com/smarty-php/smarty/issues/351
  - new feature The named capture buffers can now be accessed also as array See
    NEWS_FEATURES.txt https://github.com/smarty-php/smarty/issues/366
  - improvement check if ini_get() and ini_set() not disabled
    https://github.com/smarty-php/smarty/pull/362

24.4.2017
  - fix spelling b1b4#commitcomment-21803095

17.4.2017
  - correct generated code on empty() and isset() call, observe change PHP
    behaviour since PHP 5.5 https://github.com/smarty-php/smarty/issues/347

14.4.2017
  - merge pull requests https://github.com/smarty-php/smarty/pull/349,
    https://github.com/smarty-php/smarty/pull/322 and
    https://github.com/smarty-php/smarty/pull/337 to fix spelling and
    annotation

13.4.2017
  - bugfix array_merge() parameter should be checked
    https://github.com/smarty-php/smarty/issues/350

===== 3.1.31 ===== (14.12.2016)
23.11.2016
  - move template object cache into static variables

19.11.2016
  - bugfix inheritance root child templates containing nested {block}{/block}
    could call sub-block content from parent template
    https://github.com/smarty-php/smarty/issues/317
  - change version checking

11.11.2016
  - bugfix when Smarty is using a cached template object on Smarty::fetch() or
    Smarty::isCached() the inheritance data must be removed
    https://github.com/smarty-php/smarty/issues/312
  - smaller speed optimization

08.11.2016
  - add bootstrap file to load and register Smarty_Autoloader. Change
    composer.json to make it known to composer

07.11.2016
  - of lexer speed https://github.com/smarty-php/smarty/issues/311

27.10.2016
  - bugfix template function definitions array has not been cached between
    Smarty::fetch() and Smarty::display() calls
    https://github.com/smarty-php/smarty/issues/301

23.10.2016
  - improvement/bugfix when Smarty::fetch() is called on a template object the
    inheritance and tplFunctions property should be copied to the called
    template object

21.10.2016
  - bugfix for compile locking touched timestamp of old compiled file was not
    restored on compilation error
    https://github.com/smarty-php/smarty/issues/308

20.10.2016
  - bugfix nocache code was not removed in cache file when subtemplate did PHP
    short tags in text but no other nocache code
    https://github.com/smarty-php/smarty/issues/300

19.10.2016
  - bugfix {make_nocache $var} did fail variable value did contain '\'
    https://github.com/smarty-php/smarty/issues/305
  - bugfix {make_nocache $var} remove spaces from variable value
    https://github.com/smarty-php/smarty/issues/304

12.10.2016
  - bugfix {include} with template names including variable or constants could
    fail after bugfix from 28.09.2016
    https://github.com/smarty-php/smarty/issues/302

08.10.2016
  - optimization move runtime extension for template functions into Smarty
    objects

29.09.2016
  - improvement new Smarty::$extends_recursion property to disable execution of
    {extends} in templates called by extends resource
    https://github.com/smarty-php/smarty/issues/296

28.09.2016
  - bugfix the generated code for calling a subtemplate must pass the template
    resource name in single quotes
    https://github.com/smarty-php/smarty/issues/299
  - bugfix nocache hash was not removed for <?xml ?> tags in subtemplates
    https://github.com/smarty-php/smarty/issues/300

27.09.2016
  - bugfix when Smarty does use an internally cached template object on
    Smarty::fetch() calls the template and config variables must be cleared
    https://github.com/smarty-php/smarty/issues/297

20.09.2016
  - bugfix some $smarty special template variables are no longer accessed as
    real variable. using them on calls like {if isset($smarty.foo)} or
    {if empty($smarty.foo)} will fail
    http://www.smarty.net/forums/viewtopic.php?t=26222
  - temporary fix for https://github.com/smarty-php/smarty/issues/293 main
    reason still under investigation
  - improvement new tags {block_parent} {block_child} in template inheritance

19.09.2016
  - optimization clear compiled and cached folder completely on detected
    version change
  - cleanup convert cache resource file method clear into runtime extension

15.09.2016
  - bugfix assigning a variable in if condition by function like
    {if $value = array_shift($array)} the function got called twice
    https://github.com/smarty-php/smarty/issues/291
  - bugfix function plugins called with assign attribute like
    {foo assign='bar'} did not output returned content because assumption was
    made that it was assigned to a variable
    https://github.com/smarty-php/smarty/issues/292
  - bugfix calling $smarty->isCached() on a not existing cache file with
    $smarty->cache_locking = true; could cause a 10 second delay
    http://www.smarty.net/forums/viewtopic.php?t=26282
  - improvement make Smarty::clearCompiledTemplate() on custom resource
    independent from changes of templateId computation

11.09.2016
  - improvement {math} misleading E_USER_WARNING messages when parameter value
    = null https://github.com/smarty-php/smarty/issues/288
  - improvement move often used code snippets into
  - performance Smarty::configLoad() did load unneeded template source object

09.09.2016
  - bugfix/optimization {foreach} did not execute the {foreachelse} when
    iterating empty objects https://github.com/smarty-php/smarty/pull/287
  - bugfix {foreach} must keep the @properties when restoring a saved $item as
    the properties might be used outside {foreach}
    https://github.com/smarty-php/smarty/issues/267
  - improvement {foreach} observe {break n} and {continue n} nesting levels
    when restoring saved $item and $key variables

08.09.2016
  - bugfix implement wrapper for removed method getConfigVariable()
    https://github.com/smarty-php/smarty/issues/286

07.09.2016
  - bugfix using nocache like attribute with value true like
    {plugin nocache=true} did not work
    https://github.com/smarty-php/smarty/issues/285
  - bugfix uppercase TRUE, FALSE and NULL did not work when security was
    enabled https://github.com/smarty-php/smarty/issues/282
  - bugfix when {foreach} was looping over an object the total property like
    {$item@total} did always return 1
    https://github.com/smarty-php/smarty/issues/281
  - bugfix {capture}{/capture} did add in 3.1.30 unintended additional blank
    lines https://github.com/smarty-php/smarty/issues/268

01.09.2016
  - performance require_once should be called only once for shared plugins
    https://github.com/smarty-php/smarty/issues/280

26.08.2016
  - bugfix change of 23.08.2016 failed on linux when use_include_path = true

23.08.2016
  - bugfix remove constant DS as shortcut for DIRECTORY_SEPARATOR as the user
    may have defined it to else
    https://github.com/smarty-php/smarty/issues/277

20.08-2016
  - bugfix {config_load ... scope="global"} shall not throw an error but
    fallback scope="smarty" https://github.com/smarty-php/smarty/issues/274
  - bugfix {make_nocache} failed when using composer autoloader
    https://github.com/smarty-php/smarty/issues/275

14.08.2016
  - bugfix $smarty->debugging = true; E_NOTICE messages when {eval} tag was
    used https://github.com/smarty-php/smarty/issues/266
  - bugfix Class 'Smarty_Internal_Runtime_ValidateCompiled' not found when
    upgrading from some older Smarty versions with existing compiled or cached
    template https://github.com/smarty-php/smarty/issues/269
  - optimization remove unneeded call to update scopes when {assign} scope and
    template scope was local

===== 3.1.30 ===== (07.08.2016)
07.08.2016
  - bugfix update of 04.08.2016 was incomplete

05.08.2016
  - bugfix compiling of templates failed when the Smarty delimiter did contain
    '/' https://github.com/smarty-php/smarty/issues/264
  - updated error checking at template and config default handler

04.08.2016
  - improvement move template function source parameter into extension

26.07.2016
  - optimization unneeded loading of compiled resource

24.07.2016
  - regression this->addPluginsDir('/abs/path/to/dir') adding absolute without
    trailing '/' did fail https://github.com/smarty-php/smarty/issues/260

23.07.2016
  - bugfix setTemplateDir('/') and setTemplateDir('') did create wrong absolute
    filepath https://github.com/smarty-php/smarty/issues/245
  - optimization of filepath normalization
  - improvement remove double function declaration in plugin
    shared.escape_special_cars.php
    https://github.com/smarty-php/smarty/issues/229

19.07.2016
  - bugfix multiple {include} with relative filepath within {block}{/block}
    could fail https://github.com/smarty-php/smarty/issues/246
  - bugfix {math} shell injection vulnerability patch provided by Tim Weber

18.07.2016
  - bugfix {foreach} if key variable and item@key attribute have been used both
    the key variable was not updated
    https://github.com/smarty-php/smarty/issues/254
  - bugfix modifier on plugins like {plugin|modifier ... } did fail when the
    plugin does return an array
    https://github.com/smarty-php/smarty/issues/228
  - bugfix avoid opcache_invalidate to result in ErrorException when
    opcache.restrict_api is not empty
    https://github.com/smarty-php/smarty/pull/244
  - bugfix multiple {include} with relative filepath within {block}{/block}
    could fail https://github.com/smarty-php/smarty/issues/246

14.07.2016
  - bugfix wrong parameter on compileAllTemplates() and compileAllConfig()
    https://github.com/smarty-php/smarty/issues/231

13.07.2016
  - bugfix PHP 7 compatibility on registered compiler plugins
    https://github.com/smarty-php/smarty/issues/241
  - update testInstall() https://github.com/smarty-php/smarty/issues/248
  - bugfix enable debugging could fail when template objects did already exists
    https://github.com/smarty-php/smarty/issues/237
  - bugfix template function data should be merged when loading subtemplate
    https://github.com/smarty-php/smarty/issues/240
  - bugfix wrong parameter on compileAllTemplates()
    https://github.com/smarty-php/smarty/issues/231

12.07.2016
  - bugfix {foreach} item variable must be created also on empty from array
    https://github.com/smarty-php/smarty/issues/238 and
    https://github.com/smarty-php/smarty/issues/239
  - bugfix enableSecurity() must init cache flags
    https://github.com/smarty-php/smarty/issues/247

27.05.2016
  - bugfix/improvement of compileAlltemplates() follow symlinks in template
    folder (PHP >= 5.3.1) https://github.com/smarty-php/smarty/issues/224
    clear internal cache and expension handler for each template to avoid
    possible conflicts https://github.com/smarty-php/smarty/issues/231

16.05.2016
  - optimization {foreach} compiler and processing
  - broken PHP 5.3 and 5.4 compatibility

15.05.2016
  - optimization and cleanup of resource code

10.05.2016
  - optimization of inheritance processing

07.05.2016
  - bugfix Only variables should be assigned by reference
    https://github.com/smarty-php/smarty/issues/227

02.05.2016
  - enhancement {block} tag names can now variable
    https://github.com/smarty-php/smarty/issues/221

01.05.2016
  - bugfix same relative filepath at {include} called from template in
    different folders could display wrong sub-template

29.04.2016
  - bugfix {strip} space on linebreak between html tags
    https://github.com/smarty-php/smarty/issues/213

24.04.2016
  - bugfix nested {include} with relative file path could fail when called in
    {block} ... {/block} https://github.com/smarty-php/smarty/issues/218

14.04.2016
  - bugfix special variable {$smarty.capture.name} was not case sensitive on
    name https://github.com/smarty-php/smarty/issues/210
  - bugfix the default template handler must calculate the source uid
    https://github.com/smarty-php/smarty/issues/205

13.04.2016
  - bugfix template inheritance status must be saved when calling sub-templates
    https://github.com/smarty-php/smarty/issues/215

27.03.2016
  - bugfix change of 11.03.2016 cause again {capture} data could not been seen
    in other templates with {$smarty.capture.name}
    https://github.com/smarty-php/smarty/issues/153

11.03.2016
  - optimization of capture and security handling
  - improvement $smarty->clearCompiledTemplate() should return on recompiled or
    uncompiled resources

10.03.2016
  - optimization of resource processing

09.03.2016
  - improvement rework of 'scope' attribute handling see
    https://github.com/smarty-php/smarty/issues/194
    https://github.com/smarty-php/smarty/issues/186
    https://github.com/smarty-php/smarty/issues/179
  - bugfix correct Autoloader update of 2.3.2014
    https://github.com/smarty-php/smarty/issues/199

04.03.2016
  - bugfix change from 01.03.2016 will $smarty->isCached(..) failure if called
    multiple time for same template (forum topic 25935)

02.03.2016
  - revert autoloader optimizations because unexplainable warning when using
    plugins https://github.com/smarty-php/smarty/issues/199

01.03.2016
  - bugfix template objects must be cached on $smarty->fetch('foo.tpl) calls
    incase the template is fetched times (forum topic 25909)

25.02.2016
  - bugfix wrong _realpath with 4 or more parent-directories
    https://github.com/smarty-php/smarty/issues/190
  - optimization of _realpath
  - bugfix instanceof expression in template code be treated as value
    https://github.com/smarty-php/smarty/issues/191

20.02.2016
  - bugfix {strip} must keep space between html tags. Broken by changes of
    10.2.2016 https://github.com/smarty-php/smarty/issues/184
  - new feature/bugfix {foreach}{section} add 'properties' attribute to force
    compilation of properties see NEW_FEATURES.txt
    https://github.com/smarty-php/smarty/issues/189

19.02.2016
  - revert output buffer flushing on display, echo content again because
    possible problems when PHP files had characters (newline} after ?> at file
    end https://github.com/smarty-php/smarty/issues/187

14.02.2016
  - new tag {make_nocache} read NEW_FEATURES.txt
    https://github.com/smarty-php/smarty/issues/110
  - optimization of sub-template processing
  - bugfix using extendsall as default resource and {include} inside {block}
    tags could produce unexpected results
    https://github.com/smarty-php/smarty/issues/183
  - optimization of tag attribute compiling
  - optimization make compiler tag object cache static for higher compilation
    speed

11.02.2016
  - improvement added KnockoutJS to trimwhitespace outputfilter
    https://github.com/smarty-php/smarty/issues/82
    https://github.com/smarty-php/smarty/pull/181

10.02.2016
  - bugfix {strip} must keep space on output creating smarty tags within html
    tags https://github.com/smarty-php/smarty/issues/177
  - bugfix wrong precedence on special if conditions like '$foo is ... by $bar'
    could cause wrong code https://github.com/smarty-php/smarty/issues/178
  - improvement because of ambiguities the inline constant support has been
    removed from the $foo.bar syntax
    https://github.com/smarty-php/smarty/issues/149
  - bugfix other {strip} error with output tags between html
    https://github.com/smarty-php/smarty/issues/180

09.02.2016
  - move some code from parser into
  - reformat all code for unique style
  - update/bugfix scope attribute handling reworked. Read the newfeatures.txt
    file

05.02.2016
  - improvement internal compiler changes

01.02.2016
  - bugfix {foreach} compilation failed when
    $smarty->merge_compiled_includes = true and pre-filters are used.
  - bugfix implement replacement code for _tag_stack property
    https://github.com/smarty-php/smarty/issues/151

28.01.2016
  - bugfix allow windows network filepath or wrapper (forum topic 25876)
    https://github.com/smarty-php/smarty/issues/170
  - bugfix if fetch('foo.tpl') is called on a template object the $parent
    parameter should default to the calling template object
    https://github.com/smarty-php/smarty/issues/152

27.01.2016
  - revert bugfix compiling {section} did create warning
  - bugfix {$smarty.section.customer.loop} did throw compiler error
    https://github.com/smarty-php/smarty/issues/161 update of yesterdays fix
  - bugfix string resource could inject code at {block} or inline subtemplates
    through PHP comments https://github.com/smarty-php/smarty/issues/157
  - bugfix output filters did not observe nocache code flag
    https://github.com/smarty-php/smarty/issues/154
    https://github.com/smarty-php/smarty/issues/160
  - bugfix {extends} with relative file path did not work
    https://github.com/smarty-php/smarty/issues/154
    https://github.com/smarty-php/smarty/issues/158
  - bugfix {capture} data could not been seen in other templates with
    {$smarty.capture.name} https://github.com/smarty-php/smarty/issues/153

26.01.2016
  - improvement observe Smarty::$_CHARSET debugging console
    https://github.com/smarty-php/smarty/issues/169
  - bugfix compiling {section} did create warning
  - bugfix {$smarty.section.customer.loop} did throw compiler error
    https://github.com/smarty-php/smarty/issues/161

02.01.2016
  - update scope handling
  - optimize block plugin compiler
  - improvement runtime checks if registered block plugins are callable

01.01.2016
  - remove Smarty::$resource_cache_mode property

31.12.2015
  - optimization of {assign}, {if} and {while} compiled code

30.12.2015
  - bugfix plugin names starting with "php" did not compile
    https://github.com/smarty-php/smarty/issues/147

29.12.2015
  - bugfix Smarty::error_reporting was not observed when display() or fetch()
    was called on template objects
    https://github.com/smarty-php/smarty/issues/145

28.12.2015
  - optimization of {foreach} code size and processing

27.12.2015
  - improve inheritance
  - update external methods
  - code fixes
  - PHPdoc updates

25.12.2015
  - compile {block} tag code and its processing into classes
  - optimization replace hhvm extension by inline code
  - new feature If ACP is enabled force apc_compile_file() when compiled or
    cached template was updated

24.12.2015
  - new feature Compiler does now observe the template_dir setting and will
    separate compiled files if required
  - bugfix post filter did fail on template inheritance
    https://github.com/smarty-php/smarty/issues/144

23.12.2015
  - optimization move internal method decodeProperties back into template
    object
  - optimization move subtemplate processing back into template object
  - new feature Caching does now observe the template_dir setting and will
    create separate cache files if required

22.12.2015
  - change $xxx_dir properties from private to protected in case Smarty class
    gets extended
  - code optimizations

21.12.2015
  - bugfix a filepath starting with '/' or '\' on windows should normalize to
    the root dir of current working drive
    https://github.com/smarty-php/smarty/issues/134
  - optimization of filepath normalization
  - bugfix {strip} must remove all blanks between html tags
    https://github.com/smarty-php/smarty/issues/136

===== 3.1.29 ===== (21.12.2015)
21.12.2015
  - optimization improve speed of filetime checks on extends and extendsall
    resource

20.12.2015
  - bugfix failure when the default resource type was set to 'extendsall'
    https://github.com/smarty-php/smarty/issues/123
  - update compilation of Smarty special variables
  - bugfix add addition check for OS type on normalization of file path
    https://github.com/smarty-php/smarty/issues/134
  - bugfix the source uid of the extendsall resource must contain
    $template_dir settings https://github.com/smarty-php/smarty/issues/123

19.12.2015
  - bugfix using $smarty.capture.foo in expressions could fail
    https://github.com/smarty-php/smarty/pull/138
  - bugfix broken PHP 5.2 compatibility
    https://github.com/smarty-php/smarty/issues/139
  - remove no longer used code
  - improvement make sure that compiled and cache templates never can contain a
    trailing '?>'

18.12.2015
  - bugfix regression when modifier parameter was followed by math
    https://github.com/smarty-php/smarty/issues/132

17.12.2015
  - bugfix {$smarty.capture.nameFail} did lowercase capture name
    https://github.com/smarty-php/smarty/issues/135
  - bugfix using {block append/prepend} on same block in multiple levels of
    inheritance templates could fail (forum topic 25827)
  - bugfix text content consisting of just a single like in {if true}0{/if} was
    suppressed (forum topic 25834)

16.12.2015
  - bugfix {foreach} did fail if from attribute is a Generator class
    https://github.com/smarty-php/smarty/issues/128
  - bugfix direct access $smarty->template_dir = 'foo'; should call
    Smarty::setTemplateDir() https://github.com/smarty-php/smarty/issues/121

15.12.2015
  - bugfix {$smarty.cookies.foo} did return the $_COOKIE array not the 'foo'
    value https://github.com/smarty-php/smarty/issues/122
  - bugfix a call to clearAllCache() and other should clear all internal
    template object caches (forum topic 25828)

14.12.2015
  - bugfix {$smarty.config.foo} broken in 3.1.28
    https://github.com/smarty-php/smarty/issues/120
  - bugfix multiple calls of {section} with same name dropped E_NOTICE error
    https://github.com/smarty-php/smarty/issues/118

===== 3.1.28 ===== (13.12.2015)
13.12.2015
  - bugfix {foreach} and {section} with uppercase characters in name attribute
    did not work (forum topic 25819)
  - bugfix $smarty->debugging_ctrl = 'URL' did not work (forum topic 25811)
  - Debug Console could display incorrect data when using subtemplates

09.12.2015
  - bugfix Smarty did fail under PHP 7.0.0 with use_include_path = true;

09.12.2015
  - bugfix {strip} should exclude some html tags from stripping, related to fix
    for https://github.com/smarty-php/smarty/issues/111

08.12.2015
  - bugfix internal template function data got stored in wrong compiled file
    https://github.com/smarty-php/smarty/issues/114

05.12.2015
  - bugfix {strip} should insert a single space
    https://github.com/smarty-php/smarty/issues/111
25.11.2015 -bugfix a left delimter like '[%' did fail on
[%$var_[%$variable%]%] (forum topic 25798) 02.11.2015 - bugfix {include}
with variable file name like {include file="foo_`$bar`.tpl"} did fail
3.1.28-dev https://github.com/smarty-php/smarty/issues/102 01.11.2015 -
update config file processing 31.10.2015 - bugfix add missing $trusted_dir
property to SmartyBC class (forum topic 25751) 29.10.2015 - improve
template scope handling 24.10.2015 - more optimizations of template
processing - bugfix Error when using {include} within {capture}
https://github.com/smarty-php/smarty/issues/100 21.10.2015 - move some code
into runtime extensions 18.10.2015 - optimize filepath normalization -
rework of template inheritance - speed and size optimizations - bugfix
HHVM temporary cache file must only be created when caches template was updated
- fix compiled code for new {block} assign attribute - update code generated
by template function call handler 18.09.2015 - bugfix {if $foo instanceof
$bar} failed to compile if 2nd value is a variable https://github.com/smarty-
php/smarty/issues/92 17.09.2015 - bugfix {foreach} first attribute was not
correctly reset since commit 05a8fa2 of 02.08.2015 https://github.com/smarty-
php/smarty/issues/90 16.09.2015 - update compiler by moving no longer
needed properties, code optimizations and other 14.09.2015 - optimize
autoloader - optimize subtemplate handling - update template inheritance
processing - move code of {call} processing back into
class - improvement invalidate OPCACHE for cleared compiled and cached
template files (forum topic 25557) - bugfix unintended multiple debug windows
(forum topic 25699) 30.08.2015 - size optimization move some runtime
functions into extension - optimize inline template processing -
optimization merge inheritance child and parent templates into one compiled
template file 29.08.2015 - improvement convert template inheritance into
runtime processing - bugfix {$smarty.block.parent} did always reference the
root parent block https://github.com/smarty-php/smarty/issues/68 23.08.2015
- introduce Smarty::$resource_cache_mode and cache template object of {include}
inside loop - load seldom used Smarty API methods dynamically to reduce
footprint - cache template object of {include} if same template is included
several times - convert debug console processing to object - use output
buffers for better performance and less memory usage - optimize nocache hash
processing - remove not really needed properties - optimize rendering -
move caching to Smarty::_cache - remove properties with redundant content -
optimize Smarty::templateExists() - optimize use_include_path processing -
relocate properties for size optimization - remove redundant code - bugfix
compiling super globals like {$smarty.get.foo} did fail in the master branch
https://github.com/smarty-php/smarty/issues/77 06.08.2015 - avoid possible
circular object references caused by parser/lexer objects - rewrite
compileAll... utility methods - commit several internal improvements -
bugfix Smarty failed when compile_id did contain "|" 03.08.2015 -
clear cache methods - bugfix compileAllConfig() was broken since 3.1.22
because of the changes in config file processing - improve getIncludePath()
return directory if no file was given 02.08.2015 - optimization and code
cleanup of {foreach} and {section} compiler - rework {capture} compiler
01.08.2015 - update DateTime object can be instance of DateTimeImmutable
since PHP5.5 https://github.com/smarty-php/smarty/pull/75 - improvement show
resource type and start of template source instead of uid on eval: and string:
resource (forum topic 25630) 31.07.2015 - optimize {foreach} and {section}
compiler 29.07.2015 - optimize {section} compiler for speed and size of
compiled code 28.07.2015 - update for PHP 7 compatibility 26.07.2015
improvement implement workaround for HHVM PHP incompatibility
https://github.com/facebook/hhvm/issues/4797 25.07.2015 - bugfix parser did
hang on text starting <?something https://github.com/smarty-php/smarty/issues/74
20.07.2015 - bugfix config files got recompiled on each request -
improvement invalidate PHP 5.5 opcache for recompiled and cached templates
https://github.com/smarty-php/smarty/issues/72 12.07.2015 - optimize
{extends} compilation 10.07.2015 - bugfix force file: resource in demo
resource.extendsall.php 08.07.2015 - bugfix convert each word of class
names to ucfirst in compiler. (forum topic 25588) 07.07.2015 -
improvement allow fetch() or display() called on a template object to get
from other template like $template->fetch('foo.tpl')
https://github.com/smarty-php/smarty/issues/70 - improvement Added $limit
parameter to regex_replace modifier #71 - new feature multiple indices on
file: resource 06.07.2015 - optimize {block} compilation - optimization
get rid of __get and __set in source object 01.07.2015 - optimize compile
check handling - update {foreach} compiler - bugfix debugging console did
not display string values containing \n, \r or \t correctly
https://github.com/smarty-php/smarty/issues/66 - optimize source resources
28.06.2015 - move $smarty->enableSecurity() into Smarty_Security class -
optimize security isTrustedResourceDir() - move auto load filter methods into
extension - move $smarty->getTemplateVars() into extension - move
getStreamVariable() into extension - move $smarty->append() and
$smarty->appendByRef() into extension - optimize autoloader - optimize
path normalization - bugfix PATH_SEPARATOR was replaced by mistake in
autoloader - remove redundant code 27.06.2015 - bugfix resolve naming
conflict between custom Smarty delimiter '<%' and PHP ASP tags
https://github.com/smarty-php/smarty/issues/64 - update $smarty->_realpath for
relative path not starting with './' - update Smarty security with
realpath handling - update {include_php} with new realpath handling - move
$smarty->loadPlugin() into extension - minor compiler optimizations -
allow function plugins with name ending with 'close'
https://github.com/smarty-php/smarty/issues/52 - rework of
$smarty->clearCompiledTemplate() and move
to its own extension 19.06.2015 - improvement allow closures as callback
$smarty->registerFilter() https://github.com/smarty-php/smarty/issues/59 =====
3.1.27 ===== (18.06.2015) 18.06.2015 - bugfix another update on file path
normalization failed on path containing something like "/.foo/"
https://github.com/smarty-php/smarty/issues/56 ===== 3.1.26 ===== (18.06.2015)
18.06.2015 - bugfix file path normalization failed on path containing
something like "/.foo/" https://github.com/smarty-php/smarty/issues/56
17.06.2015 - bugfix calling a plugin with nocache option but no other
attributes like {foo nocache} caused call to undefined function
https://github.com/smarty-php/smarty/issues/55 ===== 3.1.25 ===== (15.06.2015)
15.06.2015 - optimization of smarty_cachereource_keyvaluestore.php code
14.06.2015 - bugfix a relative sub template path could fail if template_dir
path did contain /../ https://github.com/smarty-php/smarty/issues/50 -
optimization rework of path normalization - bugfix an output tag with
variable, modifier followed by an operator like {$foo|modifier+1} did fail
https://github.com/smarty-php/smarty/issues/53 13.06.2015 - bugfix a custom
cache resource using smarty_cachereource_keyvaluestore.php did fail if php.ini
mbstring.func_overload = 2 (forum topic 25568) 11.06.2015 - bugfix the
lexer could hang on very large quoted strings (forum topic 25570) 08.06.2015
- bugfix using {$foo} as array index like $bar.{$foo} or in double quoted
like "some {$foo} thing" failed https://github.com/smarty-php/smarty/issues/49
04.06.2015 - bugfix possible error message on unset() while compiling
tags https://github.com/smarty-php/smarty/issues/46 01.06.2015 - bugfix
<?xml ... ?> including template variables broken since 3.1.22
https://github.com/smarty-php/smarty/issues/47 27.05.2015 - bugfix
{include} with variable file name must not create by default individual cache
file (since 3.1.22) https://github.com/smarty-php/smarty/issues/43 24.05.2015
- bugfix if condition string 'neq' broken due to a typo
https://github.com/smarty-php/smarty/issues/42 ===== 3.1.24 ===== (23.05.2015)
23.05.2015 - improvement on php_handling to allow very large PHP sections,
better error handling - improvement allow extreme large comment sections
(forum 25538) 21.05.2015 - bugfix broken PHP 5.2 compatibility when
compiling <?php tags https://github.com/smarty-php/smarty/issues/40 - bugfix
named {foreach} comparison like $smarty.foreach.foobar.index > 1 did compile
into wrong code https://github.com/smarty-php/smarty/issues/41 19.05.2015 -
bugfix compiler did overwrite existing variable value when setting the nocache
attribute https://github.com/smarty-php/smarty/issues/39 - bugfix output
filter trimwhitespace could run into the pcre.backtrack_limit on large output
(code.google issue 220) - bugfix compiler could run into the
pcre.backtrack_limit on larger comment or {php} tag sections (forum 25538)
18.05.2015 - improvement introduce shortcuts in lexer/parser rules for most
frequent terms for higher compilation speed 16.05.2015 - bugfix
{php}{/php} did work just for single lines
https://github.com/smarty-php/smarty/issues/33 - improvement remove not needed
?><?php transitions from compiled code - improvement reduce number of lexer
tokens on operators and if
conditions - improvement higher compilation speed by modified lexer/parser
generator at "smarty/smarty-lexer" 13.05.2015 - improvement remove
needed ?><?php transitions from compiled code - improvement of
- use fresh Smarty object to display the debug console because of possible
problems when the Smarty was extended or Smarty properties had been
modified in the class source - display Smarty version number -
Truncate length of Origin display and extend string value display to 80
- bugfix in Smarty_Security 'nl2br' should be a trusted modifier, not
function (code.google issue 223) 12.05.2015 - bugfix
{$smarty.constant.TEST} did fail on undefined constant
https://github.com/smarty-php/smarty/issues/28 - bugfix access to undefined
config variable like {#undef#} did fail
https://github.com/smarty-php/smarty/issues/29 - bugfix in nested {foreach}
saved item attributes got
overwritten https://github.com/smarty-php/smarty/issues/33 ===== 3.1.23 =====
(12.05.2015) 12.05.2015 - bugfix of smaller performance issue introduced in
3.1.22 when caching is enabled - bugfix missing entry for smarty-temmplate-
config in autoloader ===== 3.1.22 ===== tag was deleted because 3.1.22 did
fail caused by the missing entry for smarty-temmplate-config in autoloader
10.05.2015 - bugfix custom cache resource did not observe compile_id and
cache_id when $cache_locking == true - bugfix cache lock was not handled
correctly after timeout when $cache_locking == true - improvement added
constants for $debugging 07.05.2015 - improvement of the debugging
Read NEW_FEATURES.txt - optimization of resource class loading 06.05.2015
- bugfix in 3.1.22-dev cache resource must not be loaded for subtemplates -
bugfix/improvement in 3.1.22-dev cache locking did not work as expected
05.05.2015 - optimization on cache update when main template is modified -
optimization move <?php ?> handling from parser to new compiler module
05.05.2015 - bugfix code could be messed up when {tags} are used in multiple
attributes https://github.com/smarty-php/smarty/issues/23 04.05.2015 -
bugfix Smarty_Resource::parseResourceName incompatible with Google AppEngine
(https://github.com/smarty-php/smarty/issues/22) - improvement use is_file()
checks to avoid errors suppressed by @ which could still cause problems
(https://github.com/smarty-php/smarty/issues/24) 28.04.2015 - bugfix
plugins of merged subtemplates not loaded in 3.1.22-dev (forum topic 25508) 2nd
fix 28.04.2015 - bugfix plugins of merged subtemplates not loaded in
3.1.22-dev (forum topic 25508) 23.04.2015 - bugfix a nocache template
variable used as parameter at {insert} was by mistake cached 20.04.2015 -
bugfix at a template function containing nocache code a parameter could
a template variable of same name 27.03.2015 - bugfix
Smarty_Security->allow_constants=false; did also disable true, false and
(change of 16.03.2015) - improvement added a whitelist for trusted constants
to security Smarty_Security::$trusted_constants (forum topic 25471)
- bugfix make sure that function properties get saved only in compiled files
containing the function definition {forum topic 25452} - bugfix correct update
of global variable values on exit of template functions. (reported under Smarty
Developers) 16.03.2015 - bugfix problems with {function}{/function} and
{call} tags in different subtemplate cache files {forum topic 25452} - bugfix
Smarty_Security->allow_constants=false; did not disallow direct usage of
constants like {SMARTY_DIR} {forum topic 25457} - bugfix {block}{/block} tags
did not work inside double quoted strings
https://github.com/smarty-php/smarty/issues/18 15.03.2015 - bugfix
$smarty->compile_check must be restored before rendering of a just updated
cache file {forum 25452}
14.03.2015 - bugfix {nocache} {/nocache} tags corrupted code when used
within a nocache section caused by a nocache template variable. - bugfix
template functions defined with {function} in an included subtemplate could not
be called in nocache mode with {call... nocache} if the subtemplate
had its own cache file {forum 25452} 10.03.2015 - bugfix {include ...
nocache} with variable file or compile_id attribute was not executed in
mode. 12.02.2015 - bugfix multiple Smarty::fetch() of same template when
$smarty->merge_compiled_includes = true; could cause function already
error 11.02.2015 - bugfix recursive {includes} did create E_NOTICE message
when $smarty->merge_compiled_includes = true; (github issue #16)
- new feature security can now control access to static methods and properties
see also NEW_FEATURES.txt 21.01.2015 - bugfix clearCompiledTemplates(),
clearAll() and clear() could try to delete whole drive at wrong path
because realpath() fail (forum 25397) - bugfix 'self::' and 'parent::' was
interpreted in template syntax as static class 04.01.2015 - push last weeks
changes to github - different optimizations - improvement automatically
different versions of compiled templates and config files depending on
property settings. - optimization restructure template processing by moving
code into classes it better belongs to - optimization restructure config file
processing 31.12.2014 - bugfix use function_exists('mb_get_info') for setting
Smarty::$_MBSTRING. Function mb_split could be overloaded depending on
php.ini mbstring.func_overload 29.12.2014 - new feature security can now
limit the template nesting level by property $max_template_nesting
see also NEW_FEATURES.txt (forum 25370) 29.12.2014 - new feature security
can now disable special $smarty variables listed in property
$disabled_special_smarty_vars see also NEW_FEATURES.txt (forum
25370) 27.12.2014 - bugfix clear internal _is_file_cache when plugins_dir
was modified 13.12.2014 - improvement optimization of lexer and parser
resulting in up to 30% higher compiling speed 11.12.2014 - bugfix
parser ambiguity between constant print tag {CONST} and other smarty tags after
change of 09.12.2014 09.12.2014 - bugfix variables $null, $true and $false
did not work after the change of 12.11.2014 (forum 25342) - bugfix call of
template function by a variable name did not work after latest changes (forum
25342) 23.11.2014 - bugfix a plugin with attached modifier could fail if
the tag was immediately followed by another Smarty tag (since 3.1.21) (forum
25326) 13.11.2014 - improvement move autoload code into Autoloader.php.
Composer autoloader when possible 12.11.2014 - new feature added support of
namespaces to template code 08.11.2014 - 10.11.2014 - bugfix subtemplate
called in nocache mode could be called with wrong compile_id when it did change
on one of the calling templates - improvement add code of template functions
called in nocache mode dynamically to cache file (related to bugfix of
01.11.2014) - bugfix Debug Console did not include all data from merged
compiled subtemplates 04.11.2014 - new feature $smarty->debugging = true; =>
overwrite existing Debug Console window (old behaviour)
$smarty->debugging = 2; => individual Debug Console window by template
03.11.2014 - bugfix Debug Console did not show included subtemplates since
3.1.17 (forum 25301) - bugfix Modifier debug_print_var did not limit recursion
or prevent recursive object display at Debug Console (ATTENTION: parameter
order has changed to be able to specify maximum recursion) - bugfix Debug
console did not include subtemplate information with
$smarty->merge_compiled_includes = true - improvement The template
are no longer displayed as objects on the Debug Console - improvement
$smarty->createData($parent = null, $name = null) new optional name
for display at Debug Console - addition of some hooks for future extension of
Debug Console 01.11.2014 - bugfix and enhancement on subtemplate {include}
and template {function} tags. * Calling a template which has a nocache
section could fail if it was called from a cached and a not cached subtemplate.
* Calling the same subtemplate cached and not cached with the
$smarty->merge_compiled_includes enabled could cause problems * Many
related changes 30.10.2014 - bugfix access to class constant by object like
{$object::CONST} or variable class name {$class::CONST} did not work (forum
25301) 26.10.2014 - bugfix E_NOTICE message was created during compilation
when ASP tags '<%' or '%>' are in template source text -
merge_compiled_includes option failed when caching enables and same
was included cached and not cached

* Fri Feb 22 2019 Shawn Iwinski <shawn@iwin.ski> - 3.1.33-1
- Update to 3.1.33
- RHBZ #s: 1532492, 1532493, 1532494, 1628739, 1628740, 1628741, 1631095,
1631096, 1631098
- CVEs: CVE-2017-1000480, CVE-2018-13982, CVE-2018-16831
- License LGPLv2+ => LGPLv3
* Sat Feb 2 2019 Fedora Release Engineering <releng@fedoraproject.org> -
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

[ 1 ] Bug #1631098 - CVE-2018-13982 php-Smarty: Path traversal vulnerability
in Smarty_Security::isTrustedResourceDir() [epel-all]
[ 2 ] Bug #1628740 - CVE-2018-16831 php-Smarty: trusted_dir protection
mechanism bypass [epel-all]
[ 3 ] Bug #1532493 - CVE-2017-1000480 php-Smarty: Code injection when calling
fetch() or display() on unsanitized template names [epel-all]
[ 4 ] Bug #1631096 - CVE-2018-13982 php-Smarty: Path traversal vulnerability
in Smarty_Security::isTrustedResourceDir() [fedora-all]
[ 5 ] Bug #1628741 - CVE-2018-16831 php-Smarty: trusted_dir protection
mechanism bypass [fedora-all]
[ 6 ] Bug #1532494 - CVE-2017-1000480 php-Smarty: Code injection when calling
fetch() or display() on unsanitized template names [fedora-all]

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-e595e8a7d7' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
