
Security: Multiple issues in php-Smarty
Name: Multiple issues in php-Smarty
ID: FEDORA-2019-e595e8a7d7
Distribution: Fedora
Platforms: Fedora 29
Date: Wed, 6 March 2019, 10:15
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000480
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831
Applications: Smarty PHP template engine

Original message

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-e595e8a7d7
2019-03-06 06:57:11.060955
--------------------------------------------------------------------------------

Name : php-Smarty
Product : Fedora 29
Version : 3.1.33
Release : 1.fc29
URL : http://www.smarty.net
Summary : Smarty - the compiling PHP template engine
Description :
Smarty is a template engine for PHP, facilitating the separation of
presentation (HTML/CSS) from application logic. This implies that PHP
code is application logic, and is separated from the presentation.

Autoloader: /usr/share/php/Smarty/autoload.php

--------------------------------------------------------------------------------
Update Information:

===== 3.1.33 release ===== 12.09.2018
===== 3.1.33-dev-12 =====
03.09.2018
  - bugfix {foreach} using new style property access like {$item@property} on Smarty 2 style named foreach loop could produce errors https://github.com/smarty-php/smarty/issues/484

31.08.2018
  - bugfix some custom left and right delimiters like '{^' '^}' did not work https://github.com/smarty-php/smarty/issues/450 https://github.com/smarty-php/smarty/pull/482
  - reformatting for PSR-2 coding standards https://github.com/smarty-php/smarty/pull/483
  - bugfix on Windows absolute file paths did fail if the drive letter was followed by a linux DIRECTORY_SEPARATOR like C:/ at Smarty > 3.1.33-dev-5 https://github.com/smarty-php/smarty/issues/451
  - PSR-2 code style fixes for config and template file Lexer/Parser generated with the Smarty Lexer/Parser generator from https://github.com/smarty-php/smarty-lexer https://github.com/smarty-php/smarty/pull/483

26.08.2018
  - bugfix/enhancement {capture} allow variable as capture block name in Smarty special variable like $smarty.capture.$foo https://github.com/smarty-php/smarty/issues/478 https://github.com/smarty-php/smarty/pull/481

===== 3.1.33-dev-6 =====
19.08.2018
  - fix PSR-2 coding standards and PHPDoc blocks https://github.com/smarty-php/smarty/pull/452 https://github.com/smarty-php/smarty/pull/475 https://github.com/smarty-php/smarty/pull/473
  - bugfix PHP5.2 compatibility https://github.com/smarty-php/smarty/pull/472

===== 3.1.33-dev-4 =====
17.05.2018
  - bugfix strip-block produces different output in Smarty v3.1.32 https://github.com/smarty-php/smarty/issues/436
  - bugfix Smarty::compileAllTemplates ignores `$extension` parameter https://github.com/smarty-php/smarty/issues/437 https://github.com/smarty-php/smarty/pull/438
  - improvement do not compute total property in {foreach} if not needed https://github.com/smarty-php/smarty/issues/443
  - bugfix plugins may not be loaded when setMergeCompiledIncludes is true https://github.com/smarty-php/smarty/issues/435

26.04.2018
  - bugfix regarding Security Vulnerability did not solve the problem under Linux. Security issue CVE-2018-16831

===== 3.1.32 ===== (24.04.2018)
24.04.2018
  - bugfix possible Security Vulnerability in Smarty_Security class.

26.03.2018
  - bugfix plugins may not be loaded if {function} or {block} tags are executed in nocache mode https://github.com/smarty-php/smarty/issues/371

26.03.2018
  - new feature {parent} = {$smarty.block.parent} {child} = {$smarty.block.child}

23.03.2018
  - bugfix preg_replace could fail on large content resulting in a blank page https://github.com/smarty-php/smarty/issues/417

21.03.2018
  - bugfix {$smarty.section...} used outside {section}{/section} showed incorrect values if {section}{/section} was called inside another loop https://github.com/smarty-php/smarty/issues/422
  - bugfix short form of {section} attributes did not work https://github.com/smarty-php/smarty/issues/428

17.03.2018
  - improvement Smarty::compileAllTemplates() exit with a non-zero status code if max errors is reached https://github.com/smarty-php/smarty/pull/402

16.03.2018
  - bugfix extends resource did not work with user defined left/right delimiter https://github.com/smarty-php/smarty/issues/419

22.11.2017
  - bugfix {break} and {continue} could fail if {foreach}{/foreach} did contain other looping tags like {for}, {section} and {while} https://github.com/smarty-php/smarty/issues/323

20.11.2017
  - bugfix rework of newline spacing between tag code and template text. now again identical with Smarty2 (forum topic 26878)
  - replacement of " by '

05.11.2017
  - lexer/parser optimization
  - code cleanup and optimizations
  - bugfix {$smarty.section.name.loop} used together with {$smarty.section.name.total} could produce wrong results (forum topic 27041)

26.10.2017
  - bugfix Smarty version was not filled in header comment of compiled and cached files
  - optimization replace internal Smarty::$ds property by DIRECTORY_SEPARATOR
  - deprecate functions Smarty::muteExpectedErrors() and Smarty::unmuteExpectedErrors() as Smarty does no longer use error suppression like @filemtime(). for backward compatibility code is moved from Smarty class to an external class and still can be called.
  - correction of PHPDoc blocks
  - minor code cleanup

21.10.2017
  - bugfix custom delimiters could fail since modification of version 3.1.32-dev-23 https://github.com/smarty-php/smarty/issues/394

18.10.2017
  - bugfix fix implementation of unclosed block tag in double quoted string of 12.10.2017 https://github.com/smarty-php/smarty/issues/396 https://github.com/smarty-php/smarty/issues/397 https://github.com/smarty-php/smarty/issues/391 https://github.com/smarty-php/smarty/issues/392

12.10.2017
  - bugfix $smarty.block.child and $smarty.block.parent could not be used like any $smarty special variable https://github.com/smarty-php/smarty/issues/393
  - unclosed block tag in double quoted string must throw compiler exception. https://github.com/smarty-php/smarty/issues/391 https://github.com/smarty-php/smarty/issues/392

07.10.2017
  - bugfix modification of 9.8.2017 did fail on some recursive tag nesting. https://github.com/smarty-php/smarty/issues/389

26.8.2017
  - bugfix chained modifier failed when last modifier parameter is a signed value https://github.com/smarty-php/smarty/issues/327
  - bugfix templates filepath with multibyte characters did not work https://github.com/smarty-php/smarty/issues/385
  - bugfix {make_nocache} did display code if the template did not contain other nocache code https://github.com/smarty-php/smarty/issues/369

09.8.2017
  - improvement repeated delimiter like {{ and }} will be treated as literal https://groups.google.com/forum/#!topic/smarty-developers/h9r82Bx4KZw

05.8.2017
  - bugfix wordwrap modifier could fail if used in nocache code. converted plugin file shared.mb_wordwrap.php into modifier.mb_wordwrap.php
  - cleanup of _getSmartyObj()

31.7.2017
  - Call clearstatcache() after mkdir() failure https://github.com/smarty-php/smarty/pull/379

30.7.2017
  - rewrite mkdir() bugfix to retry automatically see https://github.com/smarty-php/smarty/pull/377 https://github.com/smarty-php/smarty/pull/379

21.7.2017
  - security possible PHP code injection on custom resources at display() or fetch() calls if the resource does not sanitize the template name
  - bugfix fix 'mkdir(): File exists' error on create directory from parallel processes https://github.com/smarty-php/smarty/pull/377
  - bugfix solve preg_match() hhvm parameter problem https://github.com/smarty-php/smarty/pull/372

27.5.2017
  - bugfix change compiled code for registered function and modifiers to called as callable to allow closures https://github.com/smarty-php/smarty/pull/368, https://github.com/smarty-php/smarty/issues/273
  - bugfix https://github.com/smarty-php/smarty/pull/368 did break the default plugin handler
  - improvement replace phpversion() by PHP_VERSION constant. https://github.com/smarty-php/smarty/pull/363

21.5.2017
  - performance store flag for already required shared plugin functions in static variable or Smarty's $_cache to improve performance when plugins are often called https://github.com/smarty-php/smarty/commit/51e0d5cd405d764a4ea257d1bac1fb1205f74528#commitcomment-22280086
  - bugfix remove special treatment of classes implementing ArrayAccess in {foreach} https://github.com/smarty-php/smarty/issues/332
  - bugfix remove deleted files by clear_cache() and clear_compiled_template() from ACP cache if present, add some is_file() checks to avoid possible warnings on filemtime() caused by above functions. https://github.com/smarty-php/smarty/issues/341
  - bugfix version 3.1.31 did fail under PHP 5.2 https://github.com/smarty-php/smarty/issues/365

19.5.2017
  - change properties $accessMap and $obsoleteProperties from private to protected https://github.com/smarty-php/smarty/issues/351
  - new feature The named capture buffers can now be accessed also as array See NEWS_FEATURES.txt https://github.com/smarty-php/smarty/issues/366
  - improvement check if ini_get() and ini_set() not disabled https://github.com/smarty-php/smarty/pull/362

24.4.2017
  - fix spelling https://github.com/smarty-php/smarty/commit/e3eda8a5f5653d8abb960eb1bc47e3eca679b1b4#commitcomment-21803095

17.4.2017
  - correct generated code on empty() and isset() call, observe change PHP behaviour since PHP 5.5 https://github.com/smarty-php/smarty/issues/347

14.4.2017
  - merge pull requests https://github.com/smarty-php/smarty/pull/349, https://github.com/smarty-php/smarty/pull/322 and https://github.com/smarty-php/smarty/pull/337 to fix spelling and annotation

13.4.2017
  - bugfix array_merge() parameter should be checked https://github.com/smarty-php/smarty/issues/350

===== 3.1.31 ===== (14.12.2016)
23.11.2016
  - move template object cache into static variables

19.11.2016
  - bugfix inheritance root child templates containing nested {block}{/block} could call sub-block content from parent template https://github.com/smarty-php/smarty/issues/317
  - change version checking

11.11.2016
  - bugfix when Smarty is using a cached template object on Smarty::fetch() or Smarty::isCached() the inheritance data must be removed https://github.com/smarty-php/smarty/issues/312
  - smaller speed optimization

08.11.2016
  - add bootstrap file to load and register Smarty_Autoloader. Change composer.json to make it known to composer

07.11.2016
  - optimization of lexer speed https://github.com/smarty-php/smarty/issues/311

27.10.2016
  - bugfix template function definitions array has not been cached between Smarty::fetch() and Smarty::display() calls https://github.com/smarty-php/smarty/issues/301

23.10.2016
  - improvement/bugfix when Smarty::fetch() is called on a template object the inheritance and tplFunctions property should be copied to the called template object

21.10.2016
  - bugfix for compile locking touched timestamp of old compiled file was not restored on compilation error https://github.com/smarty-php/smarty/issues/308

20.10.2016
  - bugfix nocache code was not removed in cache file when subtemplate did contain PHP short tags in text but no other nocache code https://github.com/smarty-php/smarty/issues/300

19.10.2016
  - bugfix {make_nocache $var} did fail when variable value did contain '\' https://github.com/smarty-php/smarty/issues/305
  - bugfix {make_nocache $var} remove spaces from variable value https://github.com/smarty-php/smarty/issues/304

12.10.2016
  - bugfix {include} with template names including variable or constants could fail after bugfix from 28.09.2016 https://github.com/smarty-php/smarty/issues/302

08.10.2016
  - optimization move runtime extension for template functions into Smarty objects

29.09.2016
  - improvement new Smarty::$extends_recursion property to disable execution of {extends} in templates called by extends resource https://github.com/smarty-php/smarty/issues/296

28.09.2016
  - bugfix the generated code for calling a subtemplate must pass the template resource name in single quotes https://github.com/smarty-php/smarty/issues/299
  - bugfix nocache hash was not removed for <?xml ?> tags in subtemplates https://github.com/smarty-php/smarty/issues/300

27.09.2016
  - bugfix when Smarty does use an internally cached template object on Smarty::fetch() calls the template and config variables must be cleared https://github.com/smarty-php/smarty/issues/297

20.09.2016
  - bugfix some $smarty special template variables are no longer accessed as real variable. using them on calls like {if isset($smarty.foo)} or {if empty($smarty.foo)} will fail http://www.smarty.net/forums/viewtopic.php?t=26222
  - temporary fix for https://github.com/smarty-php/smarty/issues/293 main reason still under investigation
  - improvement new tags {block_parent} {block_child} in template inheritance

19.09.2016
  - optimization clear compiled and cached folder completely on detected version change
  - cleanup convert cache resource file method clear into runtime extension

15.09.2016
  - bugfix assigning a variable in if condition by function like {if $value = array_shift($array)} the function got called twice https://github.com/smarty-php/smarty/issues/291
  - bugfix function plugins called with assign attribute like {foo assign='bar'} did not output returned content because assumption was made that it was assigned to a variable https://github.com/smarty-php/smarty/issues/292
  - bugfix calling $smarty->isCached() on a not existing cache file with $smarty->cache_locking = true; could cause a 10 second delay http://www.smarty.net/forums/viewtopic.php?t=26282
  - improvement make Smarty::clearCompiledTemplate() on custom resource independent from changes of templateId computation

11.09.2016
  - improvement {math} misleading E_USER_WARNING messages when parameter value = null https://github.com/smarty-php/smarty/issues/288
  - improvement move often used code snippets into methods
  - performance Smarty::configLoad() did load unneeded template source object

09.09.2016
  - bugfix/optimization {foreach} did not execute the {foreachelse} when iterating empty objects https://github.com/smarty-php/smarty/pull/287
  - bugfix {foreach} must keep the @properties when restoring a saved $item variable as the properties might be used outside {foreach} https://github.com/smarty-php/smarty/issues/267
  - improvement {foreach} observe {break n} and {continue n} nesting levels when restoring saved $item and $key variables

08.09.2016
  - bugfix implement wrapper for removed method getConfigVariable() https://github.com/smarty-php/smarty/issues/286

07.09.2016
  - bugfix using nocache like attribute with value true like {plugin nocache=true} did not work https://github.com/smarty-php/smarty/issues/285
  - bugfix uppercase TRUE, FALSE and NULL did not work when security was enabled https://github.com/smarty-php/smarty/issues/282
  - bugfix when {foreach} was looping over an object the total property like {$item@total} did always return 1 https://github.com/smarty-php/smarty/issues/281
  - bugfix {capture}{/capture} did add in 3.1.30 unintended additional blank lines https://github.com/smarty-php/smarty/issues/268

01.09.2016
  - performance require_once should be called only once for shared plugins https://github.com/smarty-php/smarty/issues/280

26.08.2016
  - bugfix change of 23.08.2016 failed on linux when use_include_path = true

23.08.2016
  - bugfix remove constant DS as shortcut for DIRECTORY_SEPARATOR as the user may have defined it to something else https://github.com/smarty-php/smarty/issues/277

20.08-2016
  - bugfix {config_load ... scope="global"} shall not throw an error but fallback to scope="smarty" https://github.com/smarty-php/smarty/issues/274
  - bugfix {make_nocache} failed when using composer autoloader https://github.com/smarty-php/smarty/issues/275

14.08.2016
  - bugfix $smarty->debugging = true; did E_NOTICE messages when {eval} tag was used https://github.com/smarty-php/smarty/issues/266
  - bugfix Class 'Smarty_Internal_Runtime_ValidateCompiled' not found when upgrading from some older Smarty versions with existing compiled or cached template files https://github.com/smarty-php/smarty/issues/269
  - optimization remove unneeded call to update scopes when {assign} scope and template scope was local (default)

===== 3.1.30 ===== (07.08.2016)
07.08.2016
  - bugfix update of 04.08.2016 was incomplete

05.08.2016
  - bugfix compiling of templates failed when the Smarty delimiter did contain '/' https://github.com/smarty-php/smarty/issues/264
  - updated error checking at template and config default handler

04.08.2016
  - improvement move template function source parameter into extension

26.07.2016
  - optimization unneeded loading of compiled resource

24.07.2016
  - regression this->addPluginsDir('/abs/path/to/dir') adding absolute path without trailing '/' did fail https://github.com/smarty-php/smarty/issues/260

23.07.2016
  - bugfix setTemplateDir('/') and setTemplateDir('') did create wrong absolute filepath https://github.com/smarty-php/smarty/issues/245
  - optimization of filepath normalization
  - improvement remove double function declaration in plugin shared.escape_special_cars.php https://github.com/smarty-php/smarty/issues/229

19.07.2016
  - bugfix multiple {include} with relative filepath within {block}{/block} could fail https://github.com/smarty-php/smarty/issues/246
  - bugfix {math} shell injection vulnerability patch provided by Tim Weber

18.07.2016
  - bugfix {foreach} if key variable and item@key attribute have been used both the key variable was not updated https://github.com/smarty-php/smarty/issues/254
  - bugfix modifier on plugins like {plugin|modifier ... } did fail when the plugin does return an array https://github.com/smarty-php/smarty/issues/228
  - bugfix avoid opcache_invalidate to result in ErrorException when opcache.restrict_api is not empty https://github.com/smarty-php/smarty/pull/244
  - bugfix multiple {include} with relative filepath within {block}{/block} could fail https://github.com/smarty-php/smarty/issues/246

14.07.2016
  - bugfix wrong parameter on compileAllTemplates() and compileAllConfig() https://github.com/smarty-php/smarty/issues/231

13.07.2016
  - bugfix PHP 7 compatibility on registered compiler plugins https://github.com/smarty-php/smarty/issues/241
  - update testInstall() https://github.com/smarty-php/smarty/issues/248
  - bugfix enable debugging could fail when template objects did already exists https://github.com/smarty-php/smarty/issues/237
  - bugfix template function data should be merged when loading subtemplate https://github.com/smarty-php/smarty/issues/240
  - bugfix wrong parameter on compileAllTemplates() https://github.com/smarty-php/smarty/issues/231

12.07.2016
  - bugfix {foreach} item variable must be created also on empty from array https://github.com/smarty-php/smarty/issues/238 and https://github.com/smarty-php/smarty/issues/239
  - bugfix enableSecurity() must init cache flags https://github.com/smarty-php/smarty/issues/247

27.05.2016
  - bugfix/improvement of compileAlltemplates() follow symlinks in template folder (PHP >= 5.3.1) https://github.com/smarty-php/smarty/issues/224 clear internal cache and extension handler for each template to avoid possible conflicts https://github.com/smarty-php/smarty/issues/231

16.05.2016
  - optimization {foreach} compiler and processing
  - broken PHP 5.3 and 5.4 compatibility

15.05.2016
  - optimization and cleanup of resource code

10.05.2016
  - optimization of inheritance processing

07.05.2016
  - bugfix Only variables should be assigned by reference https://github.com/smarty-php/smarty/issues/227

02.05.2016
  - enhancement {block} tag names can now be variable https://github.com/smarty-php/smarty/issues/221

01.05.2016
  - bugfix same relative filepath at {include} called from template in different folders could display wrong sub-template

29.04.2016
  - bugfix {strip} remove space on linebreak between html tags https://github.com/smarty-php/smarty/issues/213

24.04.2016
  - bugfix nested {include} with relative file path could fail when called in {block} ... {/block} https://github.com/smarty-php/smarty/issues/218

14.04.2016
  - bugfix special variable {$smarty.capture.name} was not case sensitive on name https://github.com/smarty-php/smarty/issues/210
  - bugfix the default template handler must calculate the source uid https://github.com/smarty-php/smarty/issues/205

13.04.2016
  - bugfix template inheritance status must be saved when calling sub-templates https://github.com/smarty-php/smarty/issues/215

27.03.2016
  - bugfix change of 11.03.2016 cause again {capture} data could not been seen in other templates with {$smarty.capture.name} https://github.com/smarty-php/smarty/issues/153

11.03.2016
  - optimization of capture and security handling
  - improvement $smarty->clearCompiledTemplate() should return on recompiled or uncompiled resources

10.03.2016
  - optimization of resource processing

09.03.2016
  - improvement rework of 'scope' attribute handling see NEW_FEATURES.txt https://github.com/smarty-php/smarty/issues/194 https://github.com/smarty-php/smarty/issues/186 https://github.com/smarty-php/smarty/issues/179
  - bugfix correct Autoloader update of 2.3.2014 https://github.com/smarty-php/smarty/issues/199

04.03.2016
  - bugfix change from 01.03.2016 will cause $smarty->isCached(..) failure if called multiple time for same template (forum topic 25935)

02.03.2016
  - revert autoloader optimizations because of unexplainable warning when using plugins https://github.com/smarty-php/smarty/issues/199

01.03.2016
  - bugfix template objects must be cached on $smarty->fetch('foo.tpl') calls in case the template is fetched multiple times (forum topic 25909)

25.02.2016
  - bugfix wrong _realpath with 4 or more parent-directories https://github.com/smarty-php/smarty/issues/190
  - optimization of _realpath
  - bugfix instanceof expression in template code must be treated as value https://github.com/smarty-php/smarty/issues/191

20.02.2016
  - bugfix {strip} must keep space between html tags. Broken by changes of 10.2.2016 https://github.com/smarty-php/smarty/issues/184
  - new feature/bugfix {foreach}{section} add 'properties' attribute to force compilation of loop properties see NEW_FEATURES.txt https://github.com/smarty-php/smarty/issues/189

19.02.2016
  - revert output buffer flushing on display, echo content again because possible problems when PHP files had characters (newline) after ?> at file end https://github.com/smarty-php/smarty/issues/187

14.02.2016
  - new tag {make_nocache} read NEW_FEATURES.txt https://github.com/smarty-php/smarty/issues/110
  - optimization of sub-template processing
  - bugfix using extendsall as default resource and {include} inside {block} tags could produce unexpected results https://github.com/smarty-php/smarty/issues/183
  - optimization of tag attribute compiling
  - optimization make compiler tag object cache static for higher compilation speed

11.02.2016
  - improvement added KnockoutJS comments to trimwhitespace outputfilter https://github.com/smarty-php/smarty/issues/82 https://github.com/smarty-php/smarty/pull/181

10.02.2016
  - bugfix {strip} must keep space on output creating smarty tags within html tags https://github.com/smarty-php/smarty/issues/177
  - bugfix wrong precedence on special if conditions like '$foo is ... by $bar' could cause wrong code https://github.com/smarty-php/smarty/issues/178
  - improvement because of ambiguities the inline constant support has been removed from the $foo.bar syntax https://github.com/smarty-php/smarty/issues/149
  - bugfix other {strip} error with output tags between html https://github.com/smarty-php/smarty/issues/180

09.02.2016
  - move some code from parser into compiler
  - reformat all code for unique style
  - update/bugfix scope attribute handling reworked. Read the newfeatures.txt file

05.02.2016
  - improvement internal compiler changes

01.02.2016
  - bugfix {foreach} compilation failed when $smarty->merge_compiled_includes = true and pre-filters are used.

29.01.2016
  - bugfix implement replacement code for _tag_stack property https://github.com/smarty-php/smarty/issues/151

28.01.2016
  - bugfix allow windows network filepath or wrapper (forum topic 25876) https://github.com/smarty-php/smarty/issues/170
  - bugfix if fetch('foo.tpl') is called on a template object the $parent parameter should default to the calling template object https://github.com/smarty-php/smarty/issues/152

27.01.2016
  - revert bugfix compiling {section} did create warning
  - bugfix {$smarty.section.customer.loop} did throw compiler error https://github.com/smarty-php/smarty/issues/161 update of yesterdays fix
  - bugfix string resource could inject code at {block} or inline subtemplates through PHP comments https://github.com/smarty-php/smarty/issues/157
  - bugfix output filters did not observe nocache code flag https://github.com/smarty-php/smarty/issues/154 https://github.com/smarty-php/smarty/issues/160
  - bugfix {extends} with relative file path did not work https://github.com/smarty-php/smarty/issues/154 https://github.com/smarty-php/smarty/issues/158
  - bugfix {capture} data could not been seen in other templates with {$smarty.capture.name} https://github.com/smarty-php/smarty/issues/153

26.01.2016
  - improvement observe Smarty::$_CHARSET in debugging console https://github.com/smarty-php/smarty/issues/169
  - bugfix compiling {section} did create warning
  - bugfix {$smarty.section.customer.loop} did throw compiler error https://github.com/smarty-php/smarty/issues/161

02.01.2016
  - update scope handling
  - optimize block plugin compiler
  - improvement runtime checks if registered block plugins are callable

01.01.2016
  - remove Smarty::$resource_cache_mode property

31.12.2015
  - optimization of {assign}, {if} and {while} compiled code

30.12.2015
  - bugfix plugin names starting with "php" did not compile https://github.com/smarty-php/smarty/issues/147

29.12.2015
  - bugfix Smarty::error_reporting was not observed when display() or fetch() was called on template objects https://github.com/smarty-php/smarty/issues/145

28.12.2015
  - optimization of {foreach} code size and processing

27.12.2015
  - improve inheritance code
  - update external methods
  - code fixes
  - PHPdoc updates

25.12.2015
  - compile {block} tag code and its processing into classes
  - optimization replace hhvm extension by inline code
  - new feature If ACP is enabled force an apc_compile_file() when compiled or cached template was updated

24.12.2015
  - new feature Compiler does now observe the template_dir setting and will create separate compiled files if required
  - bugfix post filter did fail on template inheritance https://github.com/smarty-php/smarty/issues/144

23.12.2015
  - optimization move internal method decodeProperties back into template object
  - optimization move subtemplate processing back into template object
  - new feature Caching does now observe the template_dir setting and will create separate cache files if required

22.12.2015
  - change $xxx_dir properties from private to protected in case Smarty class gets extended
  - code optimizations

21.12.2015
  - bugfix a filepath starting with '/' or '\' on windows should normalize to the root dir of current working drive https://github.com/smarty-php/smarty/issues/134
  - optimization of filepath normalization
  - bugfix {strip} must remove all blanks between html tags https://github.com/smarty-php/smarty/issues/136

===== 3.1.29 ===== (21.12.2015)
21.12.2015
  - optimization improve speed of filetime checks on extends and extendsall resource

20.12.2015
  - bugfix failure when the default resource type was set to 'extendsall' https://github.com/smarty-php/smarty/issues/123
  - update compilation of Smarty special variables
  - bugfix add addition check for OS type on normalization of file path https://github.com/smarty-php/smarty/issues/134
  - bugfix the source uid of the extendsall resource must contain $template_dir settings https://github.com/smarty-php/smarty/issues/123

19.12.2015
  - bugfix using $smarty.capture.foo in expressions could fail https://github.com/smarty-php/smarty/pull/138
  - bugfix broken PHP 5.2 compatibility https://github.com/smarty-php/smarty/issues/139
  - remove no longer used code
  - improvement make sure that compiled and cache templates never can contain a trailing '?>'

18.12.2015
  - bugfix regression when modifier parameter was followed by math https://github.com/smarty-php/smarty/issues/132

17.12.2015
  - bugfix {$smarty.capture.nameFail} did lowercase capture name https://github.com/smarty-php/smarty/issues/135
  - bugfix using {block append/prepend} on same block in multiple levels of inheritance templates could fail (forum topic 25827)
  - bugfix text content consisting of just a single '0' like in {if true}0{/if} was suppressed (forum topic 25834)

16.12.2015
  - bugfix {foreach} did fail if from attribute is a Generator class https://github.com/smarty-php/smarty/issues/128
  - bugfix direct access $smarty->template_dir = 'foo'; should call Smarty::setTemplateDir() https://github.com/smarty-php/smarty/issues/121

15.12.2015
  - bugfix {$smarty.cookies.foo} did return the $_COOKIE array not the 'foo' value https://github.com/smarty-php/smarty/issues/122
  - bugfix a call to clearAllCache() and other should clear all internal template object caches (forum topic 25828)

14.12.2015
  - bugfix {$smarty.config.foo} broken in 3.1.28 https://github.com/smarty-php/smarty/issues/120
  - bugfix multiple calls of {section} with same name dropped E_NOTICE error https://github.com/smarty-php/smarty/issues/118

===== 3.1.28 ===== (13.12.2015)
13.12.2015
  - bugfix {foreach} and {section} with uppercase characters in name attribute did not work (forum topic 25819)
  - bugfix $smarty->debugging_ctrl = 'URL' did not work (forum topic 25811)
  - bugfix Debug Console could display incorrect data when using subtemplates

09.12.2015
  - bugfix Smarty did fail under PHP 7.0.0 with use_include_path = true;

09.12.2015
  - bugfix {strip} should exclude some html tags from stripping, related to fix for https://github.com/smarty-php/smarty/issues/111

08.12.2015
  - bugfix internal template function data got stored in wrong compiled file https://github.com/smarty-php/smarty/issues/114

05.12.2015
  - bugfix {strip} should insert a single space https://github.com/smarty-php/smarty/issues/111

25.11.2015
  - bugfix a left delimiter like '[%' did fail on [%$var_[%$variable%]%] (forum topic 25798)

02.11.2015
  - bugfix {include} with variable file name like {include file="foo_`$bar`.tpl"} did fail in 3.1.28-dev https://github.com/smarty-php/smarty/issues/102

01.11.2015
  - update config file processing

31.10.2015
  - bugfix add missing $trusted_dir property to SmartyBC class (forum topic 25751)

29.10.2015
  - improve template scope handling

24.10.2015
  - more optimizations of template processing
  - bugfix Error when using {include} within {capture} https://github.com/smarty-php/smarty/issues/100

21.10.2015
  - move some code into runtime extensions

18.10.2015
  - optimize filepath normalization
  - rework of template inheritance
  - speed and size optimizations
  - bugfix under HHVM temporary cache file must only be created when caches template was updated
- fix compiled code for new {block} assign attribute - update code generated
by template function call handler 18.09.2015 - bugfix {if $foo instanceof
$bar} failed to compile if 2nd value is a variable https://github.com/smarty-
php/smarty/issues/92 17.09.2015 - bugfix {foreach} first attribute was not
correctly reset since commit 05a8fa2 of 02.08.2015 https://github.com/smarty-
php/smarty/issues/90 16.09.2015 - update compiler by moving no longer
needed properties, code optimizations and other 14.09.2015 - optimize
autoloader - optimize subtemplate handling - update template inheritance
processing - move code of {call} processing back into
Smarty_Internal_Template
class - improvement invalidate OPCACHE for cleared compiled and cached
template files (forum topic 25557) - bugfix unintended multiple debug windows
(forum topic 25699) 30.08.2015 - size optimization move some runtime
functions into extension - optimize inline template processing -
optimization merge inheritance child and parent templates into one compiled
template file 29.08.2015 - improvement convert template inheritance into
runtime processing - bugfix {$smarty.block.parent} did always reference the
root parent block https://github.com/smarty-php/smarty/issues/68 23.08.2015
- introduce Smarty::$resource_cache_mode and cache template object of {include}
inside loop - load seldom used Smarty API methods dynamically to reduce memory
footprint - cache template object of {include} if same template is included
several times - convert debug console processing to object - use output
buffers for better performance and less memory usage - optimize nocache hash
processing - remove not really needed properties - optimize rendering -
move caching to Smarty::_cache - remove properties with redundant content -
optimize Smarty::templateExists() - optimize use_include_path processing -
relocate properties for size optimization - remove redundant code - bugfix
compiling super globals like {$smarty.get.foo} did fail in the master branch
https://github.com/smarty-php/smarty/issues/77 06.08.2015 - avoid possible
circular object references caused by parser/lexer objects - rewrite
compileAll... utility methods - commit several internal improvements -
bugfix Smarty failed when compile_id did contain "|" 03.08.2015 - rework
clear cache methods - bugfix compileAllConfig() was broken since 3.1.22
because of the changes in config file processing - improve getIncludePath() to
return directory if no file was given 02.08.2015 - optimization and code
cleanup of {foreach} and {section} compiler - rework {capture} compiler
01.08.2015 - update DateTime object can be instance of DateTimeImmutable
since PHP5.5 https://github.com/smarty-php/smarty/pull/75 - improvement show
resource type and start of template source instead of uid on eval: and string:
resource (forum topic 25630) 31.07.2015 - optimize {foreach} and {section}
compiler 29.07.2015 - optimize {section} compiler for speed and size of
compiled code 28.07.2015 - update for PHP 7 compatibility 26.07.2015 -
improvement implement workaround for HHVM PHP incompatibility
https://github.com/facebook/hhvm/issues/4797 25.07.2015 - bugfix parser did
hang on text starting <?something https://github.com/smarty-php/smarty/issues/74
20.07.2015 - bugfix config files got recompiled on each request -
improvement invalidate PHP 5.5 opcache for recompiled and cached templates
https://github.com/smarty-php/smarty/issues/72 12.07.2015 - optimize
{extends} compilation 10.07.2015 - bugfix force file: resource in demo
resource.extendsall.php 08.07.2015 - bugfix convert each word of class
names to ucfirst in compiler. (forum topic 25588) 07.07.2015 -
improvement allow fetch() or display() called on a template object to get output
from other template like $template->fetch('foo.tpl')
https://github.com/smarty-php/smarty/issues/70 - improvement Added $limit
parameter to regex_replace modifier #71 - new feature multiple indices on
file: resource 06.07.2015 - optimize {block} compilation - optimization
get rid of __get and __set in source object 01.07.2015 - optimize compile
check handling - update {foreach} compiler - bugfix debugging console did
not display string values containing \n, \r or \t correctly
https://github.com/smarty-php/smarty/issues/66 - optimize source resources
28.06.2015 - move $smarty->enableSecurity() into Smarty_Security class -
optimize security isTrustedResourceDir() - move auto load filter methods into
extension - move $smarty->getTemplateVars() into extension - move
getStreamVariable() into extension - move $smarty->append() and
$smarty->appendByRef() into extension - optimize autoloader - optimize file
path normalization - bugfix PATH_SEPARATOR was replaced by mistake in
autoloader - remove redundant code 27.06.2015 - bugfix resolve naming
conflict between custom Smarty delimiter '<%' and PHP ASP tags
https://github.com/smarty-php/smarty/issues/64 - update $smarty->_realpath for
relative path not starting with './' - update Smarty security with new
realpath handling - update {include_php} with new realpath handling - move
$smarty->loadPlugin() into extension - minor compiler optimizations - bugfix
allow function plugins with name ending with 'close'
https://github.com/smarty-php/smarty/issues/52 - rework of $smarty->clearCompiledTemplate() and move it
to its own extension 19.06.2015 - improvement allow closures as callback at
$smarty->registerFilter() https://github.com/smarty-php/smarty/issues/59
===== 3.1.27 ===== (18.06.2015) 18.06.2015 - bugfix another update on file path
normalization failed on path containing something like "/.foo/"
https://github.com/smarty-php/smarty/issues/56 ===== 3.1.26 ===== (18.06.2015)
18.06.2015 - bugfix file path normalization failed on path containing
something like "/.foo/" https://github.com/smarty-php/smarty/issues/56
17.06.2015 - bugfix calling a plugin with nocache option but no other
attributes like {foo nocache} caused call to undefined function
https://github.com/smarty-php/smarty/issues/55 ===== 3.1.25 ===== (15.06.2015)
15.06.2015 - optimization of smarty_cachereource_keyvaluestore.php code
14.06.2015 - bugfix a relative sub template path could fail if template_dir
path did contain /../ https://github.com/smarty-php/smarty/issues/50 -
optimization rework of path normalization - bugfix an output tag with
variable, modifier followed by an operator like {$foo|modifier+1} did fail
https://github.com/smarty-php/smarty/issues/53 13.06.2015 - bugfix a custom
cache resource using smarty_cachereource_keyvaluestore.php did fail if php.ini
mbstring.func_overload = 2 (forum topic 25568) 11.06.2015 - bugfix the
lexer could hang on very large quoted strings (forum topic 25570) 08.06.2015
- bugfix using {$foo} as array index like $bar.{$foo} or in double quoted string
like "some {$foo} thing" failed https://github.com/smarty-php/smarty/issues/49
04.06.2015 - bugfix possible error message on unset() while compiling {block}
tags https://github.com/smarty-php/smarty/issues/46 01.06.2015 - bugfix
<?xml ... ?> including template variables broken since 3.1.22
https://github.com/smarty-php/smarty/issues/47 27.05.2015 - bugfix
{include} with variable file name must not create by default individual cache
file (since 3.1.22) https://github.com/smarty-php/smarty/issues/43 24.05.2015
- bugfix if condition string 'neq' broken due to a typo
https://github.com/smarty-php/smarty/issues/42 ===== 3.1.24 ===== (23.05.2015)
23.05.2015 - improvement on php_handling to allow very large PHP sections,
better error handling - improvement allow extreme large comment sections
(forum 25538) 21.05.2015 - bugfix broken PHP 5.2 compatibility when
compiling <?php tags https://github.com/smarty-php/smarty/issues/40 - bugfix
named {foreach} comparison like $smarty.foreach.foobar.index > 1 did compile
into wrong code https://github.com/smarty-php/smarty/issues/41 19.05.2015 -
bugfix compiler did overwrite existing variable value when setting the nocache
attribute https://github.com/smarty-php/smarty/issues/39 - bugfix output
filter trimwhitespace could run into the pcre.backtrack_limit on large output
(code.google issue 220) - bugfix compiler could run into the
pcre.backtrack_limit on larger comment or {php} tag sections (forum 25538)
18.05.2015 - improvement introduce shortcuts in lexer/parser rules for most
frequent terms for higher compilation speed 16.05.2015 - bugfix
{php}{/php} did work just for single lines
https://github.com/smarty-php/smarty/issues/33 - improvement remove not needed ?><?php transitions from
compiled code - improvement reduce number of lexer tokens on operators and if
conditions - improvement higher compilation speed by modified lexer/parser
generator at "smarty/smarty-lexer" 13.05.2015 - improvement remove not
needed ?><?php transitions from compiled code - improvement of debugging:
- use fresh Smarty object to display the debug console because of possible
problems when the Smarty was extended or Smarty properties had been
modified in the class source - display Smarty version number -
Truncate length of Origin display and extend string value display to 80 character
- bugfix in Smarty_Security 'nl2br' should be a trusted modifier, not PHP
function (code.google issue 223) 12.05.2015 - bugfix
{$smarty.constant.TEST} did fail on undefined constant
https://github.com/smarty-php/smarty/issues/28 - bugfix access to undefined
config variable like {#undef#} did fail
https://github.com/smarty-php/smarty/issues/29 - bugfix in nested {foreach} saved item attributes got
overwritten https://github.com/smarty-php/smarty/issues/33 ===== 3.1.23 =====
(12.05.2015) 12.05.2015 - bugfix of smaller performance issue introduced in
3.1.22 when caching is enabled - bugfix missing entry for smarty-template-config
in autoloader ===== 3.1.22 ===== tag was deleted because 3.1.22 did
fail caused by the missing entry for smarty-template-config in autoloader
10.05.2015 - bugfix custom cache resource did not observe compile_id and
cache_id when $cache_locking == true - bugfix cache lock was not handled
correctly after timeout when $cache_locking == true - improvement added
constants for $debugging 07.05.2015 - improvement of the debugging console.
Read NEW_FEATURES.txt - optimization of resource class loading 06.05.2015
- bugfix in 3.1.22-dev cache resource must not be loaded for subtemplates -
bugfix/improvement in 3.1.22-dev cache locking did not work as expected
05.05.2015 - optimization on cache update when main template is modified -
optimization move <?php ?> handling from parser to new compiler module
05.05.2015 - bugfix code could be messed up when {tags} are used in multiple
attributes https://github.com/smarty-php/smarty/issues/23 04.05.2015 -
bugfix Smarty_Resource::parseResourceName incompatible with Google AppEngine
(https://github.com/smarty-php/smarty/issues/22) - improvement use is_file()
checks to avoid errors suppressed by @ which could still cause problems
(https://github.com/smarty-php/smarty/issues/24) 28.04.2015 - bugfix
plugins of merged subtemplates not loaded in 3.1.22-dev (forum topic 25508) 2nd
fix 28.04.2015 - bugfix plugins of merged subtemplates not loaded in
3.1.22-dev (forum topic 25508) 23.04.2015 - bugfix a nocache template
variable used as parameter at {insert} was by mistake cached 20.04.2015 -
bugfix at a template function containing nocache code a parameter could overwrite
a template variable of same name 27.03.2015 - bugfix
Smarty_Security->allow_constants=false; did also disable true, false and null
(change of 16.03.2015) - improvement added a whitelist for trusted constants
to security Smarty_Security::$trusted_constants (forum topic 25471) 20.03.2015
- bugfix make sure that function properties get saved only in compiled files
containing the function definition {forum topic 25452} - bugfix correct update
of global variable values on exit of template functions. (reported under Smarty
Developers) 16.03.2015 - bugfix problems with {function}{/function} and
{call} tags in different subtemplate cache files {forum topic 25452} - bugfix
Smarty_Security->allow_constants=false; did not disallow direct usage of defined
constants like {SMARTY_DIR} {forum topic 25457} - bugfix {block}{/block} tags
did not work inside double quoted strings
https://github.com/smarty-php/smarty/issues/18 15.03.2015 - bugfix $smarty->compile_check must be
restored before rendering of a just updated cache file {forum 25452}
14.03.2015 - bugfix {nocache} {/nocache} tags corrupted code when used
within a nocache section caused by a nocache template variable. - bugfix
template functions defined with {function} in an included subtemplate could not
be called in nocache mode with {call... nocache} if the subtemplate
had its own cache file {forum 25452} 10.03.2015 - bugfix {include ...
nocache} with variable file or compile_id attribute was not executed in nocache
mode. 12.02.2015 - bugfix multiple Smarty::fetch() of same template when
$smarty->merge_compiled_includes = true; could cause function already defined
error 11.02.2015 - bugfix recursive {includes} did create E_NOTICE message
when $smarty->merge_compiled_includes = true; (github issue #16) 22.01.2015
- new feature security can now control access to static methods and properties
see also NEW_FEATURES.txt 21.01.2015 - bugfix clearCompiledTemplates(),
clearAll() and clear() could try to delete whole drive at wrong path permissions
because realpath() fail (forum 25397) - bugfix 'self::' and 'parent::' was
interpreted in template syntax as static class 04.01.2015 - push last weeks
changes to github - different optimizations - improvement automatically create
different versions of compiled templates and config files depending on
property settings. - optimization restructure template processing by moving
code into classes it better belongs to - optimization restructure config file
processing 31.12.2014 - bugfix use function_exists('mb_get_info') for setting
Smarty::$_MBSTRING. Function mb_split could be overloaded depending on
php.ini mbstring.func_overload 29.12.2014 - new feature security can now
limit the template nesting level by property $max_template_nesting
see also NEW_FEATURES.txt (forum 25370) 29.12.2014 - new feature security
can now disable special $smarty variables listed in property
$disabled_special_smarty_vars see also NEW_FEATURES.txt (forum
25370) 27.12.2014 - bugfix clear internal _is_file_cache when plugins_dir
was modified 13.12.2014 - improvement optimization of lexer and parser
resulting in a up to 30% higher compiling speed 11.12.2014 - bugfix resolve
parser ambiguity between constant print tag {CONST} and other smarty tags after
change of 09.12.2014 09.12.2014 - bugfix variables $null, $true and $false
did not work after the change of 12.11.2014 (forum 25342) - bugfix call of
template function by a variable name did not work after latest changes (forum
25342) 23.11.2014 - bugfix a plugin with attached modifier could fail if
the tag was immediately followed by another Smarty tag (since 3.1.21) (forum
25326) 13.11.2014 - improvement move autoload code into Autoloader.php. Use
Composer autoloader when possible 12.11.2014 - new feature added support of
namespaces to template code 08.11.2014 - 10.11.2014 - bugfix subtemplate
called in nocache mode could be called with wrong compile_id when it did change
on one of the calling templates - improvement add code of template functions
called in nocache mode dynamically to cache file (related to bugfix of
01.11.2014) - bugfix Debug Console did not include all data from merged
compiled subtemplates 04.11.2014 - new feature $smarty->debugging = true; =>
overwrite existing Debug Console window (old behaviour)
$smarty->debugging = 2; => individual Debug Console window by template name
03.11.2014 - bugfix Debug Console did not show included subtemplates since
3.1.17 (forum 25301) - bugfix Modifier debug_print_var did not limit recursion
or prevent recursive object display at Debug Console (ATTENTION: parameter
order has changed to be able to specify maximum recursion) - bugfix Debug
console did not include subtemplate information with
$smarty->merge_compiled_includes = true - improvement The template variables
are no longer displayed as objects on the Debug Console - improvement
$smarty->createData($parent = null, $name = null) new optional name parameter
for display at Debug Console - addition of some hooks for future extension of
Debug Console 01.11.2014 - bugfix and enhancement on subtemplate {include}
and template {function} tags. * Calling a template which has a nocache
section could fail if it was called from a cached and a not cached subtemplate.
* Calling the same subtemplate cached and not cached with the
$smarty->merge_compiled_includes enabled could cause problems * Many smaller
related changes 30.10.2014 - bugfix access to class constant by object like
{$object::CONST} or variable class name {$class::CONST} did not work (forum
25301) 26.10.2014 - bugfix E_NOTICE message was created during compilation
when ASP tags '<%' or '%>' are in template source text - bugfix
merge_compiled_includes option failed when caching enables and same subtemplate
was included cached and not cached
--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 22 2019 Shawn Iwinski <shawn@iwin.ski> - 3.1.33-1
- Update to 3.1.33
- RHBZ #s: 1532492, 1532493, 1532494, 1628739, 1628740, 1628741, 1631095,
1631096, 1631098
- CVEs: CVE-2017-1000480, CVE-2018-13982, CVE-2018-16831
- License LGPLv2+ => LGPLv3
* Sat Feb 2 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.21-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1631098 - CVE-2018-13982 php-Smarty: Path traversal vulnerability
in Smarty_Security::isTrustedResourceDir() [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1631098
[ 2 ] Bug #1628740 - CVE-2018-16831 php-Smarty: trusted_dir protection
mechanism bypass [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1628740
[ 3 ] Bug #1532493 - CVE-2017-1000480 php-Smarty: Code injection when calling
fetch() or display() on unsanitized template names [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1532493
[ 4 ] Bug #1631096 - CVE-2018-13982 php-Smarty: Path traversal vulnerability
in Smarty_Security::isTrustedResourceDir() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1631096
[ 5 ] Bug #1628741 - CVE-2018-16831 php-Smarty: trusted_dir protection
mechanism bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1628741
[ 6 ] Bug #1532494 - CVE-2017-1000480 php-Smarty: Code injection when calling
fetch() or display() on unsanitized template names [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1532494
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-e595e8a7d7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org