Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28447
Pick the patch that is referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../smarty/smarty/CVE-2023-28447.patch | 74 +++++++++++++++++++ .../recipes-support/smarty/smarty_4.1.1.bb | 1 + 2 files changed, 75 insertions(+) create mode 100644 meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch diff --git a/meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch b/meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch new file mode 100644 index 0000000000..837019d88a --- /dev/null +++ b/meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch @@ -0,0 +1,74 @@ +From 456aad251e7dd399fef136f652a1684c05fefa5a Mon Sep 17 00:00:00 2001 +From: Simon Wisselink <[email protected]> +Date: Fri, 24 Mar 2023 12:19:34 +0100 +Subject: [PATCH] Implement fix and tests + +CVE: CVE-2023-28447 +Upstream-Status: Backport [https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + libs/plugins/modifier.escape.php | 4 +++- + libs/plugins/modifiercompiler.escape.php | 4 +++- + .../PluginModifierEscapeTest.php | 21 +++++++++++++++++++ + 3 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/libs/plugins/modifier.escape.php b/libs/plugins/modifier.escape.php +index 3ce48382..70d2db92 100644 +--- a/libs/plugins/modifier.escape.php ++++ b/libs/plugins/modifier.escape.php +@@ -188,7 +188,9 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $ + // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements + '<!--' => '<\!--', + '<s' => '<\s', +- '<S' => '<\S' ++ '<S' => '<\S', ++ "`" => "\\\\`", ++ "\${" => "\\\\\\$\\{" + ) + ); + case 'mail': +diff --git a/libs/plugins/modifiercompiler.escape.php b/libs/plugins/modifiercompiler.escape.php +index 1fc5e781..0e13c829 100644 +--- a/libs/plugins/modifiercompiler.escape.php ++++ b/libs/plugins/modifiercompiler.escape.php +@@ -89,7 +89,9 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile + // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements + return 'strtr((string)' . + $params[ 0 ] . +- ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))'; ++ ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", ++ "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S", ++ "`" => "\\\\`", "\${" => "\\\\\\$\\{"))'; + } + } catch (SmartyException $e) { + // pass through to regular plugin fallback +diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php +index 46a8297f..752e1bfe 100644 +--- a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php ++++ b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php +@@ -207,4 +207,25 @@ class PluginModifierEscapeTest extends PHPUnit_Smarty + $this->assertEquals("sma'rty@»example«.com", $this->smarty->fetch($tpl)); + Smarty::$_MBSTRING = true; + } ++ ++ public function testTemplateLiteralBackticks() ++ { ++ $tpl = $this->smarty->createTemplate('string:{"`Hello, World!`"|escape:"javascript"}'); ++ $this->assertEquals("\\`Hello, World!\\`", $this->smarty->fetch($tpl)); ++ } ++ ++ public function testTemplateLiteralInterpolation() ++ { ++ $tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}'); ++ $this->smarty->assign('vector', "`Hello, \${name}!`"); ++ $this->assertEquals("\\`Hello, \\\$\\{name}!\\`", $this->smarty->fetch($tpl)); ++ } ++ ++ public function testTemplateLiteralBackticksAndInterpolation() ++ { ++ $this->smarty->assign('vector', '`${alert(`Hello, ${name}!`)}${`\n`}`'); ++ $tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}'); ++ $this->assertEquals("\\`\\\$\\{alert(\\`Hello, \\\$\\{name}!\\`)}\\\$\\{\\`\\\\n\\`}\\`", $this->smarty->fetch($tpl)); ++ } ++ + } diff --git a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb index 1d044e18ce..014a449b30 100644 --- a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb +++ b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb @@ -9,6 +9,7 @@ DEPENDS += "php" SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master \ file://CVE-2018-25047.patch \ + file://CVE-2023-28447.patch \ " SRCREV = "71036be8be02bf93735c47b0b745f722efbc729f"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#122925): https://lists.openembedded.org/g/openembedded-devel/message/122925 Mute This Topic: https://lists.openembedded.org/mt/116940540/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
