bump smarty to 4.5.3 (the smarty release is regarded as a security fix ( CVE-2024-35226 ). PostfixAdmin should not be vulnerable as it does not use the extends tag.

2025-08-09 05:02:44 +03:00 · 2024-06-09 10:20:44 +01:00
parent 37fe4d993a
commit 2694adbc27
27 changed files with 145 additions and 105 deletions
--- a/lib/smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php
+++ b/lib/smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php
@@ -455,15 +455,29 @@ abstract class Smarty_Internal_TemplateCompilerBase
            $this->smarty->_current_file = $this->template->source->filepath;
            // get template source
            if (!empty($this->template->source->components)) {
-                // we have array of inheritance templates by extends: resource
-                // generate corresponding source code sequence
-                $_content =
-                    Smarty_Internal_Compile_Extends::extendsSourceArrayCode($this->template);
+				$_compiled_code = '<?php $_smarty_tpl->_loadInheritance(); $_smarty_tpl->inheritance->init($_smarty_tpl, true); ?>';
+
+				$i = 0;
+				$reversed_components = array_reverse($this->template->getSource()->components);
+				foreach ($reversed_components as $source) {
+					$i++;
+					if ($i === count($reversed_components)) {
+						$_compiled_code .= '<?php $_smarty_tpl->inheritance->endChild($_smarty_tpl); ?>';
+					}
+					$_compiled_code .= $this->compileTag(
+						'include',
+						[
+							var_export($source->resource, true),
+							['scope' => 'parent'],
+						]
+					);
+				}
+				$_compiled_code = $this->postFilter($_compiled_code, $this->template);
            } else {
                // get template source
                $_content = $this->template->source->getContent();
+				$_compiled_code = $this->postFilter($this->doCompile($this->preFilter($_content), true));
            }
-            $_compiled_code = $this->postFilter($this->doCompile($this->preFilter($_content), true));
            if (!empty($this->required_plugins[ 'compiled' ]) || !empty($this->required_plugins[ 'nocache' ])) {
                $_compiled_code = '<?php ' . $this->compileRequiredPlugins() . "?>\n" . $_compiled_code;
            }
@@ -640,7 +654,18 @@ abstract class Smarty_Internal_TemplateCompilerBase
                        return $func_name . '(' . $parameter[ 0 ] . ')';
                    }
                } else {
-                    return $name . '(' . implode(',', $parameter) . ')';
+
+					if (
+						!$this->smarty->loadPlugin('smarty_modifiercompiler_' . $name)
+						&& !isset($this->smarty->registered_plugins[Smarty::PLUGIN_MODIFIER][$name])
+						&& !in_array($name, ['time', 'join', 'is_array', 'in_array'])
+					) {
+						trigger_error('Using unregistered function "' . $name . '" in a template is deprecated and will be ' .
+							'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
+							'a custom modifier.', E_USER_DEPRECATED);
+					}
+
+					return $name . '(' . implode(',', $parameter) . ')';
                }
            } else {
                $this->trigger_template_error("unknown function '{$name}'");