Bug with block commenting in compiled template via string resource

[talisto]

As of Smarty v3.1.28, a block in a compiled template has a PHP comment wrapped around it that indicates the resource and name of the template that the block is contained in. The problem is that the "name" of a string resource's template is actually the entire template contents. This can allow for exploitable code in some situations. Consider this example:

$smarty = new Smarty;
$smarty->display('string:{block name="test"} */ echo date("Y"); /* {/block}');

this will output:

2016 */ echo date("Y"); /*

Note the "2016". Because the template content is embedded to the compiled template as-is, the PHP comment can be closed and re-opened, and anything in between will be executed as raw PHP code. Obviously the echo command could be replaced with an exec or otherwise to do "bad things".

If there are other internal compiler plugins that add comments like the block plugin, those should probably be checked for similar exploits.

[uwetews]

Thanks for bringing this up.
The fix is now in the master branch and will later be included in 3.1.30