Smarty no longer accepts TRUE, FALSE, NULL #282

iOvergaard · 2016-09-02T12:27:36Z

Since around version 3.1.23 it seems (this commit) Smarty will no longer accept TRUE, FALSE and NULL as language structures (uppercase), but will instead try and access them like constants, which in turn could be disallowed by the security settings.

sysplugins/smarty_security.php:

public function isTrustedConstant($const, $compiler)
{
    if (in_array($const, array('true', 'false', 'null'))) {
        return true;
    }
    [...]
}

The in_array function in PHP is case sensitive, while PHP in fact allows uppercase structures (even though they are inherently slower), using them in a Smarty template will not work.

I was wondering if this is on purpose to try and enforce a better code style?

The text was updated successfully, but these errors were encountered:

iOvergaard · 2016-09-02T13:09:39Z

I should add that the obvious fix is to validate the constants as lowercase in this particular case, but I do not know if this opens up for invulnerabilities?

if (in_array(strtolower($const), array('true', 'false', 'null'))) {
    return true;
}

…s enabled #282

uwetews · 2016-09-06T22:16:10Z

This bug is now fixed in the master branch

uwetews added a commit that referenced this issue Sep 6, 2016

- bugfix uppercase TRUE, FALSE and NULL did not work when security wa…

e5bbc05

…s enabled #282

uwetews closed this as completed Sep 6, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Smarty no longer accepts TRUE, FALSE, NULL #282

Smarty no longer accepts TRUE, FALSE, NULL #282

iOvergaard commented Sep 2, 2016

iOvergaard commented Sep 2, 2016

uwetews commented Sep 6, 2016

Smarty no longer accepts TRUE, FALSE, NULL #282

Smarty no longer accepts TRUE, FALSE, NULL #282

Comments

iOvergaard commented Sep 2, 2016

iOvergaard commented Sep 2, 2016

uwetews commented Sep 6, 2016