Security vulnerabilities in the php-Smarty software package

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

Fedora Update Notification
2019-03-06 06:57:11.060955

Name : php-Smarty
Product : Fedora 29
Version : 3.1.33
Release : 1.fc29
Summary : Smarty – the compiling PHP template engine
Description :
Smarty is a template engine for PHP, facilitating the separation of
presentation (HTML/CSS) from application logic. This implies that PHP
code is application logic, and is separated from the presentation.

Autoloader: /usr/share/php/Smarty/autoload.php

Update Information:

===== 3.1.33 release ===== 12.09.2018

===== 3.1.33-dev-12 =====

03.09.2018
– bugfix {foreach} using new style property access like {$item@property} on Smarty 2 style named foreach loop could produce errors

31.08.2018
– bugfix some custom left and right delimiters like '{^' '^}' did not work php/smarty/pull/482
– reformatting for PSR-2 coding standards
– bugfix on Windows absolute filepaths did fail if the drive letter was followed by a linux DIRECTORY_SEPARATOR like C:/ at Smarty > 3.1.33-dev-5
– PSR-2 code style fixes for config and template file Lexer/Parser generated with the Smarty Lexer/Parser generator from

26.08.2018
– bugfix/enhancement {capture} allow variable as capture block name in Smarty special variable like $smarty.capture.$foo php/smarty/issues/478

===== 3.1.33-dev-6 =====

19.08.2018
– fix PSR-2 coding standards and PHPDoc blocks php/smarty/pull/475
– bugfix PHP5.2 compatibility

===== 3.1.33-dev-4 =====

17.05.2018
– bugfix strip-block produces different output in Smarty v3.1.32
– bugfix Smarty::compileAllTemplates ignores `$extension` parameter php/smarty/pull/438
– improvement do not compute total property in {foreach} if not needed
– bugfix plugins may not be loaded when setMergeCompiledIncludes is true

26.04.2018
– bugfix regarding Security Vulnerability did not solve the problem under Linux. Security issue CVE-2018-16831

===== 3.1.32 ===== (24.04.2018)

24.04.2018
– bugfix possible Security Vulnerability in Smarty_Security class.

26.03.2018
– bugfix plugins may not be loaded if {function} or {block} tags are executed in nocache mode

26.03.2018
– new feature {parent} = {$smarty.block.parent} {child} = {$smarty.block.child}

23.03.2018
– bugfix preg_replace could fail on large content resulting in a blank page

21.03.2018
– bugfix {$smarty.section…} used outside {section}{/section} showed incorrect values if {section}{/section} was called inside another loop
– bugfix short form of {section} attributes did not work php/smarty/issues/428

17.03.2018
– improvement Smarty::compileAllTemplates() exit with a non-zero status code if max errors is reached

16.03.2018
– bugfix extends resource did not work with user defined left/right delimiter

22.11.2017
– bugfix {break} and {continue} could fail if {foreach}{/foreach} did contain other looping tags like {for}, {section} and {while} php/smarty/issues/323

20.11.2017
– bugfix rework of newline spacing between tag code and template text. now again identical with Smarty2 (forum topic 26878)
– replacement of " by '

05.11.2017
– lexer/parser optimization
– code cleanup and optimizations
– bugfix {$} used together with {$} could produce wrong results (forum topic 27041)

26.10.2017
– bugfix Smarty version was not filled in header comment of compiled and cached files
– optimization replace internal Smarty::$ds property by DIRECTORY_SEPARATOR
– deprecate functions Smarty::muteExpectedErrors() and Smarty::unmuteExpectedErrors() as Smarty does no longer use error suppression like @filemtime(). for backward compatibility code is moved from Smarty class to an external class and still can be called.
– correction of PHPDoc blocks
– minor code cleanup
21.10.2017
– bugfix custom delimiters could fail since modification of version 3.1.32-dev-23

18.10.2017
– bugfix fix implementation of unclosed block tag in double quoted string of 12.10.2017

12.10.2017
– bugfix $smarty.block.child and $smarty.block.parent could not be used like any $smarty special variable php/smarty/issues/393
– unclosed block tag in double quoted string must throw compiler exception.

07.10.2017
– bugfix modification of 9.8.2017 did fail on some recursive tag nesting.

26.8.2017
– bugfix chained modifier failed when last modifier parameter is a signed value
– bugfix templates filepath with multibyte characters did not work php/smarty/issues/385
– bugfix {make_nocache} did display code if the template did not contain other nocache code php/smarty/issues/369

09.8.2017
– improvement repeated delimiter like {{ and }} will be treated as literal !topic/smarty-developers/h9r82Bx4KZw

05.8.2017
– bugfix wordwrap modifier could fail if used in nocache code. converted plugin file shared.mb_wordwrap.php into modifier.mb_wordwrap.php
– cleanup of _getSmartyObj()

31.7.2017
– Call clearstatcache() after mkdir() failure

30.7.2017
– rewrite mkdir() bugfix to retry automatically see

21.7.2017
– security possible PHP code injection on custom resources at display() or fetch() calls if the resource does not sanitize the template name
– bugfix fix 'mkdir(): File exists' error on create directory from parallel processes
– bugfix solve preg_match() hhvm parameter problem

27.5.2017
– bugfix change compiled code for registered function and modifiers to called as callable to allow closures,
– bugfix did break the default plugin handler
– improvement replace phpversion() by PHP_VERSION constant.

21.5.2017
– performance store flag for already required shared plugin functions in static variable or Smarty's $_cache to improve performance when plugins are often called 4528#commitcomment-22280086
– bugfix remove special treatment of classes implementing ArrayAccess in {foreach} php/smarty/issues/332
– bugfix remove deleted files by clear_cache() and clear_compiled_template() from ACP cache if present, add some is_file() checks to avoid possible warnings on filemtime() caused by above functions.
– bugfix version 3.1.31 did fail under PHP 5.2
19.5.2017
– change properties $accessMap and $obsoleteProperties from private to protected
– new feature The named capture buffers can now be accessed also as array See
– improvement check if ini_get() and ini_set() not disabled

24.4.2017
– fix spelling b1b4#commitcomment-21803095

17.4.2017
– correct generated code on empty() and isset() call, observe change PHP behaviour since PHP 5.5

14.4.2017
– merge pull requests, and php/smarty/pull/337 to fix spelling and annotation

13.4.2017
– bugfix array_merge() parameter should be checked php/smarty/issues/350

===== 3.1.31 ===== (14.12.2016)

23.11.2016
– move template object cache into static variables

19.11.2016
– bugfix inheritance root child templates containing nested {block}{/block} could call sub-block content from parent template php/smarty/issues/317
– change version checking

11.11.2016
– bugfix when Smarty is using a cached template object on Smarty::fetch() or Smarty::isCached() the inheritance data must be removed
– smaller speed optimization

08.11.2016
– add bootstrap file to load and register Smarty_Autoloader. Change composer.json to make it known to composer

07.11.2016
– optimization of lexer speed

27.10.2016
– bugfix template function definitions array has not been cached between Smarty::fetch() and Smarty::display() calls php/smarty/issues/301

23.10.2016
– improvement/bugfix when Smarty::fetch() is called on a template object the inheritance and tplFunctions property should be copied to the called template object

21.10.2016
– bugfix for compile locking touched timestamp of old compiled file was not restored on compilation error

20.10.2016
– bugfix nocache code was not removed in cache file when subtemplate did contain PHP short tags in text but no other nocache code php/smarty/issues/300

19.10.2016
– bugfix {make_nocache $var} did fail when variable value did contain '\'
– bugfix {make_nocache $var} remove spaces from variable value

12.10.2016
– bugfix {include} with template names including variable or constants could fail after bugfix from 28.09.2016
08.10.2016
– optimization move runtime extension for template functions into Smarty objects

29.09.2016
– improvement new Smarty::$extends_recursion property to disable execution of {extends} in templates called by extends resource

28.09.2016
– bugfix the generated code for calling a subtemplate must pass the template resource name in single quotes
– bugfix nocache hash was not removed for <?xml ?> tags in subtemplates

27.09.2016
– bugfix when Smarty does use an internally cached template object on Smarty::fetch() calls the template and config variables must be cleared php/smarty/issues/297

20.09.2016
– bugfix some $smarty special template variables are no longer accessed as real variable. using them on calls like {if isset($} or {if empty($} will fail
– temporary fix for main reason still under investigation
– improvement new tags {block_parent} {block_child} in template inheritance

19.09.2016
– optimization clear compiled and cached folder completely on detected version change
– cleanup convert cache resource file method clear into runtime extension

15.09.2016
– bugfix assigning a variable in if condition by function like {if $value = array_shift($array)} the function got called twice
– bugfix function plugins called with assign attribute like {foo assign='bar'} did not output returned content because assumption was made that it was assigned to a variable
– bugfix calling $smarty->isCached() on a not existing cache file with $smarty->cache_locking = true; could cause a 10 second delay
– improvement make Smarty::clearCompiledTemplate() on custom resource independent from changes of templateId computation

11.09.2016
– improvement {math} misleading E_USER_WARNING messages when parameter value = null php/smarty/issues/288
– improvement move often used code snippets into methods
– performance Smarty::configLoad() did load unneeded template source object

09.09.2016
– bugfix/optimization {foreach} did not execute the {foreachelse} when iterating empty objects
– bugfix {foreach} must keep the @properties when restoring a saved $item variable as the properties might be used outside {foreach} php/smarty/issues/267
– improvement {foreach} observe {break n} and {continue n} nesting levels when restoring saved $item and $key variables

08.09.2016
– bugfix implement wrapper for removed method getConfigVariable()

07.09.2016
– bugfix using nocache like attribute with value true like {plugin nocache=true} did not work
– bugfix uppercase TRUE, FALSE and NULL did not work when security was enabled php/smarty/issues/282
– bugfix when {foreach} was looping over an object the total property like {$item@total} did always return 1 php/smarty/issues/281
– bugfix {capture}{/capture} did add in 3.1.30 unintended additional blank lines php/smarty/issues/268

01.09.2016
– performance require_once should be called only once for shared plugins php/smarty/issues/280

26.08.2016
– bugfix change of 23.08.2016 failed on linux when use_include_path = true

23.08.2016
– bugfix remove constant DS as shortcut for DIRECTORY_SEPARATOR as the user may have defined it to something else

20.08-2016
– bugfix {config_load … scope="global"} shall not throw an error but fallback to scope="smarty"
– bugfix {make_nocache} failed when using composer autoloader php/smarty/issues/275

14.08.2016
– bugfix $smarty->debugging = true; did E_NOTICE messages when {eval} tag was used php/smarty/issues/266
– bugfix Class 'Smarty_Internal_Runtime_ValidateCompiled' not found when upgrading from some older Smarty versions with existing compiled or cached template files
– optimization remove unneeded call to update scopes when {assign} scope and template scope was local (default)

===== 3.1.30 ===== (07.08.2016)

07.08.2016
– bugfix update of 04.08.2016 was incomplete

05.08.2016
– bugfix compiling of templates failed when the Smarty delimiter did contain '/'
– updated error checking at template and config default handler

04.08.2016
– improvement move template function source parameter into extension

26.07.2016
– optimization unneeded loading of compiled resource

24.07.2016
– regression this->addPluginsDir('/abs/path/to/dir') adding absolute path without trailing '/' did fail
23.07.2016
– bugfix setTemplateDir('/') and setTemplateDir('') did create wrong absolute filepath
– optimization of filepath normalization
– improvement remove double function declaration in plugin shared.escape_special_cars.php php/smarty/issues/229

19.07.2016
– bugfix multiple {include} with relative filepath within {block}{/block} could fail php/smarty/issues/246
– bugfix {math} shell injection vulnerability patch provided by Tim Weber

18.07.2016
– bugfix {foreach} if key variable and item@key attribute have been used both the key variable was not updated
– bugfix modifier on plugins like {plugin|modifier … } did fail when the plugin does return an array
– bugfix avoid opcache_invalidate to result in ErrorException when opcache.restrict_api is not empty
– bugfix multiple {include} with relative filepath within {block}{/block} could fail

14.07.2016
– bugfix wrong parameter on compileAllTemplates() and compileAllConfig()

13.07.2016
– bugfix PHP 7 compatibility on registered compiler plugins php/smarty/issues/241
– update testInstall() php/smarty/issues/248
– bugfix enable debugging could fail when template objects did already exists
– bugfix template function data should be merged when loading subtemplate php/smarty/issues/240
– bugfix wrong parameter on compileAllTemplates()

12.07.2016
– bugfix {foreach} item variable must be created also on empty from array and php/smarty/issues/239
– bugfix enableSecurity() must init cache flags

27.05.2016
– bugfix/improvement of compileAlltemplates() follow symlinks in template folder (PHP >= 5.3.1) clear internal cache and extension handler for each template to avoid possible conflicts

16.05.2016
– optimization {foreach} compiler and processing
– broken PHP 5.3 and 5.4 compatibility

15.05.2016
– optimization and cleanup of resource code

10.05.2016
– optimization of inheritance processing

07.05.2016
– bugfix Only variables should be assigned by reference php/smarty/issues/227

02.05.2016
– enhancement {block} tag names can now be variable

01.05.2016
– bugfix same relative filepath at {include} called from template in different folders could display wrong sub-template

29.04.2016
– bugfix {strip} remove space on linebreak between html tags php/smarty/issues/213

24.04.2016
– bugfix nested {include} with relative file path could fail when called in {block} … {/block}

14.04.2016
– bugfix special variable {$} was not case sensitive on name
– bugfix the default template handler must calculate the source uid php/smarty/issues/205

13.04.2016
– bugfix template inheritance status must be saved when calling sub-templates php/smarty/issues/215

27.03.2016
– bugfix change of 11.03.2016 cause again {capture} data could not been seen in other templates with

11.03.2016
– optimization of capture and security handling
– improvement $smarty->clearCompiledTemplate() should return on recompiled or uncompiled resources

10.03.2016
– optimization of resource processing

09.03.2016
– improvement rework of 'scope' attribute handling see NEW_FEATURES.txt php/smarty/issues/186
– bugfix correct Autoloader update of 2.3.2014 php/smarty/issues/199

04.03.2016
– bugfix change from 01.03.2016 will cause $smarty->isCached(..) failure if called multiple time for same template (forum topic 25935)

02.03.2016
– revert autoloader optimizations because of unexplainable warning when using plugins php/smarty/issues/199

01.03.2016
– bugfix template objects must be cached on $smarty->fetch('foo.tpl') calls in case the template is fetched multiple times (forum topic 25909)

25.02.2016
– bugfix wrong _realpath with 4 or more parent-directories
– optimization of _realpath
– bugfix instanceof expression in template code must be treated as value

20.02.2016
– bugfix {strip} must keep space between html tags. Broken by changes of 10.2.2016
– new feature/bugfix {foreach}{section} add 'properties' attribute to force compilation of loop properties see NEW_FEATURES.txt php/smarty/issues/189

19.02.2016
– revert output buffer flushing on display, echo content again because possible problems when PHP files had characters (newline) after ?> at file end php/smarty/issues/187

14.02.2016
– new tag {make_nocache} read optimization of sub-template processing
– bugfix using extendsall as default resource and {include} inside {block} tags could produce unexpected results
– optimization of tag attribute compiling
– optimization make compiler tag object cache static for higher compilation speed

11.02.2016
– improvement added KnockoutJS comments to trimwhitespace outputfilter

10.02.2016
– bugfix {strip} must keep space on output creating smarty tags within html tags
– bugfix wrong precedence on special if conditions like '$foo is … by $bar' could cause wrong code
– improvement because of ambiguities the inline constant support has been removed from the $ syntax
– bugfix other {strip} error with output tags between html php/smarty/issues/180

09.02.2016
– move some code from parser into compiler
– reformat all code for unique style
– update/bugfix scope attribute handling reworked. Read the newfeatures.txt file

05.02.2016
– improvement internal compiler changes

01.02.2016
– bugfix {foreach} compilation failed when $smarty->merge_compiled_includes = true and pre-filters are used.

29.01.2016
– bugfix implement replacement code for _tag_stack property

28.01.2016
– bugfix allow windows network filepath or wrapper (forum topic 25876)
– bugfix if fetch('foo.tpl') is called on a template object the $parent parameter should default to the calling template object
27.01.2016
– revert bugfix compiling {section} did create warning
– bugfix {$smarty.section.customer.loop} did throw compiler error update of yesterdays fix
– bugfix string resource could inject code at {block} or inline subtemplates through PHP comments
– bugfix output filters did not observe nocache code php/smarty/issues/160
– bugfix {extends} with relative file path did not work php/smarty/issues/158
– bugfix {capture} data could not been seen in other templates with {$} php/smarty/issues/153

26.01.2016
– improvement observe Smarty::$_CHARSET in debugging console
– bugfix compiling {section} did create warning
– bugfix {$smarty.section.customer.loop} did throw compiler error

02.01.2016
– update scope handling
– optimize block plugin compiler
– improvement runtime checks if registered block plugins are callable

01.01.2016
– remove Smarty::$resource_cache_mode property

31.12.2015
– optimization of {assign}, {if} and {while} compiled code

30.12.2015
– bugfix plugin names starting with "php" did not compile php/smarty/issues/147

29.12.2015
– bugfix Smarty::error_reporting was not observed when display() or fetch() was called on template objects

28.12.2015
– optimization of {foreach} code size and processing

27.12.2015
– improve inheritance code
– update external methods
– code fixes
– PHPdoc updates

25.12.2015
– compile {block} tag code and its processing into classes
– optimization replace hhvm extension by inline code
– new feature If ACP is enabled force an apc_compile_file() when compiled or cached template was updated

24.12.2015
– new feature Compiler does now observe the template_dir setting and will create separate compiled files if required
– bugfix post filter did fail on template inheritance

23.12.2015
– optimization move internal method decodeProperties back into template object
– optimization move subtemplate processing back into template object
– new feature Caching does now observe the template_dir setting and will create separate cache files if required

22.12.2015
– change $xxx_dir properties from private to protected in case Smarty class gets extended
– code optimizations

21.12.2015
– bugfix a filepath starting with '/' or '\' on windows should normalize to the root dir of current working drive
– optimization of filepath normalization
– bugfix {strip} must remove all blanks between html tags

===== 3.1.29 ===== (21.12.2015)

21.12.2015
– optimization improve speed of filetime checks on extends and extendsall resource

20.12.2015
– bugfix failure when the default resource type was set to 'extendsall' php/smarty/issues/123
– update compilation of Smarty special variables
– bugfix add addition check for OS type on normalization of file path
– bugfix the source uid of the extendsall resource must contain $template_dir settings

19.12.2015
– bugfix using $ in expressions could fail php/smarty/pull/138
– bugfix broken PHP 5.2 compatibility
– remove no longer used code
– improvement make sure that compiled and cache templates never can contain a trailing '?>'

18.12.2015
– bugfix regression when modifier parameter was followed by math

17.12.2015
– bugfix {$smarty.capture.nameFail} did lowercase capture name
– bugfix using {block append/prepend} on same block in multiple levels of inheritance templates could fail (forum topic 25827)
– bugfix text content consisting of just a single '0' like in {if true}0{/if} was suppressed (forum topic 25834)

16.12.2015
– bugfix {foreach} did fail if from attribute is a Generator class
– bugfix direct access $smarty->template_dir = 'foo'; should call Smarty::setTemplateDir()

15.12.2015
– bugfix {$} did return the $_COOKIE array not the 'foo' value
– bugfix a call to clearAllCache() and other should clear all internal template object caches (forum topic 25828)

14.12.2015
– bugfix {$} broken in 3.1.28
– bugfix multiple calls of {section} with same name dropped E_NOTICE error

===== 3.1.28 ===== (13.12.2015)

13.12.2015
– bugfix {foreach} and {section} with uppercase characters in name attribute did not work (forum topic 25819)
– bugfix $smarty->debugging_ctrl = 'URL' did not work (forum topic 25811)
– bugfix Debug Console could display incorrect data when using subtemplates

09.12.2015
– bugfix Smarty did fail under PHP 7.0.0 with use_include_path = true;

09.12.2015
– bugfix {strip} should exclude some html tags from stripping, related to fix for

08.12.2015
– bugfix internal template function data got stored in wrong compiled file

05.12.2015
– bugfix {strip} should insert a single space
25.11.2015
– bugfix a left delimiter like '[%' did fail on [%$var_[%$variable%]%] (forum topic 25798)

02.11.2015
– bugfix {include} with variable file name like {include file="foo_`$bar`.tpl"} did fail in 3.1.28-dev

01.11.2015
– update config file processing

31.10.2015
– bugfix add missing $trusted_dir property to SmartyBC class (forum topic 25751)

29.10.2015
– improve template scope handling

24.10.2015
– more optimizations of template processing
– bugfix Error when using {include} within {capture}

21.10.2015
– move some code into runtime extensions

18.10.2015
– optimize filepath normalization
– rework of template inheritance
– speed and size optimizations
– bugfix under HHVM temporary cache file must only be created when caches template was updated
– fix compiled code for new {block} assign attribute
– update code generated by template function call handler

18.09.2015
– bugfix {if $foo instanceof $bar} failed to compile if 2nd value is a variable php/smarty/issues/92

17.09.2015
– bugfix {foreach} first attribute was not correctly reset since commit 05a8fa2 of 02.08.2015 php/smarty/issues/90

16.09.2015
– update compiler by moving no longer needed properties, code optimizations and other

14.09.2015
– optimize autoloader
– optimize subtemplate handling
– update template inheritance processing
– move code of {call} processing back into Smarty_Internal_Template class
– improvement invalidate OPCACHE for cleared compiled and cached template files (forum topic 25557)
– bugfix unintended multiple debug windows (forum topic 25699)

30.08.2015
– size optimization move some runtime functions into extension
– optimize inline template processing
– optimization merge inheritance child and parent templates into one compiled template file

29.08.2015
– improvement convert template inheritance into runtime processing
– bugfix {$smarty.block.parent} did always reference the root parent block

23.08.2015
– introduce Smarty::$resource_cache_mode and cache template object of {include} inside loop
– load seldom used Smarty API methods dynamically to reduce memory footprint
– cache template object of {include} if same template is included several times
– convert debug console processing to object
– use output buffers for better performance and less memory usage
– optimize nocache hash processing
– remove not really needed properties
– optimize rendering
– move caching to Smarty::_cache
– remove properties with redundant content
– optimize Smarty::templateExists()
– optimize use_include_path processing
– relocate properties for size optimization
– remove redundant code
– bugfix compiling super globals like {$} did fail in the master branch

06.08.2015
– avoid possible circular object references caused by parser/lexer objects
– rewrite compileAll… utility methods
– commit several internal improvements
– bugfix Smarty failed when compile_id did contain "|"

03.08.2015
– rework clear cache methods
– bugfix compileAllConfig() was broken since 3.1.22 because of the changes in config file processing
– improve getIncludePath() to return directory if no file was given

02.08.2015
– optimization and code cleanup of {foreach} and {section} compiler
– rework {capture} compiler

01.08.2015
– update DateTime object can be instance of DateTimeImmutable since PHP5.5
– improvement show resource type and start of template source instead of uid on eval: and string: resource (forum topic 25630)

31.07.2015
– optimize {foreach} and {section} compiler

29.07.2015
– optimize {section} compiler for speed and size of compiled code

28.07.2015
– update for PHP 7 compatibility

26.07.2015
– improvement implement workaround for HHVM PHP incompatibility

25.07.2015
– bugfix parser did hang on text starting <?something
20.07.2015
– bugfix config files got recompiled on each request
– improvement invalidate PHP 5.5 opcache for recompiled and cached templates

12.07.2015
– optimize {extends} compilation

10.07.2015
– bugfix force file: resource in demo resource.extendsall.php

08.07.2015
– bugfix convert each word of class names to ucfirst in compiler. (forum topic 25588)

07.07.2015
– improvement allow fetch() or display() called on a template object to get output from other template like $template->fetch('foo.tpl')
– improvement Added $limit parameter to regex_replace modifier #71
– new feature multiple indices on file: resource

06.07.2015
– optimize {block} compilation
– optimization get rid of __get and __set in source object

01.07.2015
– optimize compile check handling
– update {foreach} compiler
– bugfix debugging console did not display string values containing \n, \r or \t correctly
– optimize source resources

28.06.2015
– move $smarty->enableSecurity() into Smarty_Security class
– optimize security isTrustedResourceDir()
– move auto load filter methods into extension
– move $smarty->getTemplateVars() into extension
– move getStreamVariable() into extension
– move $smarty->append() and $smarty->appendByRef() into extension
– optimize autoloader
– optimize file path normalization
– bugfix PATH_SEPARATOR was replaced by mistake in autoloader
– remove redundant code

27.06.2015
– bugfix resolve naming conflict between custom Smarty delimiter '<%' and PHP ASP tags
– update $smarty->_realpath for relative path not starting with './'
– update Smarty security with new realpath handling
– update {include_php} with new realpath handling
– move $smarty->loadPlugin() into extension
– minor compiler optimizations
– bugfix allow function plugins with name ending with 'close' php/smarty/issues/52
– rework of $smarty->clearCompiledTemplate() and move it to its own extension

19.06.2015
– improvement allow closures as callback at $smarty->registerFilter()

===== 3.1.27 ===== (18.06.2015)

18.06.2015
– bugfix another update on file path normalization failed on path containing something like "/.foo/"

===== 3.1.26 ===== (18.06.2015)
18.06.2015
– bugfix file path normalization failed on path containing something like "/.foo/"

17.06.2015
– bugfix calling a plugin with nocache option but no other attributes like {foo nocache} caused call to undefined function

===== 3.1.25 ===== (15.06.2015)

15.06.2015
– optimization of smarty_cachereource_keyvaluestore.php code

14.06.2015
– bugfix a relative sub template path could fail if template_dir path did contain /../
– optimization rework of path normalization
– bugfix an output tag with variable, modifier followed by an operator like {$foo|modifier+1} did fail

13.06.2015
– bugfix a custom cache resource using smarty_cachereource_keyvaluestore.php did fail if php.ini mbstring.func_overload = 2 (forum topic 25568)

11.06.2015
– bugfix the lexer could hang on very large quoted strings (forum topic 25570)

08.06.2015
– bugfix using {$foo} as array index like $bar.{$foo} or in double quoted string like "some {$foo} thing" failed

04.06.2015
– bugfix possible error message on unset() while compiling {block} tags

01.06.2015
– bugfix <?xml … ?> including template variables broken since 3.1.22

27.05.2015
– bugfix {include} with variable file name must not create by default individual cache file (since 3.1.22)

24.05.2015
– bugfix if condition string 'neq' broken due to a typo

===== 3.1.24 ===== (23.05.2015)
23.05.2015
– improvement on php_handling to allow very large PHP sections, better error handling
– improvement allow extreme large comment sections (forum 25538)

21.05.2015
– bugfix broken PHP 5.2 compatibility when compiling <?php tags
– bugfix named {foreach} comparison like $smarty.foreach.foobar.index > 1 did compile into wrong code

19.05.2015
– bugfix compiler did overwrite existing variable value when setting the nocache attribute
– bugfix output filter trimwhitespace could run into the pcre.backtrack_limit on large output (issue 220)
– bugfix compiler could run into the pcre.backtrack_limit on larger comment or {php} tag sections (forum 25538)

18.05.2015
– improvement introduce shortcuts in lexer/parser rules for most frequent terms for higher compilation speed

16.05.2015
– bugfix {php}{/php} did work just for single lines php/smarty/issues/33
– improvement remove not needed ?><?php transitions from compiled code
– improvement reduce number of lexer tokens on operators and if conditions
– improvement higher compilation speed by modified lexer/parser generator at "smarty/smarty-lexer"

13.05.2015
– improvement remove not needed ?><?php transitions from compiled code
– improvement of debugging:
    – use fresh Smarty object to display the debug console because of possible problems when the Smarty was extended or Smarty properties had been modified in the class source
    – display Smarty version number
    – Truncate length of Origin display and extend string value display to 80 character
– bugfix in Smarty_Security 'nl2br' should be a trusted modifier, not PHP function (issue 223)

12.05.2015
– bugfix {$smarty.constant.TEST} did fail on undefined constant
– bugfix access to undefined config variable like {#undef#} did fail php/smarty/issues/29
– bugfix in nested {foreach} saved item attributes got overwritten

===== 3.1.23 ===== (12.05.2015)

12.05.2015
– bugfix of smaller performance issue introduce in 3.1.22 when caching is enabled
– bugfix missing entry for smarty-template-config in autoloader

===== 3.1.22 ===== tag was deleted because 3.1.22 did fail caused by the missing entry for smarty-template-config in autoloader
10.05.2015 – bugfix custom cache resource did not observe compile_id and
cache_id when $cache_locking == true – bugfix cache lock was not handled
correctly after timeout when $cache_locking == true – improvement added
constants for $debugging 07.05.2015 – improvement of the debugging console.
Read NEW_FEATURES.txt – optimization of resource class loading 06.05.2015
– bugfix in 3.1.22-dev cache resource must not be loaded for subtemplates –
bugfix/improvement in 3.1.22-dev cache locking did not work as expected
05.05.2015 – optimization on cache update when main template is modified –
optimization move <?php ?> handling from parser to new compiler module
05.05.2015 – bugfix code could be messed up when {tags} are used in multiple
attributes 04.05.2015 –
bugfix Smarty_Resource::parseResourceName incompatible with Google AppEngine
– improvement use is_file()
checks to avoid errors suppressed by @ which could still cause problems
28.04.2015 – bugfix
plugins of merged subtemplates not loaded in 3.1.22-dev (forum topic 25508) 2nd
fix 28.04.2015 – bugfix plugins of merged subtemplates not loaded in
3.1.22-dev (forum topic 25508) 23.04.2015 – bugfix a nocache template
variable used as parameter at {insert} was by mistake cached 20.04.2015 –
bugfix at a template function containing nocache code a parameter could overwrite
a template variable of same name 27.03.2015 – bugfix
Smarty_Security->allow_constants=false; did also disable true, false and null
(change of 16.03.2015) – improvement added a whitelist for trusted constants
to security Smarty_Security::$trusted_constants (forum topic 25471) 20.03.2015
– bugfix make sure that function properties get saved only in compiled files
containing the function definition {forum topic 25452} – bugfix correct update
of global variable values on exit of template functions. (reported under Smarty
Developers) 16.03.2015 – bugfix problems with {function}{/function} and
{call} tags in different subtemplate cache files {forum topic 25452} – bugfix
Smarty_Security->allow_constants=false; did not disallow direct usage of defined
constants like {SMARTY_DIR} {forum topic 25457} – bugfix {block}{/block} tags
did not work inside double quoted strings
php/smarty/issues/18 15.03.2015 – bugfix $smarty->compile_check must be
restored before rendering of a just updated cache file {forum 25452}
14.03.2015 – bugfix {nocache} {/nocache} tags corrupted code when used
within a nocache section caused by a nocache template variable. – bugfix
template functions defined with {function} in an included subtemplate could not
be called in nocache mode with {call… nocache} if the subtemplate
had its own cache file {forum 25452} 10.03.2015 – bugfix {include …
nocache} with variable file or compile_id attribute was not executed in nocache
mode. 12.02.2015 – bugfix multiple Smarty::fetch() of same template when
$smarty->merge_compiled_includes = true; could cause function already defined
error 11.02.2015 – bugfix recursive {includes} did create E_NOTICE message
when $smarty->merge_compiled_includes = true; (github issue #16) 22.01.2015
– new feature security can now control access to static methods and properties
see also NEW_FEATURES.txt 21.01.2015 – bugfix clearCompiledTemplates(),
clearAll() and clear() could try to delete whole drive at wrong path permissions
because realpath() fail (forum 25397) – bugfix ‘self::’ and ‘parent::’ was
interpreted in template syntax as static class 04.01.2015 – push last weeks
changes to github – different optimizations – improvement automatically create
different versions of compiled templates and config files depending on
property settings. – optimization restructure template processing by moving
code into classes it better belongs to – optimization restructure config file
processing 31.12.2014 – bugfix use function_exists(‘mb_get_info’) for setting
Smarty::$_MBSTRING. Function mb_split could be overloaded depending on
php.ini mbstring.func_overload 29.12.2014 – new feature security can now
limit the template nesting level by property $max_template_nesting
see also NEW_FEATURES.txt (forum 25370) 29.12.2014 – new feature security
can now disable special $smarty variables listed in property
$disabled_special_smarty_vars see also NEW_FEATURES.txt (forum
25370) 27.12.2014 – bugfix clear internal _is_file_cache when plugins_dir
was modified 13.12.2014 – improvement optimization of lexer and parser
resulting in an up to 30% higher compiling speed 11.12.2014 – bugfix resolve
parser ambiguity between constant print tag {CONST} and other smarty tags after
change of 09.12.2014 09.12.2014 – bugfix variables $null, $true and $false
did not work after the change of 12.11.2014 (forum 25342) – bugfix call of
template function by a variable name did not work after latest changes (forum
25342) 23.11.2014 – bugfix a plugin with attached modifier could fail if
the tag was immediately followed by another Smarty tag (since 3.1.21) (forum
25326) 13.11.2014 – improvement move autoload code into Autoloader.php. Use
Composer autoloader when possible 12.11.2014 – new feature added support of
namespaces to template code 08.11.2014 – 10.11.2014 – bugfix subtemplate
called in nocache mode could be called with wrong compile_id when it did change
on one of the calling templates – improvement add code of template functions
called in nocache mode dynamically to cache file (related to bugfix of
01.11.2014) – bugfix Debug Console did not include all data from merged
compiled subtemplates 04.11.2014 – new feature $smarty->debugging = true; =>
overwrite existing Debug Console window (old behaviour)
$smarty->debugging = 2; => individual Debug Console window by template name
03.11.2014 – bugfix Debug Console did not show included subtemplates since
3.1.17 (forum 25301) – bugfix Modifier debug_print_var did not limit recursion
or prevent recursive object display at Debug Console (ATTENTION: parameter
order has changed to be able to specify maximum recursion) – bugfix Debug
console did not include subtemplate information with
$smarty->merge_compiled_includes = true – improvement The template variables
are no longer displayed as objects on the Debug Console – improvement
$smarty->createData($parent = null, $name = null) new optional name parameter
for display at Debug Console – addition of some hooks for future extension of
Debug Console 01.11.2014 – bugfix and enhancement on subtemplate {include}
and template {function} tags. * Calling a template which has a nocache
section could fail if it was called from a cached and a not cached subtemplate.
* Calling the same subtemplate cached and not cached with the
$smarty->merge_compiled_includes enabled could cause problems * Many smaller
related changes 30.10.2014 – bugfix access to class constant by object like
{$object::CONST} or variable class name {$class::CONST} did not work (forum
25301) 26.10.2014 – bugfix E_NOTICE message was created during compilation
when ASP tags ‘<%’ or ‘%>’ are in template source text – bugfix
merge_compiled_includes option failed when caching is enabled and same subtemplate
was included cached and not cached

* Fri Feb 22 2019 Shawn Iwinski <> – 3.1.33-1
– Update to 3.1.33
– RHBZ #s: 1532492, 1532493, 1532494, 1628739, 1628740, 1628741, 1631095, 1631096, 1631098
– CVEs: CVE-2017-1000480, CVE-2018-13982, CVE-2018-16831
– License LGPLv2+ => LGPLv3
* Sat Feb 2 2019 Fedora Release Engineering <> – 3.1.21-9
– Rebuilt for

[ 1 ] Bug #1631098 – CVE-2018-13982 php-Smarty: Path traversal vulnerability in Smarty_Security::isTrustedResourceDir() [epel-all]
[ 2 ] Bug #1628740 – CVE-2018-16831 php-Smarty: trusted_dir protection mechanism bypass [epel-all]
[ 3 ] Bug #1532493 – CVE-2017-1000480 php-Smarty: Code injection when calling fetch() or display() on unsanitized template names [epel-all]
[ 4 ] Bug #1631096 – CVE-2018-13982 php-Smarty: Path traversal vulnerability in Smarty_Security::isTrustedResourceDir() [fedora-all]
[ 5 ] Bug #1628741 – CVE-2018-16831 php-Smarty: trusted_dir protection mechanism bypass [fedora-all]
[ 6 ] Bug #1532494 – CVE-2017-1000480 php-Smarty: Code injection when calling fetch() or display() on unsanitized template names [fedora-all]
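
Besides installing the update, an application can keep request data out of fetch()/display() and run templates under a restrictive Smarty_Security policy that uses the properties named in the changelog above. The code below is an added example, not part of the Fedora notice or of Smarty's own code; the class name StrictTemplatePolicy, the helper resolve_template(), the page map and the template directory are assumptions.

```php
<?php
// Added example: defence in depth on top of the 3.1.33 update.
require_once '/usr/share/php/Smarty/autoload.php'; // autoloader path given in the notice

// Hypothetical policy class; the property names are Smarty_Security's own.
class StrictTemplatePolicy extends Smarty_Security
{
    public $allow_constants = false;      // templates cannot read PHP constants
    public $allow_super_globals = false;  // no $smarty.get / $smarty.post / ... in templates
    public $static_classes = null;        // null disables all static class access
    public $trusted_dir = array();        // no directory is trusted for PHP script includes
    public $max_template_nesting = 10;    // bound the depth of nested/recursive {include}
    public $disabled_special_smarty_vars = array('template_object');
}

// Fixed map from request keys to template files (assumed names).
// User input only selects a key; it is never used as a template name or path.
function resolve_template($requested)
{
    static $pages = array(
        'home'  => 'home.tpl',
        'about' => 'about.tpl',
    );
    if (!is_string($requested) || !isset($pages[$requested])) {
        throw new InvalidArgumentException('Unknown page requested');
    }
    return $pages[$requested];
}

$smarty = new Smarty();
$smarty->setTemplateDir('/var/www/app/templates'); // assumed location
$smarty->enableSecurity('StrictTemplatePolicy');

try {
    $page = isset($_GET['page']) ? $_GET['page'] : 'home';
    $smarty->display(resolve_template($page));
} catch (InvalidArgumentException $e) {
    http_response_code(404); // unknown key: nothing reaches the template engine
}
```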

This update can be installed with the “dnf” update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-e595e8a7d7' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at

Author: Josip Papratovic
Cert ID: NCERT-REF-2019-03-0001-ADV