smarty: patch CVE-2018-25047

Details: https://nvd.nist.gov/vuln/detail/CVE-2018-25047 Pick the patch that resolved the issue referenced in the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2025-12-25 15:02:19 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-08 22:02:57 +0100
commit: a5ac9b82bd5c24b9f85e1ba819f3ad42b4719879 (patch)
tree: 57b9b007cab658d168f5ca474b0ea2a5f4448b5d
parent: f642e61588a4ec89d17ef24964538f2794deaeb5 (diff)
download: meta-openembedded-a5ac9b82bd5c24b9f85e1ba819f3ad42b4719879.tar.gz
2 files changed, 143 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch b/meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch
new file mode 100644
index 0000000000..caa48f8a4a
--- /dev/null
+++ b/meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch
@@ -0,0 +1,140 @@
+From 5f26e728152007aa57e415a5e3dd77542739aa13 Mon Sep 17 00:00:00 2001
+From: Simon Wisselink <s.wisselink@iwink.nl>
+Date: Wed, 14 Sep 2022 11:38:18 +0200
+Subject: [PATCH] Applied appropriate javascript and html escaping in mailto
+ plugin to counter injection attacks Fixes #454
+CVE: CVE-2018-25047
+Upstream-Status: Backport [https://github.com/smarty-php/smarty/commit/55ea25d1f50f0406fb1ccedd212c527977793fc9]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libs/plugins/function.mailto.php              | 28 ++++++++++++-------
+ .../PluginFunctionMailtoTest.php              | 21 ++++++++++++--
+ 2 files changed, 37 insertions(+), 12 deletions(-)
+diff --git a/libs/plugins/function.mailto.php b/libs/plugins/function.mailto.php
+index 834d0535..671ac069 100644
+--- a/libs/plugins/function.mailto.php
+++ b/libs/plugins/function.mailto.php
+@@ -48,8 +48,13 @@
+  */
+ function smarty_function_mailto($params)
+ {
+-    static $_allowed_encoding =
+-        array('javascript' => true, 'javascript_charcode' => true, 'hex' => true, 'none' => true);
+    static $_allowed_encoding = [
+        'javascript' => true,
+        'javascript_charcode' => true,
+        'hex' => true,
+        'none' => true
+    ];
+
+     $extra = '';
+     if (empty($params[ 'address' ])) {
+         trigger_error("mailto: missing 'address' parameter", E_USER_WARNING);
+@@ -57,19 +62,19 @@ function smarty_function_mailto($params)
+     } else {
+         $address = $params[ 'address' ];
+     }
+
+     $text = $address;
+
+     // netscape and mozilla do not decode %40 (@) in BCC field (bug?)
+     // so, don't encode it.
+-    $search = array('%40', '%2C');
+-    $replace = array('@', ',');
+-    $mail_parms = array();
+    $mail_parms = [];
+     foreach ($params as $var => $value) {
+         switch ($var) {
+             case 'cc':
+             case 'bcc':
+             case 'followupto':
+                 if (!empty($value)) {
+-                    $mail_parms[] = $var . '=' . str_replace($search, $replace, rawurlencode($value));
+                    $mail_parms[] = $var . '=' . str_replace(['%40', '%2C'], ['@', ','], rawurlencode($value));
+                 }
+                 break;
+             case 'subject':
+@@ -83,6 +88,7 @@ function smarty_function_mailto($params)
+             default:
+         }
+     }
+
+     if ($mail_parms) {
+         $address .= '?' . join('&', $mail_parms);
+     }
+@@ -94,19 +100,21 @@ function smarty_function_mailto($params)
+         );
+         return;
+     }
+
+    $string = '<a href="mailto:' . htmlspecialchars($address, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) .
+        '" ' . $extra . '>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) . '</a>';
+
+     if ($encode === 'javascript') {
+-           $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
+         $js_encode = '';
+         for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
+             $js_encode .= '%' . bin2hex($string[ $x ]);
+         }
+         return '<script type="text/javascript">document.write(unescape(\'' . $js_encode . '\'))</script>';
+     } elseif ($encode === 'javascript_charcode') {
+-        $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
+         for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
+             $ord[] = ord($string[ $x ]);
+         }
+-           return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
+        return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
+     } elseif ($encode === 'hex') {
+         preg_match('!^(.*)(\?.*)$!', $address, $match);
+         if (!empty($match[ 2 ])) {
+@@ -129,6 +137,6 @@ function smarty_function_mailto($params)
+         return '<a href="' . $mailto . $address_encode . '" ' . $extra . '>' . $text_encode . '</a>';
+     } else {
+         // no encoding
+-        return '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
+        return $string;
+     }
+ }
+diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
+index bc5152a2..52b18ecc 100644
+--- a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
+++ b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
+@@ -150,7 +150,7 @@ class PluginFunctionMailtoTest extends PHPUnit_Smarty
+ 
+     public function testUmlauts()
+     {
+-        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
+        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&amp;subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
+         $tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}');
+         $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
+     }
+@@ -158,9 +158,26 @@ class PluginFunctionMailtoTest extends PHPUnit_Smarty
+     public function testUmlautsWithoutMbstring()
+     {
+         Smarty::$_MBSTRING = false;
+-        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
+        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&amp;subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
+         $tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}');
+         $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
+         Smarty::$_MBSTRING = true;
+     }
+
+       public function testJavascriptChars()
+       {
+               $result = '<script type="text/javascript">document.write(unescape(\'%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%22%20%3e%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%3c%2f%61%3e\'))</script>';
+               $this->smarty->assign('address', 'me@example.com">me@example.com\'); alert("injection"); //');
+               $tpl = $this->smarty->createTemplate('eval:{mailto address=$address encode=javascript}');
+               $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
+       }
+
+       public function testHtmlChars()
+       {
+               $result = '<a href="mailto:me@example.com&quot;&gt;&lt;h1&gt;" class="email">me@example.com&quot;&gt;&lt;h1&gt;</a>';
+               $this->smarty->assign('address', 'me@example.com"><h1>');
+               $tpl = $this->smarty->createTemplate('eval:{mailto address=$address extra=\'class="email"\'}');
+               $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
+       }
+
+ }
diff --git a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb
index df441e8db2..382f0f415c 100644
--- a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb
+++ b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2c0f216b2120ffc367e20f2b56df51b3"
 DEPENDS += "php"
-SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master"
+SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master \
+           file://CVE-2018-25047.patch \
+           "
 SRCREV = "71036be8be02bf93735c47b0b745f722efbc729f"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2025-12-25 15:02:19 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-08 22:02:57 +0100
commit	a5ac9b82bd5c24b9f85e1ba819f3ad42b4719879 (patch)
tree	57b9b007cab658d168f5ca474b0ea2a5f4448b5d
parent	f642e61588a4ec89d17ef24964538f2794deaeb5 (diff)
download	meta-openembedded-a5ac9b82bd5c24b9f85e1ba819f3ad42b4719879.tar.gz

diff --git a/meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch b/meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch new file mode 100644 index 0000000000..caa48f8a4a --- /dev/null +++ b/meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch
@@ -0,0 +1,140 @@
		1	From 5f26e728152007aa57e415a5e3dd77542739aa13 Mon Sep 17 00:00:00 2001
		2	From: Simon Wisselink <s.wisselink@iwink.nl>
		3	Date: Wed, 14 Sep 2022 11:38:18 +0200
		4	Subject: [PATCH] Applied appropriate javascript and html escaping in mailto
		5	plugin to counter injection attacks Fixes #454
		6
		7	CVE: CVE-2018-25047
		8	Upstream-Status: Backport [https://github.com/smarty-php/smarty/commit/55ea25d1f50f0406fb1ccedd212c527977793fc9]
		9	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		10	---
		11	libs/plugins/function.mailto.php \| 28 ++++++++++++-------
		12	.../PluginFunctionMailtoTest.php \| 21 ++++++++++++--
		13	2 files changed, 37 insertions(+), 12 deletions(-)
		14
		15	diff --git a/libs/plugins/function.mailto.php b/libs/plugins/function.mailto.php
		16	index 834d0535..671ac069 100644
		17	--- a/libs/plugins/function.mailto.php
		18	+++ b/libs/plugins/function.mailto.php
		19	@@ -48,8 +48,13 @@
		20	*/
		21	function smarty_function_mailto($params)
		22	{
		23	- static $_allowed_encoding =
		24	- array('javascript' => true, 'javascript_charcode' => true, 'hex' => true, 'none' => true);
		25	+ static $_allowed_encoding = [
		26	+ 'javascript' => true,
		27	+ 'javascript_charcode' => true,
		28	+ 'hex' => true,
		29	+ 'none' => true
		30	+ ];
		31	+
		32	$extra = '';
		33	if (empty($params[ 'address' ])) {
		34	trigger_error("mailto: missing 'address' parameter", E_USER_WARNING);
		35	@@ -57,19 +62,19 @@ function smarty_function_mailto($params)
		36	} else {
		37	$address = $params[ 'address' ];
		38	}
		39	+
		40	$text = $address;
		41	+
		42	// netscape and mozilla do not decode %40 (@) in BCC field (bug?)
		43	// so, don't encode it.
		44	- $search = array('%40', '%2C');
		45	- $replace = array('@', ',');
		46	- $mail_parms = array();
		47	+ $mail_parms = [];
		48	foreach ($params as $var => $value) {
		49	switch ($var) {
		50	case 'cc':
		51	case 'bcc':
		52	case 'followupto':
		53	if (!empty($value)) {
		54	- $mail_parms[] = $var . '=' . str_replace($search, $replace, rawurlencode($value));
		55	+ $mail_parms[] = $var . '=' . str_replace(['%40', '%2C'], ['@', ','], rawurlencode($value));
		56	}
		57	break;
		58	case 'subject':
		59	@@ -83,6 +88,7 @@ function smarty_function_mailto($params)
		60	default:
		61	}
		62	}
		63	+
		64	if ($mail_parms) {
		65	$address .= '?' . join('&', $mail_parms);
		66	}
		67	@@ -94,19 +100,21 @@ function smarty_function_mailto($params)
		68	);
		69	return;
		70	}
		71	+
		72	+ $string = '<a href="mailto:' . htmlspecialchars($address, ENT_QUOTES \| ENT_SUBSTITUTE \| ENT_HTML401, Smarty::$_CHARSET) .
		73	+ '" ' . $extra . '>' . htmlspecialchars($text, ENT_QUOTES \| ENT_SUBSTITUTE \| ENT_HTML401, Smarty::$_CHARSET) . '</a>';
		74	+
		75	if ($encode === 'javascript') {
		76	- $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
		77	$js_encode = '';
		78	for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
		79	$js_encode .= '%' . bin2hex($string[ $x ]);
		80	}
		81	return '<script type="text/javascript">document.write(unescape(\'' . $js_encode . '\'))</script>';
		82	} elseif ($encode === 'javascript_charcode') {
		83	- $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
		84	for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
		85	$ord[] = ord($string[ $x ]);
		86	}
		87	- return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
		88	+ return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
		89	} elseif ($encode === 'hex') {
		90	preg_match('!^(.)(\?.)$!', $address, $match);
		91	if (!empty($match[ 2 ])) {
		92	@@ -129,6 +137,6 @@ function smarty_function_mailto($params)
		93	return '<a href="' . $mailto . $address_encode . '" ' . $extra . '>' . $text_encode . '</a>';
		94	} else {
		95	// no encoding
		96	- return '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
		97	+ return $string;
		98	}
		99	}
		100	diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
		101	index bc5152a2..52b18ecc 100644
		102	--- a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
		103	+++ b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
		104	@@ -150,7 +150,7 @@ class PluginFunctionMailtoTest extends PHPUnit_Smarty
		105
		106	public function testUmlauts()
		107	{
		108	- $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
		109	+ $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
		110	$tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}');
		111	$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
		112	}
		113	@@ -158,9 +158,26 @@ class PluginFunctionMailtoTest extends PHPUnit_Smarty
		114	public function testUmlautsWithoutMbstring()
		115	{
		116	Smarty::$_MBSTRING = false;
		117	- $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
		118	+ $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
		119	$tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}');
		120	$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
		121	Smarty::$_MBSTRING = true;
		122	}
		123	+
		124	+ public function testJavascriptChars()
		125	+ {
		126	+ $result = '<script type="text/javascript">document.write(unescape(\'%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%22%20%3e%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%3c%2f%61%3e\'))</script>';
		127	+ $this->smarty->assign('address', 'me@example.com">me@example.com\'); alert("injection"); //');
		128	+ $tpl = $this->smarty->createTemplate('eval:{mailto address=$address encode=javascript}');
		129	+ $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
		130	+ }
		131	+
		132	+ public function testHtmlChars()
		133	+ {
		134	+ $result = '<a href="mailto:me@example.com"><h1>" class="email">me@example.com"><h1></a>';
		135	+ $this->smarty->assign('address', 'me@example.com"><h1>');
		136	+ $tpl = $this->smarty->createTemplate('eval:{mailto address=$address extra=\'class="email"\'}');
		137	+ $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
		138	+ }
		139	+
		140	}


diff --git a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb index df441e8db2..382f0f415c 100644 --- a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb +++ b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2c0f216b2120ffc367e20f2b56df51b3"
7		7
8	DEPENDS += "php"	8	DEPENDS += "php"
9		9
10	SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master"	10	SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master \
		11	file://CVE-2018-25047.patch \
		12	"
11		13
12	SRCREV = "71036be8be02bf93735c47b0b745f722efbc729f"	14	SRCREV = "71036be8be02bf93735c47b0b745f722efbc729f"
13		15