smarty: patch CVE-2023-28447

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28447

Pick the patch that is referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

2 files changed, 75 insertions, 0 deletions

diff --git a/meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch b/meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch
new file mode 100644
index 0000000000..837019d88a
--- /dev/null
+++ b/meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch
@@ -0,0 +1,74 @@
+From 456aad251e7dd399fef136f652a1684c05fefa5a Mon Sep 17 00:00:00 2001
+From: Simon Wisselink <s.wisselink@iwink.nl>
+Date: Fri, 24 Mar 2023 12:19:34 +0100
+Subject: [PATCH] Implement fix and tests
+
+CVE: CVE-2023-28447
+Upstream-Status: Backport [https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libs/plugins/modifier.escape.php              |  4 +++-
+ libs/plugins/modifiercompiler.escape.php      |  4 +++-
+ .../PluginModifierEscapeTest.php              | 21 +++++++++++++++++++
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/libs/plugins/modifier.escape.php b/libs/plugins/modifier.escape.php
+index 3ce48382..70d2db92 100644
+--- a/libs/plugins/modifier.escape.php
++++ b/libs/plugins/modifier.escape.php
+@@ -188,7 +188,9 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
+                     // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+                     '<!--' => '<\!--',
+                     '<s'   => '<\s',
+-                    '<S'   => '<\S'
++                    '<S'   => '<\S',
++                       "`" => "\\\\`",
++                       "\${" => "\\\\\\$\\{"
+                 )
+             );
+         case 'mail':
+diff --git a/libs/plugins/modifiercompiler.escape.php b/libs/plugins/modifiercompiler.escape.php
+index 1fc5e781..0e13c829 100644
+--- a/libs/plugins/modifiercompiler.escape.php
++++ b/libs/plugins/modifiercompiler.escape.php
+@@ -89,7 +89,9 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
+                 // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+                 return 'strtr((string)' .
+                        $params[ 0 ] .
+-                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
++                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", 
++                       "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S",
++                       "`" => "\\\\`", "\${" => "\\\\\\$\\{"))';
+         }
+     } catch (SmartyException $e) {
+         // pass through to regular plugin fallback
+diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+index 46a8297f..752e1bfe 100644
+--- a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
++++ b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+@@ -207,4 +207,25 @@ class PluginModifierEscapeTest extends PHPUnit_Smarty
+         $this->assertEquals("sma'rty@&#187;example&#171;.com", $this->smarty->fetch($tpl));
+         Smarty::$_MBSTRING = true;
+     }
++
++       public function testTemplateLiteralBackticks()
++       {
++               $tpl = $this->smarty->createTemplate('string:{"`Hello, World!`"|escape:"javascript"}');
++               $this->assertEquals("\\`Hello, World!\\`", $this->smarty->fetch($tpl));
++       }
++
++       public function testTemplateLiteralInterpolation()
++       {
++               $tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
++               $this->smarty->assign('vector', "`Hello, \${name}!`");
++               $this->assertEquals("\\`Hello, \\\$\\{name}!\\`", $this->smarty->fetch($tpl));
++       }
++
++       public function testTemplateLiteralBackticksAndInterpolation()
++       {
++               $this->smarty->assign('vector', '`${alert(`Hello, ${name}!`)}${`\n`}`');
++               $tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
++               $this->assertEquals("\\`\\\$\\{alert(\\`Hello, \\\$\\{name}!\\`)}\\\$\\{\\`\\\\n\\`}\\`", $this->smarty->fetch($tpl));
++       }
++
+ }
diff --git a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb
index 1d044e18ce..014a449b30 100644
--- a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb
+++ b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb
@@ -9,6 +9,7 @@ DEPENDS += "php"
 
 SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master \
            file://CVE-2018-25047.patch \
+           file://CVE-2023-28447.patch \
            "
 
 SRCREV = "71036be8be02bf93735c47b0b745f722efbc729f"