
Fedora 28: 2019-d248c5aa39 Critical: php-Smarty Path Traversal

March 6, 2019
Fedora issued a security alert for php-Smarty that addresses a severe path traversal flaw along with essential bug fixes.

Summary

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. This implies that PHP code is application logic, and is separated from the presentation.

Autoloader: /usr/share/php/Smarty/autoload.php

===== 3.1.33 release ===== 12.09.2018
===== 3.1.33-dev-12 =====
03.09.2018
- bugfix {foreach} using new style property access like {$item@property} on Smarty 2 style named foreach loop could produce errors https://github.com/smarty-php/smarty/issues/484

31.08.2018
- bugfix some custom left and right delimiters like '{^' '^}' did not work https://github.com/smarty-php/smarty/issues/450 https://github.com/smarty-php/smarty/pull/482
- reformatting for PSR-2 coding standards https://github.com/smarty-php/smarty/pull/483
- bugfix on Windows absolute filepaths did fail if the drive letter was followed by a linux DIRECTORY_SEPARATOR like C:/ at Smarty > 3.1.33-dev-5 https://github.com/smarty-php/smarty/issues/451
- PSR-2 code style fixes for config and template file Lexer/Parser generated with the Smarty Lexer/Parser generator from https://github.com/smarty-php/smarty-lexer https://github.com/smarty-php/smarty/pull/483

26.08.2018
- bugfix/enhancement {capture} allow variable as capture block name in Smarty special variable like $smarty.capture.$foo https://github.com/smarty-php/smarty/issues/478 https://github.com/smarty-php/smarty/pull/481

===== 3.1.33-dev-6 =====
19.08.2018
- fix PSR-2 coding standards and PHPDoc blocks https://github.com/smarty-php/smarty/pull/452 https://github.com/smarty-php/smarty/pull/475 https://github.com/smarty-php/smarty/pull/473
- bugfix PHP5.2 compatibility https://github.com/smarty-php/smarty/pull/472

===== 3.1.33-dev-4 =====
17.05.2018
- bugfix strip-block produces different output in Smarty v3.1.32 https://github.com/smarty-php/smarty/issues/436
- bugfix Smarty::compileAllTemplates ignores `$extension` parameter https://github.com/smarty-php/smarty/issues/437 https://github.com/smarty-php/smarty/pull/438
- improvement do not compute total property in {foreach} if not needed https://github.com/smarty-php/smarty/issues/443
- bugfix plugins may not be loaded when setMergeCompiledIncludes is true https://github.com/smarty-php/smarty/issues/435

26.04.2018
- bugfix regarding Security Vulnerability did not solve the problem under Linux. Security issue CVE-2018-16831

===== 3.1.32 ===== (24.04.2018)
24.04.2018
- bugfix possible Security Vulnerability in Smarty_Security class.

26.03.2018
- bugfix plugins may not be loaded if {function} or {block} tags are executed in nocache mode https://github.com/smarty-php/smarty/issues/371

26.03.2018
- new feature {parent} = {$smarty.block.parent} {child} = {$smarty.block.child}

23.03.2018
- bugfix preg_replace could fail on large content resulting in a blank page https://github.com/smarty-php/smarty/issues/417

21.03.2018
- bugfix {$smarty.section...} used outside {section}{/section} showed incorrect values if {section}{/section} was called inside another loop https://github.com/smarty-php/smarty/issues/422
- bugfix short form of {section} attributes did not work https://github.com/smarty-php/smarty/issues/428

17.03.2018
- improvement Smarty::compileAllTemplates() exit with a non-zero status code if max errors is reached https://github.com/smarty-php/smarty/pull/402

16.03.2018
- bugfix extends resource did not work with user defined left/right delimiter https://github.com/smarty-php/smarty/issues/419

22.11.2017
- bugfix {break} and {continue} could fail if {foreach}{/foreach} did contain other looping tags like {for}, {section} and {while} https://github.com/smarty-php/smarty/issues/323

20.11.2017
- bugfix rework of newline spacing between tag code and template text. now again identical with Smarty2 (forum topic 26878)
- replacement of " by '

05.11.2017
- lexer/parser optimization
- code cleanup and optimizations
- bugfix {$smarty.section.name.loop} used together with {$smarty.section.name.total} could produce wrong results (forum topic 27041)

26.10.2017
- bugfix Smarty version was not filled in header comment of compiled and cached files
- optimization replace internal Smarty::$ds property by DIRECTORY_SEPARATOR
- deprecate functions Smarty::muteExpectedErrors() and Smarty::unmuteExpectedErrors() as Smarty does no longer use error suppression like @filemtime(). for backward compatibility code is moved from Smarty class to an external class and still can be called.
- correction of PHPDoc blocks
- minor code cleanup

21.10.2017
- bugfix custom delimiters could fail since modification of version 3.1.32-dev-23 https://github.com/smarty-php/smarty/issues/394

18.10.2017
- bugfix fix implementation of unclosed block tag in double quoted string of 12.10.2017 https://github.com/smarty-php/smarty/issues/396 https://github.com/smarty-php/smarty/issues/397 https://github.com/smarty-php/smarty/issues/391 https://github.com/smarty-php/smarty/issues/392

12.10.2017
- bugfix $smarty.block.child and $smarty.block.parent could not be used like any $smarty special variable https://github.com/smarty-php/smarty/issues/393
- unclosed block tag in double quoted string must throw compiler exception. https://github.com/smarty-php/smarty/issues/391 https://github.com/smarty-php/smarty/issues/392

07.10.2017
- bugfix modification of 9.8.2017 did fail on some recursive tag nesting. https://github.com/smarty-php/smarty/issues/389

26.8.2017
- bugfix chained modifier failed when last modifier parameter is a signed value https://github.com/smarty-php/smarty/issues/327
- bugfix templates filepath with multibyte characters did not work https://github.com/smarty-php/smarty/issues/385
- bugfix {make_nocache} did display code if the template did not contain other nocache code https://github.com/smarty-php/smarty/issues/369

09.8.2017
- improvement repeated delimiter like {{ and }} will be treated as literal https://groups.google.com/forum/#!topic/smarty-developers/h9r82Bx4KZw

05.8.2017
- bugfix wordwrap modifier could fail if used in nocache code. converted plugin file shared.mb_wordwrap.php into modifier.mb_wordwrap.php
- cleanup of _getSmartyObj()

31.7.2017
- Call clearstatcache() after mkdir() failure https://github.com/smarty-php/smarty/pull/379

30.7.2017
- rewrite mkdir() bugfix to retry automatically see https://github.com/smarty-php/smarty/pull/377 https://github.com/smarty-php/smarty/pull/379

21.7.2017
- security possible PHP code injection on custom resources at display() or fetch() calls if the resource does not sanitize the template name
- bugfix fix 'mkdir(): File exists' error on create directory from parallel processes https://github.com/smarty-php/smarty/pull/377
- bugfix solve preg_match() hhvm parameter problem https://github.com/smarty-php/smarty/pull/372

27.5.2017
- bugfix change compiled code for registered function and modifiers to called as callable to allow closures https://github.com/smarty-php/smarty/issues/273
- bugfix https://github.com/smarty-php/smarty/pull/368 did break the default plugin handler
- improvement replace phpversion() by PHP_VERSION constant. https://github.com/smarty-php/smarty/pull/363

21.5.2017
- performance store flag for already required shared plugin functions in static variable or Smarty's $_cache to improve performance when plugins are often called https://github.com/smarty-php/smarty/commit/51e0d5cd405d764a4ea257d1bac1fb1205f74528#commitcomment-22280086
- bugfix remove special treatment of classes implementing ArrayAccess in {foreach} https://github.com/smarty-php/smarty/issues/332
- bugfix remove deleted files by clear_cache() and clear_compiled_template() from ACP cache if present, add some is_file() checks to avoid possible warnings on filemtime() caused by above functions. https://github.com/smarty-php/smarty/issues/341
- bugfix version 3.1.31 did fail under PHP 5.2 https://github.com/smarty-php/smarty/issues/365

19.5.2017
- change properties $accessMap and $obsoleteProperties from private to protected https://github.com/smarty-php/smarty/issues/351
- new feature The named capture buffers can now be accessed also as array See NEWS_FEATURES.txt https://github.com/smarty-php/smarty/issues/366
- improvement check if ini_get() and ini_set() not disabled https://github.com/smarty-php/smarty/pull/362

24.4.2017
- fix spelling https://github.com/smarty-php/smarty/commit/e3eda8a5f5653d8abb960eb1bc47e3eca679b1b4#commitcomment-21803095

17.4.2017
- correct generated code on empty() and isset() call, observe change PHP behaviour since PHP 5.5 https://github.com/smarty-php/smarty/issues/347

14.4.2017
- merge pull requests https://github.com/smarty-php/smarty/pull/322 and https://github.com/smarty-php/smarty/pull/337 to fix spelling and annotation

13.4.2017
- bugfix array_merge() parameter should be checked https://github.com/smarty-php/smarty/issues/350

===== 3.1.31 ===== (14.12.2016)
23.11.2016
- move template object cache into static variables

19.11.2016
- bugfix inheritance root child templates containing nested {block}{/block} could call sub-block content from parent template https://github.com/smarty-php/smarty/issues/317
- change version checking

11.11.2016
- bugfix when Smarty is using a cached template object on Smarty::fetch() or Smarty::isCached() the inheritance data must be removed https://github.com/smarty-php/smarty/issues/312
- smaller speed optimization

08.11.2016
- add bootstrap file to load and register Smarty_Autoloader. Change composer.json to make it known to composer

07.11.2016
- optimization of lexer speed https://github.com/smarty-php/smarty/issues/311

27.10.2016
- bugfix template function definitions array has not been cached between Smarty::fetch() and Smarty::display() calls https://github.com/smarty-php/smarty/issues/301

23.10.2016
- improvement/bugfix when Smarty::fetch() is called on a template object the inheritance and tplFunctions property should be copied to the called template object

21.10.2016
- bugfix for compile locking touched timestamp of old compiled file was not restored on compilation error https://github.com/smarty-php/smarty/issues/308

20.10.2016
- bugfix nocache code was not removed in cache file when subtemplate did contain PHP short tags in text but no other nocache code https://github.com/smarty-php/smarty/issues/300

19.10.2016
- bugfix {make_nocache $var} did fail when variable value did contain '\' https://github.com/smarty-php/smarty/issues/305
- bugfix {make_nocache $var} remove spaces from variable value https://github.com/smarty-php/smarty/issues/304

12.10.2016
- bugfix {include} with template names including variable or constants could fail after bugfix from 28.09.2016 https://github.com/smarty-php/smarty/issues/302

08.10.2016
- optimization move runtime extension for template functions into Smarty objects

29.09.2016
- improvement new Smarty::$extends_recursion property to disable execution of {extends} in templates called by extends resource https://github.com/smarty-php/smarty/issues/296

28.09.2016
- bugfix the generated code for calling a subtemplate must pass the template resource name in single quotes https://github.com/smarty-php/smarty/issues/299
- bugfix nocache hash was not removed for tags in subtemplates https://github.com/smarty-php/smarty/issues/300

27.09.2016
- bugfix when Smarty does use an internally cached template object on Smarty::fetch() calls the template and config variables must be cleared https://github.com/smarty-php/smarty/issues/297

20.09.2016
- bugfix some $smarty special template variables are no longer accessed as real variable. using them on calls like {if isset($smarty.foo)} or {if empty($smarty.foo)} will fail https://www.smarty.net/search?q=forums
- temporary fix for https://github.com/smarty-php/smarty/issues/293 main reason still under investigation
- improvement new tags {block_parent} {block_child} in template inheritance

19.09.2016
- optimization clear compiled and cached folder completely on detected version change
- cleanup convert cache resource file method clear into runtime extension

15.09.2016
- bugfix assigning a variable in if condition by function like {if $value = array_shift($array)} the function got called twice https://github.com/smarty-php/smarty/issues/291
- bugfix function plugins called with assign attribute like {foo assign='bar'} did not output returned content because assumption was made that it was assigned to a variable https://github.com/smarty-php/smarty/issues/292
- bugfix calling $smarty->isCached() on a not existing cache file with $smarty->cache_locking = true; could cause a 10 second delay https://www.smarty.net/search?q=forums
- improvement make Smarty::clearCompiledTemplate() on custom resource independent from changes of templateId computation

11.09.2016
- improvement {math} misleading E_USER_WARNING messages when parameter value = null https://github.com/smarty-php/smarty/issues/288
- improvement move often used code snippets into methods
- performance Smarty::configLoad() did load unneeded template source object

09.09.2016
- bugfix/optimization {foreach} did not execute the {foreachelse} when iterating empty objects https://github.com/smarty-php/smarty/pull/287
- bugfix {foreach} must keep the @properties when restoring a saved $item variable as the properties might be used outside {foreach} https://github.com/smarty-php/smarty/issues/267
- improvement {foreach} observe {break n} and {continue n} nesting levels when restoring saved $item and $key variables

08.09.2016
- bugfix implement wrapper for removed method getConfigVariable() https://github.com/smarty-php/smarty/issues/286

07.09.2016
- bugfix using nocache like attribute with value true like {plugin nocache=true} did not work https://github.com/smarty-php/smarty/issues/285
- bugfix uppercase TRUE, FALSE and NULL did not work when security was enabled https://github.com/smarty-php/smarty/issues/282
- bugfix when {foreach} was looping over an object the total property like {$item@total} did always return 1 https://github.com/smarty-php/smarty/issues/281
- bugfix {capture}{/capture} did add in 3.1.30 unintended additional blank lines https://github.com/smarty-php/smarty/issues/268

01.09.2016
- performance require_once should be called only once for shared plugins https://github.com/smarty-php/smarty/issues/280

26.08.2016
- bugfix change of 23.08.2016 failed on linux when use_include_path = true

23.08.2016
- bugfix remove constant DS as shortcut for DIRECTORY_SEPARATOR as the user may have defined it to something else https://github.com/smarty-php/smarty/issues/277

20.08-2016
- bugfix {config_load ... scope="global"} shall not throw an error but fallback to scope="smarty" https://github.com/smarty-php/smarty/issues/274
- bugfix {make_nocache} failed when using composer autoloader https://github.com/smarty-php/smarty/issues/275

14.08.2016
- bugfix $smarty->debugging = true; did E_NOTICE messages when {eval} tag was used https://github.com/smarty-php/smarty/issues/266
- bugfix Class 'Smarty_Internal_Runtime_ValidateCompiled' not found when upgrading from some older Smarty versions with existing compiled or cached template files https://github.com/smarty-php/smarty/issues/269
- optimization remove unneeded call to update scopes when {assign} scope and template scope was local (default)

===== 3.1.30 ===== (07.08.2016)
07.08.2016
- bugfix update of 04.08.2016 was incomplete

05.08.2016
- bugfix compiling of templates failed when the Smarty delimiter did contain '/' https://github.com/smarty-php/smarty/issues/264
- updated error checking at template and config default handler

04.08.2016
- improvement move template function source parameter into extension

26.07.2016
- optimization unneeded loading of compiled resource

24.07.2016
- regression this->addPluginsDir('/abs/path/to/dir') adding absolute path without trailing '/' did fail https://github.com/smarty-php/smarty/issues/260

23.07.2016
- bugfix setTemplateDir('/') and setTemplateDir(') did create wrong absolute filepath https://github.com/smarty-php/smarty/issues/245
- optimization of filepath normalization
- improvement remove double function declaration in plugin shared.escape_special_cars.php https://github.com/smarty-php/smarty/issues/229

19.07.2016
- bugfix multiple {include} with relative filepath within {block}{/block} could fail https://github.com/smarty-php/smarty/issues/246
- bugfix {math} shell injection vulnerability patch provided by Tim Weber

18.07.2016
- bugfix {foreach} if key variable and item@key attribute have been used both the key variable was not updated https://github.com/smarty-php/smarty/issues/254
- bugfix modifier on plugins like {plugin|modifier ... } did fail when the plugin does return an array https://github.com/smarty-php/smarty/issues/228
- bugfix avoid opcache_invalidate to result in ErrorException when opcache.restrict_api is not empty https://github.com/smarty-php/smarty/pull/244
- bugfix multiple {include} with relative filepath within {block}{/block} could fail https://github.com/smarty-php/smarty/issues/246

14.07.2016
- bugfix wrong parameter on compileAllTemplates() and compileAllConfig() https://github.com/smarty-php/smarty/issues/231

13.07.2016
- bugfix PHP 7 compatibility on registered compiler plugins https://github.com/smarty-php/smarty/issues/241
- update testInstall()
- bugfix enable debugging could fail when template objects did already exists https://github.com/smarty-php/smarty/issues/237
- bugfix template function data should be merged when loading subtemplate https://github.com/smarty-php/smarty/issues/240
- bugfix wrong parameter on compileAllTemplates() https://github.com/smarty-php/smarty/issues/231

12.07.2016
- bugfix {foreach} item variable must be created also on empty from array https://github.com/smarty-php/smarty/issues/238 and https://github.com/smarty-php/smarty/issues/239
- bugfix enableSecurity() must init cache flags https://github.com/smarty-php/smarty/issues/247

27.05.2016
- bugfix/improvement of compileAlltemplates() follow symlinks in template folder (PHP >= 5.3.1) https://github.com/smarty-php/smarty/issues/224 clear internal cache and extension handler for each template to avoid possible conflicts https://github.com/smarty-php/smarty/issues/231

16.05.2016
- optimization {foreach} compiler and processing
- broken PHP 5.3 and 5.4 compatibility

15.05.2016
- optimization and cleanup of resource code

10.05.2016
- optimization of inheritance processing

07.05.2016
- bugfix Only variables should be assigned by reference https://github.com/smarty-php/smarty/issues/227

02.05.2016
- enhancement {block} tag names can now be variable https://github.com/smarty-php/smarty/issues/221

01.05.2016
- bugfix same relative filepath at {include} called from template in different folders could display wrong sub-template

29.04.2016
- bugfix {strip} remove space on linebreak between html tags https://github.com/smarty-php/smarty/issues/213

24.04.2016
- bugfix nested {include} with relative file path could fail when called in {block} ... {/block} https://github.com/smarty-php/smarty/issues/218

14.04.2016
- bugfix special variable {$smarty.capture.name} was not case sensitive on name https://github.com/smarty-php/smarty/issues/210
- bugfix the default template handler must calculate the source uid https://github.com/smarty-php/smarty/issues/205

13.04.2016
- bugfix template inheritance status must be saved when calling sub-templates https://github.com/smarty-php/smarty/issues/215

27.03.2016
- bugfix change of 11.03.2016 cause again {capture} data could not been seen in other templates with {$smarty.capture.name} https://github.com/smarty-php/smarty/issues/153

11.03.2016
- optimization of capture and security handling
- improvement $smarty->clearCompiledTemplate() should return on recompiled or uncompiled resources

10.03.2016
- optimization of resource processing

09.03.2016
- improvement rework of 'scope' attribute handling see NEW_FEATURES.txt https://github.com/smarty-php/smarty/issues/194 https://github.com/smarty-php/smarty/issues/186 https://github.com/smarty-php/smarty/issues/179
- bugfix correct Autoloader update of 2.3.2014 https://github.com/smarty-php/smarty/issues/199

04.03.2016
- bugfix change from 01.03.2016 will cause $smarty->isCached(..) failure if called multiple time for same template (forum topic 25935)

02.03.2016
- revert autoloader optimizations because of unexplainable warning when using plugins https://github.com/smarty-php/smarty/issues/199

01.03.2016
- bugfix template objects must be cached on $smarty->fetch('foo.tpl) calls in case the template is fetched multiple times (forum topic 25909)

25.02.2016
- bugfix wrong _realpath with 4 or more parent-directories https://github.com/smarty-php/smarty/issues/190
- optimization of _realpath
- bugfix instanceof expression in template code must be treated as value https://github.com/smarty-php/smarty/issues/191

20.02.2016
- bugfix {strip} must keep space between html tags. Broken by changes of 10.2.2016 https://github.com/smarty-php/smarty/issues/184
- new feature/bugfix {foreach}{section} add 'properties' attribute to force compilation of loop properties see NEW_FEATURES.txt https://github.com/smarty-php/smarty/issues/189

19.02.2016
- revert output buffer flushing on display, echo content again because possible problems when PHP files had characters (newline} after ?> at file end https://github.com/smarty-php/smarty/issues/187

14.02.2016
- new tag {make_nocache} read NEW_FEATURES.txt https://github.com/smarty-php/smarty/issues/110
- optimization of sub-template processing
- bugfix using extendsall as default resource and {include} inside {block} tags could produce unexpected results https://github.com/smarty-php/smarty/issues/183
- optimization of tag attribute compiling
- optimization make compiler tag object cache static for higher compilation speed

11.02.2016
- improvement added KnockoutJS comments to trimwhitespace outputfilter https://github.com/smarty-php/smarty/issues/82 https://github.com/smarty-php/smarty/pull/181

10.02.2016
- bugfix {strip} must keep space on output creating smarty tags within html tags https://github.com/smarty-php/smarty/issues/177
- bugfix wrong precedence on special if conditions like '$foo is ... by $bar' could cause wrong code https://github.com/smarty-php/smarty/issues/178
- improvement because of ambiguities the inline constant support has been removed from the $foo.bar syntax https://github.com/smarty-php/smarty/issues/149
- bugfix other {strip} error with output tags between html https://github.com/smarty-php/smarty/issues/180

09.02.2016
- move some code from parser into compiler
- reformat all code for unique style
- update/bugfix scope attribute handling reworked. Read the newfeatures.txt file

05.02.2016
- improvement internal compiler changes

01.02.2016
- bugfix {foreach} compilation failed when $smarty->merge_compiled_includes = true and pre-filters are used.

29.01.2016
- bugfix implement replacement code for _tag_stack property https://github.com/smarty-php/smarty/issues/151

28.01.2016
- bugfix allow windows network filepath or wrapper (forum topic 25876) https://github.com/smarty-php/smarty/issues/170
- bugfix if fetch('foo.tpl') is called on a template object the $parent parameter should default to the calling template object https://github.com/smarty-php/smarty/issues/152

27.01.2016
- revert bugfix compiling {section} did create warning
- bugfix {$smarty.section.customer.loop} did throw compiler error https://github.com/smarty-php/smarty/issues/161 update of yesterdays fix
- bugfix string resource could inject code at {block} or inline subtemplates through PHP comments https://github.com/smarty-php/smarty/issues/157
- bugfix output filters did not observe nocache code flhttps://github.com/smarty-php/smarty/issues/created_by/154g https://github.com/smarty-php/smarty/issues/160
- bugfix {extends} with relative file path did not work https://github.com/smarty-php/smarty/issues/154 https://github.com/smarty-php/smarty/issues/158
- bugfix {capture} data could not been seen in other templates with {$smarty.capture.name} https://github.com/smarty-php/smarty/issues/153

26.01.2016
- improvement observe Smarty::$_CHARSET in debugging console https://github.com/smarty-php/smarty/issues/169
- bugfix compiling {section} did create warning
- bugfix {$smarty.section.customer.loop} did throw compiler error https://github.com/smarty-php/smarty/issues/161

02.01.2016
- update scope handling
- optimize block plugin compiler
- improvement runtime checks if registered block plugins are callable

01.01.2016
- remove Smarty::$resource_cache_mode property

31.12.2015
- optimization of {assign}, {if} and {while} compiled code

30.12.2015
- bugfix plugin names starting with "php" did not compile https://github.com/smarty-php/smarty/issues/147

29.12.2015
- bugfix Smarty::error_reporting was not observed when display() or fetch() was called on template objects https://github.com/smarty-php/smarty/issues/145

28.12.2015
- optimization of {foreach} code size and processing

27.12.2015
- improve inheritance code
- update external methods
- code fixes
- PHPdoc updates

25.12.2015
- compile {block} tag code and its processing into classes
- optimization replace hhvm extension by inline code
- new feature If ACP is enabled force an apc_compile_file() when compiled or cached template was updated

24.12.2015
- new feature Compiler does now observe the template_dir setting and will create separate compiled files if required
- bugfix post filter did fail on template inheritance https://github.com/smarty-php/smarty/issues/144

23.12.2015
- optimization move internal method decodeProperties back into template object
- optimization move subtemplate processing back into template object
- new feature Caching does now observe the template_dir setting and will create separate cache files if required

22.12.2015
- change $xxx_dir properties from private to protected in case Smarty class gets extended
- code optimizations

21.12.2015
- bugfix a filepath starting with '/' or '\' on windows should normalize to the root dir of current working drive https://github.com/smarty-php/smarty/issues/134
- optimization of filepath normalization
- bugfix {strip} must remove all blanks between html tags https://github.com/smarty-php/smarty/issues/136

===== 3.1.29 ===== (21.12.2015)
21.12.2015
- optimization improve speed of filetime checks on extends and extendsall resource

20.12.2015
- bugfix failure when the default resource type was set to 'extendsall' https://github.com/smarty-php/smarty/issues/123
- update compilation of Smarty special variables
- bugfix add addition check for OS type on normalization of file path https://github.com/smarty-php/smarty/issues/134
- bugfix the source uid of the extendsall resource must contain $template_dir settings https://github.com/smarty-php/smarty/issues/123

19.12.2015
- bugfix using $smarty.capture.foo in expressions could fail https://github.com/smarty-php/smarty/pull/138
- bugfix broken PHP 5.2 compatibility https://github.com/smarty-php/smarty/issues/139
- remove no longer used code
- improvement make sure that compiled and cache templates never can contain a trailing '?>?

18.12.2015
- bugfix regression when modifier parameter was followed by math https://github.com/smarty-php/smarty/issues/132

17.12.2015
- bugfix {$smarty.capture.nameFail} did lowercase capture name https://github.com/smarty-php/smarty/issues/135
- bugfix using {block append/prepend} on same block in multiple levels of inheritance templates could fail (forum topic 25827)
- bugfix text content consisting of just a single '0' like in {if true}0{/if} was suppressed (forum topic 25834)

16.12.2015
- bugfix {foreach} did fail if from attribute is a Generator class https://github.com/smarty-php/smarty/issues/128
- bugfix direct access $smarty->template_dir = 'foo'; should call Smarty::setTemplateDir() https://github.com/smarty-php/smarty/issues/121

15.12.2015
- bugfix {$smarty.cookies.foo} did return the $_COOKIE array not the 'foo' value https://github.com/smarty-php/smarty/issues/122
- bugfix a call to clearAllCache() and other should clear all internal template object caches (forum topic 25828)

14.12.2015
- bugfix {$smarty.config.foo} broken in 3.1.28 https://github.com/smarty-php/smarty/issues/120
- bugfix multiple calls of {section} with same name dropped E_NOTICE error https://github.com/smarty-php/smarty/issues/118

===== 3.1.28 ===== (13.12.2015)
13.12.2015
- bugfix {foreach} and {section} with uppercase characters in name attribute did not work (forum topic 25819)
- bugfix $smarty->debugging_ctrl = 'URL' did not work (forum topic 25811)
- bugfix Debug Console could display incorrect data when using subtemplates

09.12.2015
- bugfix Smarty did fail under PHP 7.0.0 with use_include_path = true;

09.12.2015
- bugfix {strip} should exclude some html tags from stripping, related to fix for https://github.com/smarty-php/smarty/issues/111

08.12.2015
- bugfix internal template function data got stored in wrong compiled file https://github.com/smarty-php/smarty/issues/114

05.12.2015
- bugfix {strip} should insert a single space https://github.com/smarty-php/smarty/issues/111

25.11.2015
- bugfix a left delimiter like '[%' did fail on [%$var_[%$variable%]%] (forum topic 25798)

02.11.2015
- bugfix {include} with variable file name like {include file="foo_`$bar`.tpl"} did fail in 3.1.28-dev https://github.com/smarty-php/smarty/issues/102

01.11.2015
- update config file processing

31.10.2015
- bugfix add missing $trusted_dir property to SmartyBC class (forum topic 25751)

29.10.2015
- improve template scope handling

24.10.2015
- more optimizations of template processing
- bugfix Error when using {include} within {capture} https://github.com/smarty-php/smarty/issues/100

21.10.2015
- move some code into runtime extensions

18.10.2015
- optimize filepath normalization
- rework of template inheritance
- speed and size optimizations
- bugfix under HHVM temporary cache file must only be created when caches template was updated
- fix compiled code for new {block} assign attribute
- update code generated by template function call handler

18.09.2015
- bugfix {if $foo instanceof $bar} failed to compile if 2nd value is a variable https://github.com/smarty-php/smarty/issues/92

17.09.2015
- bugfix {foreach} first attribute was not correctly reset since commit 05a8fa2 of 02.08.2015 https://github.com/smarty-php/smarty/issues/90

16.09.2015
- update compiler by moving no longer needed properties, code optimizations and other

14.09.2015
- optimize autoloader
- optimize subtemplate handling
- update template inheritance processing
- move code of {call} processing back into Smarty_Internal_Template class
- improvement invalidate OPCACHE for cleared compiled and cached template files (forum topic 25557)
- bugfix unintended multiple debug windows (forum topic 25699)

30.08.2015
- size optimization move some runtime functions into extension
- optimize inline template processing
- optimization merge inheritance child and parent templates into one compiled template file

29.08.2015
- improvement convert template inheritance into runtime processing
- bugfix {$smarty.block.parent} did always reference the root parent block https://github.com/smarty-php/smarty/issues/68

23.08.2015
- introduce Smarty::$resource_cache_mode and cache template object of {include} inside loop
- load seldom used Smarty API methods dynamically to reduce memory footprint
- cache template object of {include} if same template is included several times
- convert debug console processing to object
- use output buffers for better performance and less memory usage
- optimize nocache hash processing
- remove not really needed properties
- optimize rendering
- move caching to Smarty::_cache
- remove properties with redundant content
- optimize Smarty::templateExists()
- optimize use_include_path processing
- relocate properties for size optimization
- remove redundant code
- bugfix compiling super globals like {$smarty.get.foo} did fail in the master branch https://github.com/smarty-php/smarty/issues/77

06.08.2015
- avoid possible circular object references caused by parser/lexer objects
- rewrite compileAll... utility methods
- commit several internal improvements
- bugfix Smarty failed when compile_id did contain "|"

03.08.2015
- rework clear cache methods
- bugfix compileAllConfig() was broken since 3.1.22 because of the changes in config file processing
- improve getIncludePath() to return directory if no file was given

02.08.2015
- optimization and code cleanup of {foreach} and {section} compiler
- rework {capture} compiler

01.08.2015 - update DateTime object can be instance of DateTimeImmutable

since PHP5.5 https://github.com/smarty-php/smarty/pull/75 - improvement show

resource type and start of template source instead of uid on eval: and string:

resource (forum topic 25630) 31.07.2015 - optimize {foreach} and {section}

compiler 29.07.2015 - optimize {section} compiler for speed and size of

compiled code 28.07.2015 - update for PHP 7 compatibility 26.07.2015 -improvement impement workaround for HHVM PHP incompatibillity

https://github.com/facebook/hhvm/issues/4797 25.07.2015 - bugfix parser did

hang on text starting

20.07.2015
- bugfix config files got recompiled on each request
- improvement invalidate PHP 5.5 opcache for recompiled and cached templates https://github.com/smarty-php/smarty/issues/72

12.07.2015
- optimize {extends} compilation

10.07.2015
- bugfix force file: resource in demo resource.extendsall.php

08.07.2015
- bugfix convert each word of class names to ucfirst in compiler. (forum topic 25588)

07.07.2015
- improvement allow fetch() or display() called on a template object to get output from other template like $template->fetch('foo.tpl') https://github.com/smarty-php/smarty/issues/70
- improvement Added $limit parameter to regex_replace modifier #71
- new feature multiple indices on file: resource

06.07.2015
- optimize {block} compilation
- optimization get rid of __get and __set in source object

01.07.2015
- optimize compile check handling
- update {foreach} compiler
- bugfix debugging console did not display string values containing \n, \r or \t correctly https://github.com/smarty-php/smarty/issues/66
- optimize source resources

28.06.2015
- move $smarty->enableSecurity() into Smarty_Security class
- optimize security isTrustedResourceDir()
- move auto load filter methods into extension
- move $smarty->getTemplateVars() into extension
- move getStreamVariable() into extension
- move $smarty->append() and $smarty->appendByRef() into extension
- optimize autoloader
- optimize file path normalization
- bugfix PATH_SEPARATOR was replaced by mistake in autoloader
- remove redundant code

27.06.2015
- bugfix resolve naming conflict between custom Smarty delimiter '<%' and PHP ASP tags https://github.com/smarty-php/smarty/issues/64
- update $smarty->_realpath for relative path not starting with './'
- update Smarty security with new realpath handling
- update {include_php} with new realpath handling
- move $smarty->loadPlugin() into extension
- minor compiler optimizations
- bugfix allow function plugins with name ending with 'close' https://github.com/smarty-php/smarty/issues/52
- rework of $smarty->clearCompiledTemplate() and move it to its own extension

19.06.2015
- improvement allow closures as callback at $smarty->registerFilter() https://github.com/smarty-php/smarty/issues/59

===== 3.1.27 ===== (18.06.2015)

18.06.2015
- bugfix another update on file path normalization failed on path containing something like "/.foo/" https://github.com/smarty-php/smarty/issues/56

===== 3.1.26 ===== (18.06.2015)

18.06.2015
- bugfix file path normalization failed on path containing something like "/.foo/" https://github.com/smarty-php/smarty/issues/56

17.06.2015
- bugfix calling a plugin with nocache option but no other attributes like {foo nocache} caused call to undefined function https://github.com/smarty-php/smarty/issues/55

===== 3.1.25 ===== (15.06.2015)

15.06.2015
- optimization of smarty_cacheresource_keyvaluestore.php code

14.06.2015
- bugfix a relative sub template path could fail if template_dir path did contain /../ https://github.com/smarty-php/smarty/issues/50
- optimization rework of path normalization
- bugfix an output tag with variable, modifier followed by an operator like {$foo|modifier+1} did fail https://github.com/smarty-php/smarty/issues/53

13.06.2015
- bugfix a custom cache resource using smarty_cacheresource_keyvaluestore.php did fail if php.ini mbstring.func_overload = 2 (forum topic 25568)

11.06.2015
- bugfix the lexer could hang on very large quoted strings (forum topic 25570)

08.06.2015
- bugfix using {$foo} as array index like $bar.{$foo} or in double quoted string like "some {$foo} thing" failed https://github.com/smarty-php/smarty/issues/49

04.06.2015
- bugfix possible error message on unset() while compiling {block} tags https://github.com/smarty-php/smarty/issues/46

01.06.2015
- bugfix including template variables broken since 3.1.22 https://github.com/smarty-php/smarty/issues/47

27.05.2015
- bugfix {include} with variable file name must not create by default individual cache file (since 3.1.22) https://github.com/smarty-php/smarty/issues/43

24.05.2015
- bugfix if condition string 'neq' broken due to a typo https://github.com/smarty-php/smarty/issues/42

===== 3.1.24 ===== (23.05.2015)

23.05.2015
- improvement on php_handling to allow very large PHP sections, better error handling
- improvement allow extreme large comment sections (forum 25538)

21.05.2015
- bugfix broken PHP 5.2 compatibility when compiling

named {foreach} comparison like $smarty.foreach.foobar.index > 1 did compile into wrong code https://github.com/smarty-php/smarty/issues/41

19.05.2015
- bugfix compiler did overwrite existing variable value when setting the nocache attribute https://github.com/smarty-php/smarty/issues/39
- bugfix output filter trimwhitespace could run into the pcre.backtrack_limit on large output (code.google issue 220)
- bugfix compiler could run into the pcre.backtrack_limit on larger comment or {php} tag sections (forum 25538)

18.05.2015
- improvement introduce shortcuts in lexer/parser rules for most frequent terms for higher compilation speed

16.05.2015
- bugfix {php}{/php} did work just for single lines https://github.com/smarty-php/smarty/issues/33
- improvement remove not needed ?> compiled code
- improvement reduce number of lexer tokens on operators and if conditions
- improvement higher compilation speed by modified lexer/parser generator at "smarty/smarty-lexer"

13.05.2015
- improvement remove not needed ?>
- use fresh Smarty object to display the debug console because of possible problems when the Smarty was extended or Smarty properties had been modified in the class source
- display Smarty version number
- Truncate length of Origin display and extend string value display to 80 characters
- bugfix in Smarty_Security 'nl2br' should be a trusted modifier, not PHP function (code.google issue 223)

12.05.2015
- bugfix {$smarty.constant.TEST} did fail on undefined constant https://github.com/smarty-php/smarty/issues/28
- bugfix access to undefined config variable like {#undef#} did fail https://github.com/smarty-php/smarty/issues/29
- bugfix in nested {foreach} saved item attributes got overwritten https://github.com/smarty-php/smarty/issues/33

===== 3.1.23 ===== (12.05.2015)

12.05.2015
- bugfix of smaller performance issue introduced in 3.1.22 when caching is enabled
- bugfix missing entry for smarty-template-config in autoloader

===== 3.1.22 ===== tag was deleted because 3.1.22 did fail caused by the missing entry for smarty-template-config in autoloader

10.05.2015
- bugfix custom cache resource did not observe compile_id and cache_id when $cache_locking == true
- bugfix cache lock was not handled correctly after timeout when $cache_locking == true
- improvement added constants for $debugging

07.05.2015
- improvement of the debugging console. Read NEW_FEATURES.txt
- optimization of resource class loading

06.05.2015
- bugfix in 3.1.22-dev cache resource must not be loaded for subtemplates
- bugfix/improvement in 3.1.22-dev cache locking did not work as expected

05.05.2015
- optimization on cache update when main template is modified
- optimization move handling from parser to new compiler module

05.05.2015
- bugfix code could be messed up when {tags} are used in multiple attributes https://github.com/smarty-php/smarty/issues/23

04.05.2015
- bugfix Smarty_Resource::parseResourceName incompatible with Google AppEngine (https://github.com/smarty-php/smarty/issues/22)
- improvement use is_file() checks to avoid errors suppressed by @ which could still cause problems (https://github.com/smarty-php/smarty/issues/24)

28.04.2015
- bugfix plugins of merged subtemplates not loaded in 3.1.22-dev (forum topic 25508) 2nd fix

28.04.2015
- bugfix plugins of merged subtemplates not loaded in 3.1.22-dev (forum topic 25508)

23.04.2015
- bugfix a nocache template variable used as parameter at {insert} was by mistake cached

20.04.2015
- bugfix at a template function containing nocache code a parameter could overwrite a template variable of same name

27.03.2015
- bugfix Smarty_Security->allow_constants=false; did also disable true, false and null (change of 16.03.2015)
- improvement added a whitelist for trusted constants to security Smarty_Security::$trusted_constants (forum topic 25471)

20.03.2015
- bugfix make sure that function properties get saved only in compiled files containing the function definition {forum topic 25452}
- bugfix correct update of global variable values on exit of template functions. (reported under Smarty Developers)

16.03.2015
- bugfix problems with {function}{/function} and {call} tags in different subtemplate cache files {forum topic 25452}
- bugfix Smarty_Security->allow_constants=false; did not disallow direct usage of defined constants like {SMARTY_DIR} {forum topic 25457}
- bugfix {block}{/block} tags did not work inside double quoted strings https://github.com/smarty-php/smarty/issues/18

15.03.2015
- bugfix $smarty->compile_check must be restored before rendering of a just updated cache file {forum 25452}

14.03.2015
- bugfix {nocache} {/nocache} tags corrupted code when used within a nocache section caused by a nocache template variable.
- bugfix template functions defined with {function} in an included subtemplate could not be called in nocache mode with {call... nocache} if the subtemplate had its own cache file {forum 25452}

10.03.2015
- bugfix {include ... nocache} with variable file or compile_id attribute was not executed in nocache mode.

12.02.2015
- bugfix multiple Smarty::fetch() of same template when $smarty->merge_compiled_includes = true; could cause function already defined error

11.02.2015
- bugfix recursive {includes} did create E_NOTICE message when $smarty->merge_compiled_includes = true; (github issue #16)

22.01.2015
- new feature security can now control access to static methods and properties see also NEW_FEATURES.txt

21.01.2015
- bugfix clearCompiledTemplates(), clearAll() and clear() could try to delete whole drive at wrong path permissions because realpath() fail (forum 25397)
- bugfix 'self::' and 'parent::' was interpreted in template syntax as static class

04.01.2015
- push last weeks changes to github
- different optimizations
- improvement automatically create different versions of compiled templates and config files depending on property settings.
- optimization restructure template processing by moving code into classes it better belongs to
- optimization restructure config file processing

31.12.2014
- bugfix use function_exists('mb_get_info') for setting Smarty::$_MBSTRING. Function mb_split could be overloaded depending on php.ini mbstring.func_overload

29.12.2014
- new feature security can now limit the template nesting level by property $max_template_nesting see also NEW_FEATURES.txt (forum 25370)

29.12.2014
- new feature security can now disable special $smarty variables listed in property $disabled_special_smarty_vars see also NEW_FEATURES.txt (forum 25370)

27.12.2014
- bugfix clear internal _is_file_cache when plugins_dir was modified

13.12.2014
- improvement optimization of lexer and parser resulting in an up to 30% higher compiling speed

11.12.2014
- bugfix resolve parser ambiguity between constant print tag {CONST} and other smarty tags after change of 09.12.2014

09.12.2014
- bugfix variables $null, $true and $false did not work after the change of 12.11.2014 (forum 25342)
- bugfix call of template function by a variable name did not work after latest changes (forum 25342)

23.11.2014
- bugfix a plugin with attached modifier could fail if the tag was immediately followed by another Smarty tag (since 3.1.21) (forum 25326)

13.11.2014
- improvement move autoload code into Autoloader.php. Use Composer autoloader when possible

12.11.2014
- new feature added support of namespaces to template code

08.11.2014 - 10.11.2014
- bugfix subtemplate called in nocache mode could be called with wrong compile_id when it did change on one of the calling templates
- improvement add code of template functions called in nocache mode dynamically to cache file (related to bugfix of 01.11.2014)
- bugfix Debug Console did not include all data from merged compiled subtemplates

04.11.2014
- new feature $smarty->debugging = true; => overwrite existing Debug Console window (old behaviour)
  $smarty->debugging = 2; => individual Debug Console window by template name

03.11.2014
- bugfix Debug Console did not show included subtemplates since 3.1.17 (forum 25301)
- bugfix Modifier debug_print_var did not limit recursion or prevent recursive object display at Debug Console (ATTENTION: parameter order has changed to be able to specify maximum recursion)
- bugfix Debug console did not include subtemplate information with $smarty->merge_compiled_includes = true
- improvement The template variables are no longer displayed as objects on the Debug Console
- improvement $smarty->createData($parent = null, $name = null) new optional name parameter for display at Debug Console
- addition of some hooks for future extension of Debug Console

01.11.2014
- bugfix and enhancement on subtemplate {include} and template {function} tags.
  * Calling a template which has a nocache section could fail if it was called from a cached and a not cached subtemplate.
  * Calling the same subtemplate cached and not cached with the $smarty->merge_compiled_includes enabled could cause problems
  * Many smaller related changes

30.10.2014
- bugfix access to class constant by object like {$object::CONST} or variable class name {$class::CONST} did not work (forum 25301)

26.10.2014
- bugfix E_NOTICE message was created during compilation when ASP tags '<%' or '%>' are in template source text
- bugfix merge_compiled_includes option failed when caching enabled and same subtemplate was included cached and not cached

Change Log

* Fri Feb 22 2019 Shawn Iwinski - 3.1.33-1
- Update to 3.1.33
- RHBZ #s: 1532492, 1532493, 1532494, 1628739, 1628740, 1628741, 1631095, 1631096, 1631098
- CVEs: CVE-2017-1000480, CVE-2018-13982, CVE-2018-16831
- License LGPLv2+ => LGPLv3

* Sat Feb 2 2019 Fedora Release Engineering - 3.1.21-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Fri Jul 13 2018 Fedora Release Engineering - 3.1.21-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

References

[ 1 ] Bug #1631098 - CVE-2018-13982 php-Smarty: Path traversal vulnerability in Smarty_Security::isTrustedResourceDir() [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1631098

[ 2 ] Bug #1628740 - CVE-2018-16831 php-Smarty: trusted_dir protection mechanism bypass [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1628740

[ 3 ] Bug #1532493 - CVE-2017-1000480 php-Smarty: Code injection when calling fetch() or display() on unsanitized template names [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1532493

[ 4 ] Bug #1631096 - CVE-2018-13982 php-Smarty: Path traversal vulnerability in Smarty_Security::isTrustedResourceDir() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1631096

[ 5 ] Bug #1628741 - CVE-2018-16831 php-Smarty: trusted_dir protection mechanism bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1628741

[ 6 ] Bug #1532494 - CVE-2017-1000480 php-Smarty: Code injection when calling fetch() or display() on unsanitized template names [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1532494

Update Instructions

su -c 'dnf upgrade --advisory FEDORA-2019-d248c5aa39' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at


Severity
critical

Product: Fedora 28
Version: 3.1.33
Release: 1.fc28
Summary: Smarty - the compiling PHP template engine
