CIVI-PSA-2023-01: Smarty v2 Audit

Veröffentlicht
2023-09-06 23:59
Written by

CiviCRM includes the Smarty v2 templating engine. Templates are defined by core code, by third-party extensions, and by configurable content. The upstream smarty.net project has stopped publishing security backports for Smarty v2, so civicrm.org will do so (until a migration to a newer Smarty is complete).

As part of this, the CiviCRM security team has done a detailed audit to compare recent issues from v2/v3/v4.

The following one issue does impact Smarty v2. We've ported a fix to CiviCRM.

The following four issues do not impact Smarty v2. They relate to new behaviors that only exist in v3+.

The following one issue has hypothetical considerations but does not impact CiviCRM's usage of Smarty v2.

  • Cross site scripting vulnerability in Javascript escaping (GHSA-7j98-h7fp-4vwj)
    • (Smarty supports multiple techniques for encoding Javascript. By convention, CiviCRM and its universe of extensions generally use the safer json_encode technique -- rather than the riskier escape:javascript technique.)
    • (It is theoretically possible to create a Smarty v2 application with this defect -- that is, by using the escape:javascript string-encoder as a way to generate "template-literals". However, this is anachronistic -- "template-literals" should not naturally appear in applications or coding-conventions from the era of Smarty v2.)

civicrm.org will continue to provide backports/analyses for future issues -- until such time as we are able to coordinate a migration to a newer major release of Smarty.

Security Risk
Not Critical
Vulnerability
Other
Affected Versions

N/A

Fixed Versions

N/A

Publication Date
Solutions

N/A

Credits

N/A

References

GHSA-7j98-h7fp-4vwj
GHSA-634x-pc3q-cf4c
GHSA-29gp-2c3m-3j6m
GHSA-4h9c-v5vg-5m6m
GHSA-3rpf-5rqv-689q
GHSA-w5hr-jm4j-9jvq