From 4eb86a67701301c38ed763b5ff5d251999adb491 Mon Sep 17 00:00:00 2001 From: Simon Wisselink Date: Mon, 16 May 2022 12:34:49 +0200 Subject: [PATCH 1/2] Replace '*/' in user supplied input in C-style comments with '* /'. --- libs/sysplugins/smarty_internal_compile_block.php | 4 ++-- libs/sysplugins/smarty_internal_compile_function.php | 8 ++++---- libs/sysplugins/smarty_internal_compile_include.php | 4 ++-- .../smarty_internal_config_file_compiler.php | 10 ++++++---- libs/sysplugins/smarty_internal_runtime_codeframe.php | 9 ++++++--- .../smarty_internal_templatecompilerbase.php | 4 ++++ 6 files changed, 24 insertions(+), 15 deletions(-) diff --git a/libs/sysplugins/smarty_internal_compile_block.php b/libs/sysplugins/smarty_internal_compile_block.php index 8ff15d8e5..cbaccd2b3 100644 --- a/libs/sysplugins/smarty_internal_compile_block.php +++ b/libs/sysplugins/smarty_internal_compile_block.php @@ -125,7 +125,7 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler, $ // setup buffer for template function code $compiler->parser->current_buffer = new Smarty_Internal_ParseTree_Template(); $output = "cStyleComment(" {block {$_name}} ") . "\n"; $output .= "class {$_className} extends Smarty_Internal_Block\n"; $output .= "{\n"; foreach ($_block as $property => $value) { @@ -155,7 +155,7 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler, $ } $output .= "}\n"; $output .= "}\n"; - $output .= "/* {/block {$_name}} */\n\n"; + $output .= $compiler->cStyleComment(" {/block {$_name}} ") . "\n\n"; $output .= "?>\n"; $compiler->parser->current_buffer->append_subtree( $compiler->parser, diff --git a/libs/sysplugins/smarty_internal_compile_function.php b/libs/sysplugins/smarty_internal_compile_function.php index d0f2b0f4a..1b73a6ba6 100644 --- a/libs/sysplugins/smarty_internal_compile_function.php +++ b/libs/sysplugins/smarty_internal_compile_function.php 
@@ -134,7 +134,7 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler) if ($compiler->template->compiled->has_nocache_code) { $compiler->parent_compiler->tpl_function[ $_name ][ 'call_name_caching' ] = $_funcNameCaching; $output = "cStyleComment(" {$_funcNameCaching} ") . "\n"; $output .= "if (!function_exists('{$_funcNameCaching}')) {\n"; $output .= "function {$_funcNameCaching} (Smarty_Internal_Template \$_smarty_tpl,\$params) {\n"; $output .= "ob_start();\n"; @@ -159,7 +159,7 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler) $output .= "/*/%%SmartyNocache:{$compiler->template->compiled->nocache_hash}%%*/\";\n?>"; $output .= "template->compiled->nocache_hash}', \$_smarty_tpl->compiled->nocache_hash, ob_get_clean());\n"; $output .= "}\n}\n"; - $output .= "/*/ {$_funcName}_nocache */\n\n"; + $output .= $compiler->cStyleComment("/ {$_funcName}_nocache ") . "\n\n"; $output .= "?>\n"; $compiler->parser->current_buffer->append_subtree( $compiler->parser, @@ -179,7 +179,7 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler) } $compiler->parent_compiler->tpl_function[ $_name ][ 'call_name' ] = $_funcName; $output = "cStyleComment(" {$_funcName} ") . "\n"; $output .= "if (!function_exists('{$_funcName}')) {\n"; $output .= "function {$_funcName}(Smarty_Internal_Template \$_smarty_tpl,\$params) {\n"; $output .= $_paramsCode; @@ -196,7 +196,7 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler) ); $compiler->parser->current_buffer->append_subtree($compiler->parser, $_functionCode); $output = "cStyleComment("/ {$_funcName} ") . "\n\n"; $output .= "?>\n"; $compiler->parser->current_buffer->append_subtree( $compiler->parser, diff --git a/libs/sysplugins/smarty_internal_compile_include.php b/libs/sysplugins/smarty_internal_compile_include.php index 716c91d49..bf62461bc 100644 --- a/libs/sysplugins/smarty_internal_compile_include.php 
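Review bot: In smarty_internal_compile_function.php the name that is now escaped for the comment is still interpolated unescaped into generated code on the context lines that follow, `if (!function_exists('{$_funcNameCaching}')) {` and `function {$_funcNameCaching} (`, and likewise for `$_funcName` in the @@ -179 hunk. cStyleComment() only neutralises `*/`, so these lines are safe only if compile() restricts the function name to identifier characters before this point; that part of compile() is outside the hunks, so it cannot be confirmed from here. If no such check exists, reject the name early, e.g. `if (!preg_match('/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*$/', $_name)) { $compiler->trigger_template_error('Function name contains invalid characters'); }`. If it does exist, a comment such as `// $_name validated above; safe to embed in generated code` beside the first interpolation would make the dependency explicit.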
+++ b/libs/sysplugins/smarty_internal_compile_include.php @@ -318,14 +318,14 @@ public function compileInlineTemplate( } // get compiled code $compiled_code = "cStyleComment(" Start inline template \"{$sourceInfo}\" =============================") . "\n"; $compiled_code .= "function {$tpl->compiled->unifunc} (Smarty_Internal_Template \$_smarty_tpl) {\n"; $compiled_code .= "?>\n" . $tpl->compiler->compileTemplateSource($tpl, null, $compiler->parent_compiler); $compiled_code .= "\n"; $compiled_code .= $tpl->compiler->postFilter($tpl->compiler->blockOrFunctionCode); $compiled_code .= "cStyleComment(" End inline template \"{$sourceInfo}\" =============================") . "\n"; $compiled_code .= '?>'; unset($tpl->compiler); if ($tpl->compiled->has_nocache_code) { diff --git a/libs/sysplugins/smarty_internal_config_file_compiler.php b/libs/sysplugins/smarty_internal_config_file_compiler.php index 90c5dcefa..469b9667a 100644 --- a/libs/sysplugins/smarty_internal_config_file_compiler.php +++ b/libs/sysplugins/smarty_internal_config_file_compiler.php @@ -157,10 +157,12 @@ public function compileTemplate(Smarty_Internal_Template $template) $this->smarty->_debug->end_compile($this->template); } // template header code - $template_header = - "template->source->filepath}' */ ?>\n"; + $template_header = sprintf( + "\n", + Smarty::SMARTY_VERSION, + date("Y-m-d H:i:s"), + str_replace('*/', '* /' , $this->template->source->filepath) + ); $code = 'smarty->ext->configLoad->_loadConfigVars($_smarty_tpl, ' . var_export($this->config_data, true) . '); ?>'; return $template_header . $this->template->smarty->ext->_codeFrame->create($this->template, $code); diff --git a/libs/sysplugins/smarty_internal_runtime_codeframe.php b/libs/sysplugins/smarty_internal_runtime_codeframe.php index 983ca6180..4a7781c44 100644 --- a/libs/sysplugins/smarty_internal_runtime_codeframe.php +++ b/libs/sysplugins/smarty_internal_runtime_codeframe.php 
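Review bot: The filepath escaping in smarty_internal_config_file_compiler.php, `str_replace('*/', '* /' , $this->template->source->filepath)`, is a second hand-written copy of the rule this patch also introduces as cStyleComment() in smarty_internal_templatecompilerbase.php. Two copies of a security-relevant escape can drift apart the next time one of them is changed. The config compiler may not have a template compiler instance in scope here (compileTemplate() starts and ends outside the hunk), so a static helper that both call sites can reach would be the cleaner form; at minimum add `// must match Smarty_Internal_TemplateCompilerBase::cStyleComment()` above the sprintf call. The smarty_internal_runtime_codeframe.php hunk looks like it needs the same treatment, though its new lines are only partly legible on this page.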
@@ -44,9 +44,12 @@ public function create( $properties[ 'file_dependency' ] = $_template->cached->file_dependency; $properties[ 'cache_lifetime' ] = $_template->cache_lifetime; } - $output = "source->filepath) . "' */\n\n"; + $output = sprintf( + "source->filepath) + ); $output .= "/* @var Smarty_Internal_Template \$_smarty_tpl */\n"; $dec = "\$_smarty_tpl->_decodeProperties(\$_smarty_tpl, " . var_export($properties, true) . ',' . ($cache ? 'true' : 'false') . ')'; diff --git a/libs/sysplugins/smarty_internal_templatecompilerbase.php b/libs/sysplugins/smarty_internal_templatecompilerbase.php index 3cc957dec..b4e270c18 100644 --- a/libs/sysplugins/smarty_internal_templatecompilerbase.php +++ b/libs/sysplugins/smarty_internal_templatecompilerbase.php @@ -1455,6 +1455,10 @@ public function compileCheckPlugins($requiredPlugins) */ abstract protected function doCompile($_content, $isTemplateSource = false); + public function cStyleComment($string) { + return '/*' . str_replace('*/', '* /' , $string) . '*/'; + } + /** * Compile Tag * From 8a8cf58c5a2414ed127464f326d90c54d6aa4a56 Mon Sep 17 00:00:00 2001 From: Simon Wisselink Date: Mon, 16 May 2022 13:38:45 +0200 Subject: [PATCH 2/2] Changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 795c45ee1..daab13263 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Security +- Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022- + ### Fixed - Math equation `max(x, y)` didn't work anymore [#721](https://github.com/smarty-php/smarty/issues/721)
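Review bot: The new `cStyleComment($string)` in smarty_internal_templatecompilerbase.php has no docblock, while the declarations around it do, and nothing records why `*/` becomes `* /`. I would add a docblock saying that the method wraps text in `/* ... */` for compiled template output and breaks up any `*/` in the input so that template-controlled names and file paths cannot end the comment early, with `@param string $string` and `@return string`. The diffstat lists no test file, so a regression test asserting that the result for an input containing `*/` has its only `*/` at the very end would keep the fix from being silently undone.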