From 25051e6e88af39b5e455cecc85895b4beaaead6d Mon Sep 17 00:00:00 2001 
From: Simon Wisselink Date: Mon, 12 Sep 2022 16:03:27 +0200 Subject: [PATCH] Bugfix/rand without param v3 (#796) * Fixed use of `rand()` without a parameter in math function (for v3.1) Fixes #794 * Add change in regex for PRCE (PHP < 7.3) * Add unit tests and correctly set PHP supported versions * Drop PHP5.2 from CI workflows because it cannot be build anymore * Fix CI workflow for PHP7.2 and up * re-add compose packages cache with specific key * Exclude unit test files from git export * prevent double CI workflows in PRs --- .gitattributes | 4 +- .github/workflows/ci.yml | 73 +++++++++++++++++++ CHANGELOG.md | 3 + composer.json | 2 +- docker-compose.yml | 51 +++++++++++++ libs/plugins/function.math.php | 2 +- run_tests_for_all_php_versions.sh | 11 +++ .../ValueTests/Math/MathTest.php | 8 ++ utilities/testrunners/php54/Dockerfile | 13 ++++ utilities/testrunners/php55/Dockerfile | 13 ++++ utilities/testrunners/php56/Dockerfile | 13 ++++ utilities/testrunners/php70/Dockerfile | 10 +++ utilities/testrunners/php71/Dockerfile | 10 +++ utilities/testrunners/php72/Dockerfile | 10 +++ utilities/testrunners/php73/Dockerfile | 10 +++ utilities/testrunners/php74/Dockerfile | 10 +++ utilities/testrunners/run-test.sh | 2 + .../testrunners/shared/install-composer.sh | 17 +++++ 18 files changed, 259 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/ci.yml create mode 100644 docker-compose.yml create mode 100755 run_tests_for_all_php_versions.sh create mode 100644 utilities/testrunners/php54/Dockerfile create mode 100644 utilities/testrunners/php55/Dockerfile create mode 100644 utilities/testrunners/php56/Dockerfile create mode 100644 utilities/testrunners/php70/Dockerfile create mode 100644 utilities/testrunners/php71/Dockerfile create mode 100644 utilities/testrunners/php72/Dockerfile create mode 100644 utilities/testrunners/php73/Dockerfile create mode 100644 utilities/testrunners/php74/Dockerfile create mode 100755 utilities/testrunners/run-test.sh create 
mode 100644 utilities/testrunners/shared/install-composer.sh
diff --git a/.gitattributes b/.gitattributes
index 2cda67b0e..362ff319f 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -8,7 +8,9 @@
 # exclude from git export
 /tests export-ignore
 /utilities/ export-ignore
-
+/docker-compose.yml export-ignore
+/.github export-ignore
+/run_tests_for_all_php_versions.sh export-ignore
 /.gitattributes export-ignore
 /.gitignore export-ignore
 /.travis.yml export-ignore
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 000000000..1b24dc299
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,73 @@
+# https://help.github.com/en/categories/automating-your-workflow-with-github-actions
+
+on:
+ pull_request:
+ push:
+ branches:
+ - 'support/3.1'
+
+name: CI
+
+jobs:
+ tests:
+ name: Tests
+
+ runs-on: ${{ matrix.os }}
+
+ env:
+ PHP_EXTENSIONS: dom, json, libxml, mbstring, pdo_sqlite, soap, xml, xmlwriter
+ PHP_INI_VALUES: assert.exception=1, zend.assertions=1
+
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - ubuntu-latest
+
+ php-version:
+ - "5.3"
+ - "5.4"
+ - "5.5"
+ - "5.6"
+ - "7.1"
+ - "7.2"
+ - "7.3"
+ - "7.4"
+
+ compiler:
+ - default
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Override PHP ini values for JIT compiler
+ if: matrix.compiler == 'jit'
+ run: echo "PHP_INI_VALUES::assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=1, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M" >> $GITHUB_ENV
+
+ - name: Install PHP with extensions
+ uses: shivammathur/setup-php@v2
+ with:
+ php-version: ${{ matrix.php-version }}
+ coverage: pcov
+ extensions: ${{ env.PHP_EXTENSIONS }}
+ ini-values: ${{ env.PHP_INI_VALUES }}
+
+ - name: Validate composer.json and composer.lock
+ run: composer validate
+
+ - name: Cache Composer packages
+ id: composer-cache
+ uses: actions/cache@v2
+ with:
+ path: vendor
+ key: Smartyv3-${{ runner.os }}-php-${{ matrix.php-version }}-${{ hashFiles('**/composer.lock') }}
+ restore-keys: |
+ Smartyv3-${{ runner.os }}-php-${{ matrix.php-version }}-
+
+ - name: Install dependencies
+ if: steps.composer-cache.outputs.cache-hit != 'true'
+ run: composer install --prefer-dist --no-progress --no-suggest
+
+ - name: Run tests with phpunit
+ run: ./phpunit.sh
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fab8301d5..d8a680901 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
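Review bot: The "Override PHP ini values for JIT compiler" step writes `PHP_INI_VALUES::assert.exception=1, ...` to `$GITHUB_ENV`, but that file takes `NAME=value` lines, so the `::` form (a leftover of the old `::set-env` syntax) would not override `PHP_INI_VALUES`; the step is also unreachable because the `compiler` matrix only contains `default`, so either drop it or fix it to `run: echo "PHP_INI_VALUES=assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=1, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M" >> $GITHUB_ENV`. The workflow has no top-level `permissions:` block, so the job token keeps the repository default scope although checkout, cache and phpunit only need `permissions: contents: read`. `actions/checkout@v2`, `actions/cache@v2` and the third-party `shivammathur/setup-php@v2` are pinned to mutable major tags; pinning each `uses:` to a full commit SHA, with the tag kept in a trailing comment, keeps a retagged or compromised action out of the build. The `php-version` matrix also omits 7.0 although `composer.json` in this commit declares `^5.2 || ^7.0`, so that version is exercised only by the docker-compose runners.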
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixes
+- Fixed use of `rand()` without a parameter in math function [#794](https://github.com/smarty-php/smarty/issues/794)
+
 ## [3.1.46] - 2022-08-01
 
 ### Fixed
diff --git a/composer.json b/composer.json
index 183f9f240..22f92083f 100644
--- a/composer.json
+++ b/composer.json
@@ -27,7 +27,7 @@
 "forum": "http://www.smarty.net/forums/"
 },
 "require": {
- "php": ">=5.2"
+ "php": "^5.2 || ^7.0"
 },
 "autoload": {
 "classmap": [
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 000000000..5dedb7297
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,51 @@
+version: "2"
+services:
+ base:
+ build:
+ context: .
+ dockerfile: ./utilities/testrunners/php54/Dockerfile
+ volumes:
+ - .:/app
+ working_dir: /app
+ entrypoint: sh ./utilities/testrunners/run-test.sh
+ php54:
+ extends:
+ service: base
+ build:
+ dockerfile: ./utilities/testrunners/php54/Dockerfile
+ php55:
+ extends:
+ service: base
+ build:
+ dockerfile: ./utilities/testrunners/php55/Dockerfile
+ php56:
+ extends:
+ service: base
+ build:
+ dockerfile: ./utilities/testrunners/php56/Dockerfile
+ php70:
+ extends:
+ service: base
+ build:
+ dockerfile: ./utilities/testrunners/php70/Dockerfile
+ php71:
+ extends:
+ service: base
+ build:
+ dockerfile: ./utilities/testrunners/php71/Dockerfile
+ php72:
+ extends:
+ service: base
+ build:
+ dockerfile: ./utilities/testrunners/php72/Dockerfile
+ php73:
+ extends:
+ service: base
+ build:
+ dockerfile: ./utilities/testrunners/php73/Dockerfile
+ php74:
+ extends:
+ service: base
+ build:
+ dockerfile: ./utilities/testrunners/php74/Dockerfile
+
diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php
index d5f86a694..e2f8e04c8 100644
--- a/libs/plugins/function.math.php
+++ b/libs/plugins/function.math.php
@@ -70,7 +70,7 @@ function smarty_function_math($params, $template)
 $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number
 $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))';
 $operators = '[,+\/*\^%-]'; // Allowed math operators
- $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/';
+ $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)*\)|\((?1)*\)))(?:'.$operators.'(?1))?)+$/';
 
 if (!preg_match($regexp, $equation)) {
 trigger_error("math: illegal characters", E_USER_WARNING);
diff --git a/run_tests_for_all_php_versions.sh b/run_tests_for_all_php_versions.sh
new file mode 100755
index 000000000..67e3c6dea
--- /dev/null
+++ b/run_tests_for_all_php_versions.sh
@@ -0,0 +1,11 @@
+# Runs tests for all supported PHP versions >= PHP 5.4.
+# Cannot get 5.2 and 5.3 to run in docker anymore
+
+docker-compose run php54 && \
+docker-compose run php55 && \
+docker-compose run php56 && \
+docker-compose run php70 && \
+docker-compose run php71 && \
+docker-compose run php72 && \
+docker-compose run php73 && \
+docker-compose run php74
\ No newline at end of file
diff --git a/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php b/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
index c18cf1f41..b436939f5 100644
--- a/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
+++ b/tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
@@ -162,4 +162,12 @@ public function testBracketsIllegal()
 $this->assertEquals($expected, $this->smarty->fetch($tpl));
 }
 
+ public function testRand()
+ {
+ $tpl = $this->smarty->createTemplate('eval:{$x = "0"}{math equation="x * rand()" x=$x}');
+ // this assertion may seem silly, but it serves to prove that using rand() without a parameter
+ // will not trigger a security error (see https://github.com/smarty-php/smarty/issues/794)
+ $this->assertEquals("0", $this->smarty->fetch($tpl));
+ }
+
 }
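Review bot: The relaxation to `(?1)*` was applied to both parenthesis branches, so the bare-parenthesis alternative `\((?1)*\)` now also accepts an empty `()` that follows no function name; an equation such as `x * ()` passes the allowlist regex and, presumably, goes on to evaluation as a PHP parse error instead of the `math: illegal characters` warning on the lines below. Only the function-call branch needs to accept an empty argument list for `rand()`, so keeping `+` on the bare branch restores the previous rejection: `$regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)*\)|\((?1)+\)))(?:'.$operators.'(?1))?)+$/';`. A comment on the line, e.g. `// (?1)* after a function name allows parameterless calls such as rand(), see #794`, would explain the asymmetry to the next reader. `smarty_function_math` continues outside the hunk, so whatever check is applied to the matched function names is not visible here.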
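Review bot: `run_tests_for_all_php_versions.sh` is created with mode 100755 but has no shebang, so which interpreter runs it depends on whoever invokes it; a first line `#!/bin/sh` pins it (the `&&` chain already stops at the first PHP version whose tests fail). The file also ends without a trailing newline (`\ No newline at end of file`), which some editors and linters flag.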
diff --git a/utilities/testrunners/php54/Dockerfile b/utilities/testrunners/php54/Dockerfile
new file mode 100644
index 000000000..c8107aa41
--- /dev/null
+++ b/utilities/testrunners/php54/Dockerfile
@@ -0,0 +1,13 @@
+FROM php:5.4-cli
+
+## Upgrade CA certificates
+RUN curl -k https://curl.se/ca/cacert.pem > cacert.crt && cp cacert.crt /usr/local/share/ca-certificates/ && update-ca-certificates
+
+## Basic utilities
+RUN apt-get update -yqq && apt-get install --force-yes -y curl apt-utils git zip unzip
+
+## Composer
+COPY ./utilities/testrunners/shared/install-composer.sh /root/install-composer.sh
+WORKDIR /root
+RUN sh ./install-composer.sh
+RUN mv ./composer.phar /usr/local/bin/composer
diff --git a/utilities/testrunners/php55/Dockerfile b/utilities/testrunners/php55/Dockerfile
new file mode 100644
index 000000000..fb4e14c18
--- /dev/null
+++ b/utilities/testrunners/php55/Dockerfile
@@ -0,0 +1,13 @@
+FROM php:5.5-cli
+
+## Upgrade CA certificates
+RUN curl -k https://curl.se/ca/cacert.pem > cacert.crt && cp cacert.crt /usr/local/share/ca-certificates/ && update-ca-certificates
+
+## Basic utilities
+RUN apt-get update -yqq && apt-get install --force-yes -y curl apt-utils git zip unzip
+
+## Composer
+COPY ./utilities/testrunners/shared/install-composer.sh /root/install-composer.sh
+WORKDIR /root
+RUN sh ./install-composer.sh
+RUN mv ./composer.phar /usr/local/bin/composer
diff --git a/utilities/testrunners/php56/Dockerfile b/utilities/testrunners/php56/Dockerfile
new file mode 100644
index 000000000..8b72cf844
--- /dev/null
+++ b/utilities/testrunners/php56/Dockerfile
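Review bot: The `RUN curl -k https://curl.se/ca/cacert.pem > cacert.crt && cp cacert.crt /usr/local/share/ca-certificates/ && update-ca-certificates` line fetches a CA bundle with certificate verification switched off and then installs it as a system trust root, so whoever can interpose on that one download ends up trusted by every later TLS connection in the image, including the Composer installer and signature fetches in `install-composer.sh`; the same line appears in the php55 and php56 Dockerfiles. Since the bundle is a static file, verify it before installing, e.g. `echo "<sha256 of the pinned cacert.pem> cacert.crt" | sha256sum -c -` between the download and the `cp`, or commit the bundle under `utilities/testrunners/shared/` and `COPY` it in, which also removes the need for `-k`. `apt-get install --force-yes` is deprecated and lets apt continue with unauthenticated packages; if the old image's repository keys are the obstacle, a comment saying so is better than silently disabling the check. A short comment above the CA step explaining why the stock store of these images cannot validate current certificates would help the next maintainer.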
@@ -0,0 +1,13 @@
+FROM php:5.6-cli
+
+## Upgrade CA certificates
+RUN curl -k https://curl.se/ca/cacert.pem > cacert.crt && cp cacert.crt /usr/local/share/ca-certificates/ && update-ca-certificates
+
+## Basic utilities
+RUN apt-get update -yqq && apt-get install --force-yes -y curl apt-utils git zip unzip
+
+## Composer
+COPY ./utilities/testrunners/shared/install-composer.sh /root/install-composer.sh
+WORKDIR /root
+RUN sh ./install-composer.sh
+RUN mv ./composer.phar /usr/local/bin/composer
diff --git a/utilities/testrunners/php70/Dockerfile b/utilities/testrunners/php70/Dockerfile
new file mode 100644
index 000000000..61fd92af5
--- /dev/null
+++ b/utilities/testrunners/php70/Dockerfile
@@ -0,0 +1,10 @@
+FROM php:7.0-cli
+
+## Basic utilities
+RUN apt-get update -yqq && apt-get install -y curl apt-utils git zip unzip
+
+## Composer
+COPY ./utilities/testrunners/shared/install-composer.sh /root/install-composer.sh
+WORKDIR /root
+RUN sh ./install-composer.sh
+RUN mv ./composer.phar /usr/local/bin/composer
diff --git a/utilities/testrunners/php71/Dockerfile b/utilities/testrunners/php71/Dockerfile
new file mode 100644
index 000000000..2ae6c1aef
--- /dev/null
+++ b/utilities/testrunners/php71/Dockerfile
@@ -0,0 +1,10 @@
+FROM php:7.1-cli
+
+## Basic utilities
+RUN apt-get update -yqq && apt-get install -y curl apt-utils git zip unzip
+
+## Composer
+COPY ./utilities/testrunners/shared/install-composer.sh /root/install-composer.sh
+WORKDIR /root
+RUN sh ./install-composer.sh
+RUN mv ./composer.phar /usr/local/bin/composer
diff --git a/utilities/testrunners/php72/Dockerfile b/utilities/testrunners/php72/Dockerfile
new file mode 100644
index 000000000..25f1688db
--- /dev/null
+++ b/utilities/testrunners/php72/Dockerfile
@@ -0,0 +1,10 @@
+FROM php:7.2-cli
+
+## Basic utilities
+RUN apt-get update -yqq && apt-get install -y curl apt-utils git zip unzip
+
+## Composer
+COPY ./utilities/testrunners/shared/install-composer.sh /root/install-composer.sh
+WORKDIR /root
+RUN sh ./install-composer.sh
+RUN mv ./composer.phar /usr/local/bin/composer
diff --git a/utilities/testrunners/php73/Dockerfile b/utilities/testrunners/php73/Dockerfile
new file mode 100644
index 000000000..e276bdcdb
--- /dev/null
+++ b/utilities/testrunners/php73/Dockerfile
@@ -0,0 +1,10 @@
+FROM php:7.3-cli
+
+## Basic utilities
+RUN apt-get update -yqq && apt-get install -y curl apt-utils git zip unzip
+
+## Composer
+COPY ./utilities/testrunners/shared/install-composer.sh /root/install-composer.sh
+WORKDIR /root
+RUN sh ./install-composer.sh
+RUN mv ./composer.phar /usr/local/bin/composer
diff --git a/utilities/testrunners/php74/Dockerfile b/utilities/testrunners/php74/Dockerfile
new file mode 100644
index 000000000..d6fb4c39a
--- /dev/null
+++ b/utilities/testrunners/php74/Dockerfile
@@ -0,0 +1,10 @@
+FROM php:7.4-cli
+
+## Basic utilities
+RUN apt-get update -yqq && apt-get install -y curl apt-utils git zip unzip
+
+## Composer
+COPY ./utilities/testrunners/shared/install-composer.sh /root/install-composer.sh
+WORKDIR /root
+RUN sh ./install-composer.sh
+RUN mv ./composer.phar /usr/local/bin/composer
diff --git a/utilities/testrunners/run-test.sh b/utilities/testrunners/run-test.sh
new file mode 100755
index 000000000..25fe94c79
--- /dev/null
+++ b/utilities/testrunners/run-test.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+composer update && php ./vendor/phpunit/phpunit/phpunit -c phpunit.xml tests
diff --git a/utilities/testrunners/shared/install-composer.sh b/utilities/testrunners/shared/install-composer.sh
new file mode 100644
index 000000000..585031d99
--- /dev/null
+++ b/utilities/testrunners/shared/install-composer.sh
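Review bot: `composer update` in `run-test.sh` re-resolves dependencies on every run and rewrites `composer.lock` inside the bind-mounted checkout (`.:/app` in docker-compose.yml), so a local test run can leave a modified lock file and a `vendor/` from another PHP version behind, and it does not exercise the lock that the GitHub workflow validates and installs. If a single lock cannot satisfy every PHP version from 5.4 to 7.4 — which looks like the reason for `update` rather than `install` — say so in a comment, e.g. `# composer update, not install: one lock file cannot resolve for every PHP version, so each runner resolves its own set`, so nobody "fixes" it back to `install` without understanding the trade-off.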
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+
+if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
+then
+ >&2 echo 'ERROR: Invalid installer checksum'
+ rm composer-setup.php
+ exit 1
+fi
+
+php composer-setup.php --quiet
+RESULT=$?
+rm composer-setup.php
+exit $RESULT
\ No newline at end of file
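Review bot: `EXPECTED_CHECKSUM` comes straight from a network fetch with no check that it is non-empty, so when `installer.sig` cannot be downloaded (plausible on the PHP 5.x images whose CA store the Dockerfiles have to patch) the script dies with the misleading `ERROR: Invalid installer checksum` instead of naming the real cause; a guard such as `[ -n "$EXPECTED_CHECKSUM" ] || { >&2 echo 'ERROR: could not fetch installer signature'; exit 1; }` placed before the `php -r "copy(...)"` download keeps the failure diagnosable. The comparison still fails closed in that case, which is the important property and is worth stating in a comment above the `if`. The installer is run unpinned (`php composer-setup.php --quiet`), so every image build picks up whatever Composer release is current that day; passing `--version=<pinned composer version>` keeps the test runners reproducible across rebuilds. The file also ends without a trailing newline.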