Smarty DB resource

Smarty resource plugin that can read templates from database.

This plugin is inspired but similar from Xoops - resource.db.

Installation

To install and use this package, we recommend to use Composer:

composer require imponeer/smarty-db-resource

Otherwise, you need to include manually files from src/ directory.

Registering in Smarty

If you want to use these extensions from this package in your project you need register them with registerResource function from Smarty. For example:

$smarty = new \Smarty();
$plugin = new \Imponeer\Smarty\Extensions\DBResource\DBResource(
    $pdo, // PDO compatible database connection
    'default', // current template set name
    'tplfile',
    'tpl_source',
    'tpl_lastmodified',
    'tpl_tplset',
    'tpl_file',
    function (array $row): string { // function that converts database row info into string of real file
       return $row['file'];
    },
    'default'
);
$smarty->registerResource($plugin->getName(), $plugin);

Using from templates

To use this resource from templates, you need to use db: prefix when accessing files. For example :

  {include file="db:/images/image.tpl"}

How to contribute?

If you want to add some functionality or fix bugs, you can fork, change and create pull request. If you not sure how this works, try interactive GitHub tutorial.

If you found any bug or have some questions, use issues tab and write there your questions.

CVE-2022-29221 (High) detected in smarty/smarty-v3.1.44

CVE-2022-29221 - High Severity Vulnerability

Vulnerable Library - smarty/smarty-v3.1.44

Smarty - the compiling PHP template engine

Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/99085d8dc65eeb5e55ae3cba74d3dc6b3bb0205e

Dependency Hierarchy:

imponeer/smarty-extensions-contracts-v1.0.0 (Root Library)
- ❌ smarty/smarty-v3.1.44 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.

Publish Date: 2022-05-24

URL: CVE-2022-29221

CVSS 3 Score Details (8.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-634x-pc3q-cf4c

Release Date: 2022-05-24

Fix Resolution: v3.1.45;v4.1.1

Step up your Open Source Security Game with Mend here

imponeer / smarty-db-resource Goto Github PK