CIVI-SA-2024-03: Smarty Security Policy

Published
2024-06-19 12:00
Written by
dev-team - member of the CiviCRM community - view blog guidelines

CiviCRM uses the Smarty template system for high-trust content (built-in template files, written by developers) and low-trust content (user-supplied templates, written by back-office users). Low-trust content is subject to sandboxing, but there were issues in how this was applied.

The issues arise at a time when the Smarty integration is transitioning. Different sites may use different Smarty versions (2.x, 3.x, 4.x, 5.x), and the exact impact varies by version. The impact is more severe on 3.x and 4.x, but all versions are impacted in some way -- allowing access to sensitive information and/or sensitive functionality.

The new updates establish a stricter and more consistent set of policies across all Smarty versions.

The new policies may be too strict for some organizations. For example, user-supplied templates are now prohibited from accessing some uncommon (but powerful) Smarty features. You may use a new programmatic API (hook_civicrm_userContentPolicy) to grant access to restricted functions.

(Addendum) You may wish to audit your user-supplied templates to determine if they conform to the latest security policy. See the User Content Audit snippet for an example.

Security Risk
Critical
Vulnerability
Arbitrary PHP Code Execution
Affected Versions

CiviCRM version 5.74.3 and earlier

Fixed Versions

CiviCRM version 5.74.4 and 5.69.6 (ESR)

Publication Date
Solutions

Upgrade to the fixed version of CiviCRM

Credits

Dave D; JMA Consulting - Seamus Lee; Greenpeace Central and Eastern Europe - Patrick Figel; CiviCRM - Tim Otten; Wikimedia Foundation - Eileen McNaughton

References

security/core#132