Version in base suite: 3.1.47-2
Base version: smarty3_3.1.47-2
Target version: smarty3_3.1.47-2+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/smarty3/smarty3_3.1.47-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/smarty3/smarty3_3.1.47-2+deb12u1.dsc
changelog | 10 +
patches/0001-CVE-2024-35226.patch | 155 +++++++++++++++++++
patches/0002-CVE-2023-28447.patch | 56 ++++++
patches/series | 2
tests/CVE-2018-25047 | 12 +
tests/CVE-2018-25047-tests/output.html-good | 2
tests/CVE-2018-25047-tests/page1.tpl | 2
tests/CVE-2018-25047-tests/test.php | 11 +
tests/CVE-2023-28447 | 12 +
tests/CVE-2023-28447-tests/test.php | 25 +++
tests/CVE-2023-28447-tests/test2.php | 25 +++
tests/CVE-2023-28447-tests/test3.php | 27 +++
tests/CVE-2024-35226 | 12 +
tests/CVE-2024-35226-tests/001_parent.tpl | 1
tests/CVE-2024-35226-tests/escaping.tpl | 1
tests/CVE-2024-35226-tests/escaping2.tpl | 1
tests/CVE-2024-35226-tests/escaping3.tpl | 1
tests/CVE-2024-35226-tests/helloworld.tpl | 1
tests/CVE-2024-35226-tests/test1.php | 22 ++
tests/CVE-2024-35226-tests/test2.php | 23 ++
tests/CVE-2024-35226-tests/test3.php | 23 ++
tests/CVE-2024-35226-tests/test4.php | 24 ++
tests/CVE-2024-35226-tests/test5.php | 22 ++
tests/CVE-2024-35226-tests/test_include_001.tpl | 1
tests/CVE-2024-35226-tests/test_include_001_2.tpl | 1
tests/CVE-2024-35226-tests/test_include_001_3.tpl | 1
tests/CVE-2024-35226-tests/test_include_security.tpl | 1
tests/control | 4
28 files changed, 478 insertions(+)
diff -Nru smarty3-3.1.47/debian/changelog smarty3-3.1.47/debian/changelog
--- smarty3-3.1.47/debian/changelog 2022-10-25 05:42:53.000000000 +0000
+++ smarty3-3.1.47/debian/changelog 2024-12-06 13:39:32.000000000 +0000
@@ -1,3 +1,13 @@
+smarty3 (3.1.47-2+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2023-28447 - JavaScript injection (Closes: #1033964)
+ * CVE-2024-35226 - PHP Code injection by untrusted template authors
+ (Closes: #1072530)
+ * Add simple autopkgtests for the three CVEs.
+
+ -- Tobias Frost Fri, 06 Dec 2024 14:39:32 +0100
+
 smarty3 (3.1.47-2) unstable; urgency=medium
 * debian/control:
diff -Nru smarty3-3.1.47/debian/patches/0001-CVE-2024-35226.patch smarty3-3.1.47/debian/patches/0001-CVE-2024-35226.patch
--- smarty3-3.1.47/debian/patches/0001-CVE-2024-35226.patch 1970-01-01 00:00:00.000000000 +0000
+++ smarty3-3.1.47/debian/patches/0001-CVE-2024-35226.patch 2024-11-17 14:51:45.000000000 +0000
@@ -0,0 +1,155 @@
+Description: CVE-2024-35226 - code injection vulnerability in extends-tag
+Origin: https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2
+Bug: https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072530
+
+From 76881c8d33d80648f70c9b0339f770f5f69a87a2 Mon Sep 17 00:00:00 2001
+From: Simon Wisselink
+Date: Tue, 28 May 2024 22:44:30 +0200
+Subject: [PATCH] Merge pull request from GHSA-4rmg-292m-wg3w
+
+* Fixed a code injection vulnerability in extends-tag
+
+* update tests for smarty v4
+---
+ changelog/GHSA-4rmg-292m-wg3w.md | 1 +
+ .../smarty_internal_compile_extends.php | 66 +------------------
+ .../smarty_internal_templatecompilerbase.php | 24 +++++--
+ .../BockExtend/CompileBlockExtendsTest.php | 36 +++++++++-
+ .../BockExtend/templates/escaping.tpl | 1 +
+ .../BockExtend/templates/escaping2.tpl | 1 +
+ .../BockExtend/templates/escaping3.tpl | 1 +
+ .../TagTests/Include/CompileIncludeTest.php | 12 ++++
+ .../templates/test_include_security.tpl | 1 +
+ .../_Issues/419/ExtendsIssue419Test.php | 7 ++
+ 10 files changed, 78 insertions(+), 72 deletions(-)
+ create mode 100644 changelog/GHSA-4rmg-292m-wg3w.md
+ create mode 100644 tests/UnitTests/TemplateSource/TagTests/BockExtend/templates/escaping.tpl
+ create mode 100644 tests/UnitTests/TemplateSource/TagTests/BockExtend/templates/escaping2.tpl
+ create mode 100644 tests/UnitTests/TemplateSource/TagTests/BockExtend/templates/escaping3.tpl
+ create mode 100644 tests/UnitTests/TemplateSource/TagTests/Include/templates/test_include_security.tpl
+
+--- a/libs/sysplugins/smarty_internal_compile_extends.php
++++ b/libs/sysplugins/smarty_internal_compile_extends.php
+@@ -30,7 +30,7 @@
+ *
+ * @var array
+ */
+- public $optional_attributes = array('extends_resource');
++ public $optional_attributes = array();
+
+ /**
+ * Attribute definition: Overwrites base class.
+@@ -62,29 +62,7 @@
+ }
+ // add code to initialize inheritance
+ $this->registerInit($compiler, true);
+- $file = trim($_attr[ 'file' ], '\'"');
+- if (strlen($file) > 8 && substr($file, 0, 8) === 'extends:') {
+- // generate code for each template
+- $files = array_reverse(explode('|', substr($file, 8)));
+- $i = 0;
+- foreach ($files as $file) {
+- if ($file[ 0 ] === '"') {
+- $file = trim($file, '".');
+- } else {
+- $file = "'{$file}'";
+- }
+- $i++;
+- if ($i === count($files) && isset($_attr[ 'extends_resource' ])) {
+- $this->compileEndChild($compiler);
+- }
+- $this->compileInclude($compiler, $file);
+- }
+- if (!isset($_attr[ 'extends_resource' ])) {
+- $this->compileEndChild($compiler);
+- }
+- } else {
+- $this->compileEndChild($compiler, $_attr[ 'file' ]);
+- }
++ $this->compileEndChild($compiler, $_attr[ 'file' ]);
+ $compiler->has_code = false;
+ return '';
+ }
+@@ -115,44 +93,4 @@
+ '') . ");\n?>"
+ );
+ }
+-
+- /**
+- * Add code for including subtemplate to end of template
+- *
+- * @param \Smarty_Internal_TemplateCompilerBase $compiler
+- * @param string $template subtemplate name
+- *
+- * @throws \SmartyCompilerException
+- * @throws \SmartyException
+- */
+- private function compileInclude(Smarty_Internal_TemplateCompilerBase $compiler, $template)
+- {
+- $compiler->parser->template_postfix[] = new Smarty_Internal_ParseTree_Tag(
+- $compiler->parser,
+- $compiler->compileTag(
+- 'include',
+- array(
+- $template,
+- array('scope' => 'parent')
+- )
+- )
+- );
+- }
+-
+- /**
+- * Create source code for {extends} from source components array
+- *
+- * @param \Smarty_Internal_Template $template
+- *
+- * @return string
+- */
+- public static function extendsSourceArrayCode(Smarty_Internal_Template $template)
+- {
+- $resources = array();
+- foreach ($template->source->components as $source) {
+- $resources[] = $source->resource;
+- }
+- return $template->smarty->left_delimiter . 'extends file=\'extends:' . join('|', $resources) .
+- '\' extends_resource=true' . $template->smarty->right_delimiter;
+- }
+ }
+--- a/libs/sysplugins/smarty_internal_templatecompilerbase.php
++++ b/libs/sysplugins/smarty_internal_templatecompilerbase.php
+@@ -470,15 +470,29 @@
+ $this->smarty->_current_file = $this->template->source->filepath;
+ // get template source
+ if (!empty($this->template->source->components)) {
+- // we have array of inheritance templates by extends: resource
+- // generate corresponding source code sequence
+- $_content =
+- Smarty_Internal_Compile_Extends::extendsSourceArrayCode($this->template);
++ $_compiled_code = '_loadInheritance(); $_smarty_tpl->inheritance->init($_smarty_tpl, true); ?>';
++
++ $i = 0;
++ $reversed_components = array_reverse($this->template->getSource()->components);
++ foreach ($reversed_components as $source) {
++ $i++;
++ if ($i === count($reversed_components)) {
++ $_compiled_code .= 'inheritance->endChild($_smarty_tpl); ?>';
++ }
++ $_compiled_code .= $this->compileTag(
++ 'include',
++ [
++ var_export($source->resource, true),
++ ['scope' => 'parent'],
++ ]
++ );
++ }
++ $_compiled_code = $this->postFilter($_compiled_code, $this->template);
+ } else {
+ // get template source
+ $_content = $this->template->source->getContent();
++ $_compiled_code = $this->postFilter($this->doCompile($this->preFilter($_content), true));
+ }
+- $_compiled_code = $this->postFilter($this->doCompile($this->preFilter($_content), true));
+ if (!empty($this->required_plugins[ 'compiled' ]) || !empty($this->required_plugins[ 'nocache' ])) {
+ $_compiled_code = 'compileRequiredPlugins() . "?>\n" . $_compiled_code;
+ }
diff -Nru smarty3-3.1.47/debian/patches/0002-CVE-2023-28447.patch smarty3-3.1.47/debian/patches/0002-CVE-2023-28447.patch
--- smarty3-3.1.47/debian/patches/0002-CVE-2023-28447.patch 1970-01-01 00:00:00.000000000 +0000
+++ smarty3-3.1.47/debian/patches/0002-CVE-2023-28447.patch 2024-11-17 15:00:11.000000000 +0000
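Review bot: The `var_export($source->resource, true)` argument in the new `components` loop of `smarty_internal_templatecompilerbase.php` appears to be what keeps a resource name as data in the compiled template, where the removed code hand-quoted it with `"'{$file}'"`, and nothing in the hunk records that. I would add a comment above the `compileTag('include', …)` call: `// var_export() renders the resource name as an escaped PHP string literal; keep it, never hand-quote it`. The two `postFilter()` calls in the same hunk also differ in arity, `postFilter($_compiled_code, $this->template)` in the `components` branch against a single argument in the `else` branch; the method's signature is not visible here, so confirm which form it accepts and use one. The enclosing method starts and ends outside the hunk.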
@@ -0,0 +1,56 @@
+Description: CVE-2023-28447 - potential arbitrary code execution in victim's browser
+Origin: https://github.com/smarty-php/smarty/commit/7677db7bc9a1dcfcad1435fc9d3bac3f295ca3ad
+Bug: https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033964
+From 7677db7bc9a1dcfcad1435fc9d3bac3f295ca3ad Mon Sep 17 00:00:00 2001
+From: Simon Wisselink
+Date: Fri, 24 Mar 2023 12:19:34 +0100
+Subject: [PATCH] Implement fix and tests
+
+---
+ libs/plugins/modifier.escape.php | 4 +++-
+ libs/plugins/modifiercompiler.escape.php | 4 +++-
+ .../PluginModifierEscapeTest.php | 21 +++++++++++++++++++
+ .../Operators/templates_c/.gitignore | 2 ++
+ 4 files changed, 29 insertions(+), 2 deletions(-)
+ create mode 100644 tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
+
+--- a/libs/plugins/modifier.escape.php
++++ b/libs/plugins/modifier.escape.php
+@@ -176,7 +176,8 @@
+ return $return;
+ case 'javascript':
+ // escape quotes and backslashes, newlines, etc.
+- return strtr(
++ $_ret =
++ strtr(
+ $string,
+ array(
+ '\\' => '\\\\',
+@@ -188,9 +189,12 @@
+ // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+ '