From 4ac61fec228820155335ede01696c90333fa613a Mon Sep 17 00:00:00 2001 From: Repellent Date: Sun, 16 Nov 2025 23:55:05 +0500 Subject: [PATCH] fix for Smarty 5 --- forms/class/forms.php | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/forms/class/forms.php b/forms/class/forms.php index 4123e37..5c2aaf5 100644 --- a/forms/class/forms.php +++ b/forms/class/forms.php @@ -627,8 +627,13 @@ function _cleanvar($var) $valid = false; // если капча if ($field['title'] == 'captcha') $valid = (empty($_SESSION['captcha_keystring']) || empty($fld_val[0]) || $_SESSION['captcha_keystring'] != $fld_val[0]) ? false : true; - // если файл - elseif ($field['type'] == 'file') $valid = ($_FILES['form-' . $alias_id]['size'][$field_id] / 1024 / 1024) <= $field['setting']; + + // если файл + elseif ($field['type'] == 'file') { + $file_size = (isset($_FILES['form-' . $alias_id]['size'][$field_id])) ? $_FILES['form-' . $alias_id]['size'][$field_id] : 0; + $valid = ($file_size / 1024 / 1024) <= $field['setting']; + } + // Если передали регулярку elseif (isset($field['setting'][0]) && $field['setting'][0] == '/') { $valid = false; // Изначально считаем, что валидности нет @@ -678,11 +683,13 @@ function _cleanvar($var) // пустота (для любых обязательных полей) if (! empty($field['required']) && $field['required']) { - if ($field['type'] == 'file') - $empty = ( - empty($_FILES['form-' . $alias_id]['tmp_name'][$field_id]) || - !empty($_FILES['form-' . $alias_id]['error'][$field_id]) - ); + if ($field['type'] == 'file') { + // Безопасный доступ к $_FILES + $is_uploaded = isset($_FILES['form-' . $alias_id]['tmp_name'][$field_id]) && !empty($_FILES['form-' . $alias_id]['tmp_name'][$field_id]); + $has_error = isset($_FILES['form-' . $alias_id]['error'][$field_id]) && !empty($_FILES['form-' . $alias_id]['error'][$field_id]); + + $empty = (!$is_uploaded || $has_error); + } else { $clean_fld_val = $this->_cleanvar($fld_val); 
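Review bot: In the `file` branch of the hunk at `@@ -627,8 +627,13 @@`, a missing `$_FILES` entry and a failed upload both end up as size 0 and therefore pass the size check. PHP reports size 0 together with a non-zero `error` code (for example `UPLOAD_ERR_INI_SIZE` or `UPLOAD_ERR_PARTIAL`) when the upload itself was rejected, so an oversized file on a non-required field would presumably be marked valid here; whether a later step reports it is not visible in this hunk. Consider reading the error code as well: `$upload_err = $_FILES['form-' . $alias_id]['error'][$field_id] ?? UPLOAD_ERR_NO_FILE;` and `$valid = in_array($upload_err, [UPLOAD_ERR_OK, UPLOAD_ERR_NO_FILE], true) && ($file_size / 1024 / 1024) <= $field['setting'];`. The `isset(...) ? ... : 0` form could also be written with `??`, as the later hunks of this patch do. The enclosing function starts and ends outside the hunk.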
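Review bot: In the hunk at `@@ -678,11 +683,13 @@`, the `isset(...) &&` in front of each `!empty(...)` in `$is_uploaded` and `$has_error` is redundant, because `empty()` already returns true for a missing key without raising a notice; the removed lines were equally safe in that respect. The two lines read more plainly as `$is_uploaded = !empty($_FILES['form-' . $alias_id]['tmp_name'][$field_id]);` and `$has_error = !empty($_FILES['form-' . $alias_id]['error'][$field_id]);`. The comment `// Безопасный доступ к $_FILES` could instead say what the check decides: a required file field counts as empty when nothing was uploaded or the upload reported an error. The surrounding `if`/`else` continues past the end of the hunk.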
@@ -731,7 +738,8 @@ function _cleanvar($var) if ($field['is_used'] !== true || empty($field['active'])) return ''; // иначе, продолжаем $alias_id = $this->form['alias_id']; - $val = $_POST['form-' . $alias_id][$field_id]; + // Если ключ $field_id отсутствует в $_POST, берем пустую строку. + $val = $_POST['form-' . $alias_id][$field_id] ?? ''; $newval = ''; $tag_mail_empty = ($this->form['mail_set']['format'] === 'text' ? '<' : '<') . $AVE_Template->get_config_vars('tag_mail_empty') . ($this->form['mail_set']['format'] === 'text' ? '>' : '>'); @@ -1418,7 +1426,9 @@ function _cleanvar($var) { foreach ($_FILES['form-' . $alias_id]['name'] as $field_id => $fname) { - $ext = (end(explode('.', $fname))); + // ИСПРАВЛЕНИЕ: Безопасное получение расширения + $path_parts = pathinfo($fname); + $ext = $path_parts['extension'] ?? ''; if ( !empty($_FILES['form-' . $alias_id]['tmp_name'][$field_id]) &&
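Review bot: In the hunk at `@@ -1418,7 +1426,9 @@`, `$fname` is the client-supplied file name, so `$ext` is text chosen by the uploader and keeps its original letter case. `pathinfo()` can return the extension directly, which removes the temporary array: `$ext = pathinfo($fname, PATHINFO_EXTENSION);` (it yields an empty string when the name has no dot). The condition that follows is cut off at the end of the hunk; if it compares `$ext` against a list of permitted extensions, the value should be lower-cased first so that `.PHP` and `.php` are treated alike. A name without a dot now gives an empty extension where the old `end(explode('.', $fname))` returned the whole name, which is worth stating in the comment next to the change.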