summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-06-21 11:07:34 +0200
committerRemi Collet <remi@remirepo.net>2019-06-21 11:07:34 +0200
commitf4dd8cae6b07d186eed1fbd80f1ee8d73944bf2b (patch)
tree4aaffbeb8edada25708279730be879d8d7119e54
parentf7d427b103d9e36960170be59233252b0a8fdd74 (diff)
- [security] Prevent execution of XSS on rich text
- [security] Prevent XSS attack on user picture
-rw-r--r--6054.patch112
-rw-r--r--glpi.spec10
2 files changed, 121 insertions, 1 deletions
diff --git a/6054.patch b/6054.patch
new file mode 100644
index 0000000..1b0e9cf
--- /dev/null
+++ b/6054.patch
@@ -0,0 +1,112 @@
+From 272f715bebc7894ef42eee498a193eae52e75068 Mon Sep 17 00:00:00 2001
+From: Alexandre Delaunay <delaunay.alexandre@gmail.com>
+Date: Thu, 20 Jun 2019 10:40:41 +0200
+Subject: [PATCH 1/3] avoid xss attack on user picture
+
+(cherry picked from commit c2aa7a7cd6af28be3809acc7e7842d2d2008c0fb)
+---
+ inc/user.class.php | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/inc/user.class.php b/inc/user.class.php
+index 2a7b9a87c4..0257684326 100644
+--- a/inc/user.class.php
++++ b/inc/user.class.php
+@@ -576,6 +576,11 @@ function prepareInputForAdd($input) {
+ return false;
+ }
+
++ // avoid xss (picture field is autogenerated)
++ if (isset($input['picture'])) {
++ $input['picture'] = 'NULL';
++ }
++
+ if (!isset($input["authtype"])) {
+ $input["authtype"] = Auth::DB_GLPI;
+ }
+@@ -707,6 +712,11 @@ function post_addItem() {
+ function prepareInputForUpdate($input) {
+ global $CFG_GLPI;
+
++ // avoid xss (picture field is autogenerated)
++ if (isset($input['picture'])) {
++ $input['picture'] = 'NULL';
++ }
++
+ //picture manually uploaded by user
+ if (isset($input["_blank_picture"]) && $input["_blank_picture"]) {
+ self::dropPictureFiles($this->fields['picture']);
+@@ -2012,6 +2022,7 @@ function showForm($ID, array $options = []) {
+ }
+
+ if (!empty($this->fields["name"])) {
++
+ echo "<td rowspan='4'>" . __('Picture') . "</td>";
+ echo "<td rowspan='4'>";
+ echo "<div class='user_picture_border_small' id='picture$rand'>";
+@@ -4701,6 +4712,9 @@ static function checkDefaultPasswords() {
+ static function getURLForPicture($picture) {
+ global $CFG_GLPI;
+
++ // prevent xss
++ $picture = Html::cleanInputText($picture);
++
+ if (!empty($picture)) {
+ return $CFG_GLPI["root_doc"]."/front/document.send.php?file=_pictures/$picture";
+ }
+@@ -4720,6 +4734,9 @@ static function getURLForPicture($picture) {
+ static function getThumbnailURLForPicture($picture) {
+ global $CFG_GLPI;
+
++ // prevent xss
++ $picture = Html::cleanInputText($picture);
++
+ if (!empty($picture)) {
+ $tmp = explode(".", $picture);
+ if (count($tmp) ==2) {
+
+From d9690bfc66e07cc24494d80d9a73176f557aec29 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Anne?= <cedric.anne@gmail.com>
+Date: Thu, 20 Jun 2019 11:51:54 +0200
+Subject: [PATCH 2/3] Prevent execution of javascript event on rich text
+
+(cherry picked from commit 2ee18d241632b29e3402b4c2990176309a5bd84c)
+---
+ inc/html.class.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/inc/html.class.php b/inc/html.class.php
+index f9aa6532dd..6fd95adc7c 100644
+--- a/inc/html.class.php
++++ b/inc/html.class.php
+@@ -84,6 +84,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) {
+ $value,
+ [
+ 'elements' => ($striptags) ? 'none' : '',
++ 'deny_attribute' => 'on*',
+ 'keep_bad' => $keep_bad, // 1: neutralize tag and content, 2 : remove tag and neutralize content
+ 'comment' => 1, // 1: remove
+ 'cdata' => 1, // 1: remove
+
+From 7e2dfbf68b48988f717f3b4c9e58f1ca873d6e4e Mon Sep 17 00:00:00 2001
+From: Johan Cwiklinski <jcwiklinski@teclib.com>
+Date: Thu, 20 Jun 2019 14:47:18 +0200
+Subject: [PATCH 3/3] Forbid javascript scheme
+
+(cherry picked from commit 081338b2fa3a98eacb6f7ca380714f34ec0266ff)
+---
+ inc/html.class.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/inc/html.class.php b/inc/html.class.php
+index 6fd95adc7c..6a1b1961c9 100644
+--- a/inc/html.class.php
++++ b/inc/html.class.php
+@@ -89,6 +89,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) {
+ 'comment' => 1, // 1: remove
+ 'cdata' => 1, // 1: remove
+ 'direct_list_nest' => 1, // 1: Allow usage of ul/ol tags nested in other ul/ol tags
++ 'schemes' => 'aim, app, feed, file, ftp, gopher, http, https, !javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet'
+ ]
+ );
+
diff --git a/glpi.spec b/glpi.spec
index 22aee17..e06b306 100644
--- a/glpi.spec
+++ b/glpi.spec
@@ -55,7 +55,7 @@ Name: %{gh_project}
%global upstream_version 9.3.4
#global upstream_prever RC2
Version: %{upstream_version}%{?upstream_prever:~%{upstream_prever}}
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Free IT asset management software
Summary(fr): Gestion Libre de Parc Informatique
@@ -75,6 +75,9 @@ Source6: %{name}-minify.php
# Override PHP configuration for php-fpm
Source7: %{name}-user.ini
+# Security patches
+Patch0: https://patch-diff.githubusercontent.com/raw/glpi-project/glpi/pull/6054.patch
+
BuildArch: noarch
BuildRequires: gettext
BuildRequires: php-cli
@@ -308,6 +311,7 @@ techniciens grâce à une maintenance plus cohérente.
%prep
%setup -q -n %{name}-%{gh_commit}
+%patch0 -p1
grep %{upstream_version} inc/define.php
@@ -596,6 +600,10 @@ fi
%changelog
+* Fri Jun 21 2019 Remi Collet <remi@remirepo.net> - 9.3.4-2
+- [security] Prevent execution of XSS on rich text
+- [security] Prevent XSS attack on user picture
+
* Thu Apr 11 2019 Remi Collet <remi@remirepo.net> - 9.3.4-1
- update to 9.3.4