From f4dd8cae6b07d186eed1fbd80f1ee8d73944bf2b Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Fri, 21 Jun 2019 11:07:34 +0200
Subject: - [security] Prevent execution of XSS on rich text - [security] Prevent XSS attack on user picture
---
 6054.patch | 112 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 6054.patch
(limited to '6054.patch')
diff --git a/6054.patch b/6054.patch
new file mode 100644
index 0000000..1b0e9cf
--- /dev/null
+++ b/6054.patch
@@ -0,0 +1,112 @@
+From 272f715bebc7894ef42eee498a193eae52e75068 Mon Sep 17 00:00:00 2001
+From: Alexandre Delaunay
+Date: Thu, 20 Jun 2019 10:40:41 +0200
+Subject: [PATCH 1/3] avoid xss attack on user picture
+
+(cherry picked from commit c2aa7a7cd6af28be3809acc7e7842d2d2008c0fb)
+---
+ inc/user.class.php | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/inc/user.class.php b/inc/user.class.php
+index 2a7b9a87c4..0257684326 100644
+--- a/inc/user.class.php
++++ b/inc/user.class.php
+@@ -576,6 +576,11 @@ function prepareInputForAdd($input) {
+ return false;
+ }
+
++ // avoid xss (picture field is autogenerated)
++ if (isset($input['picture'])) {
++ $input['picture'] = 'NULL';
++ }
++
+ if (!isset($input["authtype"])) {
+ $input["authtype"] = Auth::DB_GLPI;
+ }
+@@ -707,6 +712,11 @@ function post_addItem() {
+ function prepareInputForUpdate($input) {
+ global $CFG_GLPI;
+
++ // avoid xss (picture field is autogenerated)
++ if (isset($input['picture'])) {
++ $input['picture'] = 'NULL';
++ }
++
+ //picture manually uploaded by user
+ if (isset($input["_blank_picture"]) && $input["_blank_picture"]) {
+ self::dropPictureFiles($this->fields['picture']);
+@@ -2012,6 +2022,7 @@ function showForm($ID, array $options = []) {
+ }
+
+ if (!empty($this->fields["name"])) {
++
+ echo "" . __('Picture') . "";
+ echo "";
+ echo "
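Review bot: Overwriting a caller-supplied `picture` with the string `'NULL'` in both prepareInputForAdd and prepareInputForUpdate clears the stored picture instead of merely ignoring the untrusted field, so any legitimate form or API caller that echoes the field back will silently delete the user's picture; `unset($input['picture']);` discards the attacker-controlled value while leaving the existing row untouched. The fix also relies on the DB layer translating the literal string `'NULL'` into SQL NULL, a convention the hunk does not make explicit; a comment such as `// the string 'NULL' is turned into SQL NULL by the query layer` would help the next reader. Both enclosing functions continue outside the hunk, so whether the upload path below re-assigns `$input['picture']` cannot be confirmed from here.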
";
+@@ -4701,6 +4712,9 @@ static function checkDefaultPasswords() {
+ static function getURLForPicture($picture) {
+ global $CFG_GLPI;
+
++ // prevent xss
++ $picture = Html::cleanInputText($picture);
++
+ if (!empty($picture)) {
+ return $CFG_GLPI["root_doc"]."/front/document.send.php?file=_pictures/$picture";
+ }
+@@ -4720,6 +4734,9 @@ static function getURLForPicture($picture) {
+ static function getThumbnailURLForPicture($picture) {
+ global $CFG_GLPI;
+
++ // prevent xss
++ $picture = Html::cleanInputText($picture);
++
+ if (!empty($picture)) {
+ $tmp = explode(".", $picture);
+ if (count($tmp) ==2) {
+
+From d9690bfc66e07cc24494d80d9a73176f557aec29 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Anne?=
+Date: Thu, 20 Jun 2019 11:51:54 +0200
+Subject: [PATCH 2/3] Prevent execution of javascript event on rich text
+
+(cherry picked from commit 2ee18d241632b29e3402b4c2990176309a5bd84c)
+---
+ inc/html.class.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/inc/html.class.php b/inc/html.class.php
+index f9aa6532dd..6fd95adc7c 100644
+--- a/inc/html.class.php
++++ b/inc/html.class.php
+@@ -84,6 +84,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) {
+ $value,
+ [
+ 'elements' => ($striptags) ? 
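Review bot: `Html::cleanInputText($picture)` is applied inside a URL builder, so the escaping is bound to the wrong context: if cleanInputText is an HTML-entity encoder, as its use here suggests, the returned URL is only safe when echoed raw into HTML, gets double-encoded by callers that escape on output, and is corrupted for non-HTML consumers such as JSON responses or a `Location:` header. The value is a file name interpolated into `?file=_pictures/$picture`, so the context-correct treatment is to restrict it to a file-name character set and percent-encode it, e.g. `if (!preg_match('/^[A-Za-z0-9_.-]+$/', $picture)) { return ''; }` followed by `rawurlencode($picture)`, leaving HTML escaping to the rendering site. Whether `front/document.send.php` itself rejects `..` segments cannot be seen here, and both getURLForPicture and getThumbnailURLForPicture end outside their hunks.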
'none' : '',
++ 'deny_attribute' => 'on*',
+ 'keep_bad' => $keep_bad, // 1: neutralize tag and content, 2 : remove tag and neutralize content
+ 'comment' => 1, // 1: remove
+ 'cdata' => 1, // 1: remove
+
+From 7e2dfbf68b48988f717f3b4c9e58f1ca873d6e4e Mon Sep 17 00:00:00 2001
+From: Johan Cwiklinski
+Date: Thu, 20 Jun 2019 14:47:18 +0200
+Subject: [PATCH 3/3] Forbid javascript scheme
+
+(cherry picked from commit 081338b2fa3a98eacb6f7ca380714f34ec0266ff)
+---
+ inc/html.class.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/inc/html.class.php b/inc/html.class.php
+index 6fd95adc7c..6a1b1961c9 100644
+--- a/inc/html.class.php
++++ b/inc/html.class.php
+@@ -89,6 +89,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) {
+ 'comment' => 1, // 1: remove
+ 'cdata' => 1, // 1: remove
+ 'direct_list_nest' => 1, // 1: Allow usage of ul/ol tags nested in other ul/ol tags
++ 'schemes' => 'aim, app, feed, file, ftp, gopher, http, https, !javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet'
+ ]
+ );
+
-- cgit
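Review bot: `'deny_attribute' => 'on*'` blocks inline event handlers but leaves `style` untouched and, when `$striptags` is false and `elements` is `''`, still admits every element including `script`, `iframe`, `object` and `embed`, so the remaining surface is wider than a rich-text field needs. Assuming the sanitizer is htmLawed, which these option names match, its `'safe' => 1` switch is the documented way to deny `on*` handlers, drop those elements and refuse URLs inside `style` in one place; `'safe' => 1,` next to `deny_attribute` would replace the hand-maintained deny list (verify against the bundled htmLawed version). If `style` must remain allowed for the editor, a comment stating that trade-off would keep the next reviewer from re-raising it. Html::clean starts before the hunk, so the caller-facing contract of `$striptags` cannot be checked here.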
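Review bot: The new `schemes` value is probably not in the form htmLawed parses, which expects per-attribute groups such as `href: ftp, http, https, mailto; *: file, http, https`; a bare comma list without an `attr:` prefix is likely discarded, leaving the library default in force, so this line may be a no-op rather than the fix the subject announces. `!javascript` is also not an allow-list entry: the only `!` form I know of is `style: !`, and in an allow-list `javascript` (like `data`) is excluded simply by being absent, which is why the default already rejects it. The intent should be pinned by a regression test that runs `<a href="javascript:alert(1)">x</a>` and `<a href=" JaVaScRiPt:alert(1)">x</a>` through Html::clean and asserts the href is removed; which htmLawed version is bundled cannot be seen from here.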