From 272f715bebc7894ef42eee498a193eae52e75068 Mon Sep 17 00:00:00 2001 From: Alexandre Delaunay Date: Thu, 20 Jun 2019 10:40:41 +0200 Subject: [PATCH 1/3] avoid xss attack on user picture (cherry picked from commit c2aa7a7cd6af28be3809acc7e7842d2d2008c0fb) --- inc/user.class.php | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/inc/user.class.php b/inc/user.class.php index 2a7b9a87c4..0257684326 100644 --- a/inc/user.class.php +++ b/inc/user.class.php @@ -576,6 +576,11 @@ function prepareInputForAdd($input) { return false; } + // avoid xss (picture field is autogenerated) + if (isset($input['picture'])) { + $input['picture'] = 'NULL'; + } + if (!isset($input["authtype"])) { $input["authtype"] = Auth::DB_GLPI; } @@ -707,6 +712,11 @@ function post_addItem() { function prepareInputForUpdate($input) { global $CFG_GLPI; + // avoid xss (picture field is autogenerated) + if (isset($input['picture'])) { + $input['picture'] = 'NULL'; + } + //picture manually uploaded by user if (isset($input["_blank_picture"]) && $input["_blank_picture"]) { self::dropPictureFiles($this->fields['picture']); @@ -2012,6 +2022,7 @@ function showForm($ID, array $options = []) { } if (!empty($this->fields["name"])) { + echo "" . __('Picture') . ""; echo ""; echo "
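Review bot: The guard added to prepareInputForAdd rewrites `$input['picture']` to the string `'NULL'` whenever the key is present, and the hunk in prepareInputForUpdate in the same patch does the same, which on update means any form or API call that carries the key wipes the user's stored picture rather than just ignoring the untrusted value; unless clearing is the intent, `unset($input['picture']);` is the safer shape for the update path. The literal `'NULL'` also relies on the DB layer mapping that string to SQL NULL rather than storing four characters, which holds only if that is this codebase's convention. Both guards deserve a comment that names the legitimate writer of the column, e.g. `// 'picture' is only set by the upload handling below / by post_addItem; any value arriving in $input is untrusted and discarded`. Whether a picture uploaded in the same update request still reaches the column depends on code after the hunk, which is outside the view.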
"; @@ -4701,6 +4712,9 @@ static function checkDefaultPasswords() { static function getURLForPicture($picture) { global $CFG_GLPI; + // prevent xss + $picture = Html::cleanInputText($picture); + if (!empty($picture)) { return $CFG_GLPI["root_doc"]."/front/document.send.php?file=_pictures/$picture"; } @@ -4720,6 +4734,9 @@ static function getURLForPicture($picture) { static function getThumbnailURLForPicture($picture) { global $CFG_GLPI; + // prevent xss + $picture = Html::cleanInputText($picture); + if (!empty($picture)) { $tmp = explode(".", $picture); if (count($tmp) ==2) { From d9690bfc66e07cc24494d80d9a73176f557aec29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Anne?= Date: Thu, 20 Jun 2019 11:51:54 +0200 Subject: [PATCH 2/3] Prevent execution of javascript event on rich text (cherry picked from commit 2ee18d241632b29e3402b4c2990176309a5bd84c) --- inc/html.class.php | 1 + 1 file changed, 1 insertion(+) diff --git a/inc/html.class.php b/inc/html.class.php index f9aa6532dd..6fd95adc7c 100644 --- a/inc/html.class.php +++ b/inc/html.class.php @@ -84,6 +84,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) { $value, [ 'elements' => ($striptags) ? 'none' : '', + 'deny_attribute' => 'on*', 'keep_bad' => $keep_bad, // 1: neutralize tag and content, 2 : remove tag and neutralize content 'comment' => 1, // 1: remove 'cdata' => 1, // 1: remove From 7e2dfbf68b48988f717f3b4c9e58f1ca873d6e4e Mon Sep 17 00:00:00 2001 From: Johan Cwiklinski Date: Thu, 20 Jun 2019 14:47:18 +0200 Subject: [PATCH 3/3] Forbid javascript scheme (cherry picked from commit 081338b2fa3a98eacb6f7ca380714f34ec0266ff) --- inc/html.class.php | 1 + 1 file changed, 1 insertion(+) diff --git a/inc/html.class.php b/inc/html.class.php index 6fd95adc7c..6a1b1961c9 100644 --- a/inc/html.class.php +++ b/inc/html.class.php 
@@ -89,6 +89,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) { 'comment' => 1, // 1: remove 'cdata' => 1, // 1: remove 'direct_list_nest' => 1, // 1: Allow usage of ul/ol tags nested in other ul/ol tags + 'schemes' => 'aim, app, feed, file, ftp, gopher, http, https, !javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet' ] );
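Review bot: The new `'schemes'` value carries no attribute prefix, whereas htmLawed's documented form is keyed per attribute (`'href: …; *: …'`), so depending on the bundled version an unprefixed list may be applied to every URL attribute or ignored in favour of the `*` default; a unit test that runs a `mailto:` link and a `javascript:` link through `Html::clean` and asserts that only the first survives should land with this change. `!javascript` is redundant in an explicit allowlist unless the library gives the `!` prefix a special meaning — either drop it or add a comment saying why it is there. The line also omits the trailing comma that the previous entry `'direct_list_nest' => 1,` keeps, so the next addition will touch this line again: `'schemes' => '…, tel, telnet',`. The enclosing `clean` method starts before the hunk.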