1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
From 272f715bebc7894ef42eee498a193eae52e75068 Mon Sep 17 00:00:00 2001
From: Alexandre Delaunay <delaunay.alexandre@gmail.com>
Date: Thu, 20 Jun 2019 10:40:41 +0200
Subject: [PATCH 1/3] avoid xss attack on user picture
(cherry picked from commit c2aa7a7cd6af28be3809acc7e7842d2d2008c0fb)
---
inc/user.class.php | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/inc/user.class.php b/inc/user.class.php
index 2a7b9a87c4..0257684326 100644
--- a/inc/user.class.php
+++ b/inc/user.class.php
@@ -576,6 +576,11 @@ function prepareInputForAdd($input) {
return false;
}
+ // avoid xss (picture field is autogenerated)
+ if (isset($input['picture'])) {
+ $input['picture'] = 'NULL';
+ }
+
if (!isset($input["authtype"])) {
$input["authtype"] = Auth::DB_GLPI;
}
@@ -707,6 +712,11 @@ function post_addItem() {
function prepareInputForUpdate($input) {
global $CFG_GLPI;
+ // avoid xss (picture field is autogenerated)
+ if (isset($input['picture'])) {
+ $input['picture'] = 'NULL';
+ }
+
//picture manually uploaded by user
if (isset($input["_blank_picture"]) && $input["_blank_picture"]) {
self::dropPictureFiles($this->fields['picture']);
@@ -2012,6 +2022,7 @@ function showForm($ID, array $options = []) {
}
if (!empty($this->fields["name"])) {
+
echo "<td rowspan='4'>" . __('Picture') . "</td>";
echo "<td rowspan='4'>";
echo "<div class='user_picture_border_small' id='picture$rand'>";
@@ -4701,6 +4712,9 @@ static function checkDefaultPasswords() {
static function getURLForPicture($picture) {
global $CFG_GLPI;
+ // prevent xss
+ $picture = Html::cleanInputText($picture);
+
if (!empty($picture)) {
return $CFG_GLPI["root_doc"]."/front/document.send.php?file=_pictures/$picture";
}
@@ -4720,6 +4734,9 @@ static function getURLForPicture($picture) {
static function getThumbnailURLForPicture($picture) {
global $CFG_GLPI;
+ // prevent xss
+ $picture = Html::cleanInputText($picture);
+
if (!empty($picture)) {
$tmp = explode(".", $picture);
if (count($tmp) ==2) {
From d9690bfc66e07cc24494d80d9a73176f557aec29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Anne?= <cedric.anne@gmail.com>
Date: Thu, 20 Jun 2019 11:51:54 +0200
Subject: [PATCH 2/3] Prevent execution of javascript event on rich text
(cherry picked from commit 2ee18d241632b29e3402b4c2990176309a5bd84c)
---
inc/html.class.php | 1 +
1 file changed, 1 insertion(+)
diff --git a/inc/html.class.php b/inc/html.class.php
index f9aa6532dd..6fd95adc7c 100644
--- a/inc/html.class.php
+++ b/inc/html.class.php
@@ -84,6 +84,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) {
$value,
[
'elements' => ($striptags) ? 'none' : '',
+ 'deny_attribute' => 'on*',
'keep_bad' => $keep_bad, // 1: neutralize tag and content, 2 : remove tag and neutralize content
'comment' => 1, // 1: remove
'cdata' => 1, // 1: remove
From 7e2dfbf68b48988f717f3b4c9e58f1ca873d6e4e Mon Sep 17 00:00:00 2001
From: Johan Cwiklinski <jcwiklinski@teclib.com>
Date: Thu, 20 Jun 2019 14:47:18 +0200
Subject: [PATCH 3/3] Forbid javascript scheme
(cherry picked from commit 081338b2fa3a98eacb6f7ca380714f34ec0266ff)
---
inc/html.class.php | 1 +
1 file changed, 1 insertion(+)
diff --git a/inc/html.class.php b/inc/html.class.php
index 6fd95adc7c..6a1b1961c9 100644
--- a/inc/html.class.php
+++ b/inc/html.class.php
@@ -89,6 +89,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) {
'comment' => 1, // 1: remove
'cdata' => 1, // 1: remove
'direct_list_nest' => 1, // 1: Allow usage of ul/ol tags nested in other ul/ol tags
+ 'schemes' => 'aim, app, feed, file, ftp, gopher, http, https, !javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet'
]
);
|
