[Bps-public-commit] rt-extension-mobileui branch, master, updated. 1.01-12-ged0fcf7
Alex Vandiver
alexmv at bestpractical.com
Fri Jul 27 17:13:35 EDT 2012
The branch, master has been updated
via ed0fcf726fd39f56f06c4a18302cd9e135b8e314 (commit)
via ced598093a5656a96048cde19c49987a9f075119 (commit)
via 71f052d9f645574b1d8996f31a143ec886834dc8 (commit)
via c7510d060b196db86e2f6a21b40dd40db050f7f2 (commit)
via 7f14071b5af6ec5829ddf748802b4b2a4437bc76 (commit)
via 1d75d3f8785c4acf3684b06c7f60634ce69468dc (commit)
via 5a2fb553ff058dd3a18406ee40382aba45ec2337 (commit)
via a0f39b8d3bee947c286f8afc01cc05c7cbb561ff (commit)
via a24f3e81d300125e5b02ca953b5cc0e3eb43b0f2 (commit)
from a6fdc3700788d0eb51382af4146484870fa7f3ca (commit)
Summary of changes:
Changes | 5 +++++
html/m/_elements/footer | 2 +-
html/m/_elements/header | 3 ++-
html/m/ticket/create | 15 ++++++++-------
html/m/ticket/show | 14 +++++++-------
html/m/tickets/search | 2 +-
lib/RT/Extension/MobileUI.pm | 20 +++++++++++++++++++-
7 files changed, 43 insertions(+), 18 deletions(-)
- Log -----------------------------------------------------------------
commit a24f3e81d300125e5b02ca953b5cc0e3eb43b0f2
Author: Shawn M Moore <sartak at bestpractical.com>
Date: Thu May 5 13:29:14 2011 -0400
Escape subject and links in /m/ticket/create
diff --git a/html/m/ticket/create b/html/m/ticket/create
index 2d3a306..95cc529 100644
--- a/html/m/ticket/create
+++ b/html/m/ticket/create
@@ -6,6 +6,7 @@ $CloneTicket => undef
$m->callback( CallbackName => "Init", ARGSRef => \%ARGS );
my $Queue = $ARGS{Queue};
+my $escape = sub { $m->interp->apply_escapes(shift, 'h') };
my $showrows = sub {
my @pairs = @_;
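Review bot: The new `$escape` closure has no comment saying what it is for or that every `$ARGS{...}` value interpolated into markup further down must go through it; a one-liner above it would make the contract visible: `# HTML-escape request values before interpolating them into attributes/markup.`. It also passes its argument through untouched, so an undefined value reaches `apply_escapes` (the call sites below guard with `|| ''`, but a guard inside the closure, `defined $_[0] ? $_[0] : ''`, would presumably make it safe at any future call site as well).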
@@ -218,7 +219,7 @@ if ((!exists $ARGS{'AddMoreAttach'}) and (defined($ARGS{'id'}) and $ARGS{'id'} e
<%perl>
$showrows->(
- loc("Subject") => '<input name="Subject" size="30" maxsize="200" value="'.($ARGS{Subject} || '').'" />');
+ loc("Subject") => '<input name="Subject" size="30" maxsize="200" value="'.$escape->($ARGS{Subject} || '').'" />');
</%perl>
<span class="content-label label"><%loc("Describe the issue below")%></span>
<& /Elements/MessageBox, exists $ARGS{Content} ? (Default => $ARGS{Content}, IncludeSignature => 0 ) : ( QuoteTransaction => $QuoteTransaction ), Height => 5 &>
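Review bot: `maxsize="200"` on the rewritten Subject input is not an HTML attribute, so the 200-character bound is never enforced client-side; `maxlength="200"` is the attribute browsers honour (server-side limits still apply regardless). The `$ARGS{Subject} || ''` guard kept on this line, and on the six link inputs in the next hunk (`@@ -382,12 +383,12`), also turns a submitted value of `0` into an empty field; if that matters, test definedness instead, e.g. `defined $ARGS{Subject} ? $ARGS{Subject} : ''`. The escaping itself is the right shape: each value lands in a double-quoted attribute and passes through the `h` escape first.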
@@ -382,12 +383,12 @@ $showrows->(
<%perl>
$showrows->(
- loc("Depends on") => '<input size="10" name="new-DependsOn" value="' . ($ARGS{'new-DependsOn'} || '' ). '" />',
- loc("Depended on by") => '<input size="10" name="DependsOn-new" value="' . ($ARGS{'DependsOn-new'} || '' ) . '" />',
- loc("Parents") => '<input size="10" name="new-MemberOf" value="' . ($ARGS{'new-MemberOf'} || '') . '" />',
- loc("Children") => '<input size="10" name="MemberOf-new" value="' . ($ARGS{'MemberOf-new'} || '') . '" />',
- loc("Refers to") => '<input size="10" name="new-RefersTo" value="' . ($ARGS{'new-RefersTo'} || '') . '" />',
- loc("Referred to by") => '<input size="10" name="RefersTo-new" value="' . ($ARGS{'RefersTo-new'} || ''). '" />'
+ loc("Depends on") => '<input size="10" name="new-DependsOn" value="' . $escape->($ARGS{'new-DependsOn'} || '' ). '" />',
+ loc("Depended on by") => '<input size="10" name="DependsOn-new" value="' . $escape->($ARGS{'DependsOn-new'} || '' ) . '" />',
+ loc("Parents") => '<input size="10" name="new-MemberOf" value="' . $escape->($ARGS{'new-MemberOf'} || '') . '" />',
+ loc("Children") => '<input size="10" name="MemberOf-new" value="' . $escape->($ARGS{'MemberOf-new'} || '') . '" />',
+ loc("Refers to") => '<input size="10" name="new-RefersTo" value="' . $escape->($ARGS{'new-RefersTo'} || '') . '" />',
+ loc("Referred to by") => '<input size="10" name="RefersTo-new" value="' . $escape->($ARGS{'RefersTo-new'} || ''). '" />'
);
</%perl>
commit a0f39b8d3bee947c286f8afc01cc05c7cbb561ff
Author: Shawn M Moore <sartak at bestpractical.com>
Date: Thu May 5 13:46:33 2011 -0400
Escape the name of the predefined search that was not found
diff --git a/html/m/tickets/search b/html/m/tickets/search
index 16864b4..115426b 100644
--- a/html/m/tickets/search
+++ b/html/m/tickets/search
@@ -31,7 +31,7 @@ my $search;
if ( $custom->Description eq $name ) { $search = $custom; last }
}
unless ( $search && $search->id ) {
- $m->out("Predefined search $name not found");
+ $m->out("Predefined search ".$m->interp->apply_escapes($name, 'h')." not found");
return;
}
}
commit 5a2fb553ff058dd3a18406ee40382aba45ec2337
Author: Shawn M Moore <sartak at bestpractical.com>
Date: Thu May 5 14:32:23 2011 -0400
Use loc for interpolation
diff --git a/html/m/tickets/search b/html/m/tickets/search
index 115426b..e688ea8 100644
--- a/html/m/tickets/search
+++ b/html/m/tickets/search
@@ -31,7 +31,7 @@ my $search;
if ( $custom->Description eq $name ) { $search = $custom; last }
}
unless ( $search && $search->id ) {
- $m->out("Predefined search ".$m->interp->apply_escapes($name, 'h')." not found");
+ $m->out(loc("Predefined search [_1] not found", $m->interp->apply_escapes($name, 'h')));
return;
}
}
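Review bot: The order escape-then-`loc` on the new `$m->out(loc(...))` line is deliberate (the translated template is trusted and may legitimately contain markup; only `$name` is request data) but nothing says so, and a later edit could easily swap it; a comment above the line would pin it: `# Escape $name first: the loc() template is trusted, the name is not.`. `$name` is defined outside the hunk, so if it can arrive undefined here, `apply_escapes` would presumably print an empty name with an uninitialized-value warning — worth confirming at the point where it is read from the request.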
commit 1d75d3f8785c4acf3684b06c7f60634ce69468dc
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Thu Apr 5 13:00:44 2012 -0400
RT 3.8.12 and above escape arguments to <&|/l&>; use loc
In the process of resolving CVE-2011-2083, RT 3.8.12 moved to an
implementation of the /l component which HTML escapes its arguments, by
default. As we cannot be sure which version of /l is currently
installed without a version check, or a check to the new /l_unsafe,
simply fall back to an interpolated loc() call instead.
diff --git a/html/m/_elements/footer b/html/m/_elements/footer
index 2c7602d..aea8758 100644
--- a/html/m/_elements/footer
+++ b/html/m/_elements/footer
@@ -1,7 +1,7 @@
<div id="bpscredits">
<& /Elements/Logo, ShowName => 0 &>
<div id="copyright">
-<&|/l, '', '', '2010', '<a href="http://www.bestpractical.com?rt='.$RT::VERSION.'">Best Practical Solutions, LLC</a>', &>[_1] RT [_2] Copyright 1996-[_3] [_4].</&>
+<% loc("[_1] RT [_2] Copyright 1996-[_3] [_4].", '', '', '2012', qq{<a href="http://www.bestpractical.com?rt=$RT::VERSION">Best Practical Solutions, LLC</a>}) |n%>
</div>
</div>
</body>
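Review bot: The `|n` on the new `<% loc(...) |n%>` line disables the default output escaping for the whole rendered string, and nothing on the line records why that is acceptable; a Mason comment above it would stop a future change from routing request data through this call: `% # |n is deliberate: the loc() template embeds trusted markup and $RT::VERSION only; never pass request data into it.`. The year argument also changed from '2010' to '2012' in the same line, a content change the commit message does not mention.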
commit 7f14071b5af6ec5829ddf748802b4b2a4437bc76
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Thu Apr 5 14:21:40 2012 -0400
WebPath should be HTML-escaped, in case it contains \W
diff --git a/html/m/_elements/header b/html/m/_elements/header
index 2c20383..bf4c209 100644
--- a/html/m/_elements/header
+++ b/html/m/_elements/header
@@ -8,7 +8,7 @@ $r->headers_out->{'Cache-control'} = 'no-cache';
</%init>
<html>
<head>
-<link rel="stylesheet" type="text/css" href="<%RT->Config->Get('WebPath')|n%>/m/style.css"/>
+<link rel="stylesheet" type="text/css" href="<%RT->Config->Get('WebPath')%>/m/style.css"/>
<title><%$title%></title>
<meta name="viewport" content="width=device-width height=device-height user-scalable=yes"/>
</head>
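Review bot: Dropping `|n` from the stylesheet `href` only yields an escaped value if the interpreter's default escape flag is `h`, which is configured outside this file (RT's Mason handler sets it, as far as I know, but that is worth confirming for every RT version this extension targets); an explicit `<% RT->Config->Get('WebPath') |h %>` does not depend on that default and reads the same on every installation. The same applies to the `<script ... src="<%RT->Config->Get('WebPath')%>/NoAuth/js/ahah.js">` line added in the following hunk (`@@ -11,6 +11,7`).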
commit c7510d060b196db86e2f6a21b40dd40db050f7f2
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Thu Apr 5 14:21:08 2012 -0400
Include the AHAH javascript for include-in-page CFs
da29e20 added the IncludeContentForValue codepath which calls ahah() in
javascript, but neglected to add the javascript include that provides
the ahah() function. Add it now, which makes the IncludeContentForValue
functionality work on mobile devices.
diff --git a/html/m/_elements/header b/html/m/_elements/header
index bf4c209..277bb8e 100644
--- a/html/m/_elements/header
+++ b/html/m/_elements/header
@@ -11,6 +11,7 @@ $r->headers_out->{'Cache-control'} = 'no-cache';
<link rel="stylesheet" type="text/css" href="<%RT->Config->Get('WebPath')%>/m/style.css"/>
<title><%$title%></title>
<meta name="viewport" content="width=device-width height=device-height user-scalable=yes"/>
+<script type="text/javascript" src="<%RT->Config->Get('WebPath')%>/NoAuth/js/ahah.js"></script>
</head>
<body>
% if ($show_home_button) {
commit 71f052d9f645574b1d8996f31a143ec886834dc8
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Thu Apr 5 13:29:43 2012 -0400
Ensure that javascript is correctly escaped, for CVE-2011-2083
RT 3.8.12 ensured that user-supplied strings in javascript were properly
escaped when output, by adding a 'j' Mason filter. Since we cannot
depend on having that version of RT, provide and use our own identical
EscapeJS function, which we use to escape user-supplied strings.
diff --git a/html/m/ticket/show b/html/m/ticket/show
index 1049ff5..8155a88 100644
--- a/html/m/ticket/show
+++ b/html/m/ticket/show
@@ -139,18 +139,18 @@ my $print_value = sub {
}
$m->out('</a>') if defined $linked && length $linked;
- # This section automatically populates a<div with the "IncludeContentForValue" for this custom
+ # This section automatically populates a div with the "IncludeContentForValue" for this custom
# field if it's been defined
if ( $cf->IncludeContentForValue ) {
my $vid = $value->id;
$m->out( '<div class="object_cf_value_include" id="object_cf_value_'. $vid .'">' );
- $m->print( loc("See also:") );
- $m->out( '<a href="'. $value->IncludeContentForValue .'">' );
- $m->print( $value->IncludeContentForValue );
+ $m->out( loc("See also:") );
+ $m->out( '<a href="'. $m->interp->apply_escapes($value->IncludeContentForValue, 'h') .'">' );
+ $m->out( $m->interp->apply_escapes($value->IncludeContentForValue, 'h') );
$m->out( qq{</a></div>\n} );
- $m->out( qq{<script><!--\nahah('} );
- $m->print( $value->IncludeContentForValue );
- $m->out( qq{', 'object_cf_value_$vid');\n--></script>\n} );
+ $m->out( qq{<script><!--\nahah(} );
+ $m->out( RT::Extension::MobileUI::EscapeJS($value->IncludeContentForValue) );
+ $m->out( qq{, 'object_cf_value_$vid');\n--></script>\n} );
}
};
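Review bot: `$value->IncludeContentForValue` is now called three times inside the `if` branch (href, link text, `EscapeJS` argument), and it is the same method call each time; hoisting it once at the top of the branch, `my $include = $value->IncludeContentForValue;`, and using `$include` in the three `$m->out` calls is shorter and avoids any chance of the calls disagreeing. `EscapeJS` emits the surrounding single quotes itself, which is why the literal `'` quotes around the `ahah(` argument were removed from the new `qq{}` strings; a one-line comment, `# EscapeJS returns a fully quoted JS string literal`, would keep someone from re-adding them. The enclosing `$print_value` sub starts outside the hunk.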
diff --git a/lib/RT/Extension/MobileUI.pm b/lib/RT/Extension/MobileUI.pm
index a7ef216..1cfc3d5 100644
--- a/lib/RT/Extension/MobileUI.pm
+++ b/lib/RT/Extension/MobileUI.pm
@@ -5,6 +5,24 @@ package RT::Extension::MobileUI;
our $VERSION = "1.01";
+sub _encode_surrogates {
+ my $uni = $_[0] - 0x10000;
+ return ($uni / 0x400 + 0xD800, $uni % 0x400 + 0xDC00);
+}
+
+sub EscapeJS {
+ my $val = shift;
+ return unless defined $val;
+
+ return "'" . join('',
+ map {
+ chr($_) =~ /[a-zA-Z0-9]/ ? chr($_) :
+ $_ <= 255 ? sprintf("\\x%02X", $_) :
+ $_ <= 65535 ? sprintf("\\u%04X", $_) :
+ sprintf("\\u%X\\u%X", _encode_surrogates($_))
+ } unpack('U*', $val))
+ . "'";
+}
=head1 NAME
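Review bot: `_encode_surrogates` computes the high surrogate with floating-point division, `$uni / 0x400 + 0xD800`, so for any code point not on a 0x400 boundary the value is fractional (55357.5 for U+1F600, for instance) and only comes out right because `sprintf('%X')` truncates it; integer arithmetic states the intent and does not lean on that: `return (($uni >> 10) + 0xD800, ($uni & 0x3FF) + 0xDC00);`. `EscapeJS` returns an empty list for an undefined input, which the `$m->out` caller in html/m/ticket/show would presumably print as nothing, leaving `ahah(, '...')` in the page; returning `"''"` for undef would keep the emitted script well-formed, if that is the behaviour wanted. Neither sub has a comment or POD; a header such as `# EscapeJS: return $val as a single-quoted JavaScript string literal, writing every non-alphanumeric character as a \x or \u escape (astral code points as surrogate pairs).` is grounded in the code and would make the contract clear to callers.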
commit ced598093a5656a96048cde19c49987a9f075119
Merge: a6fdc37 71f052d
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Jul 3 13:21:01 2012 -0400
Merge branch 'security'
commit ed0fcf726fd39f56f06c4a18302cd9e135b8e314
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Jul 3 13:26:00 2012 -0400
Version bump
diff --git a/Changes b/Changes
index ab03f3c..16fbfc1 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,8 @@
+1.02
+
+* Apply a number of XSS security fixes from 4.0-trunk, which resolve
+ CVE-2012-2769.
+
1.01
* Corrected the "Reply" link to default to reply rather than comment
diff --git a/lib/RT/Extension/MobileUI.pm b/lib/RT/Extension/MobileUI.pm
index 1cfc3d5..c7980ec 100644
--- a/lib/RT/Extension/MobileUI.pm
+++ b/lib/RT/Extension/MobileUI.pm
@@ -3,7 +3,7 @@ use strict;
package RT::Extension::MobileUI;
-our $VERSION = "1.01";
+our $VERSION = "1.02";
sub _encode_surrogates {
my $uni = $_[0] - 0x10000;
-----------------------------------------------------------------------