[Rt-commit] rt branch, 4.2-trunk, updated. rt-4.2.12-48-g747f8f3

Shawn Moore shawn at bestpractical.com
Wed Aug 12 16:04:16 EDT 2015


The branch, 4.2-trunk has been updated
       via  747f8f369636283c3efb019e8919e2fbf428ff45 (commit)
       via  46e61e019b20af8332a7d95431f83ad675510173 (commit)
       via  f097857f24fa80c4113d3aef260ca8292a339777 (commit)
       via  36a461947b00b105336adb4997d1c7767d8484c4 (commit)
       via  67d517ba3421ba462e349c73207a627d137ef8ac (commit)
      from  ac1ab02d08b58cfae78ec1cbc5b291eb0420999d (commit)

Summary of changes:
 share/html/Elements/CryptStatus | 10 +++++-----
 share/static/js/util.js         |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

- Log -----------------------------------------------------------------
commit 67d517ba3421ba462e349c73207a627d137ef8ac
Author: Shawn M Moore <shawn at bestpractical.com>
Date:   Wed Jul 15 17:54:02 2015 +0000

    Escape principal name as we insert it into the DOM
    
    jQuery's text() setter method escapes the passed-in content. Using the original
    html() leaves us vulnerable to an XSS injection attack. This resolves
    CVE-2015-5475.

diff --git a/share/static/js/util.js b/share/static/js/util.js
index b665c0e..f6f5c3b 100644
--- a/share/static/js/util.js
+++ b/share/static/js/util.js
@@ -277,7 +277,7 @@ function toggle_addprincipal_validity(input, good, title) {
 
 function update_addprincipal_title(title) {
     var h3 = jQuery("#acl-AddPrincipal h3");
-    h3.html( h3.text().replace(/: .*$/,'') + ": " + title );
+    h3.text( h3.text().replace(/: .*$/,'') + ": " + title );
 }
 
 // when a value is selected from the autocompleter
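Review bot: replacing `h3.html(...)` with `h3.text(...)` in `update_addprincipal_title` closes the injection, but it also changes behaviour when the heading is not plain text: `.text()` replaces every child node of `#acl-AddPrincipal h3` with a single text node, so any element inside the h3 is discarded and a `title` that legitimately contains markup now renders its angle brackets literally. Worth checking the callers that pass `title` (the autocompleter handler referenced in the trailing comment) to confirm none of them relies on HTML there, and adding a regression test that passes a title containing `<`, `>` and `&` and asserts the heading's text content equals it verbatim.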

commit 36a461947b00b105336adb4997d1c7767d8484c4
Author: Shawn M Moore <shawn at bestpractical.com>
Date:   Mon Jul 27 23:20:10 2015 +0000

    Escape message crypt status as we insert it into the DOM
    
    The ->{'Value'} part of each message is inserted into the DOM with no
    escaping (to accommodate MakeClicky and callbacks using HTML). Values RT
    receives from other systems must be escaped or they leave us vulnerable to
    an XSS injection attack.
    
    This also happens to fix a bug where email addresses of senders would in
    some cases not be shown in the browser.

diff --git a/share/html/Elements/CryptStatus b/share/html/Elements/CryptStatus
index b022b10..f2411a5 100644
--- a/share/html/Elements/CryptStatus
+++ b/share/html/Elements/CryptStatus
@@ -147,7 +147,7 @@ foreach my $run ( @runs ) {
                 push @messages, {
                     Tag     => $protocol,
                     Classes => [qw/keycheck bad/],
-                    Value   => loc( "Public key '0x[_1]' is required to verify signature", $line->{'Key'} ),
+                    Value   => $m->interp->apply_escapes( loc( "Public key '0x[_1]' is required to verify signature", $line->{'Key'} ), 'h'),
                 };
             }
         }
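Review bot: `$m->interp->apply_escapes( ..., 'h')` on the changed `Value` line wraps the whole localized string rather than only the interpolated `$line->{'Key'}`; that is the safer choice because the loc template itself comes from the translation catalog, but it commits the output to an element-content context. Mason's `'h'` escape covers `&`, `<`, `>` and `"` only, so it is not sufficient if any consumer of `Value` places it inside a single-quoted or unquoted attribute. Since the commit message says `Value` is inserted raw to accommodate MakeClicky and callbacks, confirm those paths insert it as element text and do not escape a second time, which would render `&amp;` literally.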
@@ -156,21 +156,21 @@ foreach my $run ( @runs ) {
             push @messages, {
                 Tag     => $protocol,
                 Classes => ['passphrasecheck', lc $line->{Status}],
-                Value   => loc( $line->{'Message'} ),
+                Value   => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
             };
         }
         elsif ( $line->{'Operation'} eq 'Decrypt' ) {
             push @messages, {
                 Tag     => $protocol,
                 Classes => ['decrypt', lc $line->{Status}],
-                Value   => loc( $line->{'Message'} ),
+                Value   => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
             };
         }
         elsif ( $line->{'Operation'} eq 'Verify' ) {
             push @messages, {
                 Tag     => $protocol,
                 Classes => ['verify', lc $line->{Status}, 'trust-'.($line->{Trust} || 'UNKNOWN')],
-                Value   => loc( $line->{'Message'} ),
+                Value   => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
             };
         }
         else {
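Review bot: the three `Value` lines in this hunk are now escaped, but the `Classes` entries between them (`lc $line->{Status}` and `'trust-'.($line->{Trust} || 'UNKNOWN')`) still pass through untouched. If those fields are parsed from the same external tool output as `Message`, they land in a `class` attribute and need either the same `apply_escapes` treatment where `Classes` is rendered or a whitelist check here, e.g. rejecting a `$line->{Status}` that does not match `/^\w+$/`. The identical `$m->interp->apply_escapes( loc( $line->{'Message'} ), 'h')` expression also appears three times in this hunk alone; a small `escaped_loc` helper would make it harder to miss a future push site.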
@@ -178,7 +178,7 @@ foreach my $run ( @runs ) {
             push @messages, {
                 Tag     => $protocol,
                 Classes => [lc $line->{Operation}, lc $line->{Status}],
-                Value   => loc( $line->{'Message'} ),
+                Value   => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
             }
         }
     }
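Review bot: this `else` branch is the fifth `push @messages` site that receives the same `apply_escapes(..., 'h')` wrapper, and its `Classes => [lc $line->{Operation}, lc $line->{Status}]` still interpolates raw fields into class names. Escaping at each construction site works, but it leaves the contract implicit: a future push site that omits the wrapper regresses silently. Suggest documenting at the `@messages` declaration that `Value` must already be HTML (escaped, or intentionally marked up for MakeClicky and callbacks), or alternatively escaping once in the loop that renders `@messages` and having the markup-producing paths opt out explicitly.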

commit f097857f24fa80c4113d3aef260ca8292a339777
Merge: 62de9fe 67d517b
Author: Shawn M Moore <shawn at bestpractical.com>
Date:   Tue Jul 28 19:37:29 2015 +0000

    Merge branch 'security/4.2/rights-xss' into security/4.2.12-releng


commit 46e61e019b20af8332a7d95431f83ad675510173
Merge: f097857 36a4619
Author: Shawn M Moore <shawn at bestpractical.com>
Date:   Tue Jul 28 19:37:33 2015 +0000

    Merge branch 'security/4.2/crypt-xss' into security/4.2.12-releng


commit 747f8f369636283c3efb019e8919e2fbf428ff45
Merge: ac1ab02 46e61e0
Author: Shawn M Moore <shawn at bestpractical.com>
Date:   Wed Aug 12 16:04:12 2015 -0400

    Merge branch 'security/4.2.12-releng' into 4.2-trunk


-----------------------------------------------------------------------
