[Rt-commit] rt branch, 4.0-trunk, updated. rt-4.0.23-23-g31c15b6
Alex Vandiver
alexmv at bestpractical.com
Sat May 9 23:50:48 EDT 2015
The branch, 4.0-trunk has been updated
via 31c15b65d9d593e3fca4f2b27b29343a8937dadc (commit)
from c6d4f60eb5b718d82257b0c98c48a30b6780a332 (commit)
Summary of changes:
t/security/CVE-2012-4733-status.t | 26 ++++++++++++++++++
.../CVE-2013-3373-template-header-injection.t | 32 ++++++++++++++++++++++
2 files changed, 58 insertions(+)
create mode 100644 t/security/CVE-2012-4733-status.t
create mode 100644 t/security/CVE-2013-3373-template-header-injection.t
- Log -----------------------------------------------------------------
commit 31c15b65d9d593e3fca4f2b27b29343a8937dadc
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Sat May 9 23:50:18 2015 -0400
Add security tests that are no longer embargoed
diff --git a/t/security/CVE-2012-4733-status.t b/t/security/CVE-2012-4733-status.t
new file mode 100644
index 0000000..7b89268
--- /dev/null
+++ b/t/security/CVE-2012-4733-status.t
@@ -0,0 +1,26 @@
+use strict;
+use warnings;
+
+use RT::Test tests => undef;
+my $ticket = RT::Ticket->new(RT::CurrentUser->new('root'));
+my ($ok, $msg) = $ticket->Create(Queue => 1, Owner => 'nobody', Subject => 'status changes');
+ok($ok);
+
+my ($baseurl, $m) = RT::Test->started_ok;
+$m->add_header(Referer => $baseurl);
+ok $m->login, 'logged in';
+
+$m->get_ok("/Ticket/Display.html?id=1&Status=RESOLVED");
+$m->content_like(qr/Status changed from/,
+ "A status change happened");
+$m->content_like(qr/Status changed from 'new' to 'resolved'/,
+ "The new status is resolved");
+
+$ticket->Load( $ticket->Id );
+is($ticket->Status, 'resolved', "Status is now resolved");
+
+($ok, $msg) = $ticket->SetStatus('open');
+ok($ok, "Can set status back to open");
+
+undef $m;
+done_testing;
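Review bot: The `$m->get_ok("/Ticket/Display.html?id=1&Status=RESOLVED")` line hard-codes `id=1` for the ticket created a few lines above, so the test binds to whichever ticket has id 1 in the test database rather than to `$ticket`, and the later `content_like` and `is($ticket->Status, ...)` checks inherit the same implicit assumption; use `$m->get_ok("/Ticket/Display.html?id=" . $ticket->id . "&Status=RESOLVED");`. The unlabelled `ok($ok);` after `Create` should carry the message, `ok($ok, "Created ticket: $msg");`, so a setup failure names its cause. Since the file name carries only the CVE number, a short header comment stating which behaviour around status changes this test guards would tell a future reader what a failure here means. The `Referer` header added before login is presumably there to satisfy RT's referrer check; a one-line comment saying so would keep it from being removed as dead setup.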
diff --git a/t/security/CVE-2013-3373-template-header-injection.t b/t/security/CVE-2013-3373-template-header-injection.t
new file mode 100644
index 0000000..1ce31bb
--- /dev/null
+++ b/t/security/CVE-2013-3373-template-header-injection.t
@@ -0,0 +1,32 @@
+use strict;
+use warnings;
+
+use RT::Test tests => undef;
+
+my ($ticket, $ok, $msg);
+
+note "Ticket Subject: in templates";
+for my $sep ("\n", "\r\n", "\r") {
+ # Create evil ticket subject
+ $ticket = RT::Ticket->new( RT->SystemUser );
+ ($ok, $msg) = $ticket->Create(
+ Queue => 1,
+ Subject => "test ticket".$sep."Evil: yes",
+ Requestor => 'foo at example.com', # provide any recipient just to generate a mail
+ );
+ ok $ticket->id, "Created ticket: $msg";
+ unlike $ticket->Subject, qr/\n/, "Newline didn't make it into ticket subject";
+
+ # ... sends an email
+ my @email = RT::Test->fetch_caught_mails;
+ is @email, 1, "Caught one email";
+
+ ok open(my $fh, "<", \$email[0]), "Opened email"
+ or diag $!;
+
+ my $head = MIME::Head->read($fh);
+ ok !$head->get("Evil"), "No Evil header"
+ or diag explain $email[0];
+}
+
+done_testing;
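Review bot: The `unlike $ticket->Subject, qr/\n/` assertion does not cover the third separator in the loop: for `$sep = "\r"` the subject contains no newline, so that iteration passes even if the bare carriage return survived into the subject, and nothing in this file shows whether MIME::Head treats a lone `\r` as a header break such that the following `No Evil header` check would catch it. Tighten it to `unlike $ticket->Subject, qr/[\r\n]/, "Line break didn't make it into ticket subject";`. `MIME::Head->read` is called without a `use MIME::Head;` in this file, so the test presumably relies on RT::Test having loaded it; an explicit `use` or a comment would make that dependency visible. A short header comment naming what the test guards against (the ticket subject, containing a line break, being copied into outgoing mail headers, as the injected `Evil: yes` line suggests) would help, since the file name carries only the CVE number.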