[Rt-commit] rt branch 4.4.6-releng updated. rt-4.4.6beta1-8-g76966873b4
BPS Git Server
git at git.bestpractical.com
Wed Jul 13 06:05:56 UTC 2022
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".
The branch, 4.4.6-releng has been updated
via 76966873b4027c5939c61ba6df3756a1e4f640ed (commit)
via cd685af9b7425525a94c4c972c4bdd106dfaa8c3 (commit)
via 024ce4644606e19ea11b47db456af34a46accf36 (commit)
via 9a571e96f25ebdca5d59613510e1646aa9bc0177 (commit)
via 03f12ca042121c94c5f35f736cabd8da84275be2 (commit)
via 8907571045db2297da0ff865570cb7c605c2342f (commit)
via 7986fd798df5d055ea2ff9f74207631ab307cfc8 (commit)
via abdc57cac8da9cea189b154413a022a3652f2ef7 (commit)
from 8cd02c8404e032dc9ed97ce13770d9d0c2a7577c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 76966873b4027c5939c61ba6df3756a1e4f640ed
Merge: cd685af9b7 abdc57cac8
Author: sunnavy <sunnavy at bestpractical.com>
Date: Wed Jul 13 12:57:47 2022 +0800
Merge branch '4.4/prevent-warning-attachment-image-rewrite' into 4.4.6-releng
commit cd685af9b7425525a94c4c972c4bdd106dfaa8c3
Merge: 8cd02c8404 024ce46446
Author: sunnavy <sunnavy at bestpractical.com>
Date: Wed Jul 13 12:55:44 2022 +0800
Merge branch 'security/4.4.6-releng' into 4.4.6-releng
commit 024ce4644606e19ea11b47db456af34a46accf36
Merge: 9a571e96f2 03f12ca042
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Jun 17 22:00:10 2022 +0800
Merge branch 'security/4.4/ocfv-acl' into security/4.4.6-releng
commit 9a571e96f25ebdca5d59613510e1646aa9bc0177
Merge: 8cd02c8404 7986fd798d
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Jun 17 21:45:28 2022 +0800
Merge branch 'security/4.4/cve-2022-25802' into security/4.4.6-releng
commit 03f12ca042121c94c5f35f736cabd8da84275be2
Author: sunnavy <sunnavy at bestpractical.com>
Date: Tue May 24 21:31:19 2022 +0800
Add ACL check to /Download/CustomFieldValue/... endpoints
diff --git a/share/html/Download/CustomFieldValue/dhandler b/share/html/Download/CustomFieldValue/dhandler
index 688160bdd9..7825104636 100644
--- a/share/html/Download/CustomFieldValue/dhandler
+++ b/share/html/Download/CustomFieldValue/dhandler
@@ -61,6 +61,8 @@ unless ($OCFV->id) {
Abort("Bad OCFV id. Couldn't find OCFV '$id'\n");
}
+Abort( loc('Permission Denied'), Code => HTTP::Status::HTTP_FORBIDDEN ) unless $OCFV->CurrentUserCanSee;
+
my $content_type = $OCFV->ContentType || 'text/plain; charset=utf-8';
if (RT->Config->Get('AlwaysDownloadAttachments')) {
commit 8907571045db2297da0ff865570cb7c605c2342f
Author: sunnavy <sunnavy at bestpractical.com>
Date: Tue May 24 21:28:54 2022 +0800
Add ACL check to ObjectCustomFieldValues
diff --git a/lib/RT/ObjectCustomFieldValue.pm b/lib/RT/ObjectCustomFieldValue.pm
index 1a11e13e13..db14fd9fde 100644
--- a/lib/RT/ObjectCustomFieldValue.pm
+++ b/lib/RT/ObjectCustomFieldValue.pm
@@ -523,9 +523,9 @@ Get the OCFV cache key for this object
sub GetOCFVCacheKey {
my $self = shift;
- my $ocfv_key = "CustomField-" . $self->CustomField
- . '-ObjectType-' . $self->ObjectType
- . '-ObjectId-' . $self->ObjectId;
+ my $ocfv_key = "CustomField-" . $self->__Value('CustomField')
+ . '-ObjectType-' . $self->__Value('ObjectType')
+ . '-ObjectId-' . $self->__Value('ObjectId');
return $ocfv_key;
}
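Review bot: The switch from the `CustomField`/`ObjectType`/`ObjectId` accessors to `__Value` at lines 71-73 is load-bearing but unexplained in GetOCFVCacheKey, so a later cleanup could plausibly revert it to the accessors and reintroduce the rights dependency. I'd add above the assignment: `# Read the raw columns with __Value: the accessors go through the ACL check in _Value, and the cache key must not vary with the current user's rights.` The same reasoning applies to the `__Value('CustomField')` in the debug message of the new `_Value` override further down this file.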
@@ -806,6 +806,32 @@ sub ExternalStoreDigest {
return $self->_Value( 'LargeContent' );
}
+=head2 CurrentUserCanSee
+
+Returns true if user has "SeeCustomField" on the associated CustomField
+object, otherwise false.
+
+=cut
+
+sub CurrentUserCanSee {
+ my $self = shift;
+ return $self->CustomFieldObj->CurrentUserHasRight('SeeCustomField');
+}
+
+sub _Value {
+ my $self = shift;
+ return undef unless $self->id;
+
+ unless ( $self->CurrentUserCanSee ) {
+ $RT::Logger->debug(
+ "Permission denied. User #". $self->CurrentUser->id
+ ." has no SeeCustomField right on CF #". $self->__Value('CustomField')
+ );
+ return undef;
+ }
+ return $self->SUPER::_Value(@_);
+}
+
RT::Base->_ImportOverlays();
1;
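Review bot: CurrentUserCanSee (line 86) derives visibility solely from the SeeCustomField right on the custom field; it does not consult the object the value belongs to, so a user who may see the field but not the attached object would still pass the `_Value` gate and the new download check that calls it. If object-level visibility is enforced elsewhere, a comment on CurrentUserCanSee saying so would help; otherwise consider also requiring the owning object's own visibility check where its class provides one (I can't see from this hunk whether RT's Object classes expose that uniformly, so verify). Separately, `_Value` (line 91) now routes every column read through CurrentUserCanSee and therefore CustomFieldObj, which is outside this hunk; CustomFieldObj must fetch CustomField via `__Value`, as GetOCFVCacheKey now does, or the override recurses. A one-line comment on `_Value` recording that constraint, e.g. `# Anything reached from CurrentUserCanSee must use __Value, not the accessors, to avoid recursion.`, would protect it.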
diff --git a/lib/RT/ObjectCustomFieldValues.pm b/lib/RT/ObjectCustomFieldValues.pm
index ce698f5dcd..9705b2f2d2 100644
--- a/lib/RT/ObjectCustomFieldValues.pm
+++ b/lib/RT/ObjectCustomFieldValues.pm
@@ -230,6 +230,15 @@ sub _DoCount {
return $self->SUPER::_DoCount(@_);
}
+
+sub AddRecord {
+ my $self = shift;
+ my ($record) = @_;
+
+ return unless $record->CurrentUserCanSee;
+ return $self->SUPER::AddRecord($record);
+}
+
RT::Base->_ImportOverlays();
# Clear the OCVF cache on exit to release connected RT::Ticket objects.
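Review bot: Filtering in AddRecord (line 119) silently drops values the user may not see, but `_DoCount` directly above (line 112) still defers to the SUPER implementation, which presumably counts the unfiltered query, so Count/CountAll can report values that iteration never returns; callers that size pagination or "N values" messages from Count would see a mismatch. Either make the count path exclude invisible values too, or document the discrepancy on AddRecord, e.g. `# Values the user lacks SeeCustomField on are skipped; Count still reflects the unfiltered query.` Each AddRecord call also constructs a CustomField object via CurrentUserCanSee, so large collections now do one ACL lookup per row; fine if the CF object cache absorbs it, but worth confirming.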
diff --git a/lib/RT/Record.pm b/lib/RT/Record.pm
index bf7d8abef8..65d700b44b 100644
--- a/lib/RT/Record.pm
+++ b/lib/RT/Record.pm
@@ -2036,7 +2036,8 @@ sub _AddCustomFieldValue {
);
}
- my $new_content = $new_value->Content;
+ # Fall back to '' in case current user doesn't have rights.
+ my $new_content = $new_value->Content // '';
# For datetime, we need to display them in "human" format in result message
#XXX TODO how about date without time?
diff --git a/lib/RT/System.pm b/lib/RT/System.pm
index 0c90f3c88e..8e7839b4d3 100644
--- a/lib/RT/System.pm
+++ b/lib/RT/System.pm
@@ -386,7 +386,8 @@ sub ExternalStorageURLFor {
# external storage direct links disabled
return undef if !RT->Config->Get('ExternalStorageDirectLink');
- return undef unless $Object->ContentEncoding eq 'external';
+ # If current user doesn't have rights, ContentEncoding is undef
+ return undef unless ( $Object->ContentEncoding // '' ) eq 'external';
return $self->ExternalStorage->DownloadURLFor($Object);
}
commit 7986fd798df5d055ea2ff9f74207631ab307cfc8
Author: Brian Conry <bconry at bestpractical.com>
Date: Wed Feb 23 14:16:44 2022 -0600
Set X-Content-Type-Options to nosniff to tell browser not to change content-type
This addresses CVE-2022-25802.
When a browser encounters a content-type it doesn't recognize, it can
"sniff" the content and choose one it deems suitable, which is
risky because it could execute content (e.g. as HTML with JavaScript) that
comes from an untrusted external source.
Setting X-Content-Type-Options to "nosniff" disables browser's "sniff"
behavior. By setting it here, it not only fixes the issue above, but
also potentially provides better CORB-protection for various content
types.
See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
There is a config option to disable this if necessary.
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 97afc855d5..35d5ffc794 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -2574,6 +2574,18 @@ if there are other query arguments.
Set( %ReferrerComponents );
+=item C<$StrictContentTypes>
+
+If set to 0, the C<X-Content-Type-Options: nosniff> header will be omitted on
+attachments. Because RT does not filter HTML content in unknown content types,
+disabling this opens RT up to cross-site scripting (XSS) attacks by allowing
+the execution of arbitrary Javascript when the browser detects HTML-looking
+data in an attachment with an unknown content type.
+
+=cut
+
+Set($StrictContentTypes, 1);
+
=item C<$BcryptCost>
This sets the default cost parameter used for the C<bcrypt> key
diff --git a/share/html/Download/CustomFieldValue/dhandler b/share/html/Download/CustomFieldValue/dhandler
index 688160bdd9..c2624957a0 100644
--- a/share/html/Download/CustomFieldValue/dhandler
+++ b/share/html/Download/CustomFieldValue/dhandler
@@ -70,6 +70,7 @@ elsif (!RT->Config->Get('TrustHTMLAttachments')) {
$content_type = 'text/plain; charset=utf-8' if ($content_type =~ /^text\/html/i);
}
+$r->headers_out->{'X-Content-Type-Options'} = 'nosniff' if RT->Config->Get('StrictContentTypes');
$r->content_type( $content_type );
$m->clear_buffer();
$m->out($OCFV->LargeContent);
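Review bot: The nosniff assignment at line 191 is duplicated verbatim in share/html/Ticket/Attachment/dhandler (the hunk at line 202), each gated on the same config key; a third endpoint that serves user-supplied content added later has to remember to copy it. Consider moving the header-plus-config check into one small shared helper called from both dhandlers so the policy lives in one place. Whichever form is kept, a short comment naming why it exists would help, e.g. `# Keep browsers from sniffing user-supplied content into a more dangerous type; see $StrictContentTypes.`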
diff --git a/share/html/Ticket/Attachment/dhandler b/share/html/Ticket/Attachment/dhandler
index 44ada1e211..1492303ffa 100644
--- a/share/html/Ticket/Attachment/dhandler
+++ b/share/html/Ticket/Attachment/dhandler
@@ -96,6 +96,7 @@ unless ( $mimetype && $mimetype->isBinary ) {
$content_type .= ";charset=$iana";
}
+$r->headers_out->{'X-Content-Type-Options'} = 'nosniff' if RT->Config->Get('StrictContentTypes');
$r->content_type($content_type);
$m->clear_buffer();
$m->out($content);
-----------------------------------------------------------------------
Summary of changes:
etc/RT_Config.pm.in | 12 ++++++++++
lib/RT/ObjectCustomFieldValue.pm | 32 ++++++++++++++++++++++++---
lib/RT/ObjectCustomFieldValues.pm | 9 ++++++++
lib/RT/Record.pm | 3 ++-
lib/RT/System.pm | 3 ++-
share/html/Download/CustomFieldValue/dhandler | 3 +++
share/html/Ticket/Attachment/dhandler | 2 ++
7 files changed, 59 insertions(+), 5 deletions(-)