[Rt-commit] rt branch 5.0.3-releng updated. rt-5.0.3beta1-17-g45c29dce55
BPS Git Server
git at git.bestpractical.com
Wed Jul 13 07:39:47 UTC 2022
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".
The branch, 5.0.3-releng has been updated
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 45c29dce558917cdd9960121f31f899698f75b69
Merge: 41f95a834a 76966873b4
Author: sunnavy <sunnavy at bestpractical.com>
Date: Wed Jul 13 14:58:19 2022 +0800
Merge branch '4.4.6-releng' into 5.0.3-releng
commit 41f95a834a4088041fdf69c837aecb70666257a8
Merge: 0c3e3eaeb4 f414560c45
Author: sunnavy <sunnavy at bestpractical.com>
Date: Wed Jul 13 14:58:14 2022 +0800
Merge branch 'security/5.0.3-releng' into 5.0.3-releng
commit f414560c454ed871c88fc0ac45b3e42ca4aa55a3
Merge: c473555a29 03f12ca042
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Jun 17 22:02:32 2022 +0800
Merge branch 'security/4.4/ocfv-acl' into security/5.0.3-releng
diff --cc lib/RT/ObjectCustomFieldValues.pm
index 269a5ec9aa,9705b2f2d2..393bf23e15
--- a/lib/RT/ObjectCustomFieldValues.pm
+++ b/lib/RT/ObjectCustomFieldValues.pm
@@@ -208,6 -208,37 +208,15 @@@ sub HasEntry
}
}
-sub _DoSearch {
- my $self = shift;
-
- if ( exists $self->{'find_expired_rows'} ) {
- RT->Deprecated( Arguments => "find_expired_rows", Instead => 'find_disabled_rows', Remove => '4.6' );
- $self->{'find_disabled_rows'} = $self->{'find_expired_rows'};
- }
-
- return $self->SUPER::_DoSearch(@_);
-}
-
-sub _DoCount {
- my $self = shift;
-
- if ( exists $self->{'find_expired_rows'} ) {
- RT->Deprecated( Arguments => "find_expired_rows", Instead => 'find_disabled_rows', Remove => '4.6' );
- $self->{'find_disabled_rows'} = $self->{'find_expired_rows'};
- }
-
- return $self->SUPER::_DoCount(@_);
-}
-
+
+ sub AddRecord {
+ my $self = shift;
+ my ($record) = @_;
+
+ return unless $record->CurrentUserCanSee;
+ return $self->SUPER::AddRecord($record);
+ }
+
RT::Base->_ImportOverlays();
# Clear the OCVF cache on exit to release connected RT::Ticket objects.
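Review bot: `return unless $record->CurrentUserCanSee;` in the new `AddRecord` override drops rows after the SQL query has already run, so any count taken from the query itself will still include values the current user cannot see; a comment on the override should warn callers not to compare such a count against the iterated records. `CurrentUserCanSee` is not defined anywhere in this hunk (the summary lists lib/RT/ObjectCustomFieldValue.pm with 32 insertions, presumably where it lands), so the override should also note that it assumes every record in this collection is an RT::ObjectCustomFieldValue that implements it.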
commit c473555a298254ce0ef2570b6732728225e0671e
Merge: 99de78ac30 ba3a82144d
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Jun 17 21:58:51 2022 +0800
Merge branch 'security/5.0/cve-2022-25803' into security/5.0.3-releng
commit 99de78ac303043b4bd64f24111994e62dfec1927
Merge: 294785307e 7986fd798d
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Jun 17 21:55:34 2022 +0800
Merge branch 'security/4.4/cve-2022-25802' into security/5.0.3-releng
diff --cc etc/RT_Config.pm.in
index 1b7720241e,35d5ffc794..8897981f62
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@@ -1095,13 -1069,27 +1095,25 @@@ if there are other query arguments
=cut
-Set($UsernameFormat, "role");
+Set( %ReferrerComponents );
-=item C<$UserSearchResultFormat>
++=item C<$StrictContentTypes>
+
-This controls the display of lists of users returned from the User
-Summary Search. The display of users in the Admin interface is
-controlled by C<%AdminSearchResultFormat>.
++If set to 0, the C<X-Content-Type-Options: nosniff> header will be omitted on
++attachments. Because RT does not filter HTML content in unknown content types,
++disabling this opens RT up to cross-site scripting (XSS) attacks by allowing
++the execution of arbitrary Javascript when the browser detects HTML-looking
++data in an attachment with an unknown content type.
+
+ =cut
+
-Set($UserSearchResultFormat,
- q{ '<a href="__WebPath__/User/Summary.html?id=__id__">__id__</a>/TITLE:#'}
- .q{,'<a href="__WebPath__/User/Summary.html?id=__id__">__Name__</a>/TITLE:Name'}
- .q{,__RealName__, __EmailAddress__}
-);
++Set($StrictContentTypes, 1);
+
-=item C<@UserSummaryPortlets>
+=item C<$BcryptCost>
-A list of portlets to be displayed on the User Summary page.
-By default, we show all of the available portlets.
-Extensions may provide their own portlets for this page.
+This sets the default cost parameter used for the C<bcrypt> key
+derivation function. Valid values range from 4 to 31, inclusive, with
+higher numbers denoting greater effort.
=cut
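Review bot: the `$StrictContentTypes` description explains only what happens when the option is set to 0 and never states the default or recommends leaving it enabled; since `Set($StrictContentTypes, 1);` follows, add a sentence such as "The default is 1 and should not be changed unless you fully trust all attachment content" so an administrator reading the docs sees the safe value. Also "Javascript" should be "JavaScript", and "HTML-looking data" reads better as "content that looks like HTML".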
commit ba3a82144dbe83c05994522911d2b60268f08640
Author: sunnavy <sunnavy at bestpractical.com>
Date: Sat Mar 19 03:37:12 2022 +0800
Validate ResultPage argument by whitelist
This addresses CVE-2022-25803.
ResultPage is initially for RTIR so it can redirect search results to
specific RTIR pages like "/RTIR/Incident/Reply/". This is risky as we
didn't previously validate the page to redirect to, and it could be
anything.
Note that an unvalidated ResultPage is risky even without a redirect
involved: RT builds the page menu "Show Results" using it, so the menu link
is malicious once a user clicks a URL with a malicious ResultPage, e.g.
/Search/Results.html?ResultPage=http://bad.example.com&Query=id<10
This commit adds a whitelist validation mechanism and validates it at
the beginning of request handling to prevent malicious ResultPage.
See also https://wiki.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index c02f49af75..8e8a6ef090 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -305,6 +305,26 @@ sub HandleRequest {
local $HTML::Mason::Commands::DECODED_ARGS = $ARGS;
PreprocessTimeUpdates($ARGS);
+ if ( exists $ARGS->{ResultPage} ) {
+ my $passed;
+ if ( defined $ARGS->{ResultPage} && length $ARGS->{ResultPage} ) {
+ for my $item ( @RT::Interface::Web::WHITELISTED_RESULT_PAGES ) {
+ if ( ref $item eq 'Regexp' ) {
+ $passed = 1 if $ARGS->{ResultPage} =~ $item;
+ }
+ else {
+ $passed = 1 if $ARGS->{ResultPage} eq $item;
+ }
+ last if $passed;
+ }
+ }
+
+ if ( !$passed ) {
+ RT->Logger->warning("ResultPage $ARGS->{ResultPage} is not whitelisted, ignoring");
+ delete $ARGS->{ResultPage};
+ }
+ }
+
InitializeMenu();
MaybeShowInstallModePage();
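Review bot: the warning at `RT->Logger->warning("ResultPage $ARGS->{ResultPage} is not whitelisted, ignoring");` interpolates the raw request value, which the surrounding check allows to be undef (`exists` without `defined`) and which is otherwise attacker-controlled; an undef value produces an "uninitialized value" warning and an empty message, and a long or newline-containing value goes straight into the log. Suggest logging `$ARGS->{ResultPage} // ''`, truncating it, or logging only that an invalid ResultPage was dropped. The check itself fails closed: `$passed` stays unset for undef, empty and non-matching values, and `delete $ARGS->{ResultPage}` removes the argument before `InitializeMenu()` builds the "Show Results" link the commit message mentions.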
@@ -1481,6 +1501,10 @@ our %IS_WHITELISTED_COMPONENT = (
'/Ticket/ShowEmailRecord.html' => 1,
);
+our @WHITELISTED_RESULT_PAGES = (
+ '/Search/Results.html',
+);
+
# Whitelist arguments that do not indicate an effectful request.
our @GLOBAL_WHITELISTED_ARGS = (
# For example, "id" is acceptable because that is how RT retrieves a
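Review bot: `@WHITELISTED_RESULT_PAGES` contains only `/Search/Results.html`, while the commit message says ResultPage exists so RTIR can target pages such as /RTIR/Incident/Reply/; RTIR and any extension that uses ResultPage now has to push onto `@RT::Interface::Web::WHITELISTED_RESULT_PAGES`, and nothing here documents that. Add a comment like the one on `@GLOBAL_WHITELISTED_ARGS` below it, stating that entries may be plain strings (matched with `eq`) or Regexp objects (matched with `=~`) and that regex entries must be anchored, since an unanchored pattern would also accept an absolute URL that merely contains the path.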
commit b24ddea4d8e63a403e47f8d2a980faf03a4e3eee
Author: Brian Conry <bconry at bestpractical.com>
Date: Wed Mar 16 14:20:21 2022 -0500
Drop unused redirect support from /Articles/Article/Edit.html
Performing a redirect to a target specified by request parameters is
potentially unsafe. In this page the functionality is no longer used
and has been removed.
diff --git a/share/html/Articles/Article/Edit.html b/share/html/Articles/Article/Edit.html
index d3bfce12c3..2f7ec4c7d5 100644
--- a/share/html/Articles/Article/Edit.html
+++ b/share/html/Articles/Article/Edit.html
@@ -50,7 +50,6 @@
<& /Elements/ListActions, actions => \@results &>
<form method="post" action="Edit.html" name="EditArticle" id="EditArticle" enctype="multipart/form-data">
-<input type="hidden" name="next" value="<%$ARGS{next}||''%>" />
<input type="hidden" name="id" value="<%$id%>" />
<&| /Widgets/TitleBox, title => $title, class => 'article-basics', &>
@@ -195,15 +194,10 @@ elsif ( $id eq 'new' ) {
$title = loc( 'Modify article #[_1]', $ArticleObj->Id );
delete $ARGS{id};
- if ( $ARGS{next} ) {
- $m->redirect($ARGS{next});
- }
- else {
- MaybeRedirectForResults(
- Actions => \@results,
- Arguments => { id => $ArticleObj->id },
- );
- }
+ MaybeRedirectForResults(
+ Actions => \@results,
+ Arguments => { id => $ArticleObj->id },
+ );
}
else {
$ArticleObj = RT::Article->new( $session{'CurrentUser'} );
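Review bot: the removed `$m->redirect($ARGS{next})` branch sent the browser to whatever the `next` parameter held, with no check that it pointed into RT; the remaining `MaybeRedirectForResults( Actions => \@results, Arguments => { id => $ArticleObj->id } )` builds the target from the article id instead, which closes the open redirect the commit message describes. With the hidden `next` input dropped in the earlier hunk, a `next` argument that still arrives is now silently ignored rather than rejected; a quick grep for links into Edit.html carrying `next=` would confirm nothing relied on it.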
-----------------------------------------------------------------------
Summary of changes:
etc/RT_Config.pm.in | 12 ++++++++++
lib/RT/Interface/Web.pm | 24 ++++++++++++++++++++
lib/RT/ObjectCustomFieldValue.pm | 32 ++++++++++++++++++++++++---
lib/RT/ObjectCustomFieldValues.pm | 9 ++++++++
lib/RT/Record.pm | 3 ++-
lib/RT/System.pm | 3 ++-
share/html/Articles/Article/Edit.html | 14 ++++--------
share/html/Download/CustomFieldValue/dhandler | 3 +++
share/html/Ticket/Attachment/dhandler | 2 ++
9 files changed, 87 insertions(+), 15 deletions(-)