[Rt-commit] rt branch 5.0.3-releng updated. rt-5.0.3beta1-17-g45c29dce55

BPS Git Server git at git.bestpractical.com
Wed Jul 13 07:39:47 UTC 2022


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0.3-releng has been updated
       via  45c29dce558917cdd9960121f31f899698f75b69 (commit)
       via  41f95a834a4088041fdf69c837aecb70666257a8 (commit)
       via  76966873b4027c5939c61ba6df3756a1e4f640ed (commit)
       via  cd685af9b7425525a94c4c972c4bdd106dfaa8c3 (commit)
       via  f414560c454ed871c88fc0ac45b3e42ca4aa55a3 (commit)
       via  024ce4644606e19ea11b47db456af34a46accf36 (commit)
       via  c473555a298254ce0ef2570b6732728225e0671e (commit)
       via  99de78ac303043b4bd64f24111994e62dfec1927 (commit)
       via  9a571e96f25ebdca5d59613510e1646aa9bc0177 (commit)
       via  03f12ca042121c94c5f35f736cabd8da84275be2 (commit)
       via  8907571045db2297da0ff865570cb7c605c2342f (commit)
       via  7986fd798df5d055ea2ff9f74207631ab307cfc8 (commit)
       via  ba3a82144dbe83c05994522911d2b60268f08640 (commit)
       via  b24ddea4d8e63a403e47f8d2a980faf03a4e3eee (commit)
       via  abdc57cac8da9cea189b154413a022a3652f2ef7 (commit)
      from  0c3e3eaeb412cfea7e55308337285d80e2ed3025 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 45c29dce558917cdd9960121f31f899698f75b69
Merge: 41f95a834a 76966873b4
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Wed Jul 13 14:58:19 2022 +0800

    Merge branch '4.4.6-releng' into 5.0.3-releng


commit 41f95a834a4088041fdf69c837aecb70666257a8
Merge: 0c3e3eaeb4 f414560c45
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Wed Jul 13 14:58:14 2022 +0800

    Merge branch 'security/5.0.3-releng' into 5.0.3-releng


commit f414560c454ed871c88fc0ac45b3e42ca4aa55a3
Merge: c473555a29 03f12ca042
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Jun 17 22:02:32 2022 +0800

    Merge branch 'security/4.4/ocfv-acl' into security/5.0.3-releng

diff --cc lib/RT/ObjectCustomFieldValues.pm
index 269a5ec9aa,9705b2f2d2..393bf23e15
--- a/lib/RT/ObjectCustomFieldValues.pm
+++ b/lib/RT/ObjectCustomFieldValues.pm
@@@ -208,6 -208,37 +208,15 @@@ sub HasEntry 
      }
  }
  
 -sub _DoSearch {
 -    my $self = shift;
 -
 -    if ( exists $self->{'find_expired_rows'} ) {
 -        RT->Deprecated( Arguments => "find_expired_rows", Instead => 'find_disabled_rows', Remove => '4.6' );
 -        $self->{'find_disabled_rows'} = $self->{'find_expired_rows'};
 -    }
 -
 -    return $self->SUPER::_DoSearch(@_);
 -}
 -
 -sub _DoCount {
 -    my $self = shift;
 -
 -    if ( exists $self->{'find_expired_rows'} ) {
 -        RT->Deprecated( Arguments => "find_expired_rows", Instead => 'find_disabled_rows', Remove => '4.6' );
 -        $self->{'find_disabled_rows'} = $self->{'find_expired_rows'};
 -    }
 -
 -    return $self->SUPER::_DoCount(@_);
 -}
 -
+ 
+ sub AddRecord {
+     my $self = shift;
+     my ($record) = @_;
+ 
+     return unless $record->CurrentUserCanSee;
+     return $self->SUPER::AddRecord($record);
+ }
+ 
  RT::Base->_ImportOverlays();
  
  # Clear the OCVF cache on exit to release connected RT::Ticket objects.
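Review bot: the new `AddRecord` override silently drops every record for which `CurrentUserCanSee` is false, so a count derived from the underlying SQL query can still include those rows and disagree with the number of records the collection actually hands back; either confirm that the counting path applies the same check, or document the discrepancy in a short POD block above `sub AddRecord` stating that this is the ACL filter for object custom field values. A comment there is also needed because the method currently has no explanation of why it exists.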

commit c473555a298254ce0ef2570b6732728225e0671e
Merge: 99de78ac30 ba3a82144d
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Jun 17 21:58:51 2022 +0800

    Merge branch 'security/5.0/cve-2022-25803' into security/5.0.3-releng


commit 99de78ac303043b4bd64f24111994e62dfec1927
Merge: 294785307e 7986fd798d
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Jun 17 21:55:34 2022 +0800

    Merge branch 'security/4.4/cve-2022-25802' into security/5.0.3-releng

diff --cc etc/RT_Config.pm.in
index 1b7720241e,35d5ffc794..8897981f62
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@@ -1095,13 -1069,27 +1095,25 @@@ if there are other query arguments
  
  =cut
  
 -Set($UsernameFormat, "role");
 +Set( %ReferrerComponents );
  
 -=item C<$UserSearchResultFormat>
++=item C<$StrictContentTypes>
+ 
 -This controls the display of lists of users returned from the User
 -Summary Search. The display of users in the Admin interface is
 -controlled by C<%AdminSearchResultFormat>.
++If set to 0, the C<X-Content-Type-Options: nosniff> header will be omitted on
++attachments.  Because RT does not filter HTML content in unknown content types,
++disabling this opens RT up to cross-site scripting (XSS) attacks by allowing
++the execution of arbitrary Javascript when the browser detects HTML-looking
++data in an attachment with an unknown content type.
+ 
+ =cut
+ 
 -Set($UserSearchResultFormat,
 -         q{ '<a href="__WebPath__/User/Summary.html?id=__id__">__id__</a>/TITLE:#'}
 -        .q{,'<a href="__WebPath__/User/Summary.html?id=__id__">__Name__</a>/TITLE:Name'}
 -        .q{,__RealName__, __EmailAddress__}
 -);
++Set($StrictContentTypes, 1);
+ 
 -=item C<@UserSummaryPortlets>
 +=item C<$BcryptCost>
  
 -A list of portlets to be displayed on the User Summary page.
 -By default, we show all of the available portlets.
 -Extensions may provide their own portlets for this page.
 +This sets the default cost parameter used for the C<bcrypt> key
 +derivation function.  Valid values range from 4 to 31, inclusive, with
 +higher numbers denoting greater effort.
  
  =cut
  

commit ba3a82144dbe83c05994522911d2b60268f08640
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Sat Mar 19 03:37:12 2022 +0800

    Validate ResultPage argument by whitelist
    
    This addresses CVE-2022-25803.
    
    ResultPage is initially for RTIR so it can redirect search results to
    specific RTIR pages like "/RTIR/Incident/Reply/". This is risky as we
    didn't validate the page to redirect previously and it could be
    anything.
    
    Note that unvalidated ResultPage is risky even without redirect
    involved: RT builds page menu "Show Results" using it, so the menu link
    is malicious once a user clicks a URL with malicious ResultPage, e.g.
    
        /Search/Results.html?ResultPage=http://bad.example.com&Query=id<10
    
    This commit adds a whitelist validation mechanism and validates it at
    the beginning of request handling to prevent malicious ResultPage.
    
    See also https://wiki.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index c02f49af75..8e8a6ef090 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -305,6 +305,26 @@ sub HandleRequest {
     local $HTML::Mason::Commands::DECODED_ARGS = $ARGS;
     PreprocessTimeUpdates($ARGS);
 
+    if ( exists $ARGS->{ResultPage} ) {
+        my $passed;
+        if ( defined $ARGS->{ResultPage} && length $ARGS->{ResultPage}  ) {
+            for my $item ( @RT::Interface::Web::WHITELISTED_RESULT_PAGES ) {
+                if ( ref $item eq 'Regexp' ) {
+                    $passed = 1 if $ARGS->{ResultPage} =~ $item;
+                }
+                else {
+                    $passed = 1 if $ARGS->{ResultPage} eq $item;
+                }
+                last if $passed;
+            }
+        }
+
+        if ( !$passed ) {
+            RT->Logger->warning("ResultPage $ARGS->{ResultPage} is not whitelisted, ignoring");
+            delete $ARGS->{ResultPage};
+        }
+    }
+
     InitializeMenu();
     MaybeShowInstallModePage();
 
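Review bot: the warning `RT->Logger->warning("ResultPage $ARGS->{ResultPage} is not whitelisted, ignoring")` interpolates the raw, unvalidated value: when the parameter exists but is undefined (the `!$passed` branch is reached without entering the `defined ... && length ...` block) this produces an uninitialized-value warning, and otherwise it writes attacker-controlled text, including any embedded newlines, straight into the log. Suggest something like `my $rp = $ARGS->{ResultPage} // ''; RT->Logger->warning("ResultPage '$rp' is not whitelisted, ignoring");` with control characters stripped or the length capped before logging.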
@@ -1481,6 +1501,10 @@ our %IS_WHITELISTED_COMPONENT = (
     '/Ticket/ShowEmailRecord.html' => 1,
 );
 
+our @WHITELISTED_RESULT_PAGES = (
+    '/Search/Results.html',
+);
+
 # Whitelist arguments that do not indicate an effectful request.
 our @GLOBAL_WHITELISTED_ARGS = (
     # For example, "id" is acceptable because that is how RT retrieves a
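Review bot: `@WHITELISTED_RESULT_PAGES` contains only `/Search/Results.html`, yet the commit message says ResultPage exists for RTIR pages such as `/RTIR/Incident/Reply/`, so without a documented extension point RTIR's redirects will now fail with nothing but a log warning. Add a comment above the array stating that extensions must push their own entries onto it, that an entry may be either an exact path string or a compiled `Regexp` (since the loop in `HandleRequest` accepts both), and that Regexp entries should be anchored, because the match in `HandleRequest` applies the pattern as-is.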

commit b24ddea4d8e63a403e47f8d2a980faf03a4e3eee
Author: Brian Conry <bconry at bestpractical.com>
Date:   Wed Mar 16 14:20:21 2022 -0500

    Drop unused redirect support from /Articles/Article/Edit.html
    
    Performing a redirect to a target specified by request parameters is
    potentially unsafe.  In this page the functionality is no longer used
    and has been removed.

diff --git a/share/html/Articles/Article/Edit.html b/share/html/Articles/Article/Edit.html
index d3bfce12c3..2f7ec4c7d5 100644
--- a/share/html/Articles/Article/Edit.html
+++ b/share/html/Articles/Article/Edit.html
@@ -50,7 +50,6 @@
 <& /Elements/ListActions, actions => \@results &>
 
 <form method="post" action="Edit.html" name="EditArticle" id="EditArticle" enctype="multipart/form-data">
-<input type="hidden" name="next" value="<%$ARGS{next}||''%>" />
 <input type="hidden" name="id" value="<%$id%>" />
 
 <&| /Widgets/TitleBox, title => $title, class => 'article-basics', &>
@@ -195,15 +194,10 @@ elsif ( $id eq 'new' ) {
         $title = loc( 'Modify article #[_1]', $ArticleObj->Id );
         delete $ARGS{id};
 
-        if ( $ARGS{next} ) {
-            $m->redirect($ARGS{next});
-        }
-        else {
-            MaybeRedirectForResults(
-                Actions   => \@results,
-                Arguments => { id => $ArticleObj->id },
-            );
-        }
+        MaybeRedirectForResults(
+            Actions   => \@results,
+            Arguments => { id => $ArticleObj->id },
+        );
     }
     else {
         $ArticleObj = RT::Article->new( $session{'CurrentUser'} );

-----------------------------------------------------------------------

Summary of changes:
 etc/RT_Config.pm.in                           | 12 ++++++++++
 lib/RT/Interface/Web.pm                       | 24 ++++++++++++++++++++
 lib/RT/ObjectCustomFieldValue.pm              | 32 ++++++++++++++++++++++++---
 lib/RT/ObjectCustomFieldValues.pm             |  9 ++++++++
 lib/RT/Record.pm                              |  3 ++-
 lib/RT/System.pm                              |  3 ++-
 share/html/Articles/Article/Edit.html         | 14 ++++--------
 share/html/Download/CustomFieldValue/dhandler |  3 +++
 share/html/Ticket/Attachment/dhandler         |  2 ++
 9 files changed, 87 insertions(+), 15 deletions(-)

