[Rt-commit] rtir branch 4.0.3-releng created. 4.0.2-10-gbfcf7cef
BPS Git Server
git at git.bestpractical.com
Wed Jul 13 08:38:30 UTC 2022
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rtir".
The branch, 4.0.3-releng has been created
at bfcf7cef38bda1f1345e093cca0a9354eff8d80d (commit)
- Log -----------------------------------------------------------------
commit bfcf7cef38bda1f1345e093cca0a9354eff8d80d
Merge: 3e9ecc45 2ec9e7ac
Author: sunnavy <sunnavy at bestpractical.com>
Date: Wed Jul 13 16:26:13 2022 +0800
Merge branch 'security/4.0.3-releng' into 4.0.3-releng
commit 2ec9e7ac5901a021d08034b683d94098dfeb821d
Merge: 3e9ecc45 fd5d1f6f
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Jun 17 23:09:09 2022 +0800
Merge branch 'security/4.0/cve-2022-25800-cve-2022-25801' into security/4.0.3-releng
commit fd5d1f6f717e52732c4186c0e9a6fd0ed9df8112
Author: Brian Conry <bconry at bestpractical.com>
Date: Wed Feb 23 14:15:12 2022 -0600
Restrict whois queries to configured servers.
Addresses CVE-2022-25800 and CVE-2022-25801.
diff --git a/lib/RT/IR.pm b/lib/RT/IR.pm
index 21a98cd2..4b8fa610 100644
--- a/lib/RT/IR.pm
+++ b/lib/RT/IR.pm
@@ -635,6 +635,14 @@ sub FirstWhoisServer {
return $res;
}
+sub IsValidWhoisServer {
+ my $self = shift;
+ my $server = lc (shift or return 0);
+ my $servers = RT->Config->Get('whois');
+
+ return ((grep { lc $_ eq $server } map { ref $_ ? $_->{'Host'} : $_ } values %$servers) ? 1 : 0);
+}
+
sub WhoisLookup {
my $self = shift;
my %args = (
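Review bot: `IsValidWhoisServer` is a new public method on `RT::IR` and this hunk adds no POD for it; document that it returns 1 only when `$server` equals, case-insensitively, one of the configured `whois` entries (the `Host` key for hashref entries, the bare value otherwise) and 0 for an empty value. The one-liner `my $server = lc (shift or return 0);` is correct but easy to misread; `my $server = shift or return 0; $server = lc $server;` makes the early return obvious. The `grep` compares the whole string, so a configured `Host` that carries a `:port` suffix only matches when the caller passes the same suffix; worth stating in the POD.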
@@ -647,6 +655,9 @@ sub WhoisLookup {
return (undef, $args{'CurrentUser'}->loc("No whois servers configured"))
unless $server;
+ return (undef, $args{'CurrentUser'}->loc("Invalid whois server specified"))
+ unless $self->IsValidWhoisServer( $server );
+
my ($host, $port) = split /\s*:\s*/, $server, 2;
$port = 43 unless ($port || '') =~ /^\d+$/;
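Review bot: the new check runs before the `host:port` split, so `$server` is compared to the allowlist verbatim (after lowercasing), while `split /\s*:\s*/` on the following line tolerates whitespace around the colon; a value with spaces around the colon would be rejected by `IsValidWhoisServer` even though the split would have parsed it. An exact match against configured values is the intended security boundary, so that is acceptable, but a one-line comment beside the check saying the match is exact would prevent someone "fixing" it later. Also add a regression test that a server absent from `RT->Config->Get('whois')` returns the `Invalid whois server specified` error and performs no lookup.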
-----------------------------------------------------------------------
hooks/post-receive
--
rtir