From 272f715bebc7894ef42eee498a193eae52e75068 Mon Sep 17 00:00:00 2001
From: Alexandre Delaunay <delaunay.alexandre@gmail.com>
Date: Thu, 20 Jun 2019 10:40:41 +0200
Subject: [PATCH 1/3] avoid xss attack on user picture

(cherry picked from commit c2aa7a7cd6af28be3809acc7e7842d2d2008c0fb)
---
 inc/user.class.php | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/inc/user.class.php b/inc/user.class.php
index 2a7b9a87c4..0257684326 100644
--- a/inc/user.class.php
+++ b/inc/user.class.php
@@ -576,6 +576,11 @@ function prepareInputForAdd($input) {
          return false;
       }
 
+      // avoid xss (picture field is autogenerated)
+      if (isset($input['picture'])) {
+         $input['picture'] = 'NULL';
+      }
+
       if (!isset($input["authtype"])) {
          $input["authtype"] = Auth::DB_GLPI;
       }
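Review bot: The guard at the new `$input['picture'] = 'NULL';` line overwrites a client-supplied value with a null marker instead of dropping the key, so on the update path (the same guard appears in the prepareInputForUpdate hunk) any update whose input echoes the stored picture name back — a form that round-trips the field, or an internal caller that passes the current record through — would clear the user's picture; `unset($input['picture']);` rejects the field while leaving the stored value untouched, unless clearing is the intended outcome. The comment also leaves out why the field must never come from the client: the stored name is later interpolated into a URL by getURLForPicture, so suggest `// 'picture' is set only by the upload handler; discard any client-supplied value, it is later rendered into URLs (see getURLForPicture)`. prepareInputForAdd begins before this hunk and continues past it; in the second hunk, prepareInputForUpdate starts inside the hunk and ends outside it.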
@@ -707,6 +712,11 @@ function post_addItem() {
    function prepareInputForUpdate($input) {
       global $CFG_GLPI;
 
+      // avoid xss (picture field is autogenerated)
+      if (isset($input['picture'])) {
+         $input['picture'] = 'NULL';
+      }
+
       //picture manually uploaded by user
       if (isset($input["_blank_picture"]) && $input["_blank_picture"]) {
          self::dropPictureFiles($this->fields['picture']);
@@ -2012,6 +2022,7 @@ function showForm($ID, array $options = []) {
       }
 
       if (!empty($this->fields["name"])) {
+
          echo "<td rowspan='4'>" . __('Picture') . "</td>";
          echo "<td rowspan='4'>";
          echo "<div class='user_picture_border_small' id='picture$rand'>";
@@ -4701,6 +4712,9 @@ static function checkDefaultPasswords() {
    static function getURLForPicture($picture) {
       global $CFG_GLPI;
 
+      // prevent xss
+      $picture = Html::cleanInputText($picture);
+
       if (!empty($picture)) {
          return $CFG_GLPI["root_doc"]."/front/document.send.php?file=_pictures/$picture";
       }
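Review bot: `Html::cleanInputText($picture)` escapes for an HTML context (if it is the htmlentities-style helper its name suggests), but the value is then interpolated into a URL query component on the `?file=_pictures/$picture` line, so the escaping is for the wrong context: characters meaningful in a URL or a file path (`/`, `?`, `#`) pass through unchanged, while `&` and quotes come out HTML-encoded and will be double-encoded by any caller that escapes the URL for output. Encoding where the URL is built is the context-correct fix, e.g. `return $CFG_GLPI["root_doc"]."/front/document.send.php?file=_pictures/".rawurlencode($picture);`, assuming stored picture names never contain a path separator (if they can, encode each segment). The same applies to the getThumbnailURLForPicture hunk, where the encoding belongs after the explode/implode on the file name, not before it. Both functions continue past their hunks.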
@@ -4720,6 +4734,9 @@ static function getURLForPicture($picture) {
    static function getThumbnailURLForPicture($picture) {
       global $CFG_GLPI;
 
+      // prevent xss
+      $picture = Html::cleanInputText($picture);
+
       if (!empty($picture)) {
          $tmp = explode(".", $picture);
          if (count($tmp) ==2) {

From d9690bfc66e07cc24494d80d9a73176f557aec29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Anne?= <cedric.anne@gmail.com>
Date: Thu, 20 Jun 2019 11:51:54 +0200
Subject: [PATCH 2/3] Prevent execution of javascript event on rich text

(cherry picked from commit 2ee18d241632b29e3402b4c2990176309a5bd84c)
---
 inc/html.class.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/inc/html.class.php b/inc/html.class.php
index f9aa6532dd..6fd95adc7c 100644
--- a/inc/html.class.php
+++ b/inc/html.class.php
@@ -84,6 +84,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) {
          $value,
          [
             'elements'         => ($striptags) ? 'none' : '',
+            'deny_attribute'   => 'on*',
             'keep_bad'         => $keep_bad, // 1: neutralize tag and content, 2 : remove tag and neutralize content
             'comment'          => 1, // 1: remove
             'cdata'            => 1, // 1: remove
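Review bot: The new `'deny_attribute'   => 'on*',` entry is the only key in this options array without a trailing comment, while its neighbours each document what their value means; suggest `'deny_attribute'   => 'on*', // deny every on* event-handler attribute (onclick, onload, …)`. It is worth stating in that comment that this covers attributes only: a `javascript:` URL in `href`/`src` is governed by the separate `schemes` option of this (apparently htmLawed) configuration, so the two settings should be read together. `clean()` begins before this hunk and continues after it.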

From 7e2dfbf68b48988f717f3b4c9e58f1ca873d6e4e Mon Sep 17 00:00:00 2001
From: Johan Cwiklinski <jcwiklinski@teclib.com>
Date: Thu, 20 Jun 2019 14:47:18 +0200
Subject: [PATCH 3/3] Forbid javascript scheme

(cherry picked from commit 081338b2fa3a98eacb6f7ca380714f34ec0266ff)
---
 inc/html.class.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/inc/html.class.php b/inc/html.class.php
index 6fd95adc7c..6a1b1961c9 100644
--- a/inc/html.class.php
+++ b/inc/html.class.php
@@ -89,6 +89,7 @@ static function clean($value, $striptags = true, $keep_bad = 2) {
             'comment'          => 1, // 1: remove
             'cdata'            => 1, // 1: remove
             'direct_list_nest' => 1, // 1: Allow usage of ul/ol tags nested in other ul/ol tags
+            'schemes'          => 'aim, app, feed, file, ftp, gopher, http, https, !javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet'
          ]
       );