summaryrefslogtreecommitdiffstats
path: root/glpi-security1.patch
blob: f33fc96f61b34e38d044cbbd81a31349a0dbd5dc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
From c5314dd86d6560865670940b59ac0fbb97225bb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Anne?= <cedric.anne@gmail.com>
Date: Tue, 26 Feb 2019 13:46:06 +0100
Subject: [PATCH 01/10] Fix chevrons display in select2 rendering

---
 inc/html.class.php | 10 ++++++++++
 js/common.js       | 16 ++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/inc/html.class.php b/inc/html.class.php
index 760ffe164b..e5907c8d5b 100644
--- a/inc/html.class.php
+++ b/inc/html.class.php
@@ -4329,6 +4329,11 @@ static function jsAdaptDropdown($id, $params = []) {
                   if (typeof data.text === 'string'
                      && data.text.toUpperCase().indexOf(params.term.toUpperCase()) >= 0
                   ) {
+                     if (data.text.indexOf('>') !== -1 || data.text.indexOf('<') !== -1) {
+                        // escape text, if it contains chevrons (can already be escaped prior to this point :/)
+                        data.text = jQuery.fn.select2.defaults.defaults.escapeMarkup(data.text);
+                     }
+
                      return data;
                   }
                   return null;
@@ -4341,6 +4346,11 @@ static function jsAdaptDropdown($id, $params = []) {
                   if (child.text.toUpperCase().indexOf(params.term.toUpperCase()) != -1
                      || data.text.toUpperCase().indexOf(params.term.toUpperCase()) != -1
                   ) {
+
+                     if (child.text.indexOf('>') !== -1 || child.text.indexOf('<') !== -1) {
+                        // escape text, if it contains chevrons (can already be escaped prior to this point :/)
+                        child.text = jQuery.fn.select2.defaults.defaults.escapeMarkup(child.text);
+                     }
                      filteredChildren.push(child);
                   }
                });
diff --git a/js/common.js b/js/common.js
index c08623434c..15cf04b200 100644
--- a/js/common.js
+++ b/js/common.js
@@ -948,17 +948,25 @@ function markMatch (text, term) {
  * Function that renders select2 results.
  */
 var templateResult = function(result) {
-   if (!result.id) {
-      return result.text;
+   if (!result.text) {
+      return null;
    }
 
    var _elt = $('<span></span>');
    _elt.attr('title', result.title);
 
-   var markup=[result.text];
+   var text = result.text;
+   if (text.indexOf('>') !== -1 || text.indexOf('<') !== -1) {
+      // escape text, if it contains chevrons (can already be escaped prior to this point :/)
+      text = jQuery.fn.select2.defaults.defaults.escapeMarkup(result.text);
+   };
+
+   if (!result.id) {
+      return text;
+   }
 
    var _term = query.term || '';
-   var markup = markMatch(result.text, _term);
+   var markup = markMatch(text, _term);
 
    if (result.level) {
       var a='';

From 2c5d9f80f64a1f5ef4c62af8be5d24b812b75ecc Mon Sep 17 00:00:00 2001
From: Johan Cwiklinski <jcwiklinski@teclib.com>
Date: Tue, 5 Mar 2019 12:49:05 +0100
Subject: [PATCH 02/10] Disallow all on attributes

---
 inc/html.class.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/inc/html.class.php b/inc/html.class.php
index e5907c8d5b..f9aa6532dd 100644
--- a/inc/html.class.php
+++ b/inc/html.class.php
@@ -3550,6 +3550,9 @@ static function initEditorSystem($name, $rand = '', $display = true, $readonly =
          // init editor
          tinyMCE.init({
             language: '$language',
+            invalid_elements: 'form,iframe,script,@[onclick|ondblclick|'
+               + 'onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|'
+               + 'onkeydown|onkeyup]',
             browser_spellcheck: true,
             mode: 'exact',
             elements: '$name',

From a330e5b49f46680cf9fb877fdac7a6e44eff9115 Mon Sep 17 00:00:00 2001
From: Johan Cwiklinski <jcwiklinski@teclib.com>
Date: Mon, 4 Mar 2019 16:15:04 +0100
Subject: [PATCH 03/10] Strict check

---
 inc/auth.class.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/inc/auth.class.php b/inc/auth.class.php
index 323b3b94a2..707d7ab314 100644
--- a/inc/auth.class.php
+++ b/inc/auth.class.php
@@ -276,14 +276,14 @@ static function checkPassword($pass, $hash) {
          $ok = password_verify($pass, $hash);
 
       } else if (strlen($hash)==32) {
-         $ok = md5($pass) == $hash;
+         $ok = md5($pass) === $hash;
 
       } else if (strlen($hash)==40) {
-         $ok = sha1($pass) == $hash;
+         $ok = sha1($pass) === $hash;
 
       } else {
          $salt = substr($hash, 0, 8);
-         $ok = ($salt.sha1($salt.$pass) == $hash);
+         $ok = ($salt.sha1($salt.$pass) === $hash);
       }
 
       return $ok;

From f8959e587db32361c3013898c9f223a4151ada33 Mon Sep 17 00:00:00 2001
From: Johan Cwiklinski <jcwiklinski@teclib.com>
Date: Tue, 12 Mar 2019 14:44:53 +0100
Subject: [PATCH 04/10] Use exif if present to check if file is image, or
 fallback with W on fileinfo

---
 inc/config.class.php           |  3 +++
 inc/document.class.php         | 13 +++++++++++--
 tests/functionnal/Document.php | 20 +++++++-------------
 tests/notanimage.jpg           |  3 +++
 4 files changed, 24 insertions(+), 15 deletions(-)
 create mode 100644 tests/notanimage.jpg

diff --git a/inc/config.class.php b/inc/config.class.php
index b648d53181..8797b5bd4c 100644
--- a/inc/config.class.php
+++ b/inc/config.class.php
@@ -2456,6 +2456,9 @@ static function checkExtensions($list = null) {
             'CAS'     => [
                'required' => false,
                'class'    => 'phpCAS'
+            ],
+            'exif' => [
+               'required'  => false
             ]
          ];
       } else {
diff --git a/inc/document.class.php b/inc/document.class.php
index 8072dac9f2..faca1a93ee 100644
--- a/inc/document.class.php
+++ b/inc/document.class.php
@@ -1497,8 +1497,17 @@ static function getImageTag($string) {
     * @return boolean
     */
    public static function isImage($file) {
-      $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
-      return (in_array($ext, ['jpg', 'jpeg', 'png', 'bmp', 'gif']));
+      if (extension_loaded('exif')) {
+         $etype = exif_imagetype($file);
+         return in_array($etype, [IMAGETYPE_JPEG, IMAGETYPE_GIF, IMAGETYPE_PNG, IMAGETYPE_BMP]);
+      } else {
+         Toolbox::logWarning('For security reasons, you should consider using exif PHP extension to properly check images.');
+         $fileinfo = finfo_open(FILEINFO_MIME_TYPE);
+         return in_array(
+            finfo_file($fileinfo, $file),
+            ['image/jpeg', 'image/png','image/gif', 'image/bmp']
+         );
+      }
    }
 
    /**
diff --git a/tests/functionnal/Document.php b/tests/functionnal/Document.php
index a00ca4b57f..1757ebc8e6 100644
--- a/tests/functionnal/Document.php
+++ b/tests/functionnal/Document.php
@@ -215,25 +215,19 @@ public function testGetImageTag() {
 
    protected function isImageProvider() {
       return [
-         ['PNG', true],
-         ['png', true],
-         ['JPG', true],
-         ['jpg', true],
-         ['jpeg', true],
-         ['JPEG', true],
-         ['bmp', true],
-         ['BMP', true],
-         ['gif', true],
-         ['GIF', true],
-         ['SVG', false]
+         [__FILE__, false],
+         [__DIR__ . "/../../pics/add_dropdown.png", true],
+         [__DIR__ . "/../../pics/corners.gif", true],
+         [__DIR__ . "/../../pics/PICS-AUTHORS.txt", false],
+         [__DIR__ . "/../notanimage.jpg", false]
       ];
    }
 
    /**
     * @dataProvider isImageProvider
     */
-   public function testIsImage($ext, $expected) {
-      $this->variable(\Document::isImage('myfile.' . $ext))->isIdenticalTo($expected);
+   public function testIsImage($file, $expected) {
+      $this->boolean(\Document::isImage($file))->isIdenticalTo($expected);
    }
 
    /**
diff --git a/tests/notanimage.jpg b/tests/notanimage.jpg
new file mode 100644
index 0000000000..d2dbc0fe33
--- /dev/null
+++ b/tests/notanimage.jpg
@@ -0,0 +1,3 @@
+<?php
+
+echo 'This is not an image.';

From 5d11af11e08cc16d52083fe4a13f64f5f1a332d2 Mon Sep 17 00:00:00 2001
From: Johan Cwiklinski <jcwiklinski@teclib.com>
Date: Tue, 12 Mar 2019 10:59:54 +0100
Subject: [PATCH 05/10] Password token date was not removed

---
 inc/user.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inc/user.class.php b/inc/user.class.php
index e6ebb3a88d..fdc9d8b0ac 100644
--- a/inc/user.class.php
+++ b/inc/user.class.php
@@ -4355,7 +4355,7 @@ public function updateForgottenPassword(array $input) {
                }
                $input2 = [
                   'password_forget_token'      => '',
-                  'password_forget_token_date' => null,
+                  'password_forget_token_date' => 'NULL',
                   'id'                         => $this->fields['id']
                ];
                $this->update($input2);

From 1ae67932a3de9349fbe5f0cd4d10d9a81a811f9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Anne?= <cedric.anne@gmail.com>
Date: Thu, 14 Mar 2019 17:22:48 +0100
Subject: [PATCH 06/10] Fix ITIL image path

---
 inc/ticket.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inc/ticket.class.php b/inc/ticket.class.php
index b414f85583..c9608c84e9 100644
--- a/inc/ticket.class.php
+++ b/inc/ticket.class.php
@@ -7249,7 +7249,7 @@ function showTimeline($rand) {
 
                echo "<a href='".$CFG_GLPI['root_doc']."/front/document.send.php?docid=".$item_i['id']
                       ."&tickets_id=".$this->getID()."' target='_blank'>$filename";
-               if (Document::isImage($filename)) {
+               if (Document::isImage(GLPI_DOC_DIR . '/' . $item_i['filepath'])) {
                   echo "<div class='timeline_img_preview'>";
                   echo "<img src='".$CFG_GLPI['root_doc']."/front/document.send.php?docid=".$item_i['id']
                         ."&tickets_id=".$this->getID()."&context=timeline'/>";

From cc1e2b02288635a4692bef5d2a7598862eafa4d1 Mon Sep 17 00:00:00 2001
From: Johan Cwiklinski <jcwiklinski@teclib.com>
Date: Mon, 18 Mar 2019 19:27:04 +0100
Subject: [PATCH 08/10] Update security-checker

---
 composer.json |  2 +-
 composer.lock | 21 +++++++++++----------
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/composer.json b/composer.json
index d1c3ee858b..66f6b52643 100644
--- a/composer.json
+++ b/composer.json
@@ -43,7 +43,7 @@
         "patchwork/jsqueeze": "^2.0",
         "atoum/atoum": "^3.3",
         "atoum/telemetry-extension": "^1.0",
-        "sensiolabs/security-checker": "^4.1",
+        "sensiolabs/security-checker": "^5.0",
         "fzaninotto/Faker": "^1.7",
         "jakub-onderka/php-parallel-lint": "^1.0"
     },
diff --git a/composer.lock b/composer.lock
index 467f8ce42d..4ce22d532d 100644
--- a/composer.lock
+++ b/composer.lock
@@ -1,10 +1,10 @@
 {
     "_readme": [
         "This file locks the dependencies of your project to a known state",
-        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
+        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "4db9a468fea5706b030e4b631a08b28a",
+    "content-hash": "57b9b4901479f79936d11b74f56ff761",
     "packages": [
         {
             "name": "container-interop/container-interop",
@@ -2769,20 +2769,21 @@
         },
         {
             "name": "sensiolabs/security-checker",
-            "version": "v4.1.8",
+            "version": "v5.0.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sensiolabs/security-checker.git",
-                "reference": "dc270d5fec418cc6ac983671dba5d80ffaffb142"
+                "reference": "46be3f58adac13084497961e10eed9a7fb4d44d1"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sensiolabs/security-checker/zipball/dc270d5fec418cc6ac983671dba5d80ffaffb142",
-                "reference": "dc270d5fec418cc6ac983671dba5d80ffaffb142",
+                "url": "https://api.github.com/repos/sensiolabs/security-checker/zipball/46be3f58adac13084497961e10eed9a7fb4d44d1",
+                "reference": "46be3f58adac13084497961e10eed9a7fb4d44d1",
                 "shasum": ""
             },
             "require": {
                 "composer/ca-bundle": "^1.0",
+                "php": ">=5.5.9",
                 "symfony/console": "~2.7|~3.0|~4.0"
             },
             "bin": [
@@ -2791,12 +2792,12 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "4.1-dev"
+                    "dev-master": "5.0-dev"
                 }
             },
             "autoload": {
-                "psr-0": {
-                    "SensioLabs\\Security": ""
+                "psr-4": {
+                    "SensioLabs\\Security\\": "SensioLabs/Security"
                 }
             },
             "notification-url": "https://packagist.org/downloads/",
@@ -2810,7 +2811,7 @@
                 }
             ],
             "description": "A security checker for your composer.lock",
-            "time": "2018-02-28T22:10:01+00:00"
+            "time": "2018-12-19T17:14:59+00:00"
         },
         {
             "name": "squizlabs/php_codesniffer",

From 150a94fc71230ca04fc00e2f2b6c40936cb3c060 Mon Sep 17 00:00:00 2001
From: Frederico Gendorf <fred@fldevws045>
Date: Fri, 15 Mar 2019 11:50:29 -0300
Subject: [PATCH 09/10] Fix user image display and upload; fixes #5604

---
 front/document.send.php | 2 +-
 inc/user.class.php      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/front/document.send.php b/front/document.send.php
index d80ab14aad..87a7db6298 100644
--- a/front/document.send.php
+++ b/front/document.send.php
@@ -69,7 +69,7 @@
       }
 
       if ($splitter[0] == "_pictures") {
-         if (Document::isImage($_GET['file'])) {
+         if (Document::isImage(GLPI_DOC_DIR."/".$_GET['file'])) {
             $send = true;
          }
       }
diff --git a/inc/user.class.php b/inc/user.class.php
index fdc9d8b0ac..67bfc71496 100644
--- a/inc/user.class.php
+++ b/inc/user.class.php
@@ -735,7 +735,7 @@ function prepareInputForUpdate($input) {
                $picture_path = GLPI_PICTURE_DIR  . "/$sub/${filename}.$extension";
                self::dropPictureFiles($filename.".".$extension);
 
-               if (Document::isImage($input["_picture"])
+               if (Document::isImage($fullpath)
                    && Document::renameForce($fullpath, $picture_path)) {
                   Session::addMessageAfterRedirect(__('The file is valid. Upload is successful.'));
                   // For display

From 9ef29babf8ae57986b2f3c1480a07c4608599a64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Anne?= <cedric.anne@gmail.com>
Date: Fri, 22 Mar 2019 11:05:24 +0100
Subject: [PATCH 10/10] Fix escaping of optgroups in dropdowns; fixes #5646

---
 js/common.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/js/common.js b/js/common.js
index 15cf04b200..e083b3970e 100644
--- a/js/common.js
+++ b/js/common.js
@@ -958,11 +958,13 @@ var templateResult = function(result) {
    var text = result.text;
    if (text.indexOf('>') !== -1 || text.indexOf('<') !== -1) {
       // escape text, if it contains chevrons (can already be escaped prior to this point :/)
-      text = jQuery.fn.select2.defaults.defaults.escapeMarkup(result.text);
+      text = jQuery.fn.select2.defaults.defaults.escapeMarkup(text);
    };
 
    if (!result.id) {
-      return text;
+      // If result has no id, then it is used as an optgroup and is not used for matches
+      _elt.html(text);
+      return _elt;
    }
 
    var _term = query.term || '';