From a64a0d220a44ec7d26fce77154f7ee2a62337a95 Mon Sep 17 00:00:00 2001
From: Victor Boctor
Date: Sun, 14 May 2017 21:32:02 -0700
Subject: [PATCH 1/2] Fixes markdown formating for notes column

The 3 dashes marked the notes above it as a markdown header. Fix is to use `=-=` instead.

Fixes #22867
---
 core/bugnote_api.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/core/bugnote_api.php b/core/bugnote_api.php
index 92561fc857..7e302239af 100644
--- a/core/bugnote_api.php
+++ b/core/bugnote_api.php
@@ -534,7 +534,9 @@ function bugnote_get_all_visible_as_string( $p_bug_id, $p_user_bugnote_order, $p
 $t_note_string .= "\n" . $t_note->note . "\n";
 
 if ( !empty( $t_output ) ) {
- $t_output .= "---\n";
+ # Use a marker that doesn't confuse markdown parser.
+ # `---` or `===` would mark previous line as a header.
+ $t_output .= "=-=\n";
 }
 
 $t_output .= $t_note_string;

From 2d2309a384bcd9d4b6d7d2928e8ded2c46d2d7b0 Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Fri, 19 May 2017 17:48:57 +0200
Subject: [PATCH 2/2] Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org reported a CSRF vulnerability in permalink_page.php, allowing an attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url() 7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes #22702, #22816
---
 core/filter_api.php | 5 ++++-
 core/string_api.php | 4 +++-
 permalink_page.php | 4 ++++
 tests/Mantis/StringTest.php | 1 +
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/core/filter_api.php b/core/filter_api.php
index ac6a630ced..bee19cdc0d 100644
--- a/core/filter_api.php
+++ b/core/filter_api.php
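Review bot: The new separator on the added `$t_output .= "=-=\n";` line is a bare magic string that is also part of the value this function returns, so any consumer that splits the aggregated notes on the old `---` line would silently break; no such consumer is visible in this patch, so please check callers before merging. Hoisting it into a named local with the reasoning attached, e.g. `$t_separator = "=-=\n"; # a run of only '-' or '=' would turn the previous line into a markdown header`, keeps the why in one place and makes the format change easy to mention in the function's docblock. bugnote_get_all_visible_as_string's body starts and ends outside the hunk.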
@@ -2451,8 +2451,11 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 filter_print_view_type_toggle( $t_url, $t_filter['_view_type'] );
 
 if( access_has_project_level( config_get( 'create_permalink_threshold' ) ) ) {
+ # Add CSRF protection, see #22702
+ $t_permalink_url = urlencode( filter_get_url( $t_filter ) )
+ . form_security_param( 'permalink' );
 echo '
  • '; - echo ''; + echo ''; echo '  ' . lang_get( 'create_filter_link' ); echo ''; echo '
  • ';
diff --git a/core/string_api.php b/core/string_api.php
index 4e3c238cdf..fb2e65ebc3 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 }
 
 # Start extracting regex matches
- $t_script = $t_matches['script'];
+ # Encode backslashes to prevent unwanted escaping of a leading '/' allowing
+ # redirection to external sites
+ $t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) );
 $t_script_path = $t_matches['path'];
 
 # Clean/encode query params
diff --git a/permalink_page.php b/permalink_page.php
index 87a9058916..b73ccabf0b 100644
--- a/permalink_page.php
+++ b/permalink_page.php
@@ -36,6 +36,7 @@ require_once( 'core.php' );
 require_api( 'access_api.php' );
 require_api( 'config_api.php' );
+require_api( 'form_api.php' );
 require_api( 'gpc_api.php' );
 require_api( 'html_api.php' );
 require_api( 'lang_api.php' );
@@ -43,6 +44,8 @@ require_api( 'string_api.php' );
 require_api( 'utility_api.php' );
 
+form_security_validate( 'permalink' );
+
 layout_page_header();
 layout_page_begin();
 
@@ -75,4 +78,5 @@ ?>
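Review bot: `$t_permalink_url`, assembled in the added lines, is not a URL but the query-string tail of the link to permalink_page.php (the URL-encoded filter URL followed by whatever `form_security_param( 'permalink' )` returns), so the name misleads; `$t_permalink_query` would read better. The line that echoes it into the href attribute is garbled in this rendering, so I could not check its escaping; if `form_security_param()` returns a `&name=value` fragment, that `&` should be emitted as `&amp;` like the rest of the link, or the value passed through the same attribute escaping the surrounding echo lines use. This hunk sits inside filter_draw_selection_area2, whose body starts and ends outside it.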
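Review bot: The added `strtr( $t_matches['script'], array( '\\' => '%5C' ) )` only normalises the `script` capture, while `$t_script_path = $t_matches['path'];` on the next line still takes the path component verbatim, so a backslash there is not treated the same way. Unless a later step of string_sanitize_url() (its body continues past the hunk) encodes the path as well, apply the same `strtr()` to `$t_script_path` so both components are handled consistently. The diffstat lists a change to tests/Mantis/StringTest.php that is not shown here; a case with a backslash in the path portion would pin whichever behaviour is intended.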
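Review bot: `form_security_validate( 'permalink' );` is placed before `layout_page_header()`, which is the right spot if a failed validation ends the request before any output, but only half of the token's lifecycle is visible: the final hunk at line 75 is cut off in this rendering, so I cannot tell whether the token is invalidated once the permalink has been rendered. A one-line comment above the call, `# Reject requests that do not carry the token issued alongside the permalink link in filter_draw_selection_area2() (#22702)`, would tie this check to the code that issues the token. Since the check presumably rejects any request lacking a valid token, the page's header docblock should also note that permalink_page.php is no longer reachable through a bare `?url=` address.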