request #22570: XSS via the name of a deleted attachment
Change-Id: I3b7289c719ed8eacb836237fc186f59898b627bc
LeSuisse committed Jul 26, 2021
1 parent 6e0f8bf commit d6c837e
Showing 2 changed files with 8 additions and 7 deletions.
Expand Up @@ -242,7 +242,8 @@ private function formatDiff($changeset_value, $format, $is_for_mail)
$removed[] = $fi->getFilename();
}
if ($removed = implode(', ', $removed)) {
$result .= $removed . ' ' . dgettext('tuleap-tracker', 'removed');
$purifier = Codendi_HTMLPurifier::instance();
$result .= $purifier->purify($removed) . ' ' . dgettext('tuleap-tracker', 'removed');
}

$added = $this->fetchAddedFiles(array_diff($this->files, $changeset_value->getFiles()), $format, $is_for_mail);
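Review bot: The new `$purifier->purify($removed)` on the removed-files list runs regardless of `$format`, yet the same function hands `$format` and `$is_for_mail` to fetchAddedFiles on the following line, which suggests formatDiff can also render a non-HTML variant; on that path the filenames would reach a plain-text mail as HTML entities. If such a path exists, tie the escape to the format, e.g. `$result .= ($format === 'html' ? $purifier->purify($removed) : $removed) . ' ' . dgettext('tuleap-tracker', 'removed');` (assuming 'html' is the token the class uses for its HTML format). Hoisting `$purifier = Codendi_HTMLPurifier::instance();` above the `if` would also keep the helper next to the rest of the setup instead of inside one branch. formatDiff begins and ends outside the hunk, so how `$format` is handled before this point is not visible here.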
Expand Up @@ -310,7 +310,7 @@ public function fetchAllAttachment(
$uh = UserHelper::instance();
$added = [];
foreach ($values as $fileinfo) {
$query_link = $this->getFileHTMLUrl($fileinfo);
$query_link = $hp->purify($this->getFileHTMLUrl($fileinfo));
$sanitized_description = $hp->purify($fileinfo->getDescription(), CODENDI_PURIFIER_CONVERT_HTML);

$link_show = '<a href="' . $query_link . '"' .
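Review bot: `$hp->purify(...)` around getFileHTMLUrl on the changed line covers the HTML-attribute context only; whatever that helper embeds in the path — presumably the attachment filename, given the commit title — still needs URL encoding where the URL is assembled, otherwise a name containing `?`, `#` or `%` yields a link that is safe but broken, and the protection stays dependent on every call site remembering the escape. Consider `rawurlencode()` on the filename segment inside getFileHTMLUrl (outside this hunk) and keep the purify() call here as the attribute-level escape, so the two layers are independent. The same reasoning applies to getFileHTMLPreviewUrl further down in this method. fetchAllAttachment begins before this hunk.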
Expand All @@ -326,15 +326,15 @@ public function fetchAllAttachment(
if ($submitter_needed) {
$add .= '<div class="tracker_artifact_attachment_submitter">' . 'By ' . $uh->getLinkOnUserFromUserId($fileinfo->getSubmittedBy()) . '</div>';
}
$add .= '<div class="tracker_artifact_attachment_size">(' . $fileinfo->getHumanReadableFilesize() . ')</div>';
$add .= '<div class="tracker_artifact_attachment_size">(' . $hp->purify($fileinfo->getHumanReadableFilesize()) . ')</div>';
$add .= '<div>';
$add .= $link_show . '<i class="fa fa-eye"></i></a>';
$add .= '<a href="' . $query_link . '" download><i class="fa fa-download"></i></a>';
$add .= '</div>';
$add .= '</div>';

if ($fileinfo->isImage()) {
$query_add = $this->getFileHTMLPreviewUrl($fileinfo);
$query_add = $hp->purify($this->getFileHTMLPreviewUrl($fileinfo));

$add .= '<div class="tracker_artifact_preview_attachment image">';
$add .= '<div style="background-image: url(\'' . $query_add . '\')"></div>';
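Review bot: The purified preview URL on the last line is placed inside a CSS `url('…')` within a `style` attribute, and purify() escapes for the attribute delimiters only: characters such as `)` or `\` are not HTML-escaped, so a value containing them could still close the url() token and alter the inline style, a CSS-context problem that attribute escaping does not address. Either validate that the value returned by getFileHTMLPreviewUrl contains only URL-safe characters (rawurlencode at the point where the filename enters the path would do it) or render the preview as an `<img>` whose `src` attribute needs attribute escaping alone. The size value purified earlier in the hunk, `$hp->purify($fileinfo->getHumanReadableFilesize())`, is presumably derived server-side from a byte count, so a short comment such as `// defensive: the size string is server-generated` would save the next reader from searching for an untrusted input. The enclosing foreach continues past the end of the hunk.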
Expand Down Expand Up @@ -508,13 +508,13 @@ protected function fetchMailAllAttachment($artifact_id, $values, $format)
$hp = Codendi_HTMLPurifier::instance();
$added = [];
foreach ($values as $fileinfo) {
$query_link = $this->getFileHTMLUrl($fileinfo);
$query_link = $hp->purify($this->getFileHTMLUrl($fileinfo));
$sanitized_description = $hp->purify($fileinfo->getDescription(), CODENDI_PURIFIER_CONVERT_HTML);
$link_show = '<a href="' . $url . $query_link . '"
title="' . $sanitized_description . '">';

$info = $link_show . $hp->purify($fileinfo->getFilename(), CODENDI_PURIFIER_CONVERT_HTML) . '</a>';
$info .= ' (' . $fileinfo->getHumanReadableFilesize() . ')';
$info .= ' (' . $hp->purify($fileinfo->getHumanReadableFilesize()) . ')';

$add = '<div class="tracker_artifact_attachment">';
$add .= '<table><tr><td>';
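Review bot: In the href assembled on the `$link_show` line the now-escaped `$query_link` is appended to `$url`, which is not escaped and not defined within the hunk; if `$url` is anything other than a server-configured base, it should pass through the same call, e.g. `'<a href="' . $hp->purify($url . $query_link) . '"`, which keeps one escape covering the whole attribute value. This hunk also repeats, line for line, the per-attachment escaping that fetchAllAttachment now performs (URL, description, filename, size); a small private helper returning the already-escaped pieces would stop the HTML and mail renderers from drifting apart on the next fix. fetchMailAllAttachment begins before this hunk and continues after it.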
Expand Down Expand Up @@ -660,7 +660,7 @@ protected function fetchTooltipValue(Artifact $artifact, ?Tracker_Artifact_Chang

if ($file_info->isImage()) {
$query = $this->getFileHTMLPreviewUrl($file_info);
$add .= '<img src="' . $query . '"
$add .= '<img src="' . $hp->purify($query) . '"
alt="' . $hp->purify($file_info->getDescription(), CODENDI_PURIFIER_CONVERT_HTML) . '"
>';
} elseif ($file_info->getDescription()) {
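Review bot: The preview URL is escaped at its point of use here, `$hp->purify($query)` inside the img tag, whereas the fetchAllAttachment hunk escapes the same helper's result at assignment; one convention makes it far easier to audit that every use of `$query` is covered. Unless `$query` is needed unescaped elsewhere in the method, prefer `$query = $hp->purify($this->getFileHTMLPreviewUrl($file_info));` and leave the tag as `'<img src="' . $query . '"`. fetchTooltipValue begins before this hunk and continues after it, so any other use of `$query` is not visible here.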
