
Fixed: External images are automatically loaded in forward screen (bug#14398).
milanrakic authored and zilibasic committed May 9, 2019
1 parent 9fed451 commit edbc7371a52fc5d0032e934d2456b5f39da317f1
@@ -1,4 +1,6 @@
#5.0.36 ????-??-??
- 2019-05-09 Fixed bug#[14114](https://bugs.otrs.org/show_bug.cgi?id=14114) - External images are automatically loaded in forward screen.
New config 'Ticket::Frontend::BlockLoadingRemoteContent' is added. It controls if external content should be loaded, by default it is disabled.
- 2019-04-12 Updated CPAN module Mozilla::CA.

#5.0.35 2019-04-26
@@ -1866,6 +1866,17 @@
</Option>
</Setting>
</ConfigItem>
<ConfigItem Name="Ticket::Frontend::BlockLoadingRemoteContent" Required="0" Valid="1">
<Description Translatable="1">Makes the application block external content loading.</Description>
<Group>Ticket</Group>
<SubGroup>Frontend::Agent</SubGroup>
<Setting>
<Option SelectedID="0">
<Item Key="0" Translatable="1">No</Item>
<Item Key="1" Translatable="1">Yes</Item>
</Option>
</Setting>
</ConfigItem>
<ConfigItem Name="Ticket::Frontend::CustomerInfoCompose" Required="1" Valid="1">
<Description Translatable="1">Shows the customer user information (phone and email) in the compose screen.</Description>
<Group>Ticket</Group>
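Review bot: The Description of the new `Ticket::Frontend::BlockLoadingRemoteContent` item does not say what is blocked or that the per-article "load external images" confirmation is withheld while the setting is on, which is what the `RichTextDocumentServe` hunk of this commit implements; an administrator reading only "Makes the application block external content loading." cannot tell that. Consider `<Description Translatable="1">Blocks loading of remote content (e.g. external images) in ticket screens and hides the confirmation link that would otherwise allow loading it.</Description>`. The default `SelectedID="0"` matches the changelog line, which states the setting is disabled by default.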
@@ -1329,6 +1329,15 @@ sub Run {
# set Body var to calculated content
$GetParam{Body} = $Body;

# Strip out external content if needed.
if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
String => $GetParam{Body},
NoExtSrcLoad => 1,
);
$GetParam{Body} = $SafetyCheckResult{String};
}

if ( $Self->{ReplyToArticle} ) {
my $TicketSubjectRe = $ConfigObject->Get('Ticket::SubjectRe') || 'Re';
$GetParam{Subject} = $TicketSubjectRe . ': ' . $Self->{ReplyToArticleContent}{Subject};
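Review bot: The "Strip out external content if needed" block is repeated verbatim in three further hunks of this commit (`@@ -1180,6 +1180,15 @@`, `@@ -295,6 +295,15 @@ sub Form` and `@@ -351,6 +351,15 @@`), differing only in the hash that holds the body; a single shared helper that takes the body string and returns the filtered one would keep the four copies from drifting, and in each case `$ConfigObject` is assumed to be defined earlier in the sub, outside the hunk. The call requests only `NoExtSrcLoad => 1`, whereas `RichTextDocumentServe` in the same commit passes the other `No*` options explicitly, which suggests Safety's filters are opt-in; a comment such as `# Only remote src= references are removed here (NoExtSrcLoad); no other Safety filters are requested.` would stop a reader from taking this for the full sanitiser. `$SafetyCheckResult{Replace}` is discarded, so the agent gets no indication that something was removed from the quoted body; if that is intended for the compose screens it is worth stating in the comment. The enclosing `Run` starts and ends outside the hunk.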
@@ -168,15 +168,6 @@ sub Run {
# set filename for inline viewing
$Data{Filename} = "Ticket-$Article{TicketNumber}-ArticleID-$Article{ArticleID}.html";

my $LoadExternalImages = $ParamObject->GetParam(
Param => 'LoadExternalImages'
) || 0;

# safety check only on customer article
if ( !$LoadExternalImages && $Article{SenderType} ne 'customer' ) {
$LoadExternalImages = 1;
}

# generate base url
my $URL = 'Action=AgentTicketAttachment;Subaction=HTMLView'
. ";ArticleID=$ArticleID;FileID=";
@@ -187,6 +178,22 @@ sub Run {
UserID => $Self->{UserID},
);

# Do not load external images if 'BlockLoadingRemoteContent' is enabled.
my $LoadExternalImages;
if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
$LoadExternalImages = 0;
}
else {
$LoadExternalImages = $ParamObject->GetParam(
Param => 'LoadExternalImages'
) || 0;

# Safety check only on customer article.
if ( !$LoadExternalImages && $Article{SenderType} ne 'customer' ) {
$LoadExternalImages = 1;
}
}

# reformat rich text document to have correct charset and links to
# inline documents
%Data = $LayoutObject->RichTextDocumentServe(
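Review bot: The new `$LoadExternalImages` decision is duplicated in the customer attachment hunk (`@@ -139,6 +131,22 @@`), which reads the setting through `$Kernel::OM->Get('Kernel::Config')->Get(...)` while this one uses `$ConfigObject`; both presumably resolve the same object, but one form should be used in both places, and `$ConfigObject` here must be defined earlier in `Run`, outside the hunk. As far as this commit shows, the served document is sanitised by `RichTextDocumentServe` only when the caller passes a false `LoadExternalImages`, so the block relies on every caller performing this check; it would be worth a comment here, e.g. `# The setting is enforced per caller; RichTextDocumentServe itself only honours LoadExternalImages.`, so that a later caller is not written without it. The `|| 0` on `GetParam` keeps the request flag a plain number, which is fine.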
@@ -1180,6 +1180,15 @@ sub Run {
UploadCacheObject => $UploadCacheObject,
);

# Strip out external content if needed.
if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
String => $Data{Body},
NoExtSrcLoad => 1,
);
$Data{Body} = $SafetyCheckResult{String};
}

# restrict number of body lines if configured
if (
$Data{Body}
@@ -295,6 +295,15 @@ sub Form {
AttachmentsInclude => 1,
);

# Strip out external content if needed.
if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
String => $Data{Body},
NoExtSrcLoad => 1,
);
$Data{Body} = $SafetyCheckResult{String};
}

if ( $LayoutObject->{BrowserRichText} ) {

# prepare body, subject, ReplyTo ...
@@ -351,6 +351,15 @@ sub Run {
$Article{ContentType} = 'text/plain';
}

# Strip out external content if needed.
if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
String => $Article{Body},
NoExtSrcLoad => 1,
);
$Article{Body} = $SafetyCheckResult{String};
}

# show customer info
if ( $ConfigObject->Get('Ticket::Frontend::CustomerInfoCompose') ) {
if ( $Article{CustomerUserID} ) {
@@ -121,14 +121,6 @@ sub Run {
# unset filename for inline viewing
$Data{Filename} = "Ticket-$Article{TicketNumber}-ArticleID-$Article{ArticleID}.html";

# safety check only on customer article
my $LoadExternalImages = $ParamObject->GetParam(
Param => 'LoadExternalImages'
) || 0;
if ( !$LoadExternalImages && $Article{SenderType} ne 'customer' ) {
$LoadExternalImages = 1;
}

# generate base url
my $URL = 'Action=CustomerTicketAttachment;Subaction=HTMLView'
. ";ArticleID=$ArticleID;FileID=";
@@ -139,6 +131,22 @@ sub Run {
UserID => $Self->{UserID},
);

# Do not load external images if 'BlockLoadingRemoteContent' is enabled.
my $LoadExternalImages;
if ( $Kernel::OM->Get('Kernel::Config')->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
$LoadExternalImages = 0;
}
else {
$LoadExternalImages = $ParamObject->GetParam(
Param => 'LoadExternalImages'
) || 0;

# Safety check only on customer article.
if ( !$LoadExternalImages && $Article{SenderType} ne 'customer' ) {
$LoadExternalImages = 1;
}
}

# reformat rich text document to have correct charset and links to
# inline documents
%Data = $LayoutObject->RichTextDocumentServe(
@@ -4449,8 +4449,7 @@ sub RichTextDocumentServe {

if ( !$Param{LoadExternalImages} ) {

# Strip out external images, but show a confirmation button to
# load them explicitly.
# Strip out external content.
my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
String => $Param{Data}->{Content},
NoApplet => 1,
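Review bot: `RichTextDocumentServe` still decides whether to strip remote content purely from `$Param{LoadExternalImages}` at `if ( !$Param{LoadExternalImages} ) {`, and consults `Ticket::Frontend::BlockLoadingRemoteContent` only in the following hunk to decide whether to show the confirmation button; the block therefore depends on every caller having been updated to pass 0, as the two attachment modules in this commit are. Checking the setting here as well, e.g. `if ( !$Param{LoadExternalImages} || $Kernel::OM->Get('Kernel::Config')->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {`, would enforce it centrally for any caller this commit does not touch. The new one-line comment `# Strip out external content.` could also mention that the confirmation link is suppressed by the setting, since the two halves of that logic are split across hunks. `RichTextDocumentServe` starts before this hunk and continues after it.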
@@ -4465,7 +4464,12 @@ sub RichTextDocumentServe {

$Param{Data}->{Content} = $SafetyCheckResult{String};

if ( $SafetyCheckResult{Replace} ) {
# Show confirmation button to load external content explicitly only if BlockLoadingRemoteContent is disabled.
if (
$SafetyCheckResult{Replace}
&& !$Kernel::OM->Get('Kernel::Config')->Get('Ticket::Frontend::BlockLoadingRemoteContent')
)
{

# Generate blocker message.
my $Message = $Self->Output( TemplateFile => 'AttachmentBlocker' );
@@ -14,7 +14,6 @@ use vars (qw($Self));

local $ENV{SCRIPT_NAME} = 'index.pl';

# get needed objects
$Kernel::OM->ObjectParamAdd(
'Kernel::System::UnitTest::Helper' => {
RestoreDatabase => 1,
@@ -30,6 +29,13 @@ $Kernel::OM->ObjectParamAdd(
);
my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

# Disable global external content blocking.
$Helper->ConfigSettingChange(
Valid => 1,
Key => 'Ticket::Frontend::BlockLoadingRemoteContent',
Value => 0,
);

my @Tests = (
{
Name => '',
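Review bot: The test change only pins the setting to 0 so the existing expectations keep passing; nothing in this hunk exercises the new branch in which `BlockLoadingRemoteContent` is enabled, which this commit's `RichTextDocumentServe` hunk handles by stripping content and not rendering the `AttachmentBlocker` template. A second pass over the same `@Tests` after `$Helper->ConfigSettingChange( Valid => 1, Key => 'Ticket::Frontend::BlockLoadingRemoteContent', Value => 1 );`, expecting the served output to carry neither the remote `src` nor the blocker markup, would cover it. The `@Tests` array begins at the end of this hunk and continues outside it.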
