
Commit bed19db

committed
XML Import: Fix php code injection vulnerability
Egidio Romano discovered a vulnerability in the XML import plugin. User input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed. This fix is a partial backport from a master branch commit which has been confirmed as addressing the issue (8401753) excluding changes not relevant to fixing the security issue, including subsequent fixes (aea1a34, 4350b4d). Fixes #17725 (CVE-2014-7146)
1 parent dc9f015 commit bed19db


1 file changed

+20
-9
lines changed

1 file changed

+20
-9
lines changed

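--- a/plugins/XmlImportExport/ImportXml.php
+++ b/plugins/XmlImportExport/ImportXml.php
@@ -102,16 +102,27 @@ public function import( ) {
 
 echo " Done\n";
 
-$importedIssues = $this->itemsMap_->getall( 'issue' );
-printf( "Processing cross-references for %s issues...", count( $importedIssues ) );
-foreach( $importedIssues as $oldId => $newId ) {
-$bugData = bug_get( $newId, true );
-
-$bugLinkRegexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/e';
-$replacement = '"\\1" . $this->getReplacementString( "\\2", "\\3" )';
+# replace bug references
+$t_imported_issues = $this->itemsMap_->getall( 'issue' );
+printf( 'Processing cross-references for %s issues...', count( $t_imported_issues ) );
+foreach( $t_imported_issues as $t_old_id => $t_new_id ) {
+$t_bug = bug_get( $t_new_id, true );
+$t_content_replaced = false;
+$t_bug_link_regexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/';
+
+# replace links in description
+preg_match_all( $t_bug_link_regexp, $t_bug->description, $t_matches );
+if( is_array( $t_matches[3] ) && count( $t_matches[3] ) > 0 ) {
+$t_content_replaced = true;
+foreach ( $t_matches[3] as $t_old_id2 ) {
+$t_bug->description = str_replace( $this->source_->issuelink . $t_old_id2, $this->getReplacementString( $this->source_->issuelink, $t_old_id2 ), $t_bug->description );
+}
+}
 
-$bugData->description = preg_replace( $bugLinkRegexp, $replacement, $bugData->description );
-$bugData->update( true, true );
+if( $t_content_replaced ) {
+# only update bug if necessary (otherwise last update date would be unnecessarily overwritten)
+$t_bug->update( true );
+}
 }
 echo " Done\n";
 }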
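Review bot: The `str_replace()` on new line 118 discards the boundaries that `$t_bug_link_regexp` enforces, so it rewrites every literal occurrence of `issuelink . id` in the description. With ids 1 and 12 both matched, replacing the reference to 1 also rewrites the front of the reference to 12; references the regex deliberately skipped (preceded by a word character) are changed as well, and a later iteration can re-replace text that an earlier one produced. Dropping the `e` modifier is the right fix for the code injection; a `preg_replace_callback()` with a method callback keeps the original single-pass, boundary-aware substitution without evaluating imported text, as sketched below (`replaceBugLink` is a proposed name; `import()` begins outside this hunk). Separately, `$t_bug->update( true )` no longer passes the second `true` that the old `update( true, true )` did; if that argument is the bypass-mail flag, confirm that imports are now meant to send notifications.

```php
# … unchanged: $t_bug lookup and $t_bug_link_regexp construction …

	# replace links in description in one pass, honouring the regex boundaries
	$t_new_description = preg_replace_callback(
		$t_bug_link_regexp,
		array( $this, 'replaceBugLink' ),
		$t_bug->description
	);
	if( $t_new_description !== null && $t_new_description !== $t_bug->description ) {
		$t_bug->description = $t_new_description;
		$t_content_replaced = true;
	}

# … unchanged: conditional $t_bug->update() …

# proposed helper: rebuild one match, keeping the character captured before the link
private function replaceBugLink( $p_matches ) {
	return $p_matches[1] . $this->getReplacementString( $p_matches[2], $p_matches[3] );
}
```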
