security: Reported Vulns July-August 2020 #5616

xss: Internal Notes
This addresses a vulnerability reported by heinhtetaung where Internal Note
contents are not correctly sanitized if errors are returned. This adds
`true` as the second argument to `Format::htmlchars()` so that all content
is sanitized properly. In some cases, however, we cannot blanket-sanitize all
the content, as Inline Images, etc. tend to get obfuscated. In those cases
this adds `Format::sanitize()` to the Internal Notes directly.
JediKev committed Aug 19, 2020
commit fb570820ef1138776f929a179906e1d8089179d9
2 changes: 1 addition & 1 deletion include/staff/apikey.inc.php
Expand Up @@ -15,7 +15,7 @@
$info['isactive']=isset($info['isactive'])?$info['isactive']:1;
$qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info, true);
?>
<form action="apikeys.php?<?php echo Http::build_query($qs); ?>" method="post" class="save">
<?php csrf_token(); ?>
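Review bot: The value handed to `Format::htmlchars(..., true)` on the new line is an array (`$_POST` when validation failed, else `$info`), so the fix only holds if the helper's array branch forwards the second argument to every element; if it recurses through a plain `array_map` that drops the flag, re-rendered `$_POST` values would still reach the form unsanitized. That implementation is outside this hunk, so it is worth confirming with a submission that fails validation and carries markup in a text field, including nested array fields where the form has them. A short comment would also keep the intent from being lost in a later edit: `// On validation errors $_POST is re-rendered: the second arg asks htmlchars() to sanitize it`. The banrule, category, dynamic-list, email, filter, role, slaplan and template sections make the identical change and the same check applies to each.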
2 changes: 1 addition & 1 deletion include/staff/banrule.inc.php
Expand Up @@ -17,7 +17,7 @@
$qs += array('a' => $_REQUEST['a']);
}

$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info, true);
?>
<form action="banlist.php?<?php echo Http::build_query($qs); ?>" method="post" class="save">
<?php csrf_token(); ?>
2 changes: 1 addition & 1 deletion include/staff/cannedresponse.inc.php
Expand Up @@ -110,7 +110,7 @@
<tr>
<td colspan=2>
<textarea class="richtext no-bar" name="notes" cols="21"
rows="8" style="width: 80%;"><?php echo $info['notes']; ?></textarea>
rows="8" style="width: 80%;"><?php echo Format::sanitize($info['notes']); ?></textarea>
</td>
</tr>
</tbody>
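Review bot: `Format::sanitize()` is applied at the point of output for the `notes` textarea, which presumably keeps the HTML the `richtext` editor needs while stripping what it should not render, but it is a per-field call that is easy to drop when the markup is touched again; a comment on the line would help, e.g. `<?php /* notes may be unsaved $_POST on error: sanitize on output */ echo Format::sanitize($info['notes']); ?>`. Whether `$info['notes']` is always set on the add path is not visible in this hunk; if it can be absent, how `Format::sanitize()` treats a null input should be confirmed. The faq and page sections make the identical change.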
2 changes: 1 addition & 1 deletion include/staff/category.inc.php
Expand Up @@ -33,7 +33,7 @@
$submit_text=__('Add');
$qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info, true);

?>
<form action="categories.php?<?php echo Http::build_query($qs); ?>" method="post" class="save">
2 changes: 1 addition & 1 deletion include/staff/dynamic-list.inc.php
Expand Up @@ -16,7 +16,7 @@
$newcount=4;
}

$info=Format::htmlchars(($errors && $_POST) ? array_merge($info,$_POST) : $info);
$info=Format::htmlchars(($errors && $_POST) ? array_merge($info,$_POST) : $info, true);

?>
<form action="" method="post" class="save">
2 changes: 1 addition & 1 deletion include/staff/email.inc.php
Expand Up @@ -32,7 +32,7 @@
$info['smtp_auth'] = 1;
$qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info, true);
?>
<h2><?php echo $title; ?>
<?php if (isset($info['email'])) { ?><small>
2 changes: 1 addition & 1 deletion include/staff/faq.inc.php
Expand Up @@ -250,7 +250,7 @@ class="richtext draft" <?php
</div>
<div style="margin-top:10px"></div>
<textarea class="richtext no-bar" name="notes" cols="21"
rows="8" style="width: 80%;"><?php echo $info['notes']; ?></textarea>
rows="8" style="width: 80%;"><?php echo Format::sanitize($info['notes']); ?></textarea>
</div>

<p style="text-align:center;">
2 changes: 1 addition & 1 deletion include/staff/filter.inc.php
Expand Up @@ -21,7 +21,7 @@
$info['rules'] = array();
$qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info, true);
?>
<form action="filters.php?<?php echo Http::build_query($qs); ?>" method="post" class="save">
<?php csrf_token(); ?>
2 changes: 1 addition & 1 deletion include/staff/page.inc.php
Expand Up @@ -184,7 +184,7 @@
<em><strong><?php echo __('Internal Notes'); ?></strong>:
<?php echo __("Be liberal, they're internal"); ?></em>
<textarea class="richtext no-bar" name="notes" cols="21"
rows="8" style="width: 80%;"><?php echo $info['notes']; ?></textarea>
rows="8" style="width: 80%;"><?php echo Format::sanitize($info['notes']); ?></textarea>
</div>
</div>

2 changes: 1 addition & 1 deletion include/staff/role.inc.php
Expand Up @@ -15,7 +15,7 @@
$newcount=4;
}

$info = Format::htmlchars(($errors && $_POST) ? array_merge($info, $_POST) : $info);
$info = Format::htmlchars(($errors && $_POST) ? array_merge($info, $_POST) : $info, true);

?>
<form action="" method="post" class="save">
2 changes: 1 addition & 1 deletion include/staff/slaplan.inc.php
Expand Up @@ -18,7 +18,7 @@
$info['disable_overdue_alerts']=isset($info['disable_overdue_alerts'])?$info['disable_overdue_alerts']:0;
$qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info, true);
?>
<form action="slas.php?<?php echo Http::build_query($qs); ?>" method="post" class="save">
<?php csrf_token(); ?>
2 changes: 1 addition & 1 deletion include/staff/template.inc.php
Expand Up @@ -17,7 +17,7 @@
$info['lang_id'] = $cfg->getPrimaryLanguage();
$qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info, true);
?>
<form action="templates.php?<?php echo Http::build_query($qs); ?>" method="post" class="save">
<?php csrf_token(); ?>