Security: Fix XSS in social network and one extended access to tickets
ywarnier committed Jan 16, 2019
1 parent 41d8a38 commit 33e2692
Showing 4 changed files with 20 additions and 13 deletions.
4 changes: 2 additions & 2 deletions main/inc/lib/TicketManager.php
Expand Up @@ -966,7 +966,7 @@ public static function getTicketsByCurrentUser(

if ($isAdmin) {
$ticket = [
$icon.' '.$row['subject'],
$icon.' '.Security::remove_XSS($row['subject']),
$row['status_name'],
$row['start_date'],
$row['sys_lastedit_datetime'],
Expand All @@ -977,7 +977,7 @@ public static function getTicketsByCurrentUser(
];
} else {
$ticket = [
$icon.' '.$row['subject'],
$icon.' '.Security::remove_XSS($row['subject']),
$row['status_name'],
$row['start_date'],
$row['sys_lastedit_datetime'],
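Review bot: The escaped subject is built twice with the identical expression, once in the `$isAdmin` branch and once in the `else` branch of both hunks; hoisting it above the conditional as `$subject = $icon.' '.Security::remove_XSS($row['subject']);` and using `$subject` in both arrays means a later edit cannot re-introduce the raw value on one side only. `$icon` is concatenated untreated, which is fine if it is generated markup rather than user data; a short comment stating that would help the next reader. If `Security::remove_XSS` is a purifier-style filter rather than an HTML-context escaper, a plain-text grid cell could instead be passed through `htmlspecialchars` with `ENT_QUOTES`, but that depends on what the grid renderer expects. getTicketsByCurrentUser starts before the first hunk and continues after the second.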
6 changes: 3 additions & 3 deletions main/messages/new_message.php
Expand Up @@ -186,7 +186,7 @@ function manageForm($default, $select_from_user_list = null, $sent_to = '', $tpl

if (isset($_GET['re_id'])) {
$message_reply_info = MessageManager::get_message_by_id($_GET['re_id']);
$default['title'] = get_lang('MailSubjectReplyShort').' '.$message_reply_info['title'];
$default['title'] = get_lang('MailSubjectReplyShort').' '.Security::remove_XSS($message_reply_info['title']);
$form->addHidden('re_id', (int) $_GET['re_id']);
$form->addHidden('save_form', 'save_form');

Expand All @@ -207,14 +207,14 @@ function manageForm($default, $select_from_user_list = null, $sent_to = '', $tpl
$fileListToString = !empty($attachments) ? implode('<br />', $attachments) : '';
$form->addLabel('', $fileListToString);
}
$default['title'] = '['.get_lang('MailSubjectForwardShort').": ".$message_reply_info['title'].']';
$default['title'] = '['.get_lang('MailSubjectForwardShort').": ".Security::remove_XSS($message_reply_info['title']).']';
$form->addHidden('forward_id', $forwardId);
$form->addHidden('save_form', 'save_form');
$receiverInfo = api_get_user_info($message_reply_info['user_receiver_id']);

$forwardMessage = '---------- '.get_lang('ForwardedMessage').' ---------'.'<br />';
$forwardMessage .= get_lang('Date').': '.api_get_local_time($message_reply_info['send_date']).'<br />';
$forwardMessage .= get_lang('Subject').': '.$message_reply_info['title'].'<br />';
$forwardMessage .= get_lang('Subject').': '.Security::remove_XSS($message_reply_info['title']).'<br />';
$forwardMessage .= get_lang('To').': '.$receiverInfo['complete_name'].' - '.$receiverInfo['email'].' <br />';
$default['content'] = '<p><br/></p>'.$forwardMessage.'<br />'.Security::filter_terms($message_reply_info['content']);
}
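Review bot: In the forward hunk, `$receiverInfo['complete_name']` and `$receiverInfo['email']` on the `To:` line are concatenated into `$forwardMessage` unescaped, directly after the newly filtered title; unless api_get_user_info already filters those fields, they need the same treatment, e.g. `$forwardMessage .= get_lang('To').': '.Security::remove_XSS($receiverInfo['complete_name']).' - '.Security::remove_XSS($receiverInfo['email']).' <br />';`. In the reply hunk, `MessageManager::get_message_by_id($_GET['re_id'])` receives the raw query value while the hidden field two lines later uses `(int) $_GET['re_id']`; casting once, `$reId = (int) $_GET['re_id'];`, and using `$reId` in both calls keeps the lookup and the form consistent. manageForm starts before the first hunk and ends after the second.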
10 changes: 5 additions & 5 deletions main/social/personal_data.php
Expand Up @@ -256,7 +256,7 @@
$personalDataContent .= '<li>'.get_lang('NoData').'</li>';
} else {
foreach ($subValue as $subSubValue) {
$personalDataContent .= '<li>'.$subSubValue.'</li>';
$personalDataContent .= '<li>'.Security::remove_XSS($subSubValue).'</li>';
}
}
$personalDataContent .= '</ul>';
Expand All @@ -268,7 +268,7 @@
$personalDataContent .= '<li>'.get_lang('NoData').'</li>';
} else {
foreach ($value as $subValue) {
$personalDataContent .= '<li>'.$subValue->variable.': '.$subValue->value.'</li>';
$personalDataContent .= '<li>'.$subValue->variable.': '.Security::remove_XSS($subValue->value).'</li>';
}
}
$personalDataContent .= '</ul>';
Expand All @@ -292,7 +292,7 @@
);
$personalDataContent .= '<li>'.$documentLink.'</li>';
} else {
$personalDataContent .= '<li>'.$subSubValue.'</li>';
$personalDataContent .= '<li>'.Security::remove_XSS($subSubValue).'</li>';
}
}
}
Expand All @@ -312,7 +312,7 @@
$personalDataContent .= '<li>'.get_lang('NoData').'</li>';
} else {
foreach ($value as $subValue) {
$personalDataContent .= '<li>'.$subValue.'</li>';
$personalDataContent .= '<li>'.Security::remove_XSS($subValue).'</li>';
}
}
$personalDataContent .= '</ul>';
Expand Down Expand Up @@ -350,7 +350,7 @@
$personalDataContent .= '<li>'.$key.': '.get_lang('ComplexDataNotShown').'</li>';
}*/
} else {
$personalDataContent .= '<li>'.$key.': '.$value.'</li>';
$personalDataContent .= '<li>'.$key.': '.Security::remove_XSS($value).'</li>';
}
}
$personalDataContent .= '</ul>';
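Review bot: `$subValue->variable` on the `variable.': '` line and `$key` in the last hunk are still concatenated into the `<li>` unescaped while the values beside them are now filtered; if these names can originate from user-editable extra fields rather than fixed internal identifiers, they should be treated the same way, e.g. `$personalDataContent .= '<li>'.Security::remove_XSS($subValue->variable).': '.Security::remove_XSS($subValue->value).'</li>';`. The five hunks repeat the same `'<li>'.Security::remove_XSS(...).'</li>'` construction; a small local helper that returns one escaped list item would make it harder to miss a spot when further fields are added to this export. The `$documentLink` branch emits pre-built markup and is reasonably left alone, provided the link text was escaped where it was assembled, which is outside this hunk.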
13 changes: 10 additions & 3 deletions main/ticket/ticket_details.php
Expand Up @@ -121,7 +121,12 @@ class: "controls"

$ticket_id = (int) $_REQUEST['ticket_id'];
$ticket = TicketManager::get_ticket_detail_by_id($ticket_id);
if (!isset($ticket['ticket'])) {
if (!isset($ticket['ticket']) ||
// make sure it's either a user assigned to this ticket, or the reporter, or and admin
!($ticket['ticket']['assigned_last_user'] == $user_id ||
$ticket['ticket']['sys_insert_user_id'] == $user_id ||
$isAdmin)
) {
api_not_allowed(true);
}
if (!isset($_REQUEST['ticket_id'])) {
Expand Down Expand Up @@ -347,11 +352,12 @@ class: "controls"
}
$senderData = get_lang('AddedBy').' '.$ticket['usuario']['complete_name_with_message_link'];


echo '<table width="100%" >
<tr>
<td colspan="3">
<h1>'.$title.'</h1>
<h2>'.$ticket['ticket']['subject'].'</h2>
<h2>'.Security::remove_XSS($ticket['ticket']['subject']).'</h2>
<p>
'.$senderData.' '.
get_lang('Created').' '.
Expand Down Expand Up @@ -405,11 +411,12 @@ class: "controls"
<td colspan="2"></td>
</tr>';
}

echo '<tr>
<td>
<hr />
<b>'.get_lang('Description').':</b> <br />
'.$ticket['ticket']['message'].'
'.Security::remove_XSS($ticket['ticket']['message']).'
<hr />
</td>
</tr>
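Review bot: The new authorization check in the first hunk compares `assigned_last_user` and `sys_insert_user_id` against `$user_id` with loose `==`, so a null assignee column compares equal to a `$user_id` of 0 and string column values follow PHP's version-dependent numeric-string rules; cast and compare strictly, `(int) $ticket['ticket']['assigned_last_user'] === (int) $user_id`, and likewise for `sys_insert_user_id`, so the check fails closed regardless of what the row holds. The `isset($_REQUEST['ticket_id'])` guard at the end of that hunk runs after `$_REQUEST['ticket_id']` has already been cast and used to load the ticket; moving it above the cast, or dropping it in favour of the `isset($ticket['ticket'])` test that already covers a missing id, would make the order of checks read correctly. The inline comment says "or and admin" where "or an admin" is meant. `$user_id` and `$isAdmin` are assigned outside the hunk, so the guard relies on both being set on every path that reaches this point.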
