diff --git a/include/class.auth.php b/include/class.auth.php
index a0abe4ed4468455e9867730cd1d46a9d20fd3405..5ace9e26c3d121ada9aebf9643ef6fe3d0ff17e5 100644
--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -1063,7 +1063,8 @@ class AuthTokenAuthentication extends UserAuthenticationBackend {
             if (($ticket = Ticket::lookupByNumber($_GET['t'], $_GET['e']))
                     // Using old ticket auth code algo - hardcoded here because it
                     // will be removed in ticket class in the upcoming rewrite
-                    && !strcasecmp($_GET['a'], md5($ticket->getId() .  strtolower($_GET['e']) . SECRET_SALT))
+                    && strcasecmp((string) $_GET['a'], md5($ticket->getId()
+                            .  strtolower($_GET['e']) . SECRET_SALT)) === 0
                     && ($owner = $ticket->getOwner()))
                 $user = new ClientSession($owner);
         }
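Review bot: The new `strcasecmp(...) === 0` check still compares a value derived from `SECRET_SALT` with a string function that is not constant-time; `hash_equals()` is the primitive meant for this, provided the supported PHP versions include it. A replacement that keeps the case-insensitive match would be `&& hash_equals(md5($ticket->getId() . strtolower($_GET['e']) . SECRET_SALT), strtolower((string) $_GET['a']))`. `$_GET['e']` is still passed to `strtolower()` and `Ticket::lookupByNumber()` without the `(string)` cast now applied to `$_GET['a']`, so an array-valued parameter still reaches both. Whether that matters depends on `lookupByNumber`, which is not visible here. The enclosing method starts and ends outside this hunk.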
diff --git a/include/class.file.php b/include/class.file.php
index 204b7945fe4051d02b988578b89d309e7d99807f..2316301535b672fc4c8f6fc35283ba74bd3fc1cd 100644
--- a/include/class.file.php
+++ b/include/class.file.php
@@ -388,12 +388,15 @@ class AttachmentFile extends VerySimpleModel {
                 $file['data'] = base64_decode($file['data']);
             }
         }
-        if (isset($file['data'])) {
+
+        if (!isset($file['data']) && isset($file['dataclb'])
+                && is_callable($file['dataclb'])) {
             // Allow a callback function to delay or avoid reading or
             // fetching ihe file contents
-            if (is_callable($file['data']))
-                $file['data'] = $file['data']();
+            $file['data'] = $file['dataclb']();
+        }
 
+        if (isset($file['data'])) {
             list($key, $file['signature'])
                 = self::_getKeyAndHash($file['data']);
             if (!$file['key'])
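Review bot: `is_callable($file['dataclb'])` also accepts plain strings and `[class, method]` arrays that name an existing function, so the new key only helps while nothing untrusted can populate `dataclb`; the producers of `$file` are not visible in this hunk. Restricting the deferred loader to closures would remove that dependency: `&& $file['dataclb'] instanceof Closure`, which matches the closure assigned in class.mailfetch.php in this same diff. The comment above the call could also record why the callback has its own key, e.g. `// Callback lives in 'dataclb' so attachment contents in 'data' are never tested with is_callable()`. The enclosing method begins and continues outside the hunk.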
diff --git a/include/class.mailfetch.php b/include/class.mailfetch.php
index dd7edd815653fee8a8fb3f0a81e79863dc3d9a94..d814d1d9fe6289aa20bf0747b84fb1b7aa9b6f62 100644
--- a/include/class.mailfetch.php
+++ b/include/class.mailfetch.php
@@ -831,7 +831,7 @@ class MailFetcher {
                 else {
                     // only fetch the body if necessary
                     $self = $this;
-                    $file['data'] = function() use ($self, $mid, $a) {
+                    $file['dataclb'] = function() use ($self, $mid, $a) {
                         return $self->decode(imap_fetchbody($self->mbox,
                             $mid, $a['index']), $a['encoding']);
                     };
diff --git a/include/class.pdf.php b/include/class.pdf.php
index 5e0b76371a55886d90e1353c886064fcff931c42..14c7b20c97c0dd948a7f87f2a8a472c8daa92b5e 100644
--- a/include/class.pdf.php
+++ b/include/class.pdf.php
@@ -19,6 +19,9 @@ define('THIS_DIR', str_replace('\\', '/', Misc::realpath(dirname(__FILE__))) . '
 
 require_once(INCLUDE_DIR.'mpdf/vendor/autoload.php');
 
+// unregister phar stream to mitigate vulnerability in mpdf library
+@stream_wrapper_unregister('phar');
+
 class mPDFWithLocalImages extends Mpdf {
     function WriteHtml($html, $sub = 0, $init = true, $close = true) {
         static $filenumber = 1;
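Review bot: The `@` on `stream_wrapper_unregister('phar')` hides a failed unregister, so the mitigation can be silently absent. Test and report instead: `if (in_array('phar', stream_get_wrappers(), true) && !stream_wrapper_unregister('phar')) error_log('phar stream wrapper could not be unregistered');`. The call is process-wide and runs only when this file is included, and the comment should say both things: it disables `phar://` for all later code in the request, and it gives no protection on code paths that never load class.pdf.php.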
diff --git a/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php b/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php
index eabda53c3c74f1d385a3dd5782dca78131c8812b..a78362033d43265112577b87e9239d69d61895ef 100644
--- a/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php
+++ b/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php
@@ -2224,6 +2224,17 @@ class CssManager
 			$path = preg_replace('/\.css\?.*$/', '.css', $path);
 		}
 
+        /*** Start osTicket Security Patch ***/
+
+        // Make sure only schemes allowed are http & https - this is to
+        // neutralize phar:// attack
+        $scheme = parse_url($path, PHP_URL_SCHEME);
+        if ($scheme && !in_array(strtolower($scheme), ['http', 'https']))
+            return '';
+
+        /*** End osTicket Security Patch ***/
+
+
 		$contents = @file_get_contents($path);
 
 		if ($contents) {
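Review bot: The scheme check in the osTicket patch block uses a loose `in_array` and returns `''` with no trace; pass the strict flag, `if ($scheme && !in_array(strtolower($scheme), ['http', 'https'], true))`, and log the rejected path so operators can see a blocked stylesheet URL. Paths for which `parse_url` returns no scheme, or `false` for a malformed URL, still reach `file_get_contents`. That is presumably intended for local stylesheets, but the comment should say so. Because this edits a vendored mPDF source file, the block will be lost on a library upgrade unless the patch is tracked somewhere, and a comment naming where it is recorded would help. The enclosing method starts and ends outside the hunk.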