Merge pull request #5196 from protich/issue/secvuln-redforce

Security Vulnerabilities

Merge pull request #5196 from protich/issue/secvuln-redforce
Security Vulnerabilities
2cd7af46 · Peter Rotich · GitHub · 9951125e · 4dfb77ca · 2cd7af46
Unverified Commit 2cd7af46 authored 5 years ago by Peter Rotich Committed by GitHub 5 years ago
--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -1063,7 +1063,8 @@ class AuthTokenAuthentication extends UserAuthenticationBackend {
            if (($ticket = Ticket::lookupByNumber($_GET['t'], $_GET['e']))
                    // Using old ticket auth code algo - hardcoded here because it
                    // will be removed in ticket class in the upcoming rewrite
-                    && !strcasecmp($_GET['a'], md5($ticket->getId() .  strtolower($_GET['e']) . SECRET_SALT))
+                    && strcasecmp((string) $_GET['a'], md5($ticket->getId()
+                            .  strtolower($_GET['e']) . SECRET_SALT)) === 0
                    && ($owner = $ticket->getOwner()))
                $user = new ClientSession($owner);
        }

--- a/include/class.file.php
+++ b/include/class.file.php
@@ -388,12 +388,15 @@ class AttachmentFile extends VerySimpleModel {
                $file['data'] = base64_decode($file['data']);
            }
        }
-        if (isset($file['data'])) {
+
+        if (!isset($file['data']) && isset($file['dataclb'])
+                && is_callable($file['dataclb'])) {
            // Allow a callback function to delay or avoid reading or
            // fetching ihe file contents
-            if (is_callable($file['data']))
-                $file['data'] = $file['data']();
+            $file['data'] = $file['dataclb']();
+        }

+        if (isset($file['data'])) {
            list($key, $file['signature'])
                = self::_getKeyAndHash($file['data']);
            if (!$file['key'])

--- a/include/class.mailfetch.php
+++ b/include/class.mailfetch.php
@@ -831,7 +831,7 @@ class MailFetcher {
                else {
                    // only fetch the body if necessary
                    $self = $this;
-                    $file['data'] = function() use ($self, $mid, $a) {
+                    $file['dataclb'] = function() use ($self, $mid, $a) {
                        return $self->decode(imap_fetchbody($self->mbox,
                            $mid, $a['index']), $a['encoding']);
                    };

--- a/include/class.pdf.php
+++ b/include/class.pdf.php
@@ -19,6 +19,9 @@ define('THIS_DIR', str_replace('\\', '/', Misc::realpath(dirname(__FILE__))) . '

 require_once(INCLUDE_DIR.'mpdf/vendor/autoload.php');

+// unregister phar stream to mitigate vulnerability in mpdf library
+@stream_wrapper_unregister('phar');
+
 class mPDFWithLocalImages extends Mpdf {
    function WriteHtml($html, $sub = 0, $init = true, $close = true) {
        static $filenumber = 1;

--- a/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php
+++ b/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php
@@ -2224,6 +2224,17 @@ class CssManager
 			$path = preg_replace('/\.css\?.*$/', '.css', $path);
 		}

+        /*** Start osTicket Security Patch ***/
+
+        // Make sure only schemes allowed are http & https - this is to
+        // neutralize phar:// attack
+        $scheme = parse_url($path, PHP_URL_SCHEME);
+        if ($scheme && !in_array(strtolower($scheme), ['http', 'https']))
+            return '';
+
+        /*** End osTicket Security Patch ***/
+
+
 		$contents = @file_get_contents($path);

 		if ($contents) {