Unverified Commit 2cd7af46 authored by Peter Rotich's avatar Peter Rotich Committed by GitHub

Merge pull request #5196 from protich/issue/secvuln-redforce

Security Vulnerabilities
parents 9951125e 4dfb77ca
......@@ -1063,7 +1063,8 @@ class AuthTokenAuthentication extends UserAuthenticationBackend {
if (($ticket = Ticket::lookupByNumber($_GET['t'], $_GET['e']))
// Using old ticket auth code algo - hardcoded here because it
// will be removed in ticket class in the upcoming rewrite
&& !strcasecmp($_GET['a'], md5($ticket->getId() . strtolower($_GET['e']) . SECRET_SALT))
&& strcasecmp((string) $_GET['a'], md5($ticket->getId()
. strtolower($_GET['e']) . SECRET_SALT)) === 0
&& ($owner = $ticket->getOwner()))
$user = new ClientSession($owner);
}
......
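Review bot: The rewritten comparison on the two new lines still uses strcasecmp(), an early-exit compare whose run time depends on how far the strings match; since the value being compared is a secret-derived digest, it should be a timing-safe compare, e.g. `&& hash_equals(md5($ticket->getId() . strtolower($_GET['e']) . SECRET_SALT), strtolower((string) $_GET['a']))`. The `(string)` cast together with the explicit `=== 0` does close the gap the old `!strcasecmp(...)` form had with a non-string argument, where a null result was treated as a match. `$_GET['e']` is still passed uncast to strtolower() and lookupByNumber(), so a non-string value would raise a TypeError on PHP 8 rather than fail closed; a `(string)` cast there would be consistent with the change made for `$_GET['a']`. The enclosing method starts and ends outside the hunk.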
......@@ -388,12 +388,15 @@ class AttachmentFile extends VerySimpleModel {
$file['data'] = base64_decode($file['data']);
}
}
if (isset($file['data'])) {
if (!isset($file['data']) && isset($file['dataclb'])
&& is_callable($file['dataclb'])) {
// Allow a callback function to delay or avoid reading or
// fetching ihe file contents
if (is_callable($file['data']))
$file['data'] = $file['data']();
$file['data'] = $file['dataclb']();
}
if (isset($file['data'])) {
list($key, $file['signature'])
= self::_getKeyAndHash($file['data']);
if (!$file['key'])
......
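Review bot: The new guard accepts any value for which is_callable() is true, so a string naming a function would also be invoked on the line `$file['data'] = $file['dataclb']();`. If the $file array can ever be assembled from externally supplied metadata, that is wider than needed; the only producer visible in this commit assigns a closure, so narrowing the guard to `&& $file['dataclb'] instanceof Closure` would keep the same behaviour for that caller while excluding string and array callables. The comment on the line above the call still reads "fetching ihe file contents" (typo for "the"). The enclosing method starts and ends outside the hunk.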
......@@ -831,7 +831,7 @@ class MailFetcher {
else {
// only fetch the body if necessary
$self = $this;
$file['data'] = function() use ($self, $mid, $a) {
$file['dataclb'] = function() use ($self, $mid, $a) {
return $self->decode(imap_fetchbody($self->mbox,
$mid, $a['index']), $a['encoding']);
};
......
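Review bot: The closure passes the result of imap_fetchbody() straight into decode(), and imap_fetchbody() returns false when the fetch fails, so nothing here distinguishes a failed fetch from an empty body for the consumer that later checks isset($file['data']). Returning null on failure, e.g. `$body = imap_fetchbody($self->mbox, $mid, $a['index']);` followed by `return $body === false ? null : $self->decode($body, $a['encoding']);`, would let that consumer treat it as missing data. How decode() itself handles false is not visible in this hunk, so this is inferred from the imap_fetchbody() contract only. The enclosing method starts and ends outside the hunk.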
......@@ -19,6 +19,9 @@ define('THIS_DIR', str_replace('\\', '/', Misc::realpath(dirname(__FILE__))) . '
require_once(INCLUDE_DIR.'mpdf/vendor/autoload.php');
// unregister phar stream to mitigate vulnerability in mpdf library
@stream_wrapper_unregister('phar');
class mPDFWithLocalImages extends Mpdf {
function WriteHtml($html, $sub = 0, $init = true, $close = true) {
static $filenumber = 1;
......
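Review bot: The `@` on the new `@stream_wrapper_unregister('phar');` line hides the warning emitted when the wrapper is already unregistered, which is exactly the case a maintainer would want to see if the mitigation runs twice or not at all. Guarding instead of suppressing keeps the failure path visible: `if (in_array('phar', stream_get_wrappers(), true)) stream_wrapper_unregister('phar');`. Because this executes at include time of a file that also declares a class, it removes the phar wrapper for the rest of the request, including any code loaded afterwards; the comment should say so, e.g. `// Process-wide for this request: phar:// is unavailable to all code loaded after this point.`.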
......@@ -2224,6 +2224,17 @@ class CssManager
$path = preg_replace('/\.css\?.*$/', '.css', $path);
}
/*** Start osTicket Security Patch ***/
// Make sure only schemes allowed are http & https - this is to
// neutralize phar:// attack
$scheme = parse_url($path, PHP_URL_SCHEME);
if ($scheme && !in_array(strtolower($scheme), ['http', 'https']))
return '';
/*** End osTicket Security Patch ***/
$contents = @file_get_contents($path);
if ($contents) {
......
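Review bot: parse_url() returns false for seriously malformed input, and a false $scheme skips the new check on the line `if ($scheme && !in_array(...))`, so the path still reaches file_get_contents(); rejecting that case explicitly, `if ($scheme === false || ($scheme && !in_array(strtolower($scheme), ['http', 'https'], true))) return '';`, fails closed and also adds the strict flag to in_array(). The allow-list is scheme-only: schemeless local paths are still read, which the patch comment should state so a later reader does not assume it blocks local file access. The markers suggest this is a hand-edit to a vendored class, so it will be lost on a library update unless it is tracked separately. The enclosing method starts and ends outside the hunk.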