- Nov 19, 2019
Peter Rotich authored
This commit addresses possible Arbitrary Method Invocation via AJAX file upload. To save some memory osTicket uses a callback method to fetch the content of a file on mail fetch. $file['data'] was overloaded as a callback by simply checking if the content is callable, resulting in method invocation when the content of the uploaded file is a callable. To address the issue we're not using a locally set callback parameter / method.
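The pattern this commit describes, as an added example that is not osTicket's code: content arriving from a request is only ever stored as bytes, and the lazy-loading callback used on mail fetch lives in a separate, server-controlled slot that request data cannot populate. The class and method names are hypothetical.

```php
<?php
// Added example, not osTicket code. The old shortcut tested whether
// $file['data'] was callable and invoked it; here the callback is kept in a
// dedicated field set only by trusted code, and request data is only bytes.

final class FileContent
{
    private ?string $data;
    /** @var callable|null set only by trusted code paths (e.g. mail fetch) */
    private $loader;

    private function __construct(?string $data, ?callable $loader)
    {
        $this->data = $data;
        $this->loader = $loader;
    }

    /** Content arriving from a request (AJAX upload) is always treated as data. */
    public static function fromUpload(array $file): self
    {
        if (!isset($file['data']) || !is_string($file['data'])) {
            throw new InvalidArgumentException('upload has no string content');
        }
        return new self($file['data'], null);
    }

    /** Lazy loader for the mail-fetch path; the callable comes from our own code. */
    public static function lazy(callable $loader): self
    {
        return new self(null, $loader);
    }

    public function getData(): string
    {
        if ($this->data === null) {
            // Only a loader installed via lazy() is ever invoked.
            $this->data = (string) ($this->loader)();
        }
        return $this->data;
    }
}

// Constructed sample: the uploaded "content" is a string that happens to name
// a PHP function. is_callable('strlen') is true, but it is stored verbatim.
$upload  = ['name' => 'notes.txt', 'data' => 'strlen'];
$content = FileContent::fromUpload($upload)->getData();
var_dump($content === 'strlen');   // bool(true): stored as bytes, never invoked

// Mail-fetch path: the loader is a closure built by trusted code, not by input.
$lazy = FileContent::lazy(fn () => 'body fetched from the mailbox');
var_dump($lazy->getData());
```

The point of the split is that the type system, not a runtime `is_callable()` probe, decides what gets executed: `fromUpload()` can only ever produce stored bytes, so no value a client controls reaches the invocation in `getData()`.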
- Aug 13, 2019
JediKev authored
This enhances security patch (33ed10) to allow image attachments to be opened in a new tab if the setting is enabled. This adds a new setting to the Agent Profile labeled "Image Attachment View" that determines how image attachments are handled. The two options are "Download" and "Inline" with "Download" being the default. If the option is set to "Download" all image attachments will be forced to download. If the option is set to "Inline" all image attachments will open in a new tab when you right click + open in new tab.
- Jul 24, 2019
JediKev authored
This addresses an issue reported by Aishwarya Iyer where attached HTML files are executed in the browser instead of forcing download in Firefox and IE for Windows specifically. This is caused by an incorrect `Content-Disposition` set in the `AttachmentFile::download` function. Instead of attachments having a disposition of `attachment` (which forces download) they have a disposition of `inline` (which displays the file contents in the browser). This updates the download function to use whatever disposition is passed (for S3 plugin), if none it defaults to `attachment`. In addition, this overwrites the disposition and sets it to `attachment` after the `$bk->sendRedirectURL()` so that S3 attachments still work and the issue of an attacker passing their own disposition is mitigated.
- Jun 13, 2019
Peter Rotich authored
Remove file type overwrite previously used to force downloads. This addresses potential XSS where an attacker could pass "image" resulting in the file being displayed inline.
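The header handling described in this commit and in the Jul 24, 2019 `Content-Disposition` fix, as an added example that is not osTicket's code: the disposition defaults to `attachment`, only the two RFC 6266 tokens are accepted from a caller, browser-renderable types are never served inline regardless of what was requested, and a bare token such as "image" is not accepted as a media type. The function name and the list of never-inline types are this example's own choices.

```php
<?php
// Added example, not osTicket code. Builds the response headers for an
// attachment download so that a caller-supplied disposition or type cannot
// turn a stored file into something the browser renders in page context.

function downloadHeaders(string $filename, string $mimeType, ?string $disposition = null): array
{
    // Accept only the two RFC 6266 tokens; anything else falls back to the default.
    if (!in_array($disposition, ['attachment', 'inline'], true)) {
        $disposition = 'attachment';
    }

    // A media type must be "type/subtype"; a bare token like "image" is rejected
    // and the file is served as opaque bytes instead.
    $type = strtolower(trim($mimeType));
    if (!preg_match('~^[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+$~', $type)) {
        $type = 'application/octet-stream';
    }

    // Types a browser would execute or render as markup are never served inline,
    // whatever the caller asked for (this list is the example's own choice).
    static $neverInline = [
        'text/html', 'application/xhtml+xml', 'image/svg+xml',
        'text/xml', 'application/xml', 'text/javascript', 'application/javascript',
    ];
    if (in_array($type, $neverInline, true)) {
        $disposition = 'attachment';
    }

    // Header-injection guard: no CR/LF, quotes or backslashes in the filename.
    $safe  = preg_replace('/[\r\n"\\\\]/', '_', $filename);
    $ascii = preg_replace('/[^\x20-\x7e]/', '_', $safe);

    return [
        'Content-Type'           => $type,
        'X-Content-Type-Options' => 'nosniff',   // stop MIME sniffing of the body
        'Content-Disposition'    => sprintf("%s; filename=\"%s\"; filename*=UTF-8''%s",
            $disposition, $ascii, rawurlencode($safe)),
    ];
}

// Constructed samples.
print_r(downloadHeaders('report.html', 'text/html', 'inline'));
// -> Content-Disposition: attachment; ...   (HTML is never inlined)
print_r(downloadHeaders('photo.jpg', 'image/jpeg', 'inline'));
// -> Content-Disposition: inline; ...       (the Agent "Inline" image setting)
print_r(downloadHeaders('photo.jpg', 'image', 'whatever'));
// -> application/octet-stream, attachment   (bad type and bad disposition rejected)
```

`X-Content-Type-Options: nosniff` is the companion to the disposition check: it keeps the browser from second-guessing the declared type on an `inline` image response, which is what would otherwise let content-sniffing reintroduce the problem the disposition fix closes.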
- Nov 19, 2018
JediKev authored
Support using %{ticket.thread} to export the entire ticket thread correspondence between agents and end users (owner + collaborators).
- Oct 03, 2018
aydreeihn authored
This commit ensures that we use the correct disposition for downloading files.
- Oct 02, 2018
aydreeihn authored
This commit ensures that we will always get the correct attachment name regardless of whether the file content is the same. Additionally, it ensures that the file_ids for attachments are compared in the correct order (elseifs).
- Oct 01, 2018
aydreeihn authored
This commit ensures that we will always get the correct attachment name regardless of whether the file content is the same. Additionally, it ensures that the file_ids for attachments are compared in the correct order (elseifs).
- Jul 18, 2018
Jared Hancock authored
An index was added to the v1.11 branch to support the ORM query. Because the index cannot be applied to v1.10, the query was rewritten for the 1.10.x branch to provide better performance without changes to the database. When 1.10.x was merged into 1.11.x the rewritten SQL accidentally showed up. This reverts that merge to use the original ORM query.
- Jul 17, 2018
JediKev authored
This addresses an issue that was introduced by a previous attempt to address the orphaned file query. The previous attempt addressed the original issue but slowed database performance so this addresses the performance issue.
- Jul 12, 2018
JediKev authored
This addresses an issue that was introduced by a previous attempt to address the orphaned file query. The previous attempt addressed the original issue but slowed database performance so this addresses the performance issue.
- May 15, 2018
JediKev authored
This addresses the issue where files were being deleted before being sent out in Agent responses. This was due to a bug in the query that gets the orphaned files. This query was getting files created within the last 24 hours not after the last 24 hours. The query also had another bug that would use the time from PHP instead of MySQL which could cause issues. This updates the query as per @greezybacon's suggestions to delete orphaned files that were created more than 24 hours ago.
- Apr 25, 2018
JediKev authored
This addresses the issue where files were being deleted before being sent out in Agent responses. This was due to a bug in the query that gets the orphaned files. This query was getting files created within the last 24 hours not after the last 24 hours. The query also had another bug that would use the time from PHP instead of MySQL which could cause issues. This updates the query as per @greezybacon's suggestions to delete orphaned files that were created more than 24 hours ago.
- Mar 22, 2018
Peter Rotich authored
Commit c4579277 introduced an extra administrative security feature to restrict file access to signed-in users only, even if a user has a valid & signed download URL. The feature, however, did not take into account public images & files associated with FAQs and pages such as landing/thank-you pages. This commit addresses the shortcoming by adding a reference ID (attachment ID) to the download/access URL, that can be used to deduce the model/object type that the file request is associated with. The technique will allow us in the future to enforce ACL at the file level depending on privacy settings and the security clearance of the user (agent).
- Mar 25, 2016
Jared Hancock authored
- Mar 24, 2016
Jared Hancock authored
- Mar 20, 2016
Jared Hancock authored
This duplicates the custom logo code to allow for custom login backdrops. A new page is added to the "Company" settings page which allows for management of the uploaded custom backdrops.
- Mar 18, 2016
Jared Hancock authored
Previously, the create method was used to create a new instance of an orm model (which would later result in an INSERT when persisted); however, some classes require or utilize varying parameters to their create() method, which PHP7 considers an error. Methods in subclasses must be defined with a calling signature compatible with the parent class. This patch shifts the concept of model creation to the constructor. Now, the constructor of ORM models is required to be compatible with that of ModelBase class. Now that most models do not define a constructor, this is much easier to control, and much more logical. Also, remove an issue where assignments on a relationship field to an instance of a super class of the foreign model would raise an error. This was previously addressed by re-classing the instance in the ModelInstanceManager::getOrBuild(); however that design would create multiple instances of the same object in memory, which defeats one of the primary design concepts of the ORM. This patch addresses the issue by allowing super-classes of the declared foreign model in relationship assignments.
-
Jared Hancock authored
This commit attempts to remove all coding standard warnings emitted by PHP 7.0.
- Dec 18, 2015
Jared Hancock authored
- Sep 28, 2015
Jared Hancock authored
If the configuration for the file backend is set to something invalid, do a better job of falling back to database-backed attachments.
- Aug 28, 2015
ericLemanissier authored
When saving an attached file in the database, passing the whole content of the file to bin2hex leads to allocating the memory for the whole hex-encoded file while the binary content of the file is still in memory. This easily leads to an Out of memory error on limited-resource servers. Calling bin2hex on each chunk of the file greatly limits the memory usage.
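The chunked encoding the commit describes, as an added example that is not osTicket's code: the file is read from a stream and hex-encoded one chunk at a time, so peak memory is bounded by the chunk size rather than by the binary plus the twice-as-large hex copy. The generator name and the 8 KiB chunk size are this example's own choices; the sample input is constructed in a temp stream.

```php
<?php
// Added example, not osTicket code. Encodes a stream to hex chunk by chunk so
// the whole file and its hex copy are never both resident at once.

/** @return Generator<string> hex-encoded chunks, in order */
function hexChunks($stream, int $chunkSize = 8192): Generator
{
    while (!feof($stream)) {
        $bin = fread($stream, $chunkSize);
        if ($bin === false || $bin === '') {
            break;
        }
        // Only this chunk and its hex form (2x its size) are live here.
        yield bin2hex($bin);
    }
}

// Constructed sample: 1 MiB of random bytes written to a temp stream.
$stream = fopen('php://temp', 'w+');
for ($i = 0; $i < 1024; $i++) {
    fwrite($stream, random_bytes(1024));
}
rewind($stream);

$before = memory_get_peak_usage();
$hexLen = 0;
foreach (hexChunks($stream) as $hex) {
    // Each chunk can be appended to the stored row separately instead of
    // building one multi-megabyte hex string for a single INSERT.
    $hexLen += strlen($hex);
}
fclose($stream);

printf("hex length: %d, extra peak memory: %d bytes\n",
    $hexLen, memory_get_peak_usage() - $before);
// hex length is 2 MiB (2097152); the extra peak memory is on the order of the
// chunk size, well under the file size that a whole-file bin2hex would need.
```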
- Jul 22, 2015
Jared Hancock authored
Also,
* use current year when no company name exists (yet)
* log a `created` timestamp for new files
* drop table %group during the upgrade
- Jul 21, 2015
Jared Hancock authored
- Jul 10, 2015
Jared Hancock authored
This patch suggests that old attachments in the `upload_dir` can be located and left alone when upgrading away from osTicket v1.6. Later, via the `file` command line applet, the attachments can be migrated into the database, or to the new filesystem plugin after it is installed with: `php manage.php file migrate --backend=6 --to=D`. This allows attachment migration to be retried in the event it failed for any reason.
- Jun 03, 2015
Jared Hancock authored
* Log events for AJAX collaborator list edits
* Avoid extra selects for inline image handling
* Avoid using htmLawed to add target="_blank" and class="no-pjax" to links in the ticket thread
* Cache instances of IntlDateFormatter; seems expensive to set up
* Cache filetypes Yaml in APC if available
* Cache I18n::getDefaltLanguage() in the request
* Avoid extraneous usage of Model::_inspect and Model::$meta
* Add aggregated query support to the ORM
* Lazily compile SQL query for InstrumentedLists
* Apply `select_related` setting when setting up InstrumentedList instances
* Slight optimization in SqlCompiler::getField
* Avoid double compiling Sql annotations in the ORDER BY clause
* Cache Thread::getEntries
* Break out event types for ThreadEvent for more legible code
* Eliminate one query from Ticket::loadDynamicData
* Fix ticket number bolding if already answered
* Use dependent subqueries for ticket statistics in the queue page, which is significantly faster for large data sets (like hundreds of attachments or thread entries)
* Fixup sidebar layout on client knowledge base pages
- May 13, 2015
Jared Hancock authored
- Feb 12, 2015
Jared Hancock authored
This patch includes a slight database migration, and adjusts the functionality of a few core components.
* Move collaborators from the ticket to the thread. This concept allows collaborators on any object which has a thread, including tasks.
* Add flags to the thread entry. This will allow flagging thread entries for different purposes. Initially this can be used to flag the original message of a thread in case a ticket / thread is created without an initial message.
* Lock becomes more of a utility. The lock is now disconnected from the ticket and is a separate utility. Separately, the ticket and task objects can have a reference to a lock object. Furthermore, when submitting some activities to tickets, the lock is verified to be owned by the respective agent, and the lock code must match a current lock code. The code is rotated on each acquire() call to guard against double submissions.
* Collaborator is an ORM model. The TicketUser class is broken up now so that the collaborator instance can exist apart from a ticket. Email message ids are now generated for collaborators without respect for a ticket so that collaborators can be properly supported on any thread.
- Feb 10, 2015
Jared Hancock authored
This patch converts the central file and threading classes over to use the ORM.
- Feb 06, 2015
Jared Hancock authored
- Jan 09, 2015
Jared Hancock authored
-
Jared Hancock authored
Files upgraded from versions of osTicket prior to 1.9.1 did not have a `signature` field in the database. For caching purposes in generating the Etag HTTP header, the getSignature function cascades through the getKey method. This may be inconsistent in the signed URL creation. This patch adds a cascade flag to the getSignature method so the cascading will not happen unless specifically requested.
- Jan 06, 2015
Jared Hancock authored
- Dec 31, 2014
Jared Hancock authored
This script adds a single download script, 'file.php', which provides access to files of all types to all users. It uses a HMAC signature system with an expires time, which allows signed URLs to be sent to external users. This also fixes an issue with the Http::cacheable() method, where the last-modified and Etag headers were not properly compared, which resulted in permanent cache misses by the client.
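The two mechanisms this commit describes, as an added example that is not osTicket's code: a signed download URL whose HMAC covers the file key, an expiry time and (following the Mar 22, 2018 commit above) the attachment reference ID, verified with a constant-time comparison, plus a conditional-request check that compares the `If-None-Match` and `If-Modified-Since` validators correctly so a matching client cache actually gets a 304. The secret is a placeholder, and the query parameter names, function names and signature layout are this example's own assumptions rather than osTicket's.

```php
<?php
// Added example, not osTicket code. Signed, expiring download URLs plus a
// correct cache-validator comparison.

const DOWNLOAD_SECRET = 'REPLACE-WITH-INSTALLATION-SECRET'; // placeholder

function signedFileUrl(int $fileId, string $key, int $attachmentId, int $expires): string
{
    // Everything that influences access is inside the signed string, so changing
    // any one parameter invalidates the signature.
    $params = ['key' => $key, 'expires' => $expires, 'id' => $attachmentId, 'file' => $fileId];
    $params['signature'] = hash_hmac('sha256', http_build_query($params), DOWNLOAD_SECRET);
    return 'file.php?' . http_build_query($params);
}

/** True only for an unmodified and unexpired URL. */
function verifyFileUrl(array $query, int $now): bool
{
    foreach (['key', 'expires', 'id', 'file', 'signature'] as $p) {
        if (!isset($query[$p]) || !is_string($query[$p])) {
            return false;
        }
    }
    if (!ctype_digit($query['expires']) || (int) $query['expires'] < $now) {
        return false;                       // expired link
    }
    $params = ['key' => $query['key'], 'expires' => $query['expires'],
               'id' => $query['id'], 'file' => $query['file']];
    $expected = hash_hmac('sha256', http_build_query($params), DOWNLOAD_SECRET);
    // Constant-time comparison so timing does not leak the expected value.
    return hash_equals($expected, $query['signature']);
}

/** Conditional-request check: ETag takes precedence over the date validator. */
function isNotModified(array $headers, string $etag, int $lastModified): bool
{
    if (isset($headers['If-None-Match'])) {
        // Possibly several comma-separated, quoted, possibly weak ("W/") tags.
        foreach (explode(',', $headers['If-None-Match']) as $tag) {
            $tag = trim(preg_replace('~^W/~', '', trim($tag)), '"');
            if ($tag === '*' || $tag === trim($etag, '"')) {
                return true;
            }
        }
        return false;                       // a tag was sent and none matched
    }
    if (isset($headers['If-Modified-Since'])) {
        $since = strtotime($headers['If-Modified-Since']);
        return $since !== false && $since >= $lastModified;
    }
    return false;                           // no validator: serve the body
}

// Constructed sample run.
$now = 1700000000;
$url = signedFileUrl(42, 'abc123', 7, $now + 3600);
parse_str(substr($url, strlen('file.php?')), $q);
var_dump(verifyFileUrl($q, $now));                          // bool(true)
$q['id'] = '8';
var_dump(verifyFileUrl($q, $now));                          // bool(false): id tampered
var_dump(verifyFileUrl($q, $now + 7200));                   // bool(false): expired
var_dump(isNotModified(['If-None-Match' => 'W/"v1"'], '"v1"', $now)); // bool(true)
```

Verification rebuilds the signed string from the presented parameters in the same order the signer used, which is why the same `$params` layout appears in both functions; comparing with `hash_equals()` rather than `==` keeps the check constant-time and avoids PHP's loose string-to-number comparison on hex digests.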
- Dec 22, 2014
Jared Hancock authored
- Dec 11, 2014
Peter Rotich authored
Use generic attachment table for all attachments system-wide. Drop thread entry attachment table.
-
Peter Rotich authored
Detach conversation thread from ticket to make it more generic. Any object can now have its own thread complete with entry type and attachments.
-
Peter Rotich authored
Use generic attachment table for all attachments system-wide. Drop thread entry attachment table.
-
Peter Rotich authored
Detach conversation thread from ticket to make it more generic. Any object can now have its own thread complete with entry type and attachments.
- Oct 28, 2014
Jared Hancock authored