  1. Nov 19, 2019
    • Arbitrary Method Invocation · 4dfb77ca
      Peter Rotich authored
      This commit addresses possible Arbitrary Method Invocation via AJAX file upload.
      
      To save some memory osTicket uses a callback method to fetch the content of a
      file on mail fetch. $file['data'] was overloaded as a callback by simply
      checking if the content is callable, resulting in method invocation when
      the content of the uploaded file is callable.
      
      To address the issue we're now using a locally set callback parameter / method.
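The pattern the commit message describes, as an added illustration that is not osTicket's own code: a data field run as a callback whenever it happens to be callable, beside a version that only honours a callback passed in code. The helper and function names are assumptions.

```php
<?php
// Added illustration (not osTicket's code) of the pattern the commit message
// describes: a data field that is run as a callback whenever it happens to be
// callable, beside a version that only honours a code-controlled callback.

// Hypothetical helper standing in for the lazy mail-store fetch.
function fetchAttachmentBody(): string {
    return "attachment bytes from the mail store"; // constructed sample
}

// Before: $file['data'] doubles as content and as callback. When the field
// is filled from an upload, a body that is just the name of an existing
// function passes is_callable(), so user content becomes a function call.
function saveFileVulnerable(array $file): string {
    $data = $file['data'];
    if (is_callable($data)) {
        $data = call_user_func($data);
    }
    return (string) $data;
}

// After: content is always treated as bytes. A callback is honoured only
// when supplied through a separate parameter that the caller sets in code.
function saveFileFixed(array $file, ?callable $fetch = null): string {
    if ($fetch !== null) {
        return $fetch();
    }
    return (string) $file['data'];
}

// Internal mail-fetch path: the application chooses the callback.
$fromMail = saveFileFixed(['name' => 'a.txt'], 'fetchAttachmentBody');

// Upload path (constructed input): a body equal to the name of a built-in
// function is stored as the literal string, not invoked.
$fromUpload = saveFileFixed(['name' => 'b.txt', 'data' => 'phpversion']);
assert($fromUpload === 'phpversion');
```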
  2. Aug 13, 2019
    • issue: Image Attachment View · eb1a4eaf
      JediKev authored
      This enhances the security patch (33ed10) to allow image attachments to be
      opened in a new tab if the setting is enabled. This adds a new setting to
      the Agent Profile labeled "Image Attachment View" that determines how image
      attachments are handled. The two options are "Download" and "Inline" with
      "Download" being the default. If the option is set to "Download" all image
      attachments will be forced to download. If the option is set to "Inline" all
      image attachments will open in a new tab when you right click + open in new
      tab.
  3. Jul 24, 2019
    • security: HTML File Browser Execution (Windows: Firefox/IE) · 33ed106b
      JediKev authored
      This addresses an issue reported by Aishwarya Iyer where attached HTML files
      are executed in the browser instead of forcing download in Firefox and IE
      for Windows specifically. This is caused by an incorrect
      `Content-Disposition` set in the `AttachmentFile::download` function.
      Instead of attachments having a disposition of `attachment` (which forces
      download) they have a disposition of `inline` (which displays the file
      contents in the browser). This updates the download function to use whatever
      disposition is passed (for S3 plugin); if none is passed it defaults to `attachment`.
      In addition, this overwrites the disposition and sets it to `attachment`
      after the `$bk->sendRedirectURL()` so that S3 attachments still work and the
      issue of an attacker passing their own disposition is mitigated.
  4. Jun 13, 2019
    • Remove File Type Override · 539d343d
      Peter Rotich authored
      Remove file type override previously used to force downloads. This
      addresses potential XSS where an attacker could pass "image" resulting in
      the file being displayed inline.
  5. Nov 19, 2018
    • feature: Complete Thread Variable · ffcd4b5e
      JediKev authored
      Support using %{ticket.thread} to export the entire ticket thread
      correspondence between agents and end users (owner + collaborators).
  6. Oct 03, 2018
    • File Disposition · 0c6e9acc
      aydreeihn authored
      This commit ensures that we use the correct disposition for downloading files.
  7. Oct 02, 2018
    • Attachment Names Issue · 86946d58
      aydreeihn authored
      This commit ensures that we will always get the correct attachment name regardless of whether the file content is the same. Additionally, it ensures that the file_ids for attachments are compared in the correct order (elseifs).
  8. Oct 01, 2018
    • Attachment Names Issue · 08c0ac71
      aydreeihn authored
      This commit ensures that we will always get the correct attachment name regardless of whether the file content is the same. Additionally, it ensures that the file_ids for attachments are compared in the correct order (elseifs).
  9. Jul 18, 2018
    • Revert "issue: Orphaned File Query Rewrite" · b778736f
      Jared Hancock authored
      An index was added to the v1.11 branch to support the ORM query. Because the
      index cannot be applied to v1.10, the query was rewritten for the 1.10.x
      branch to provide better performance without changes to the database. When
      1.10.x was merged into 1.11.x the rewritten SQL accidentally showed up. This
      reverts that merge to use the original ORM query.
  10. Jul 17, 2018
    • issue: Orphaned File Query Rewrite · e5dd24e0
      JediKev authored
      This addresses an issue that was introduced by a previous attempt to
      address the orphaned file query. The previous attempt addressed the
      original issue but slowed database performance so this addresses the
      performance issue.
  11. Jul 12, 2018
    • issue: Orphaned File Query Rewrite · 719baf32
      JediKev authored
      This addresses an issue that was introduced by a previous attempt to
      address the orphaned file query. The previous attempt addressed the
      original issue but slowed database performance so this addresses the
      performance issue.
  12. May 15, 2018
    • issue: Files - deleteOrphans() · b05dcbda
      JediKev authored
      This addresses the issue where files were being deleted before being sent
      out in Agent responses. This was due to a bug in the query that gets the
      orphaned files. This query was getting files created within the last 24
      hours not after the last 24 hours. The query also had another bug that
      would use the time from PHP instead of MySQL which could cause issues.
      This updates the query as per @greezybacon's suggestions to delete
      orphaned files that were created more than 24 hours ago.
  13. Apr 25, 2018
    • issue: Files - deleteOrphans() · a3e04e82
      JediKev authored
      This addresses the issue where files were being deleted before being sent
      out in Agent responses. This was due to a bug in the query that gets the
      orphaned files. This query was getting files created within the last 24
      hours not after the last 24 hours. The query also had another bug that
      would use the time from PHP instead of MySQL which could cause issues.
      This updates the query as per @greezybacon's suggestions to delete
      orphaned files that were created more than 24 hours ago.
  14. Mar 22, 2018
    • Make FAQ & Pages Attachments Viewable · cefe6848
      Peter Rotich authored
      Commit c4579277 introduced an extra administrative security feature to
      restrict files access to signed in users only, even if a user has a valid
      & signed download URL. The feature, however, did not take into account
      public images & files associated with FAQs and pages such as
      landing/thank-you pages.
      
      This commit addresses the shortcoming by adding a reference ID (attachment ID)
      to the download/access URL, which can be used to deduce the model/object type
      that the file request is associated with. The technique will allow us in the
      future to enforce ACL at the file level depending on privacy settings and
      the security clearance of the user (agent).
  17. Mar 20, 2016
    • login: Make the backdrop customizable · 463de2e9
      Jared Hancock authored
      This duplicates the custom logo code to allow for custom login backdrops. A
      new page is added to the "Company" settings page which allows for management
      of the uploaded custom backdrops.
  18. Mar 18, 2016
    • orm: Migrate create functionality to the constructor · 1ba40e35
      Jared Hancock authored
      Previously, the create method was used to create a new instance of an orm
      model (which would later result in an INSERT when persisted); however, some
      classes require or utilize varying parameters to their create() method,
      which PHP7 considers an error. Methods in subclasses must be defined with a
      calling signature compatible with the parent class.
      
      This patch shifts the concept of model creation to the constructor. Now, the
      constructor of ORM models is required to be compatible with that of
      ModelBase class. Now that most models do not define a constructor, this is
      much easier to control, and much more logical.
      
      Also, remove an issue where assignments on a relationship field to an
      instance of a super class of the foreign model would raise an error. This
      was previously addressed by re-classing the instance in the
      ModelInstanceManager::getOrBuild(); however that design would create
      multiple instances of the same object in memory, which defeats one of the
      primary design concepts of the ORM. This patch addresses the issue by
      allowing super-classes of the declared foreign model in relationship
      assignments.
    • php: Support PHP 7, require at least 5.4 · 9616a61d
      Jared Hancock authored
      This commit attempts to remove all coding standard warnings emitted by PHP
      7.0.
  21. Aug 28, 2015
    • reduce memory usage when storing file in DB · 9789b4ec
      ericLemanissier authored
      When saving an attached file in the database, passing the whole content of the file to bin2hex leads to allocating the memory for the whole hex encoded file while the binary content of the file is still in memory. This easily leads to out-of-memory errors on servers with limited resources. Calling bin2hex on each chunk of the file greatly limits the memory usage.
  24. Jul 10, 2015
    • upgrade: Defer migrating attachments from v1.6 · 6d30aa28
      Jared Hancock authored
      This patch suggests that old attachments in the `upload_dir` can be located
      and left alone when upgrading away from osTicket v1.6. Later, via the `file`
      command line applet, the attachments can be migrated into the database, or
      to the new filesystem plugin after it is installed with:
      
          php manage.php file migrate --backend=6 --to=D
      
      This allows attachment migration to be retried in the event it failed for
      any reason.
  25. Jun 03, 2015
    • Make several optimizations to ticket-view page · 091fe701
      Jared Hancock authored
      * Log events for AJAX collaborator list edits
      * Avoid extra selects for inline image handling
      * Avoid using htmLawed to add target="_blank" and class="no-pjax" to links
        in the ticket thread
      * Cache instances of IntlDateFormatter; seems expensive to set up
      * Cache filetypes Yaml in APC if available
      * Cache I18n::getDefaltLanguage() in the request
      * Avoid extraneous usage of Model::_inspect and Model::$meta
      * Add aggregated query support to the ORM
      * Lazily compile SQL query for InstrumentedLists
      * Apply `select_related` setting when setting up InstrumentedList instances
      * Slight optimization in SqlCompiler::getField
      * Avoid double compiling Sql annotations in the ORDER BY clause
      * Cache Thread::getEntries
      * Break out event types for ThreadEvent for more legible code
      * Eliminate one query from Ticket::loadDynamicData
      * Fix ticket number bolding if already answered
      * Use dependent subqueries for ticket statistics in the queue page, which is
        significantly faster for large data sets (like hundreds of attachments or
        thread entries)
      * Fixup sidebar layout on client knowledge base pages
  27. Feb 12, 2015
    • Collaborators for threads, lock as a utility · 67d55198
      Jared Hancock authored
      This patch includes a slight database migration, and adjusts the
      functionality of a few core components.
      
        * Move collaborators from the ticket to the thread.
          This concept allows collaborators on any object which has a thread,
          including tasks.
      
        * Add flags to the thread entry
          This will allow flagging thread entries for different purposes.
          Initially this can be used to flag the original message of a thread in
          case a ticket / thread is created without an initial message.
      
        * Lock becomes more of a utility
          The lock is now disconnected from the ticket and is a separate utility.
          Separately, the ticket and task objects can have a reference to a lock
          object. Furthermore, when submitting some activities to tickets, the
          lock is verified to be owned by the respective agent, and the lock code
          must match a current lock code. The code is rotated on each acquire()
          call to guard against double submissions.
      
        * Collaborator is an ORM model
          The TicketUser class is broken up now so that the collaborator instance
          can exist apart from a ticket. Email message ids are now generated for
          collaborators without respect for a ticket so that collaborators can be
          properly supported on any thread.
  30. Jan 09, 2015
    • 98caa704
    • oops: Fix download of files with no signature · e02ab9ae
      Jared Hancock authored
      Files upgraded from versions of osTicket prior to 1.9.1 did not have a
      `signature` field in the database. For caching purposes in generating the
      Etag HTTP header, the getSignature function cascades through the getKey
      method. This may be inconsistent in the signed URL creation.
      
      This patch adds a cascade flag to the getSignature method so the cascading
      will not happen unless specifically requested.
  32. Dec 31, 2014
    • files: Provide unified download script · d9cf38bc
      Jared Hancock authored
      This script adds a single download script, 'file.php', which provides access
      to files of all types to all users. It uses an HMAC signature system with an
      expires time, which allows signed URLs to be sent to external users.
      
      This also fixes an issue with the Http::cacheable() method, where the
      last-modified and Etag headers were not properly compared, which resulted in
      permanent cache misses by the client.
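The mechanism this commit describes (an HMAC-signed download URL with an expiry), combined with the server-chosen `Content-Disposition` from the HTML-attachment fix above, as an added example that is not osTicket's file.php. The function names, the query parameter names and the secret constant are assumptions.

```php
<?php
// Added example, not osTicket's file.php: a minimal signed-download check of
// the kind the commit describes (HMAC over the file key plus an expiry time),
// together with the server-chosen Content-Disposition from the later
// HTML-attachment fix. Function names and the secret are assumptions.

const SIGNING_SECRET = 'replace-with-installation-secret'; // placeholder

// Build the query parameters of a download link valid for $ttl seconds.
function signDownload(string $key, int $ttl, int $now): array {
    $expires = $now + $ttl;
    $sig = hash_hmac('sha256', "$key|$expires", SIGNING_SECRET);
    return ['key' => $key, 'expires' => $expires, 'signature' => $sig];
}

// Verify a request: all fields present, link not expired, signature valid.
// hash_equals() keeps the comparison constant-time.
function verifyDownload(array $q, int $now): bool {
    if (!isset($q['key'], $q['expires'], $q['signature'])) {
        return false;
    }
    $expires = (int) $q['expires'];
    if ($expires < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', "{$q['key']}|$expires", SIGNING_SECRET);
    return hash_equals($expected, (string) $q['signature']);
}

// Choose the disposition in code. Only an explicit 'inline' from a caller
// (never a request parameter) is honoured; everything else becomes
// 'attachment', which forces the browser to download rather than render.
function dispositionHeader(string $filename, ?string $disposition = null): string {
    $disp = ($disposition === 'inline') ? 'inline' : 'attachment';
    $safeName = str_replace(['"', "\r", "\n"], '', $filename);
    return sprintf('Content-Disposition: %s; filename="%s"', $disp, $safeName);
}

// Constructed usage.
$now = time();
$link = signDownload('file-key-123', 3600, $now);
assert(verifyDownload($link, $now + 60) === true);    // still valid
assert(verifyDownload($link, $now + 7200) === false); // expired
$tampered = $link;
$tampered['key'] = 'another-file';
assert(verifyDownload($tampered, $now) === false);    // signature mismatch
assert(dispositionHeader('page.html') === 'Content-Disposition: attachment; filename="page.html"');
```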
  34. Dec 11, 2014
    • Use generic attachment table · 380a7e04
      Peter Rotich authored
      Use generic attachment table for all attachments system-wide.
      Drop thread entry attachment table.
    • Make threads generic · 150d4ff4
      Peter Rotich authored
      Detach conversation thread from ticket to make it more generic. Any object
      can now have its own thread complete with entry type and attachments.
    • Use generic attachment table · 0c7f4396
      Peter Rotich authored
      Use generic attachment table for all attachments system-wide.
      Drop thread entry attachment table.
    • Make threads generic · 84d34e0c
      Peter Rotich authored
      Detach conversation thread from ticket to make it more generic. Any object
      can now have its own thread complete with entry type and attachments.