From b402f424b64a07a40ce48fdc8bc97ec33e18ddaa Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Wed, 4 Dec 2019 16:22:37 +0530
Subject: [PATCH] Fixes #1220 XSS vulnerability is addressed
---
include/utils/ListViewUtils.php | 4 ++--
modules/Users/actions/Save.php | 6 ------
modules/Users/actions/SaveAjax.php | 7 -------
modules/Vtiger/actions/Save.php | 6 ------
modules/Vtiger/actions/SaveAjax.php | 6 ------
packages/vtiger/optional/ModComments.zip | Bin 38879 -> 38880 bytes
.../modules/ModComments/actions/SaveAjax.php | 10 +++++-----
7 files changed, 7 insertions(+), 32 deletions(-)
diff --git a/include/utils/ListViewUtils.php b/include/utils/ListViewUtils.php
index 0ef21b7d7..bfb4b763b 100755
--- a/include/utils/ListViewUtils.php
+++ b/include/utils/ListViewUtils.php
@@ -675,9 +675,9 @@ function decode_html($str) {
global $default_charset;
// Direct Popup action or Ajax Popup action should be treated the same.
if ((isset($_REQUEST['action']) && $_REQUEST['action'] == 'Popup') || (isset($_REQUEST['file']) && $_REQUEST['file'] == 'Popup'))
- return html_entity_decode($str);
+ return purifyHtmlEventAttributes(html_entity_decode($str));
else
- return html_entity_decode($str, ENT_QUOTES, $default_charset);
+ return purifyHtmlEventAttributes(html_entity_decode($str, ENT_QUOTES, $default_charset));
}
function popup_decode_html($str) {
diff --git a/modules/Users/actions/Save.php b/modules/Users/actions/Save.php
index 2d2088431..433479214 100644
--- a/modules/Users/actions/Save.php
+++ b/modules/Users/actions/Save.php
@@ -76,12 +76,6 @@ class Users_Save_Action extends Vtiger_Save_Action {
if ($fieldName == 'roleid' && !($currentUserModel->isAdminUser())) {
$fieldValue = null;
}
- if($fieldName == 'signature' && $fieldValue !== null){
- $fieldValue = $request->getRaw($fieldName);
- $purifiedContent = vtlib_purify(decode_html($fieldValue));
- // Purify malicious html event attributes
- $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
- }
if($fieldValue !== null) {
if(!is_array($fieldValue)) {
diff --git a/modules/Users/actions/SaveAjax.php b/modules/Users/actions/SaveAjax.php
index 86fdfbe46..5188833bb 100644
--- a/modules/Users/actions/SaveAjax.php
+++ b/modules/Users/actions/SaveAjax.php
@@ -104,13 +104,6 @@ class Users_SaveAjax_Action extends Vtiger_SaveAjax_Action {
$recordModel->set($fieldName,$existingRecordModel->get($fieldName));
}
}
- if($fieldName == 'signature'){
- $fieldValue = $request->getRaw($fieldName);
- $purifiedContent = vtlib_purify(decode_html($fieldValue));
- // Purify malicious html event attributes
- $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
- $recordModel->set($fieldName,$fieldValue);
- }
return $recordModel;
}
diff --git a/modules/Vtiger/actions/Save.php b/modules/Vtiger/actions/Save.php
index 5a7c00d1b..4e3ac8e5c 100644
--- a/modules/Vtiger/actions/Save.php
+++ b/modules/Vtiger/actions/Save.php
@@ -160,12 +160,6 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
if($fieldDataType == 'time' && $fieldValue !== null){
$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
}
- if($fieldName == 'notecontent' && $fieldValue !== null){
- $fieldValue = $request->getRaw($fieldName);
- $purifiedContent = vtlib_purify(decode_html($fieldValue));
- // Purify malicious html event attributes
- $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
- }
if($fieldValue !== null) {
if(!is_array($fieldValue) && $fieldDataType != 'currency') {
$fieldValue = trim($fieldValue);
diff --git a/modules/Vtiger/actions/SaveAjax.php b/modules/Vtiger/actions/SaveAjax.php
index af467fe72..49ec727da 100644
--- a/modules/Vtiger/actions/SaveAjax.php
+++ b/modules/Vtiger/actions/SaveAjax.php
@@ -106,12 +106,6 @@ class Vtiger_SaveAjax_Action extends Vtiger_Save_Action {
if ($fieldDataType == 'time' && $fieldValue !== null) {
$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
}
- if($fieldName == 'notecontent' && $fieldValue !== null){
- $fieldValue = $request->getRaw($fieldName);
- $purifiedContent = vtlib_purify(decode_html($fieldValue));
- // Purify malicious html event attributes
- $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
- }
if ($fieldValue !== null) {
if (!is_array($fieldValue)) {
$fieldValue = trim($fieldValue);
diff --git a/packages/vtiger/optional/ModComments.zip b/packages/vtiger/optional/ModComments.zip
index adafd7048a486f9e73fec17d88fd03a61e34d675..fa0dae5f586572ffd459bf257c38c66c33c6f761 100644
GIT binary patch
delta 1547
zcmYk6dpy&77{|v?E)&K{XErSqu}E%*DAjTuh8b#!wn>-}hJ>M%Wu*OFiYUh=rslSx
zay!JF$|WImqo{_cc5+LcluqY)y}r-u^ZtCF=k@*m^?6w?I#MoLaSto=Fz&1)WUbKP
zBdigf`SytB+Mz{CLqx>h0T9Ud#&bIn^vVjhyuOJXhG{AM`%!G?xUUO_fJ?K$Axhb}
z0kT|$`_sv3j;#}IrJ?$6tVGCMz9qwZrt5)$Za1?$wyWk4J$klvh`ut}s<iurJm!+W
zJx{b!ykQ(Vu-odW!v66xT{_&qCt(LHJUhs#rO&J7K;wl|lF}$L8<yvc-hrPNe7)Gt
zp5xR-8ZScVNy-W}=Lx<Ywl(4L<*Gi2NGyz{{YG0x-m~rnF({FtFy1hR%&USIt6@ea
z6tW|y4eUpq$MkP*c%${?>R3?l`N|HPp7sde(hA`VO>@aoE!etzx<#>GLVsfzML}P2
zD34o<s27x!Mr`7b<VdeGN2i-HA1<tXM9zI7Jxot1N-9>fwHG8<*R)RRP8rq7%EV%I
zG7Rw_0#s2RE01U9^xa!%d3UOVlSjSeG=JmR>oj2c`Awk&gm~{Brp@gq$gOJkDfJYo
z7XHLExoUp{*Z2kf-5Gfh4ppLA*5{jTCgy*fw;G&2dQ#gnP9E2sM0L@P9>)s9D5m$U
zu%Du3JV}G`0>Q1VZ5zBsOdt5vl-Y}!=^SE{*#*WPOLrtuKFcA?^CnGA(t$n^!lBM!
zZ;|Ntk6)57`dS#m1d<^cswFizLkPQ|Ou5j%dppZm5}==sJZ0<bXvWg8bXpR>w|-YG
zV*<fd%CUCEBpaeZD}SKTRu9UIYAzT(<tMnzy}c`~w2aWQ8Geoh{me}Ms|>>tLGq0F
zgMK<CSWZVqzMJk~*5NH2wg~}++@zuY^lmFpr8n^~JCLvMGLq`i<ZxZpi3{;E=Izk%
z*b^E}CvATn<E;*@@7C`62zM(FCp{vltlZQ!caJ-7Mmc`)Ol5dC34Su8Ensul4At5g
z*Mg3eIrfBEjC@ZQ#Mr2RnS$J%YgWDH&VO%$xYf(@s!(j_yW0DD-l!|gl`?p`mq>Qq
z8hnE%{ly;{kQw}y+ubwS;pr*s^I*Z{gW%&beL5*Sh!nN%83)30o@C;CXHxvApM9Ub
z$W$)s^j_THVKF<M#k9?AcFm~)FVqH$)cnDICgE^|VVb4ou|PYgQRu|f<HPU<<^|_o
z%?C#*7hKGNTMyOfF-p3Eifo`G4xctv^jG#Nw(h)c=Iu8tzmb^QYu-~I8ldEq>f5eO
zca%LDR5GPcQwYS>@~}&m+0RLo;ZB#LPRyKaG>^Gpse4Uy#CT(()N^}b$50e?gnRF)
zd1_@*X0bL+O_=;TsNH9#J71=XQOJ$aBRLbYKbta2WYV{dr%ot#4lze{$gmzO`T=q)
zQO`1$DmIluIeToq|1i-(Ja_Q4&YyIG{$~!Lny;C5f9DvLocMA~PPZx|!Q{r353_24
zkMFDZyG`DWG(x$T)y?-^zSI3Gkg_<{hTN#umQ^k2Iv1O12SpSNH{<xxii5(2-{r4L
zp1Fl1m%pa=>03C;xh0xk(>mZW24!ySk<htvjA++*--ul-97qjC(YNGYalXBeV>qm0
z8fX2M_-1e^cKh*^{A1hx5zchrgl2DhRNVJ#EToz?Qg70XLk#z{#h0&$I@w7`$|muf
zQp6w-v<w82hNvEJjNSJ=+5YoEQrZFNuVe#{CToMkX|h0rBLsAIRb*Xq0pLz+QVI;a
zbP$NZuc9(oj#mR=DY77vg#dciJV_UAFph-=j9gb|u-`NclmHQcqx+AYeV`kl<?%!F
zKmyQ0`k@y|Xb_){23&$ySrJT&5C^l<u|V1XSTutG<c9pZ56d_Rz-hnOk*4|Wz4ag}
x69srh{Pc}LMkX3?i22Fl;MtfR-~T0-g#hg0fBDu~c#$PAJ8Q3a-}%+t{}%|z$Fl$c
delta 1564
zcmYL~do<I19LLvha$TiWZiOte+;1(nD7Q2*rct)ktcfW}4^vscT#7Opzu7E#G;~3+
zBA14gLc*kyQCL^ETu&*to*s`!-*Z0SbKbAd>zvPjpHE*g&|3@$o?us?yyJ1O#iszh
zz-|R?zZ^g>Rz#EnY?)L)90ptX?)!9ye!wU)${q#?Og36YbbJlL3}GUwZY5dDu`PCZ
z8A$o5HN3^<VDTQzfM3;)czU<kuG9tS{77mgwIYnc=JKCmr@y}wgTGWCtJ;RHMx_Qf
zmjZW}RezGl*zP=p+_`SZ7*q*vi#1Y=ykegle@YNL6Oc6~8yXeQbBJ=tuW0N`nCe|$
zI4_)d|LzBT)=1t}tYOCIZxq)ruW`u;=~Lb5IvHPL;1DG_9a5dXS&vOmv!7(@m?)b9
zzRGR&C%F{qRXHrLJA&ql&)Q(J%^oL@SWJzh+x4s|mvMhr_ZV~{sBM;PdV4B;J;bVP
zoXV?y-6v`|R$ZtaQ%ge2dh*|rkGB50Ec(lmiM+A)wv(-LFb%70Cs6likc%aR!(-mG
z{Jgudx(efc)1#6wmJk_wsX5D;$egd*#S5p>2Dk;w<_Xu@P0~i5XRu}By!76q9uYaH
z=-Z>MM?|-Lzt@ABph*C7lh%it#L>!=B6;_lZyra=xFN>@W*AUU$~-O6_q}pNbi?sz
zp0;RPANPWKMobSD-#oUwXd;>{Y;qF3Orz@Yt*3ihMB5~DsC|Z-8XS7L<lFnm%8Kvx
zO0{pa=F~T9b5Rc0Yf=+$vC_`Xxj5f!H0AGWp*v4Vlfj@>#zyGDQ@Hj#*(On9h87p&
z#fZaDo>zDT@m#3wuE%P#&6$q58WWwFdpRk)Gc)158`yQTsbqA%r>H_@*7~Egz^glK
z&()3<glFq2F|P)e&wPMZ`$lXiaAmH9(!RcvxF`<f7!t~l@V12QD(VevL!yc2j(7Qe
zF)#Yt608y2AGa$*>h$Px)<z);dn*J%G!|%~oE=iz)7m+%X3{YtRh3a_OP&#cy_OFm
zkv@-(ZxIGsybJoJKdO;FTmm0Ho3QfdJ-d<m7qs-0*%d@eIO%Ep=c!9>U6m#!bGbS`
z?f|{3LSTO^&JbUuIb}7yU7VEkBH(^B0%TNx!tFUq`!deTl^dTs{K`6)jgax~@`J0D
zXX~Z32bwYDjZkN%yj!*1B=_99_qPx&Wr*tuU*pP(oDMW1jN&#sn&Z(885G%k)$9{)
zCr(>#PkGVc&dfb}26OS2$bNS!r?&f}&7nd{zWxRB4zRI(c#}cthU;?<ldX5DPF6Xp
zV2QQW69!I99n^k%b%aLv@!UdK*HKCg#Aco!(fl!}qR`}Tw|rxeq5PT$yw7(_zID_N
zB+?lhC~lkF_YXQNu^W1sEj_qv3ip!p?lJ5rCrG?+XD$XI_UgV)QDe7=QzV7~ifuli
zBdyNQ+&L>mYB-q^PestW{EkUyb)HcNb6%OX6v4Il2COF2_v-_k+di){E}_R--sFva
zM~$>M>AdzCIyhe7|KyV+WkloYTp6M>X*3=6Nhl5}9<O4pHK|XY_Rx)1@0zUET*FqW
zyW_Fu;g{gIX69M#@NRTl9WT7jnP1xv+fIFke(5(6!S~vlVk2xhHFMrV$wg9N&lv^!
zW7Kh_27<ZJ!aydUV%)#Gn`#43xI#K#`O$_Je7s%v)KKVfR8+yUhx2exHyPQ`eCfkX
zDHu#)1q{YgD|v%EyJKOoEpaG-<tYDWu|eb{1E`y|5~#vKrYTC$C{7<bczGpcovH>X
zdoCh5C?a(q5Q$%i#gGgnz@rwd4QXnC=nt0jHh{)1DMG2gu?1nt4kZ{ZU|C2F@bF#2
ziN62YjNcedTEs-)5qZg&A?rcjY&`%Uwtz(8(oiNF3l#hx5s+NE2XHlfp?f^tA5e~1
z5<Mf(zlS0qO^ycOPhY}B&VFDIV<CbJi!`ntfQ?ydx^nT$W}r;2z4Xh3e-FVwchlYB
diff --git a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
index bb6126d2e..402aeb954 100644
--- a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
+++ b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
@@ -74,11 +74,11 @@ class ModComments_SaveAjax_Action extends Vtiger_SaveAjax_Action {
public function getRecordModelFromRequest(Vtiger_Request $request) {
$recordModel = parent::getRecordModelFromRequest($request);
- $commentContent = $request->getRaw('commentcontent');
- $purifiedContent = vtlib_purify(decode_html($commentContent));
- // Purify malicious html event attributes
- $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
- $recordModel->set('commentcontent', $fieldValue);
+// $commentContent = $request->getRaw('commentcontent');
+// $purifiedContent = vtlib_purify(decode_html($commentContent));
+// // Purify malicious html event attributes
+// $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+ $recordModel->set('commentcontent', $request->getRaw('commentcontent'));
$recordModel->set('is_private', $request->get('is_private'));
return $recordModel;
--
GitLab