From d4f4e4cda4639c2a0e660c84b91727817c18455c Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Wed, 4 Dec 2019 11:08:48 +0530
Subject: [PATCH] Fixes #1220 XSS vulnerability is addressed

---
 modules/Users/actions/SaveAjax.php            |   7 +++++++
 modules/Vtiger/actions/SaveAjax.php           |   6 ++++++
 packages/vtiger/optional/ModComments.zip      | Bin 37939 -> 38879 bytes
 .../modules/ModComments/actions/SaveAjax.php  |   6 +++++-
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/modules/Users/actions/SaveAjax.php b/modules/Users/actions/SaveAjax.php
index 5188833bb..86fdfbe46 100644
--- a/modules/Users/actions/SaveAjax.php
+++ b/modules/Users/actions/SaveAjax.php
@@ -104,6 +104,13 @@ class Users_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 				$recordModel->set($fieldName,$existingRecordModel->get($fieldName));
 			}
 		}
+        if($fieldName == 'signature'){
+            $fieldValue = $request->getRaw($fieldName);
+            $purifiedContent = vtlib_purify(decode_html($fieldValue));
+            // Purify malicious html event attributes
+            $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+            $recordModel->set($fieldName,$fieldValue);
+        }
 		return $recordModel;
 	}
 
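Review bot: The `$fieldName == 'signature'` test on the first added line runs after the loop that closes on the preceding line, so `$fieldName` is whatever field that loop visited last and the signature is only purified when 'signature' happens to be that final field; the check should not depend on loop state, e.g. `if ($request->has('signature')) {` (if Vtiger_Request exposes such a presence check) followed by `$fieldValue = $request->getRaw('signature');`. The same three-call purify sequence is duplicated in modules/Vtiger/actions/SaveAjax.php and the ModComments SaveAjax hunk; one shared helper taking the raw value and returning the purified string would keep the three call sites from drifting. The added lines are space-indented while the surrounding method uses tabs, and `==` should be `===`. getRecordModelFromRequest starts before this hunk, so the loop header that defines `$fieldName` is not visible here.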
diff --git a/modules/Vtiger/actions/SaveAjax.php b/modules/Vtiger/actions/SaveAjax.php
index 49ec727da..af467fe72 100644
--- a/modules/Vtiger/actions/SaveAjax.php
+++ b/modules/Vtiger/actions/SaveAjax.php
@@ -106,6 +106,12 @@ class Vtiger_SaveAjax_Action extends Vtiger_Save_Action {
 				if ($fieldDataType == 'time' && $fieldValue !== null) {
 					$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 				}
+                if($fieldName == 'notecontent' && $fieldValue !== null){
+                    $fieldValue = $request->getRaw($fieldName);
+                    $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                    // Purify malicious html event attributes
+                    $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+                }
 				if ($fieldValue !== null) {
 					if (!is_array($fieldValue)) {
 						$fieldValue = trim($fieldValue);
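Review bot: The purification is gated on the literal field name `'notecontent'` rather than on the field's type, so any other field that carries HTML through this same save loop receives none of it; `$fieldDataType` is already in scope two lines above the added block and would be the more robust gate if rich-text fields share a ui type, which this hunk does not show. The raw value is re-read with `$request->getRaw($fieldName)` only after `$fieldValue !== null` was tested on the earlier value, so the two reads are assumed to agree on nullness; a comment stating that assumption would help, e.g. `// re-read raw: the escaped get() value would double-encode once purified`. The added lines are space-indented in a tab-indented method and use `==` where `===` is intended. The enclosing loop and method start before this hunk.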
diff --git a/packages/vtiger/optional/ModComments.zip b/packages/vtiger/optional/ModComments.zip
index 81440773285a7750b449e9b874d1943b390f20c2..adafd7048a486f9e73fec17d88fd03a61e34d675 100644
GIT binary patch
delta 6301
zcmb7{3piBiAIA?fGMFUMRPN)NyI3hwL##}QqC&PI_j|cknnYnkbR@F2L>IK8>B8z_
zw_TM&sjZ|7ZP~6w|4m!T|9yvJ&YU^yv!^HOdEVdW{NC^Tp7;HJdB??{oD{cO!KP3Z
z5coWdHFx9xW9)}CqK-sxqJrZ&!GW7hJXcLcB&C+5tvl)3yKc?@o}s473TU?rRZ+B1
z4pGnN%#alwKU)Ezfj{^c4O0+A4UDg562{lv>lIrnN#kh;|9D3XLEyNFTcz<^O^%L_
zo48Rk(MDx(WeM~D%M@oI>gacrnS`Dv(FDv9<z^5k2@6O>X#fji%r8(!Q!=L$-okU3
zUMXQ9NsHHteYIZ#LEz|7X^7%d79fcE7)P5*?3U+1t)c^orKjF@FQOv|96h<jk<lCC
zBk+5{YWctI1qJZ>*enJ%1zZ8iyz|u%L=zPBB&(ygyQW}8V>^y_-LH)X=Dj%NYVdg)
zg22(_^KP+65Zy7(;v8ur=a@~89N-K_f7EK1Ll8KcoU=p)LG<|?BO+tgW?L!1@Y&N~
zXefmsa3ncn7udL_P=qvdBBLg)TnsQ?T<SfP54JcQDbPPLge~+nDg(x?1&V05Cryt3
zE&7-qS~t0z?cxZcGhQZzdhd}TwvfCg8MaXJ&F`y&K?|^gd>R+22x2(SnnUDJy>!I^
zC-kh{HATRHqscjGVBrKD8XD;#kFiQe4;EgQhb{%Mrsc5LDgsGh1v#r(20^sOd!nH-
zx#LScCJayCRfY;!7Se%{{{R-O5U`jl)5j&2nTjBKIF`P*EEgPLdNzNp!~Vu6$sl6X
z7XZWmamK4F>Q76#l(U!oYfaS`#NT}zZu#0W{`~RXR#F8POWX~q-gB-zbUy6t;hOC~
za>3psv8&Vew4?a_XTEK|ZFCdvjdTCRZ2s`5lRGl|*V#5v)0z39H%^P!iCuUuZE3?=
zFVAHuzBZW^dUJ=dT*86H<>|?_J3jlDzN1AYr5D>J*;UqG?aml_qE!90aq#J*kCZRQ
z(oUVK^UBK9JDVjgIu?a@&t^HjPv;rhCG~6$zpzh7zaVk%;`iCwrVKOj)r_0XoAw7x
znRYnO{ioU+^}Sl$9P8yvU3XYsv}YeF9daD-bK<(B>Sb!p%P~7Kv`-1mYq&a8ap8~d
z_A8MWs<l#^eD!E6${une+D7)Y$5~~|A5}Q9)P@ln=FG6IRq;#Vob2)3@NQ*TWkuZ%
zU73OIPyIbHd5!W>-`^;8@X7vq{@db>fnhKASBZV~Jk(*jx9@sUfn=Jy{!`{JK84J!
zC;Hoh+quVAe`r?Yn)=IYYW#UIv%g_eyR^%(d%q?~vgHTFvtz`YeM>g?7_2@J+<w$P
zqC%^Ee)s-eDn+S}ojq>6lc*Wo%4uv_T6=qMpnloHPmf#M=l2XV*BGg(7ABtS`TJ=?
zL;Z*5nN9aJhE;U5_A~8{T+Girp0{`Vu%pAVt7c_uS`)brgHt#m(@c!@UM0JARM1-5
zGmA9#Te_#DSq5CMcMU0a4D4`<Y&vM3ZC|cBc)w&-VeYb$5=!w=XT>l19KFgF?e(+1
zEPOVl*1aoc`44xedR|j(u)On9;`5*A^wsgoRZiKm=-#)FdK~3m9yank7hF6y=G&Sl
zK{w^~e6~kF@cxTyUh|{X#o99iwrAzFAL|w>B+;v%)YpcD<#8<-2g92lx7{C@V|urb
zdcLUIhV!|W`^4(!1bMGtqUSaSSv(3EG3Zy__l8G#vn@mRpHsGd&9}n#<$js!6R^?u
z_w?SO@7WI;OnJlQ+FmZ=i4W>)7e}TUdDN&4E%>ykbNB9B{%5vw>D-k1#zlu`t|{6k
zb<Sk_hC2((3+R$7A9z#doI9wW+YvM`McSCTWoTua7Q5#ZyK8N$kCmj4lIPpBvo%ZC
zU8NhR>DZfl=v^rapjFO37|V{`Y_%x&))klR@`x>#S;yNKFUv1%>Uw6qzB-`NU>9cz
z_iD!*O~cd5M~3a*x77u5mo7Lwo40VmZz*n_fv>b4{?HfZ`SH3%<K?@jeS(}zcJ`@#
zd^Jm^#m`nkJ;X?Q#?QsQb-cgtHoeSDOi>PCYr3p`<uJ40%9HHY$8LvYPUTdbO0f-y
z^)3E;OI8SdmF^$8a|&8Jb9;>Z<!*X$?ZYm6n>&<-Q{UtSqzBT&9(YGi;g;UtqH_4o
zyw)0uMwww=i`i2pe}|jB(@c1YJFJcszx%-K>uAyb!|U~T166*%J+}|&Q~iDTEdBoO
z{(a2njh*2q2hQgym^SBpa@F0c^5FdiwHXDoF8|~@<I-QD59gVec2K(XZeA|lc-f(>
z=>@VV@S5Ij@4@&o_iu8o8(Wh<@3dGy)3K+juwVQ|s*2lb!`k7f>Y(hh0FxKXx&o~!
z83%lKHaxQq3ytp3O@1BqCMl`v+NH0Q6>LdbROOTn+28<%N80FNN9OKS_=lZ3cKG64
z9m&O91#kxZ0#)=zwj7~|w|?PAc#Guj)X3`vw+I|9c(H6m-1sRA8&See*(@o@QG9;~
zZz)M$z5(FiZO*^_vLu!5qaz~&qvAFh$ArWXT`BK`hB&;47`O6|z5}hmTET&jH=beO
z9G@$oqR%x&rZu8@22RU3%PhGZuwVr_3tlU@4$(GcS)xR}%8BqI>QG%{69{?|zKHOB
zwaOxhHm<MN+H@jIOveiPza;D9wmQK7!3sfNc)26y3$tPj=*q&9uN%G8;JSdWcm)Pb
zSwIfzk9@2OsIXqJkUHV6LJK(ubXk|LH0nmW=T`j7GR_3@!P~knUqgXx>Ch2P6<$_Y
zJe1tcrOaqMkQ~+sriPcP0kjM6>$-dcqCBn<47df#V+y~O0A2)+oPYu7%+X1ppYq1N
z17<hphrEQnbUR4zya#$|5b6alM#8kwtpvnCOQNPjiE(leB>pXG3tYS-E&UydVDVrr
zd3Vav*bJ4>%Dp0+b5Gm>=#oySQ_V9$XK*w*=Q_{;o8@;&BD36-v{KATlGY<NSiu6b
zgrmthY$XJtBkD*bCn_{3a8sOdQe=e4=f`B^QN1K-%i{cewgKH?%?h@dxB_M3hza)|
zd`4LC=OlqMHd|rtL?943VKx65VL5?tAR0hHy)LZBQW8E|f_OGo4H`);MAdg`5w;Zy
z%Izk4J<OljGs3zDG>qU(kVXN<VImC7qu4XTQUS|~VaU?yWO{&nih+QzK@@~6tzv?}
zk@#;5{$EHC);TmKgG>-Tyq@?x3eqd2@Sl-X1uD8NLxUvBLQ#bn_$&&N>lgv9iLNxC
zAsS=<!@?|KAjpIn7Hb8*lc)wrv4U1uyBKIp)+}s)U>OWs4s3hjV=4%>g8J0^3}k|c
z3+KY$;}`^=QNay^gGgwMLPYbe2m~KeL7c@wmd%3@Vz?Cn;1epyvN*t7YlI}(jsxIG
zk{~Mpu)ZupCXTg4HSjSN1X}?n)yo#ckj32belS__ITfT)9LQ`51|nu$5ePn@3PYOg
zFbG+|6#?PXDYzkV-MBdlK%(hZ2n53{-uZ#c5eNF&SpWjj7Vcdv)`H*TAXq`%`@kp)
zK&<m_5F}z7i7SP-g1|Tm0I7@>5I|-lg}T7o7+4KlqX5E6@EDtpsD~tWf_H+#Ur_rv
zWO7eA-WRre@P-grNI_qz7M@sNk|c&w1cY~k!o9h!7Jx+EqzDLa1%Y|Qb)@Gj0Et>j
zArO=t@BD;8zi<Q~;3J(U^O3@rKHe(9&VX+eG|2LZL2L7sMNK4FN1>YmZwZAzk}61G
zl6y)b1#b$4zmOj`0*WDasAF-6SdTY@z*Gt5k;;gN^C0n&P~-8LKrQgrPk8(ICGr`-
zLqd5c^pFC1u^owbfx^>Tp2A0p8c3nG;5UzVfWlLAPUSO1%_C$u;w=E)_d&0SJtL`~
XcYv#R66c6cEl`&J0L<|13|RDkQ>#SJ

delta 5528
zcmbW53pmtSAIA@dWlS|>Trw`XCX$JgO}!DNbdhT!tqO(76cZk5R;hF$`YYADDM_id
z-B?nJB8n|rYPTy&*=}OJ)k<3LIscje%>PX0ecoq1&*1T#&+m55`JLZa+iB&}Vr7w!
zw+e#^&{v>C>H_i?$u}n8g4poYQNr-3i1_gV{u)4~gwwX<jA7dnVUi|LV!TuVfcz%2
z5iDnejoFA;y;LZ%bPifN1uYRZz8pOO)Bz$(Eu-@9Dgp2X8a4r3qCCTl3B97V@N>4K
zQ%R&KSas4-a-1;XpN6VQv#`!toG<c><!dgVaEM&OBVpJ)hK>tau5x)?o(`3xQPMny
zDT|~l#57Uut4mf0EoKgDS-6h{fQkzMj^f3H>keI1CA1uVN;8-zS%xYM9k`3?05L*~
zHLvqj0jPw3vL_iHeZ7EjLe+^{?+@3{P6!LxzyQG85C9e|3O{`Hs>q1=1p6d@EE!la
z^aMYp6E|fumi(^`;m55I#{T28qXT1I7{C#ik~%L6PoDfn7?LzsTuRACNK1(p-!Wd~
z8UfR+*95>?yqK6y3`eCw%i*WAFes5BEhS>~Zs#29fd_O2<S0hn4`VF+l$9~Yej6{j
z5Hiv5P}`7x>}WoS0fA9zalk$$j7geOJk1Jj+0EeqSc+rQokteaUa(RiJzFTol+ekl
z7#rEmZ#9Noth1CQ`omfJvb^x?TWYq<Y&f(aZUXXUG$OrocIRkPLBsoi)iG=H=<H6I
z-$_^#TWYlik&wft2o$Ekr%#q5y6e4heHP7Z02*gdrQ{GknVLE?;?_n;la$>2(#4~n
zvK5BNg-&@{CX_e%_?(y#{7<m<XrC>}rACBlHj`S8f-9J*iSP4>Oz&V0WHzY-U?*Yv
z-L>h=s2SEOSlw5ZyWij_18^DEfnw}-Va$%{*7(`@_rz;KQLuK+kh7Bb$)3id`#Cu+
zSyni-I}@uWZnc9xbYUA9Bh7~)a*Ga6k`@kTg-$TO(*XP&$dBom$^JWbaQjmSulYoL
zcZ~fXlZ2`5+SYEfRf@RF#$|S0nzLA#_@XZNbN9g~_bzsEa|10*yQ<zgj&I(1dP8Hy
zC&Ai}wGTvttf#E}a`l|+PLYe#7Hw)>D^iWgH+9%{c>BGeolYy=l+zD(8s<7^?(Oj@
z(Kfy^ZkL0fdh-~Lo<VBTVBw#yt8G=g>rI{}E}Y)@F<WDp>Z?gX?J?<<YWZ5}P75YC
znWgKUs`yxb$8&RUSnsgrMaqs^<^rJx-}Nt-$euAwgL`T_cE-%_cRpY1@%-q@jw$c`
z`$frdER*!RIvE?i%v$toqn9pOu03Jor~HzNQ3DUo^AitRu=Ue60#2h*edoYnl2vVZ
zu0zpxHqZ8Z`T1Sw$?59pw@n##+I-U?UvJAyj%!H9H_xiK*1El$bKZVJqAs7;{~x7@
z#yuyBmL5>+3rd?)>vbWIXD~vo(7(=eW1^jBpUA(-{+QuiZ`(f`OfnDDd0jt$`dP}m
z$E9<K8<}UGT-ohW1<Zf=p7;B)u)fAUoe%00GBR`De;PG#=d6n3uOYLy7+kIq<~Q?$
z_N%X3d~U9#|E#u)UtUZ~-S<t?wT_Nwf7@5>ZyVR?+<ITRZ_?4~+VtnX9>sSPwY50D
z+GpB|U+TDstaN@%4mujg-tw`hclVL}4^H#8A5NWF$ErND?e&y0gOEC*dy~^xVrI0;
z<r@yeGn20`@2=`inES|Uc*23P0X?&}6s&Nc+Oe$XO}1f8ee6x%n!pNw%b@2E7arGp
z+YnWF>h)y*9DPG8%SRV$e>T128FF%Uv!h>oR%rFSf+C-CAX-}Sll`&Ksqv}dw(+0u
zN9QIT3ifU1m28OL?CG~@pinFIgi^|sj)s_;Mb&?_UkiPq@o4M%<oMf}Eoam=G~J(A
z_-f|orBB{1ym5JQ&ATZH*Y!TEan1_-G2wmO118a7W#v>I6ngH~=KWoV?9N7OpKs}8
zeqLo5o4@u;S@Z4gS7BkItj?xuetmB`zC6(?t-1Q%`}}%Ui{l?B%()?ODEMjO;WeKt
zpN-*LwH$9ZJ9q9-yj3tWXvxF*F|Ais?>{V#HYwv<zIKlkaGVSd>~?dh=gzqP%VUEI
zmi5+_4*m6y>n1mrXU_Im|99~AGDfRan^K68_YxjUrGLiWNR#k_7h}3KMK`B3?A3aa
z5&28+bM{|TBl1qP2;wiq1Uwzz@^*Mg%jz5(zU~E)AgCeO=VPx8aEn>E@7J47yAGbN
zP@6yNQc44_-05L%QP>K%<bfymO9r?XOdolTZPWA9ZP*i1otIJXCiLwpc6;zcmwv06
zniBtm^U+Bq9KXAjGq23yn%gb+5w-jl?f9~;^$ok|w^i$m)HNc~{Ij%{j<nr4NtCqz
z(#SfOo9PvLYw`l^Pn0hn%nCZD+GJw%V#JE>sz*nZQe1otDiZq(W}Lbj+G`Y0(OqJ0
zcyX_5KzH0AK*ODQm_Tj&Un{RiRl%;9V*-FV8V)2+{5&EgKod1^wzLOP&D%!*mb${`
zJqmU(_{bC4iE4_U>UK}&=HFqPtb{GuOa>4OgjgGo628J)<$`$y<GzQSF62<_mpIb(
zh)4)u6)O!?(kx2{1iNv*P_TEFDs0V_u-&3oE8&T|Yq7VjcdZ`Y){7du?<B(Kd))}?
z$wvw5DSm=$6I1X<yeysJm;s~a!dIE@Iek6m`N;YM_#^aGqxYyA%(w|gO{<j7+*NRX
zlOG)pr1{D6MVlM4tJ2O+1Ays90F0I7>yxREo+D~A3nom{kUo2ed0E|gI0t&%0;6@1
zGMdC#*O7G2+qF<>nv$}yiXyF{FHs$AFzAMUr7I6rQh5;H?a*<j3?SDMg8ab-bORok
z0ZMj2GcXNg#@bj#cBFCDAvOaO0)uH;L|KM~nhg7v@-8ox)G_ZDVew<bDJ>!kekz5_
z2d|0YUuZZfL}UTLxQ8CoMq(D+3Ep;H^#Fee!m}+&SPXuxIOuiT1wk@lC?v2teXTv{
zb$SUgGo(XMtt99es>EMQ5IWk$CT?%z5Dq(7M9p?B8b6KVzm_C){;e*M6DTkQC{9rH
z|L1m{fjWn3V`R;s%0;*hRc!g~(!q+|YY0$d5SLqWzND!9IBkfb)42%cVmk#<@zF#m
zu2JZD?-8R&v7n+!wi$zQu|kJKMw5OCC|wl6xN4!pCFTgWQv~ADg$|yxB)w|Wg^YsG
zaScN^;%qAp9V!|;f}!t)5mxUq7X%|QgR`=N<6?&HSo2#6OG=xecyvr~RYT_kT}hsN
zB4ru}<}W!i@V*S40vAhR%RIs%%arC`de6{#!L<(E{bR%#BjKZn#WfF|b@U}!D1a2P
zxb~s5rvgY83L!--u7T*R%_5S8f=CgIYau$@6D-M>!IlZ5Ax<0GG<>F^TiFmM-87c?
z`IK##!aF_++pxSSu?aZfD8A?TfJ2YqjSNTQ4y_Q_UB@RKx&h;8sef(y+%rTi&<Vmv
z9=f4{7^xvN04a(DpMB^CmanD^=qZBnv4;*%O`u>k0uDin4B+z*-GFtH)BsyH4GmER
xbRzIUh;F7XS!@Q5MJNVYzn9Gu_(Vj9{WnoCIUi95D)YF^Tkt<N3pS%s=D)xF5mW#G

diff --git a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
index b5e7feecd..bb6126d2e 100644
--- a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
+++ b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
@@ -74,7 +74,11 @@ class ModComments_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 	public function getRecordModelFromRequest(Vtiger_Request $request) {
 		$recordModel = parent::getRecordModelFromRequest($request);
 		
-		$recordModel->set('commentcontent', $request->getRaw('commentcontent'));
+        $commentContent = $request->getRaw('commentcontent');
+        $purifiedContent = vtlib_purify(decode_html($commentContent));
+        // Purify malicious html event attributes
+        $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+		$recordModel->set('commentcontent', $fieldValue);
         $recordModel->set('is_private', $request->get('is_private'));
 
 		return $recordModel;
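Review bot: The purified result is stored in `$fieldValue` although the line above introduced `$commentContent` for the same data; reusing that name, `$commentContent = purifyHtmlEventAttributes(decode_html($purifiedContent), true);` and `$recordModel->set('commentcontent', $commentContent);`, reads more clearly and avoids a generic name in a method that handles one field. The four added lines are space-indented while the kept `set('commentcontent', ...)` line and the rest of the method use tabs, so the block now mixes both. getRecordModelFromRequest's closing brace is past the last line of this hunk.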
-- 
GitLab