From 427de0594d05a8222f55b2894311e648ba1be991 Mon Sep 17 00:00:00 2001 From: James Cole Date: Fri, 2 Aug 2019 16:42:16 +0200 Subject: [PATCH 1/6] Fix #2363 --- resources/views/v1/transactions/convert.twig | 44 ++++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/resources/views/v1/transactions/convert.twig b/resources/views/v1/transactions/convert.twig index ff71b59d67..051f843a40 100644 --- a/resources/views/v1/transactions/convert.twig +++ b/resources/views/v1/transactions/convert.twig @@ -22,12 +22,12 @@ {# in case of withdrawal #} {% if sourceType.type == "Withdrawal" %} - {{ ExpandedForm.staticText('source_account_asset', ''~sourceAccount.name~'') }} + {{ ExpandedForm.staticText('source_account_asset', ''~sourceAccount.name|escape~'') }} {# if destination is cash, show (cash) #} {% if destinationAccount.accountType.type == "Cash account" %} {{ ExpandedForm.staticText('destination_account_expense', '(cash)') }} {% else %} - {{ ExpandedForm.staticText('destination_account_expense', ''~destinationAccount.name~'') }} + {{ ExpandedForm.staticText('destination_account_expense', ''~destinationAccount.name|escape~'') }} {% endif %} {% endif %} @@ -38,15 +38,15 @@ {% if sourceAccount.accountType.type == "Cash account" %} {{ ExpandedForm.staticText('source_account_revenue', '(cash)') }} {% else %} - {{ ExpandedForm.staticText('source_account_revenue', ''~sourceAccount.name~'') }} + {{ ExpandedForm.staticText('source_account_revenue', ''~sourceAccount.name|escape~'') }} {% endif %} - {{ ExpandedForm.staticText('destination_account_asset', ''~destinationAccount.name~'') }} + {{ ExpandedForm.staticText('destination_account_asset', ''~destinationAccount.name|escape~'') }} {% endif %} {# in case of transfer #} {% if sourceType.type == "Transfer" %} - {{ ExpandedForm.staticText('source_account_asset', ''~sourceAccount.name~'') }} - {{ ExpandedForm.staticText('destination_account_asset', ''~destinationAccount.name~'') }} + {{ ExpandedForm.staticText('source_account_asset', ''~sourceAccount.name|escape~'') }} + {{ ExpandedForm.staticText('destination_account_asset', ''~destinationAccount.name|escape~'') }} {% endif %} {# ONE #} @@ -56,9 +56,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -69,7 +69,7 @@ {% if destinationAccount.accountType.type == "Cash account" %} {{ ExpandedForm.text('source_account_revenue', '') }} {% else %} - {{ ExpandedForm.text('source_account_revenue', destinationAccount.name) }} + {{ ExpandedForm.text('source_account_revenue', destinationAccount.name|escape) }} {% endif %} {% endif %} @@ -80,9 +80,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -104,9 +104,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -119,7 +119,7 @@ {% if sourceAccount.accountType.type == "Cash account" %} {{ ExpandedForm.text('destination_account_expense', '') }} {% else %} - {{ ExpandedForm.text('destination_account_expense', destinationAccount.name) }} + {{ ExpandedForm.text('destination_account_expense', destinationAccount.name|escape) }} {% endif %} {% endif %} @@ -133,9 +133,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -157,9 +157,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -170,7 +170,7 @@

- {{ ExpandedForm.text('destination_account_expense', destinationAccount.name) }} + {{ ExpandedForm.text('destination_account_expense', destinationAccount.name|escape) }} {% endif %} @@ -184,9 +184,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -197,7 +197,7 @@

- {{ ExpandedForm.text('source_account_revenue', sourceAccount.name) }} + {{ ExpandedForm.text('source_account_revenue', sourceAccount.name|escape) }} {% endif %} From 3ad4e04e2ae50e60564b60b68dfac083e5684882 Mon Sep 17 00:00:00 2001 From: James Cole Date: Fri, 2 Aug 2019 16:43:36 +0200 Subject: [PATCH 2/6] Fix #2364 --- resources/views/v1/transactions/links/delete.twig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/views/v1/transactions/links/delete.twig b/resources/views/v1/transactions/links/delete.twig index fad7391887..0f343125da 100644 --- a/resources/views/v1/transactions/links/delete.twig +++ b/resources/views/v1/transactions/links/delete.twig @@ -12,14 +12,14 @@
-

{{ trans('firefly.delete_journal_link', {source: link.source.description, destination: link.destination.description, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }}

+

{{ trans('firefly.delete_journal_link', {source: link.source.description|escape, destination: link.destination.description|escape, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }}

{{ trans('form.permDeleteWarning') }}

- {{ trans('form.journal_link_areYouSure', {source: link.source.description, destination: link.destination.description, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }} + {{ trans('form.journal_link_areYouSure', {source: link.source.description|escape, destination: link.destination.description|escape, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }}

From 692b256f3f6d9eab992a72eb042844220b314054 Mon Sep 17 00:00:00 2001 From: James Cole Date: Fri, 2 Aug 2019 16:44:48 +0200 Subject: [PATCH 3/6] Fix #2365 --- app/Http/Controllers/Rule/CreateController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Http/Controllers/Rule/CreateController.php b/app/Http/Controllers/Rule/CreateController.php index 03f47f7dee..464f5d4608 100644 --- a/app/Http/Controllers/Rule/CreateController.php +++ b/app/Http/Controllers/Rule/CreateController.php @@ -124,7 +124,7 @@ class CreateController extends Controller */ public function createFromBill(Request $request, Bill $bill) { - $request->session()->flash('info', (string)trans('firefly.instructions_rule_from_bill', ['name' => $bill->name])); + $request->session()->flash('info', (string)trans('firefly.instructions_rule_from_bill', ['name' => e($bill->name)])); $this->createDefaultRuleGroup(); $this->createDefaultRule(); From 2ddf48f15cbdbb475221c299872420f625c3bc3f Mon Sep 17 00:00:00 2001 From: James Cole Date: Fri, 2 Aug 2019 16:46:45 +0200 Subject: [PATCH 4/6] Fix #2366 --- resources/views/v1/reports/audit/report.twig | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/resources/views/v1/reports/audit/report.twig b/resources/views/v1/reports/audit/report.twig index 2a22974078..ce28483e70 100644 --- a/resources/views/v1/reports/audit/report.twig +++ b/resources/views/v1/reports/audit/report.twig @@ -42,7 +42,7 @@ {{ trans('firefly.no_audit_activity', { - account_name: account.name, + account_name: account.name|escape, url: url, start: start.formatLocalized(monthAndDayFormat), end: end.formatLocalized(monthAndDayFormat), @@ -55,7 +55,7 @@ {{ trans('firefly.audit_end_balance', { - account_name: account.name, + account_name: account.name|escape, url: url, end: auditData[account.id].end, balance: formatAmountByAccount(account,auditData[account.id].endBalance) @@ -65,7 +65,7 @@

{{ trans('firefly.audit_end_balance', { - account_name: account.name, + account_name: account.name|escape, url: url, end: auditData[account.id].dayBefore, balance: formatAmountByAccount(account, auditData[account.id].dayBeforeBalance) From e80d616ef4397e6e764f6b7b7a5b30121244933c Mon Sep 17 00:00:00 2001 From: James Cole Date: Fri, 2 Aug 2019 17:05:54 +0200 Subject: [PATCH 5/6] Fix #2367 --- .../FinTS/NewFinTSJobHandler.php | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/app/Support/Import/JobConfiguration/FinTS/NewFinTSJobHandler.php b/app/Support/Import/JobConfiguration/FinTS/NewFinTSJobHandler.php index 2c688158e0..51da2ed0f0 100644 --- a/app/Support/Import/JobConfiguration/FinTS/NewFinTSJobHandler.php +++ b/app/Support/Import/JobConfiguration/FinTS/NewFinTSJobHandler.php @@ -60,6 +60,9 @@ class NewFinTSJobHandler implements FinTSConfigurationInterface $config['fints_password'] = (string)(Crypt::encrypt($data['fints_password']) ?? ''); $config['apply-rules'] = 1 === (int)$data['apply_rules']; + // sanitize FinTS URL. + $config['fints_url'] = $this->validURI($config['fints_url']) ? $config['fints_url'] : ''; + $this->repository->setConfiguration($this->importJob, $config); @@ -108,4 +111,21 @@ class NewFinTSJobHandler implements FinTSConfigurationInterface $this->repository->setUser($importJob->user); } + /** + * @param string $fints_url + * + * @return bool + */ + private function validURI(string $fintsUri): bool + { + $res = filter_var($fintsUri, FILTER_VALIDATE_URL); + if (false === $res) { + return false; + } + $scheme = parse_url($fintsUri, PHP_URL_SCHEME); + + return 'https' === $scheme; + } + + } From 1b3d3de969fab7f2323ef68de4ea4b0e2ca68625 Mon Sep 17 00:00:00 2001 From: James Cole Date: Fri, 2 Aug 2019 17:08:24 +0200 Subject: [PATCH 6/6] Update version. --- .sandstorm/changelog.md | 4 ++++ .sandstorm/sandstorm-pkgdef.capnp | 4 ++-- .travis.yml | 2 +- changelog.md | 5 +++++ config/firefly.php | 2 +- 5 files changed, 13 insertions(+), 4 deletions(-) diff --git a/.sandstorm/changelog.md b/.sandstorm/changelog.md index c1aef0fdbc..71cc706e49 100644 --- a/.sandstorm/changelog.md +++ b/.sandstorm/changelog.md @@ -1,3 +1,7 @@ +# 4.7.17.4 (API 0.9.2) + +- Several XSS issues, found by [@dayn1ne](https://github.com/dayn1ne). + # 4.7.17.3 (API 0.9.2) - XSS bug in file uploads (x2), found by [@dayn1ne](https://github.com/dayn1ne). diff --git a/.sandstorm/sandstorm-pkgdef.capnp b/.sandstorm/sandstorm-pkgdef.capnp index c8502e36a9..9911495175 100644 --- a/.sandstorm/sandstorm-pkgdef.capnp +++ b/.sandstorm/sandstorm-pkgdef.capnp @@ -15,8 +15,8 @@ const pkgdef :Spk.PackageDefinition = ( manifest = ( appTitle = (defaultText = "Firefly III"), - appVersion = 29, - appMarketingVersion = (defaultText = "4.7.17.3"), + appVersion = 30, + appMarketingVersion = (defaultText = "4.7.17.4"), actions = [ # Define your "new document" handlers here. diff --git a/.travis.yml b/.travis.yml index e5b4f55c95..1166e57858 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,7 @@ sudo: required language: bash env: - - VERSION=4.7.17.3 + - VERSION=4.7.17.4 dist: xenial diff --git a/changelog.md b/changelog.md index f354cc7987..6ded64afbf 100644 --- a/changelog.md +++ b/changelog.md @@ -2,6 +2,11 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). +## [4.7.17.4 (API 0.9.2)] - 2019-08-02 + +### Security +- Several XSS issues, found by [@dayn1ne](https://github.com/dayn1ne). + ## [4.7.17.3 (API 0.9.2)] - 2019-07-16 ### Security diff --git a/config/firefly.php b/config/firefly.php index f732748e35..84c3f61c7c 100644 --- a/config/firefly.php +++ b/config/firefly.php @@ -93,7 +93,7 @@ return [ 'is_demo_site' => false, ], 'encryption' => null === env('USE_ENCRYPTION') || env('USE_ENCRYPTION') === true, - 'version' => '4.7.17.3', + 'version' => '4.7.17.4', 'api_version' => '0.9.2', 'db_version' => 10, 'maxUploadSize' => 15242880,