IntenseFinance/firefly-iii
3
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-02-25 18:45:27 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge tag '4.7.17.6' into develop

Browse Source 
4.7.17.6

# Conflicts:
#	.travis.yml
#	app/Http/Controllers/Import/JobConfigurationController.php
#	app/Http/Controllers/Transaction/SingleController.php
#	config/firefly.php
This commit is contained in:
James Cole 2019-08-03 05:11:58 +02:00
commit 43dbad4e4c
No known key found for this signature in database
GPG Key ID: C16961E655E74B5E
12 changed files with 39 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.sandstorm/changelog.md
View File

@ -1,3 +1,7 @@
# 4.7.17.6 (API 0.9.2)
- XSS issue in liability account redirect, found by [@0x2500](https://github.com/0x2500).
# 4.7.17.5 (API 0.9.2)
- Several XSS issues, found by [@0x2500](https://github.com/0x2500).

4
.sandstorm/sandstorm-pkgdef.capnp
View File

@ -15,8 +15,8 @@ const pkgdef :Spk.PackageDefinition = (
manifest = (
appTitle = (defaultText = "Firefly III"),
appVersion = 31,
appMarketingVersion = (defaultText = "4.7.17.5"),
appVersion = 32,
appMarketingVersion = (defaultText = "4.7.17.6"),
actions = [
# Define your "new document" handlers here.

6
app/Http/Controllers/Admin/LinkController.php
View File

@ -91,7 +91,7 @@ class LinkController extends Controller
public function delete(Request $request, LinkType $linkType)
{
if (!$linkType->editable) {
$request->session()->flash('error', (string)trans('firefly.cannot_edit_link_type', ['name' => $linkType->name]));
$request->session()->flash('error', (string)trans('firefly.cannot_edit_link_type', ['name' => e($linkType->name)]));
return redirect(route('admin.links.index'));
}
@ -148,7 +148,7 @@ class LinkController extends Controller
public function edit(Request $request, LinkType $linkType)
{
if (!$linkType->editable) {
$request->session()->flash('error', (string)trans('firefly.cannot_edit_link_type', ['name' => $linkType->name]));
$request->session()->flash('error', (string)trans('firefly.cannot_edit_link_type', ['name' => e($linkType->name)]));
return redirect(route('admin.links.index'));
}
@ -247,7 +247,7 @@ class LinkController extends Controller
public function update(LinkTypeFormRequest $request, LinkType $linkType)
{
if (!$linkType->editable) {
$request->session()->flash('error', (string)trans('firefly.cannot_edit_link_type', ['name' => $linkType->name]));
$request->session()->flash('error', (string)trans('firefly.cannot_edit_link_type', ['name' => e($linkType->name)]));
return redirect(route('admin.links.index'));
}

18
app/Http/Controllers/CurrencyController.php
View File

@ -78,7 +78,7 @@ class CurrencyController extends Controller
/** @var User $user */
$user = auth()->user();
if (!$this->userRepository->hasRole($user, 'owner')) {
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => config('firefly.site_owner')]));
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => e(config('firefly.site_owner'))]));
return redirect(route('currencies.index'));
}
@ -132,7 +132,7 @@ class CurrencyController extends Controller
$user = auth()->user();
if (!$this->userRepository->hasRole($user, 'owner')) {
// @codeCoverageIgnoreStart
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => config('firefly.site_owner')]));
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => e(config('firefly.site_owner'))]));
Log::channel('audit')->info(sprintf('Tried to visit page to delete currency %s but is not site owner.', $currency->code));
return redirect(route('currencies.index'));
@ -140,7 +140,7 @@ class CurrencyController extends Controller
}
if ($this->repository->currencyInUse($currency)) {
$request->session()->flash('error', (string)trans('firefly.cannot_delete_currency', ['name' => $currency->name]));
$request->session()->flash('error', (string)trans('firefly.cannot_delete_currency', ['name' => e($currency->name)]));
Log::channel('audit')->info(sprintf('Tried to visit page to delete currency %s but currency is in use.', $currency->code));
return redirect(route('currencies.index'));
@ -168,7 +168,7 @@ class CurrencyController extends Controller
$user = auth()->user();
if (!$this->userRepository->hasRole($user, 'owner')) {
// @codeCoverageIgnoreStart
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => config('firefly.site_owner')]));
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => e(config('firefly.site_owner'))]));
Log::channel('audit')->info(sprintf('Tried to delete currency %s but is not site owner.', $currency->code));
return redirect(route('currencies.index'));
@ -176,7 +176,7 @@ class CurrencyController extends Controller
}
if ($this->repository->currencyInUse($currency)) {
$request->session()->flash('error', (string)trans('firefly.cannot_delete_currency', ['name' => $currency->name]));
$request->session()->flash('error', (string)trans('firefly.cannot_delete_currency', ['name' => e($currency->name)]));
Log::channel('audit')->info(sprintf('Tried to delete currency %s but is in use.', $currency->code));
return redirect(route('currencies.index'));
@ -204,7 +204,7 @@ class CurrencyController extends Controller
$user = auth()->user();
if (!$this->userRepository->hasRole($user, 'owner')) {
// @codeCoverageIgnoreStart
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => config('firefly.site_owner')]));
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => e(config('firefly.site_owner'))]));
Log::channel('audit')->info(sprintf('Tried to disable currency %s but is not site owner.', $currency->code));
return redirect(route('currencies.index'));
@ -212,7 +212,7 @@ class CurrencyController extends Controller
}
if ($this->repository->currencyInUse($currency)) {
$request->session()->flash('error', (string)trans('firefly.cannot_disable_currency', ['name' => $currency->name]));
$request->session()->flash('error', (string)trans('firefly.cannot_disable_currency', ['name' => e($currency->name)]));
Log::channel('audit')->info(sprintf('Tried to disable currency %s but is in use.', $currency->code));
return redirect(route('currencies.index'));
@ -252,7 +252,7 @@ class CurrencyController extends Controller
$user = auth()->user();
if (!$this->userRepository->hasRole($user, 'owner')) {
// @codeCoverageIgnoreStart
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => config('firefly.site_owner')]));
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => e(config('firefly.site_owner'))]));
Log::channel('audit')->info(sprintf('Tried to edit currency %s but is not owner.', $currency->code));
return redirect(route('currencies.index'));
@ -393,7 +393,7 @@ class CurrencyController extends Controller
}
if (!$this->userRepository->hasRole($user, 'owner')) {
// @codeCoverageIgnoreStart
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => config('firefly.site_owner')]));
$request->session()->flash('error', (string)trans('firefly.ask_site_owner', ['owner' => e(config('firefly.site_owner'))]));
Log::channel('audit')->info('Tried to update (POST) currency without admin rights.', $data);
return redirect(route('currencies.index'));

4
app/Http/Controllers/Import/JobConfigurationController.php
View File

@ -77,7 +77,7 @@ class JobConfigurationController extends Controller
$allowed = ['has_prereq', 'need_job_config'];
if (null !== $importJob && !in_array($importJob->status, $allowed, true)) {
Log::error(sprintf('Job has state "%s", but we only accept %s', $importJob->status, json_encode($allowed)));
session()->flash('error', (string)trans('import.bad_job_status', ['status' => $importJob->status]));
session()->flash('error', (string)trans('import.bad_job_status', ['status' => e($importJob->status)]));
return redirect(route('import.index'));
}
@ -127,7 +127,7 @@ class JobConfigurationController extends Controller
// catch impossible status:
$allowed = ['has_prereq', 'need_job_config'];
if (null !== $importJob && !in_array($importJob->status, $allowed, true)) {
session()->flash('error', (string)trans('import.bad_job_status', ['status' => $importJob->status]));
session()->flash('error', (string)trans('import.bad_job_status', ['status' => e($importJob->status)]));
return redirect(route('import.index'));
}

6
app/Http/Controllers/Import/PrerequisitesController.php
View File

@ -76,7 +76,7 @@ class PrerequisitesController extends Controller
$allowed = ['new'];
if (null !== $importJob && !in_array($importJob->status, $allowed, true)) {
Log::error(sprintf('Job has state "%s" but this Prerequisites::index() only accepts %s', $importJob->status, json_encode($allowed)));
session()->flash('error', (string)trans('import.bad_job_status', ['status' => $importJob->status]));
session()->flash('error', (string)trans('import.bad_job_status', ['status' => e($importJob->status)]));
return redirect(route('import.index'));
}
@ -129,7 +129,7 @@ class PrerequisitesController extends Controller
$allowed = ['new'];
if (null !== $importJob && !in_array($importJob->status, $allowed, true)) {
Log::error(sprintf('Job has state "%s" but this Prerequisites::post() only accepts %s', $importJob->status, json_encode($allowed)));
session()->flash('error', (string)trans('import.bad_job_status', ['status' => $importJob->status]));
session()->flash('error', (string)trans('import.bad_job_status', ['status' => e($importJob->status)]));
return redirect(route('import.index'));
}
@ -148,7 +148,7 @@ class PrerequisitesController extends Controller
Log::debug(sprintf('Result of storePrerequisites has message count: %d', $result->count()));
if ($result->count() > 0) {
$request->session()->flash('error', $result->first());
$request->session()->flash('error', e($result->first()));
// redirect back to job, if has job:
return redirect(route('import.prerequisites.index', [$importProvider, $importJob->key ?? '']))->withInput();

4
app/Http/Controllers/PiggyBankController.php
View File

@ -321,7 +321,7 @@ class PiggyBankController extends Controller
'error',
(string)trans(
'firefly.cannot_add_amount_piggy',
['amount' => app('amount')->formatAnything($currency, $amount, false), 'name' => $piggyBank->name]
['amount' => app('amount')->formatAnything($currency, $amount, false), 'name' => e($piggyBank->name)]
)
);
@ -364,7 +364,7 @@ class PiggyBankController extends Controller
'error',
(string)trans(
'firefly.cannot_remove_from_piggy',
['amount' => app('amount')->formatAnything($currency, $amount, false), 'name' => $piggyBank->name]
['amount' => app('amount')->formatAnything($currency, $amount, false), 'name' => e($piggyBank->name)]
)
);

10
app/Http/Controllers/ProfileController.php
View File

@ -90,7 +90,7 @@ class ProfileController extends Controller
$loginProvider = config('firefly.login_provider');
if ('eloquent' !== $loginProvider) {
// @codeCoverageIgnoreStart
$request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => $loginProvider]));
$request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => e($loginProvider)]));
return redirect(route('profile.index'));
// @codeCoverageIgnoreEnd
@ -116,7 +116,7 @@ class ProfileController extends Controller
$loginProvider = config('firefly.login_provider');
if ('eloquent' !== $loginProvider) {
// @codeCoverageIgnoreStart
$request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => $loginProvider]));
$request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => e($loginProvider)]));
return redirect(route('profile.index'));
// @codeCoverageIgnoreEnd
@ -201,7 +201,7 @@ class ProfileController extends Controller
$loginProvider = config('firefly.login_provider');
if ('eloquent' !== $loginProvider) {
// @codeCoverageIgnoreStart
$request->session()->flash('warning', trans('firefly.delete_local_info_only', ['login_provider' => $loginProvider]));
$request->session()->flash('warning', trans('firefly.delete_local_info_only', ['login_provider' => e($loginProvider)]));
// @codeCoverageIgnoreEnd
}
$title = auth()->user()->email;
@ -297,7 +297,7 @@ class ProfileController extends Controller
$loginProvider = config('firefly.login_provider');
if ('eloquent' !== $loginProvider) {
// @codeCoverageIgnoreStart
$request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => $loginProvider]));
$request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => e($loginProvider)]));
return redirect(route('profile.index'));
// @codeCoverageIgnoreEnd
@ -351,7 +351,7 @@ class ProfileController extends Controller
$loginProvider = config('firefly.login_provider');
if ('eloquent' !== $loginProvider) {
// @codeCoverageIgnoreStart
$request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => $loginProvider]));
$request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => e($loginProvider)]));
return redirect(route('profile.index'));
// @codeCoverageIgnoreEnd

4
app/Support/Http/Controllers/UserNavigation.php
View File

@ -130,7 +130,7 @@ trait UserNavigation
/** @var Transaction $transaction */
$transaction = $account->transactions()->first();
if (null === $transaction) {
app('session')->flash('error', trans('firefly.account_missing_transaction', ['name' => $account->name, 'id' => $account->id]));
app('session')->flash('error', trans('firefly.account_missing_transaction', ['name' => e($account->name), 'id' => $account->id]));
Log::error(sprintf('Expected a transaction. Account #%d has none. BEEP, error.', $account->id));
return redirect(route('index'));
@ -141,7 +141,7 @@ trait UserNavigation
$opposingTransaction = $journal->transactions()->where('transactions.id', '!=', $transaction->id)->first();
if (null === $opposingTransaction) {
app('session')->flash('error', trans('firefly.account_missing_transaction', ['name' => $account->name, 'id' => $account->id]));
app('session')->flash('error', trans('firefly.account_missing_transaction', ['name' => e($account->name), 'id' => $account->id]));
Log::error(sprintf('Expected an opposing transaction. Account #%d has none. BEEP, error.', $account->id));
}

5
changelog.md
View File

@ -2,6 +2,11 @@
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).
## [4.7.17.6 (API 0.9.2)] - 2019-08-02
### Security
- XSS issue in liability account redirect, found by [@0x2500](https://github.com/0x2500).
## [4.7.17.5 (API 0.9.2)] - 2019-08-02
### Security

2
resources/views/v1/form/assetAccountCheckList.twig
View File

@ -12,7 +12,7 @@
{% else %}
{{ Form.checkbox(name~'[]', id, false, options) }}
{% endif %}
{{ account }}
{{ account|escape }}
</label>
</div>
{% endfor %}

2
resources/views/v1/import/bunq/choose-accounts.twig
View File

@ -64,7 +64,7 @@
{% endif %}
{% endfor %}
{% if account.status != 'ACTIVE' %}
<li>{{ trans('import.bunq_account_status_'~account.status) }}</li>
<li>{{ trans('import.bunq_account_status_'~account.status|escape) }}</li>
{% endif %}
{% if account.type == 'MonetaryAccountSavings' %}
<li>{{ trans('import.bunq_savings_goal', {'amount': account.savingsGoal.currency ~' '~account.savingsGoal.value,'percentage' : account.savingsGoal.percentage}) }}</li>