Merge tag '4.7.17.3' into develop

4.7.17.3

# Conflicts:
#	changelog.md
#	config/firefly.php

.sandstorm/changelog.md

@@ -1,5 +1,10 @@
+# 4.7.17.3 (API 0.9.2)
+
+- XSS bug in file uploads (x2), found by [@dayn1ne](https://github.com/dayn1ne).
+- XSS bug in search, found by [@dayn1ne](https://github.com/dayn1ne).
+
 # 4.7.17.2 (API 0.9.2)
-- XSS bug in budget title.
+- XSS bug in budget title, found by [@dayn1ne](https://github.com/dayn1ne).
 
 # 4.7.17 (API 0.9.2)
 - Support for Norwegian!

.sandstorm/sandstorm-pkgdef.capnp

@@ -15,8 +15,8 @@ const pkgdef :Spk.PackageDefinition = (
 
   manifest = (
     appTitle = (defaultText = "Firefly III"),
-    appVersion = 28,
-    appMarketingVersion = (defaultText = "4.7.17.2"),
+    appVersion = 29,
+    appMarketingVersion = (defaultText = "4.7.17.3"),
 
     actions = [
       # Define your "new document" handlers here.

.travis.yml

@@ -1,7 +1,7 @@
 sudo: required
 language: bash
 env:
-  - VERSION=4.7.17.2
+  - VERSION=4.7.17.3
 
 dist: xenial
 

app/Http/Controllers/AttachmentController.php

@@ -78,7 +78,7 @@ class AttachmentController extends Controller
     /**
      * Destroy attachment.
      *
-     * @param Request    $request
+     * @param Request $request
      * @param Attachment $attachment
      *
      * @return \Illuminate\Http\RedirectResponse|\Illuminate\Routing\Redirector
@@ -131,7 +131,7 @@ class AttachmentController extends Controller
     /**
      * Edit an attachment.
      *
-     * @param Request    $request
+     * @param Request $request
      * @param Attachment $attachment
      *
      * @return \Illuminate\Contracts\View\Factory|\Illuminate\View\View
@@ -178,7 +178,7 @@ class AttachmentController extends Controller
      * Update attachment.
      *
      * @param AttachmentFormRequest $request
-     * @param Attachment            $attachment
+     * @param Attachment $attachment
      *
      * @return RedirectResponse
      */
@@ -211,13 +211,27 @@ class AttachmentController extends Controller
      * @return LaravelResponse
      * @throws FireflyException
      */
-    public function view(Attachment $attachment): LaravelResponse
+    public function view(Request $request, Attachment $attachment): LaravelResponse
     {
         if ($this->repository->exists($attachment)) {
             $content = $this->repository->getContent($attachment);
 
+            // prevent XSS by adding a new secure header.
+            $csp = [
+                "default-src 'none'",
+                "object-src 'none'",
+                "script-src 'none'",
+                "style-src 'none'",
+                "base-uri 'none'",
+                "font-src 'none'",
+                "connect-src 'none'",
+                "img-src 'none'",
+                "manifest-src 'none'",
+            ];
+
             return response()->make(
                 $content, 200, [
+                            'Content-Security-Policy' => implode('; ', $csp),
                             'Content-Type'        => $attachment->mime,
                             'Content-Disposition' => 'inline; filename="' . $attachment->filename . '"',
                         ]

app/Http/Middleware/SecureHeaders.php

@@ -87,7 +87,11 @@ class SecureHeaders
         if (false === $disableFrameHeader || null === $disableFrameHeader) {
             $response->header('X-Frame-Options', 'deny');
         }
-        $response->header('Content-Security-Policy', implode('; ', $csp));
+
+        // content security policy may be set elsewhere.
+        if (!$response->headers->has('Content-Security-Policy')) {
+            $response->header('Content-Security-Policy', implode('; ', $csp));
+        }
         $response->header('X-XSS-Protection', '1; mode=block');
         $response->header('X-Content-Type-Options', 'nosniff');
         $response->header('Referrer-Policy', 'no-referrer');

changelog.md

@@ -2,8 +2,15 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [4.7.17.3 (API 0.9.2)] - 2019-07-16
+
+### Security
+- XSS bug in file uploads (x2), found by [@dayn1ne](https://github.com/dayn1ne).
+- XSS bug in search, found by [@dayn1ne](https://github.com/dayn1ne).
+
 ## [4.7.17.2 (API 0.9.2)] - 2019-07-15
 
+### Security
 - XSS bug in budget title, found by [@dayn1ne](https://github.com/dayn1ne).
 
 ## [4.7.17 (API 0.9.2)] - 2019-03-17

resources/views/v1/attachments/edit.twig

@@ -18,8 +18,8 @@
                         <h3 class="box-title">{{ 'mandatoryFields'|_ }}</h3>
                     </div>
                     <div class="box-body">
-                        {{ ExpandedForm.staticText('filename',attachment.filename) }}
-                        {{ ExpandedForm.staticText('mime',attachment.mime) }}
+                        {{ ExpandedForm.staticText('filename',attachment.filename|escape) }}
+                        {{ ExpandedForm.staticText('mime',attachment.mime|escape) }}
                         {{ ExpandedForm.staticText('size',attachment.size|filesize) }}
                     </div>
                 </div>

resources/views/v1/search/index.twig

@@ -31,7 +31,7 @@
                         </div>
                     </form>
                     <p>
-                        {{ trans('firefly.search_for_query', {query: query})|raw}}
+                        {{ trans('firefly.search_for_query', {query: query|escape})|raw}}
                     </p>
                     {% if modifiers|length > 0 %}
                         <p>{{ trans('firefly.modifiers_applies_are') }}</p>