From 531161db0902154fed433bb33bdb2cabd61ae6dc Mon Sep 17 00:00:00 2001 From: James Cole Date: Tue, 16 Jul 2019 19:21:58 +0200 Subject: [PATCH 1/4] Fixes #2338 --- app/Http/Controllers/AttachmentController.php | 22 +++++++++++++++---- app/Http/Middleware/SecureHeaders.php | 8 +++++-- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/app/Http/Controllers/AttachmentController.php b/app/Http/Controllers/AttachmentController.php index 7b58dbaf23..b0c88f9894 100644 --- a/app/Http/Controllers/AttachmentController.php +++ b/app/Http/Controllers/AttachmentController.php @@ -78,7 +78,7 @@ class AttachmentController extends Controller /** * Destroy attachment. * - * @param Request $request + * @param Request $request * @param Attachment $attachment * * @return \Illuminate\Http\RedirectResponse|\Illuminate\Routing\Redirector @@ -131,7 +131,7 @@ class AttachmentController extends Controller /** * Edit an attachment. * - * @param Request $request + * @param Request $request * @param Attachment $attachment * * @return \Illuminate\Contracts\View\Factory|\Illuminate\View\View @@ -178,7 +178,7 @@ class AttachmentController extends Controller * Update attachment. * * @param AttachmentFormRequest $request - * @param Attachment $attachment + * @param Attachment $attachment * * @return RedirectResponse */ 
@@ -211,13 +211,27 @@ class AttachmentController extends Controller * @return LaravelResponse * @throws FireflyException */ - public function view(Attachment $attachment): LaravelResponse + public function view(Request $request, Attachment $attachment): LaravelResponse { if ($this->repository->exists($attachment)) { $content = $this->repository->getContent($attachment); + // prevent XSS by adding a new secure header. + $csp = [ + "default-src 'none'", + "object-src 'none'", + "script-src 'none'", + "style-src 'none'", + "base-uri 'none'", + "font-src 'none'", + "connect-src 'none'", + "img-src 'none'", + "manifest-src 'none'", + ]; + return response()->make( $content, 200, [ + 'Content-Security-Policy' => implode('; ', $csp), 'Content-Type' => $attachment->mime, 'Content-Disposition' => 'inline; filename="' . $attachment->filename . '"', ] diff --git a/app/Http/Middleware/SecureHeaders.php b/app/Http/Middleware/SecureHeaders.php index e7e9bfc3ae..6859e734f8 100644 --- a/app/Http/Middleware/SecureHeaders.php +++ b/app/Http/Middleware/SecureHeaders.php @@ -36,7 +36,7 @@ class SecureHeaders * Handle an incoming request. May not be a limited user (ie. Sandstorm env. or demo user). * * @param \Illuminate\Http\Request $request - * @param \Closure $next + * @param \Closure $next * * @return mixed */ @@ -85,7 +85,11 @@ class SecureHeaders if (false === $disableFrameHeader || null === $disableFrameHeader) { $response->header('X-Frame-Options', 'deny'); } - $response->header('Content-Security-Policy', implode('; ', $csp)); + + // content security policy may be set elsewhere. + if (!$response->headers->has('Content-Security-Policy')) { + $response->header('Content-Security-Policy', implode('; ', $csp)); + } $response->header('X-XSS-Protection', '1; mode=block'); $response->header('X-Content-Type-Options', 'nosniff'); $response->header('Referrer-Policy', 'no-referrer'); From 17a66b3056096244a2198a7351847d26cb7b37c5 Mon Sep 17 00:00:00 2001 
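Review bot: The new `$csp` list in `view()` leaves out the directives that `default-src` does not govern, so an attachment that is still rendered inline (the `Content-Disposition: inline` context line keeps that behaviour) can be framed or submit forms; add `"frame-ancestors 'none'"` and `"form-action 'none'"` to `$csp`, or use the `sandbox` directive, which also blocks script execution independently of the other directives. The `$request` parameter added to the signature is not referenced by any visible line of the hunk; if it is unused it can be dropped, otherwise its purpose belongs in the `@param` block. The `Content-Disposition` value is still built by concatenating `$attachment->filename` unescaped inside double quotes, so a filename containing `"` or `;` produces a malformed header; Symfony's `HeaderUtils::makeDisposition()` does the quoting correctly. The body of `view()` continues past the end of the hunk.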
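Review bot: The `has('Content-Security-Policy')` guard makes any CSP already present on the response win over the middleware's policy, but the comment `// content security policy may be set elsewhere.` does not say so or name where; the intended case is a stricter per-response policy (the attachment view in this series), yet a laxer one set by any other code path would now silently replace the site-wide policy. Suggest expanding the comment to `// A response may carry its own, stricter CSP (e.g. inline attachment views); only apply the site-wide policy when none is set.` so the precedence rule is explicit. The enclosing `handle()` body starts and ends outside the hunk.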
From: James Cole
Date: Tue, 16 Jul 2019 19:22:14 +0200
Subject: [PATCH 2/4] Fixes #2337
---
 resources/views/v1/attachments/edit.twig | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/resources/views/v1/attachments/edit.twig b/resources/views/v1/attachments/edit.twig
index 1c663ccdb8..d80bde0fba 100644
--- a/resources/views/v1/attachments/edit.twig
+++ b/resources/views/v1/attachments/edit.twig
@@ -18,8 +18,8 @@

{{ 'mandatoryFields'|_ }}

- {{ ExpandedForm.staticText('filename',attachment.filename) }}
- {{ ExpandedForm.staticText('mime',attachment.mime) }}
+ {{ ExpandedForm.staticText('filename',attachment.filename|escape) }}
+ {{ ExpandedForm.staticText('mime',attachment.mime|escape) }}
 {{ ExpandedForm.staticText('size',attachment.size|filesize) }}
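Review bot: Escaping at the call site (`attachment.filename|escape`, `attachment.mime|escape`) leaves every other `ExpandedForm.staticText(...)` caller as exposed as these two were; the more robust fix is for the `staticText` macro itself to escape the value it prints (or drop whatever `|raw` it applies), which is outside this hunk and cannot be confirmed from here. If call-site escaping is kept, a short Twig comment at this spot, `{# staticText renders raw: escape user-supplied values here #}`, would stop the next caller from omitting it. Note that a bare `|escape` is the HTML-body strategy; a value that ends up inside an attribute or a script needs `|e('html_attr')` or `|e('js')` instead.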
From f795cb07e1bb9ad3bd0dceeafbb0ece4ebe518d7 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Tue, 16 Jul 2019 19:22:35 +0200
Subject: [PATCH 3/4] Fixes #2339
---
 resources/views/v1/search/index.twig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/views/v1/search/index.twig b/resources/views/v1/search/index.twig
index 90b174b21e..dd6b19b880 100644
--- a/resources/views/v1/search/index.twig
+++ b/resources/views/v1/search/index.twig
@@ -31,7 +31,7 @@

- {{ trans('firefly.search_for_query', {query: query})|raw}}
+ {{ trans('firefly.search_for_query', {query: query|escape})|raw}}

{% if modifiers|length > 0 %}

{{ trans('firefly.modifiers_applies_are') }}

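Review bot: Escaping `query` and then rendering the whole translated string with `|raw` is only safe while `firefly.search_for_query` interpolates nothing else; anyone adding a second placeholder to that translation must escape it too, and nothing on this line records that. A Twig comment above it, `{# query is escaped first because the translated string is rendered raw #}`, states the invariant where the next editor will see it. The same call-site escaping pattern is used in the attachments edit view in patch 2 of this series.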
From a9f34e9dd18ec4f46fdcfee5d577c2b93228b407 Mon Sep 17 00:00:00 2001 From: James Cole Date: Tue, 16 Jul 2019 19:22:45 +0200 Subject: [PATCH 4/4] Update version. --- .sandstorm/changelog.md | 7 ++++++- .sandstorm/sandstorm-pkgdef.capnp | 4 ++-- .travis.yml | 2 +- changelog.md | 9 ++++++++- config/firefly.php | 2 +- 5 files changed, 18 insertions(+), 6 deletions(-) diff --git a/.sandstorm/changelog.md b/.sandstorm/changelog.md index 13b38d665b..c1aef0fdbc 100644 --- a/.sandstorm/changelog.md +++ b/.sandstorm/changelog.md @@ -1,5 +1,10 @@ +# 4.7.17.3 (API 0.9.2) + +- XSS bug in file uploads (x2), found by [@dayn1ne](https://github.com/dayn1ne). +- XSS bug in search, found by [@dayn1ne](https://github.com/dayn1ne). + # 4.7.17.2 (API 0.9.2) -- XSS bug in budget title. +- XSS bug in budget title, found by [@dayn1ne](https://github.com/dayn1ne). # 4.7.17 (API 0.9.2) - Support for Norwegian! diff --git a/.sandstorm/sandstorm-pkgdef.capnp b/.sandstorm/sandstorm-pkgdef.capnp index cdec1b1794..c8502e36a9 100644 --- a/.sandstorm/sandstorm-pkgdef.capnp +++ b/.sandstorm/sandstorm-pkgdef.capnp @@ -15,8 +15,8 @@ const pkgdef :Spk.PackageDefinition = ( manifest = ( appTitle = (defaultText = "Firefly III"), - appVersion = 28, - appMarketingVersion = (defaultText = "4.7.17.2"), + appVersion = 29, + appMarketingVersion = (defaultText = "4.7.17.3"), actions = [ # Define your "new document" handlers here. diff --git a/.travis.yml b/.travis.yml index 6716f0f425..e5b4f55c95 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,7 @@ sudo: required language: bash env: - - VERSION=4.7.17.2 + - VERSION=4.7.17.3 dist: xenial diff --git a/changelog.md b/changelog.md index 9ad4d37c3b..f354cc7987 100644 --- a/changelog.md +++ b/changelog.md 
@@ -2,9 +2,16 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). +## [4.7.17.3 (API 0.9.2)] - 2019-07-16 + +### Security +- XSS bug in file uploads (x2), found by [@dayn1ne](https://github.com/dayn1ne). +- XSS bug in search, found by [@dayn1ne](https://github.com/dayn1ne). + ## [4.7.17.2 (API 0.9.2)] - 2019-07-15 -- XSS bug in budget title. +### Security +- XSS bug in budget title, found by [@dayn1ne](https://github.com/dayn1ne). ## [4.7.17 (API 0.9.2)] - 2019-03-17 diff --git a/config/firefly.php b/config/firefly.php index 9c481fe5f4..f732748e35 100644 --- a/config/firefly.php +++ b/config/firefly.php @@ -93,7 +93,7 @@ return [ 'is_demo_site' => false, ], 'encryption' => null === env('USE_ENCRYPTION') || env('USE_ENCRYPTION') === true, - 'version' => '4.7.17.2', + 'version' => '4.7.17.3', 'api_version' => '0.9.2', 'db_version' => 10, 'maxUploadSize' => 15242880,