otrs.changes
otrs.spec
otrs-3.0.17.tar.bz2/ARCHIVE
@@ -56,7 +56,7 @@
30d824b8a56fbb8072c97b06dba140f4::bin/otrs.UnlockTickets.pl
2b92690032f5835def37a09c7bb25726::bin/otrs.xml2sql.pl
989b08b205c22705c5ce1ec3fe40ab9e::bin/otrs.XMLMaster.pl
-5ef5cba8bf804f00a9efa885ce60aa92::CHANGES
+7e946bf55473c37d0c483d677269e4cb::CHANGES
73f1eb20517c55bf9493b7dd6e480788::COPYING
63ad7a2aaeec9877004ade71f2800a29::COPYING-Third-Party
ad5c561982eb8d596942964a33340221::CREDITS
@@ -607,7 +607,7 @@
12831b72c5feace828bebce85d837ce1::Kernel/System/GenericAgent/NotifyAgentGroupWithWritePermission.pm
6694417d287346d8ddb87aa619f12ca6::Kernel/System/GenericAgent.pm
afc160c263fe11e615861a79e63316d6::Kernel/System/Group.pm
-ef8b9812ecfc6ae2ac44b586d30170ff::Kernel/System/HTMLUtils.pm
+1943803cc14722e064cca39b17b5fe88::Kernel/System/HTMLUtils.pm
e5b56d9d93876104235a32164ef29ccd::Kernel/System/JSON.pm
2990e0f26c4894483b68dc4faae20542::Kernel/System/LinkObject/Ticket.pm
fcad7ce0855e755320034259f871ff64::Kernel/System/LinkObject.pm
@@ -726,7 +726,7 @@
5a6d7539bea6c59d9cb1aab53a8010cc::README
ac104452dfe7e76d0ab5daf95fd41bcd::README.database
5b910924a27de33a8edee417d158991a::README.webserver
-9130579bbd82a8e78d3d0e36118f603a::RELEASE
+7f97048a79be502a2a34c95444ce43b0::RELEASE
05edb7657cc65f98f33d02d4e3b73eb5::scripts/apache2-httpd.include.conf
38feeeb4ca6fa1cdb6e535cb0c5dc4ef::scripts/apache2-perl-startup.pl
318accebbe8a84c2b079a9d5c52656d3::scripts/auto_build/description.txt
@@ -859,7 +859,7 @@
1d4c7af01c1112400cedd7e6143adf31::scripts/test/FileTemp.t
2a975b552815051cdff9fbf4e87cc2d5::scripts/test/GenericAgent.t
d718df3ef4ab2918821ed664596f7aa3::scripts/test/Group.t
-4bd10ca084c7196a5f03710d7bcd1294::scripts/test/HTMLUtils.t
+16fe0b748136033964b2a1961ea2e2a5::scripts/test/HTMLUtils.t
f94d8315535bb69acc30152c8cb0135b::scripts/test/JSON.t
7fe413d0ba3216bc2bc0574cec7293e6::scripts/test/Language.t
a1bef12ed6e2d2face305ac77d184ab8::scripts/test/Layout.t
otrs-3.0.17.tar.bz2/CHANGES
@@ -2,13 +2,16 @@
# CHANGES - change log of OTRS
# Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
# --
-# $Id: CHANGES,v 1.1758.2.256 2012/08/28 09:02:25 mg Exp $
+# $Id: CHANGES,v 1.1758.2.258 2012/09/20 07:49:09 mg Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
+3.0.17 2012-10-16
+ - 2012-09-13 Improved HTML security filter to better find javascript source URLs.
+
3.0.16 2012-08-30
- 2012-08-28 Improved HTML security filter to detect tag nesting.
- 2012-08-24 Fixed bug#8611 - Ticket count is wrong in QueueView.
otrs-3.0.17.tar.bz2/Kernel/System/HTMLUtils.pm
@@ -2,7 +2,7 @@
# Kernel/System/HTMLUtils.pm - creating and modifying html strings
# Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
# --
-# $Id: HTMLUtils.pm,v 1.27.2.5 2012/08/28 08:20:14 mg Exp $
+# $Id: HTMLUtils.pm,v 1.27.2.6 2012/09/13 08:08:02 mg Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
@@ -15,7 +15,7 @@
use warnings;
use vars qw($VERSION);
-$VERSION = qw($Revision: 1.27.2.5 $) [1];
+$VERSION = qw($Revision: 1.27.2.6 $) [1];
=head1 NAME
@@ -1022,10 +1022,14 @@
# remove javascript in a href links or src links
$Replaced += $Tag =~ s{
- ((\s|;)(background|url|src|href)=)('|"|)(javascript.+?)('|"|)(\s|$TagEnd)
+ ((?:\s|;)(?:background|url|src|href)=)
+ ('|"|) # delimiter, can be empty
+ (?:\s*javascript.*?) # javascript, followed by anything but the delimiter
+ \2 # delimiter again
+ (\s|$TagEnd)
}
{
- "$1\"\"$7";
+ "$1\"\"$3";
}sgxime;
# remove link javascript tags
@@ -1036,7 +1040,7 @@
# remove MS CSS expressions (JavaScript embedded in CSS)
$Replaced += $Tag =~ s{
- \sstyle=("|')[^\1]*?expression[(][^\1]*?\1($TagEnd|\s)
+ \sstyle=("|')[^\1]*?expression[(].*?\1($TagEnd|\s)
}
{
$2;
@@ -1092,6 +1096,6 @@
=head1 VERSION
-$Revision: 1.27.2.5 $ $Date: 2012/08/28 08:20:14 $
+$Revision: 1.27.2.6 $ $Date: 2012/09/13 08:08:02 $
=cut
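Review bot: The CSS-expression pattern `\sstyle=("|')[^\1]*?expression[(].*?\1($TagEnd|\s)` still keeps `[^\1]*?` in front of `expression`, and inside a bracketed character class `\1` is not a backreference but the octal escape for chr(1), so that class matches any character except \x01 rather than "anything but the opening quote"; the commit replaced only the second occurrence with `.*?`. Replacing the first one the same way, `\sstyle=("|').*?expression[(].*?\1($TagEnd|\s)`, makes the pattern read as it behaves (if the substitution's flags, which are outside the hunk, lack `/s`, `.` will additionally stop at newlines where the class did not), and if the intent is to stay inside the quoted value, `(?:(?!\1).)*?` is the construct that actually does that. In the javascript-URL pattern the comment `# javascript, followed by anything but the delimiter` is likewise inaccurate, because `.*?` can cross the delimiter and what bounds the match is the lazy quantifier together with the trailing `\2 (\s|$TagEnd)`; `# lazily up to the closing delimiter followed by whitespace or tag end` would describe it correctly. Both substitutions sit inside a sub whose beginning and end are outside the hunks.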
otrs-3.0.17.tar.bz2/RELEASE
@@ -1,4 +1,4 @@
PRODUCT = OTRS
-VERSION = 3.0.16
-BUILDDATE = Tue Aug 28 10:11:39 CEST 2012
+VERSION = 3.0.17
+BUILDDATE = Thu Sep 20 10:17:18 CEST 2012
BUILDHOST = otrsbuild.otrs.com
otrs-3.0.17.tar.bz2/doc/manual/de/otrs_admin_book.pdf
otrs-3.0.17.tar.bz2/doc/manual/en/otrs_admin_book.pdf
otrs-3.0.17.tar.bz2/scripts/test/HTMLUtils.t
@@ -2,7 +2,7 @@
# HTMLUtils.t - HTMLUtils tests
# Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
# --
-# $Id: HTMLUtils.t,v 1.36.2.5 2012/08/28 08:20:14 mg Exp $
+# $Id: HTMLUtils.t,v 1.36.2.7 2012/09/20 07:32:13 mg Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
@@ -1192,6 +1192,70 @@
},
Name => 'Safety - Nested script tags'
},
+ {
+ Input => <<EOF,
+<img src="/img1.png"/>
+<iframe src=" javascript:alert('XSS Exploit');"></iframe>
+<img src="/img2.png"/>
+EOF
+ Result => {
+ Output => <<EOF,
+<img src="/img1.png"/>
+<iframe src=""></iframe>
+<img src="/img2.png"/>
+EOF
+ Replace => 1,
+ },
+ Name => 'Safety - javascript source with space'
+ },
+ {
+ Input => <<EOF,
+<img src="/img1.png"/>
+<iframe src=' javascript:alert("XSS Exploit");'></iframe>
+<img src="/img2.png"/>
+EOF
+ Result => {
+ Output => <<EOF,
+<img src="/img1.png"/>
+<iframe src=""></iframe>
+<img src="/img2.png"/>
+EOF
+ Replace => 1,
+ },
+ Name => 'Safety - javascript source with space'
+ },
+ {
+ Input => <<EOF,
+<img src="/img1.png"/>
+<iframe src=javascript:alert('XSS_Exploit');></iframe>
+<img src="/img2.png"/>
+EOF
+ Result => {
+ Output => <<EOF,
+<img src="/img1.png"/>
+<iframe src=""></iframe>
+<img src="/img2.png"/>
+EOF
+ Replace => 1,
+ },
+ Name => 'Safety - javascript source without delimiters'
+ },
+ {
+ Input => <<EOF,
+<img src="/img1.png"/>
+<iframe src="" data-src="javascript:alert('XSS Exploit');"></iframe>
+<img src="/img2.png"/>
+EOF
+ Result => {
+ Output => <<EOF,
+<img src="/img1.png"/>
+<iframe src="" data-src="javascript:alert('XSS Exploit');"></iframe>
+<img src="/img2.png"/>
+EOF
+ Replace => 0,
+ },
+ Name => 'Safety - javascript source in data tag, keep'
+ },
);
for my $Test (@Tests) {
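Review bot: The first two added test cases carry the identical `Name => 'Safety - javascript source with space'` although the second one wraps the `src` value in single quotes instead of double quotes, so a failure of either case reports under the same label and cannot be told apart in the test output. Renaming the single-quote case, e.g. `Name => 'Safety - javascript source with space (single quotes)'`, keeps the diagnostics unambiguous. The `@Tests` array these cases extend begins before the hunk.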