diff --git a/.sandstorm/changelog.md b/.sandstorm/changelog.md index c1aef0fdbc..71cc706e49 100644 --- a/.sandstorm/changelog.md +++ b/.sandstorm/changelog.md @@ -1,3 +1,7 @@ +# 4.7.17.4 (API 0.9.2) + +- Several XSS issues, found by [@dayn1ne](https://github.com/dayn1ne). + # 4.7.17.3 (API 0.9.2) - XSS bug in file uploads (x2), found by [@dayn1ne](https://github.com/dayn1ne). diff --git a/.sandstorm/sandstorm-pkgdef.capnp b/.sandstorm/sandstorm-pkgdef.capnp index c8502e36a9..9911495175 100644 --- a/.sandstorm/sandstorm-pkgdef.capnp +++ b/.sandstorm/sandstorm-pkgdef.capnp @@ -15,8 +15,8 @@ const pkgdef :Spk.PackageDefinition = ( manifest = ( appTitle = (defaultText = "Firefly III"), - appVersion = 29, - appMarketingVersion = (defaultText = "4.7.17.3"), + appVersion = 30, + appMarketingVersion = (defaultText = "4.7.17.4"), actions = [ # Define your "new document" handlers here. diff --git a/.travis.yml b/.travis.yml index e5b4f55c95..1166e57858 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,7 @@ sudo: required language: bash env: - - VERSION=4.7.17.3 + - VERSION=4.7.17.4 dist: xenial diff --git a/app/Http/Controllers/Rule/CreateController.php b/app/Http/Controllers/Rule/CreateController.php index b8030dfda4..af9e56b033 100644 --- a/app/Http/Controllers/Rule/CreateController.php +++ b/app/Http/Controllers/Rule/CreateController.php @@ -125,7 +125,7 @@ class CreateController extends Controller */ public function createFromBill(Request $request, Bill $bill) { - $request->session()->flash('info', (string)trans('firefly.instructions_rule_from_bill', ['name' => $bill->name])); + $request->session()->flash('info', (string)trans('firefly.instructions_rule_from_bill', ['name' => e($bill->name)])); $this->createDefaultRuleGroup(); $this->createDefaultRule(); diff --git a/app/Support/Import/JobConfiguration/FinTS/NewFinTSJobHandler.php b/app/Support/Import/JobConfiguration/FinTS/NewFinTSJobHandler.php index e3a1341e8a..7fa93a0189 100644 
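Review bot: The `e($bill->name)` in `createFromBill` escapes at the point the flash message is produced rather than where it is rendered, which only helps if the `info` flash is later printed unescaped (`|raw` or equivalent) by the layout; that template is not in this diff, so it is worth confirming, and if that output site is ever switched to auto-escaping, `&`, `<` and `"` in the bill name will show up double-encoded. A one-line comment would make the contract visible to the next reader: `// bill name is HTML-escaped here because the layout prints the flash body unescaped`. Escaping in the view next to the raw output would keep the decision in one place. The rest of `createFromBill` continues outside the hunk.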
--- a/app/Support/Import/JobConfiguration/FinTS/NewFinTSJobHandler.php +++ b/app/Support/Import/JobConfiguration/FinTS/NewFinTSJobHandler.php @@ -60,6 +60,9 @@ class NewFinTSJobHandler implements FinTSConfigurationInterface $config['fints_password'] = (string)(Crypt::encrypt($data['fints_password']) ?? ''); $config['apply-rules'] = 1 === (int)$data['apply_rules']; + // sanitize FinTS URL. + $config['fints_url'] = $this->validURI($config['fints_url']) ? $config['fints_url'] : ''; + $this->repository->setConfiguration($this->importJob, $config); $incomplete = false; @@ -107,4 +110,21 @@ class NewFinTSJobHandler implements FinTSConfigurationInterface $this->repository->setUser($importJob->user); } + /** + * @param string $fints_url + * + * @return bool + */ + private function validURI(string $fintsUri): bool + { + $res = filter_var($fintsUri, FILTER_VALIDATE_URL); + if (false === $res) { + return false; + } + $scheme = parse_url($fintsUri, PHP_URL_SCHEME); + + return 'https' === $scheme; + } + + } diff --git a/changelog.md b/changelog.md index f354cc7987..6ded64afbf 100644 --- a/changelog.md +++ b/changelog.md @@ -2,6 +2,11 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). +## [4.7.17.4 (API 0.9.2)] - 2019-08-02 + +### Security +- Several XSS issues, found by [@dayn1ne](https://github.com/dayn1ne). + ## [4.7.17.3 (API 0.9.2)] - 2019-07-16 ### Security diff --git a/config/firefly.php b/config/firefly.php index d38ea17020..ff2da1d38a 100644 --- a/config/firefly.php +++ b/config/firefly.php 
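Review bot: On the new `$config['fints_url']` line an invalid or non-https URL is silently replaced by `''`, so the user gets no indication the value was dropped; unless the `$incomplete` logic that follows treats the empty string as a validation failure (its body is outside the hunk), the job is saved with a blank URL and fails later with a less useful error. Surfacing a validation message, or at least logging that the URL was rejected (without echoing the raw value), would make the failure visible; a comment such as `// drop anything that is not a well-formed https URL; the bank endpoint is never contacted over plain http` says why the check exists. `validURI` checks syntax and scheme only, not the host, so if this value later drives server-side requests any host restriction is a separate concern. The method enclosing this hunk starts before it.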
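Review bot: The docblock on `validURI` documents `$fints_url` but the signature declares `$fintsUri`; change it to `@param string $fintsUri` or drop the line, since the native type already says everything the tag does. The scheme comparison is case-sensitive, so an input such as `HTTPS://host`, which `FILTER_VALIDATE_URL` appears to accept, is rejected — fail-closed, which is fine, but `return 'https' === strtolower((string)$scheme);` would be the intended behaviour if mixed case should pass. The method reads no instance state and could be `private static`. A purpose line like `Accept only well-formed URLs with an https scheme; anything else is treated as unusable.` would explain the restriction to the next maintainer.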
@@ -124,29 +124,29 @@ return [ 'single_user_mode' => true, 'is_demo_site' => false, ], - 'encryption' => null === env('USE_ENCRYPTION') || env('USE_ENCRYPTION') === true, - 'version' => '4.8.0', - 'api_version' => '0.10.0', - 'db_version' => 11, - 'maxUploadSize' => 15242880, - 'send_error_message' => env('SEND_ERROR_MESSAGE', true), - 'site_owner' => env('SITE_OWNER', ''), - 'send_registration_mail' => env('SEND_REGISTRATION_MAIL', true), - 'demo_username' => env('DEMO_USERNAME', ''), - 'demo_password' => env('DEMO_PASSWORD', ''), - 'is_sandstorm' => env('IS_SANDSTORM', 'unknown'), - 'is_docker' => env('IS_DOCKER', 'unknown'), - 'bunq_use_sandbox' => env('BUNQ_USE_SANDBOX', false), - 'fixer_api_key' => env('FIXER_API_KEY', ''), - 'mapbox_api_key' => env('MAPBOX_API_KEY', ''), - 'trusted_proxies' => env('TRUSTED_PROXIES', ''), - 'search_result_limit' => env('SEARCH_RESULT_LIMIT', 50), - 'send_report_journals' => envNonEmpty('SEND_REPORT_JOURNALS', true), - 'analytics_id' => env('ANALYTICS_ID', ''), - 'disable_frame_header' => env('DISABLE_FRAME_HEADER', false), - 'login_provider' => envNonEmpty('LOGIN_PROVIDER', 'eloquent'), - 'cer_provider' => envNonEmpty('CER_PROVIDER', 'fixer'), - 'allowedMimes' => [ + 'encryption' => null === env('USE_ENCRYPTION') || env('USE_ENCRYPTION') === true, + 'version' => '4.7.17.4', + 'api_version' => '0.9.2', + 'db_version' => 10, + 'maxUploadSize' => 15242880, + 'send_error_message' => env('SEND_ERROR_MESSAGE', true), + 'site_owner' => env('SITE_OWNER', ''), + 'send_registration_mail' => env('SEND_REGISTRATION_MAIL', true), + 'demo_username' => env('DEMO_USERNAME', ''), + 'demo_password' => env('DEMO_PASSWORD', ''), + 'is_sandstorm' => env('IS_SANDSTORM', 'unknown'), + 'is_docker' => env('IS_DOCKER', 'unknown'), + 'bunq_use_sandbox' => env('BUNQ_USE_SANDBOX', false), + 'fixer_api_key' => env('FIXER_API_KEY', ''), + 'mapbox_api_key' => env('MAPBOX_API_KEY', ''), + 'trusted_proxies' => env('TRUSTED_PROXIES', ''), + 
'search_result_limit' => env('SEARCH_RESULT_LIMIT', 50), + 'send_report_journals' => envNonEmpty('SEND_REPORT_JOURNALS', true), + 'analytics_id' => env('ANALYTICS_ID', ''), + 'disable_frame_header' => env('DISABLE_FRAME_HEADER', false), + 'login_provider' => envNonEmpty('LOGIN_PROVIDER', 'eloquent'), + 'cer_provider' => envNonEmpty('CER_PROVIDER', 'fixer'), + 'allowedMimes' => [ /* plain files */ 'text/plain', diff --git a/resources/views/v1/reports/audit/report.twig b/resources/views/v1/reports/audit/report.twig index 88eb8baf8a..6dd1bcbfbc 100644 --- a/resources/views/v1/reports/audit/report.twig +++ b/resources/views/v1/reports/audit/report.twig @@ -42,7 +42,7 @@ {{ trans('firefly.no_audit_activity', { - account_name: account.name, + account_name: account.name|escape, url: url, start: start.formatLocalized(monthAndDayFormat), end: end.formatLocalized(monthAndDayFormat), @@ -56,7 +56,7 @@ {{ trans('firefly.audit_end_balance', { - account_name: account.name, + account_name: account.name|escape, url: url, end: auditData[account.id].end, balance: formatAmountByAccount(account,auditData[account.id].endBalance) @@ -67,7 +67,7 @@

{{ trans('firefly.audit_end_balance', { - account_name: account.name, + account_name: account.name|escape, url: url, end: auditData[account.id].dayBefore, balance: formatAmountByAccount(account, auditData[account.id].dayBeforeBalance) diff --git a/resources/views/v1/transactions/convert.twig b/resources/views/v1/transactions/convert.twig index 0c0e00a851..0c7844e50e 100644 --- a/resources/views/v1/transactions/convert.twig +++ b/resources/views/v1/transactions/convert.twig @@ -284,14 +284,14 @@ {{ ExpandedForm.staticText('date', journal.date.formatLocalized(monthAndDayFormat)) }} #} {# in case of withdrawal #} - {# - {% if journalType.type == "Withdrawal" %} - {{ ExpandedForm.staticText('source_account_asset', ''~sourceAccount.name~'') }} - + + {% if sourceType.type == "Withdrawal" %} + {{ ExpandedForm.staticText('source_account_asset', ''~sourceAccount.name|escape~'') }} + {# if destination is cash, show (cash) #} {% if destinationAccount.accountType.type == "Cash account" %} {{ ExpandedForm.staticText('destination_account_expense', '(cash)') }} {% else %} - {{ ExpandedForm.staticText('destination_account_expense', ''~destinationAccount.name~'') }} + {{ ExpandedForm.staticText('destination_account_expense', ''~destinationAccount.name|escape~'') }} {% endif %} {% endif %} 
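Review bot: `account_name: account.name|escape` in the three report.twig hunks (-42, -56, -67) uses Twig's default `html` escape strategy, which is correct only while the translation string places the placeholder in element content; if `firefly.no_audit_activity` or `firefly.audit_end_balance` put it inside an attribute, `account.name|escape('html_attr')` is the right call. The `url` parameter stays unescaped, which is fine as long as it comes from `route()`. Because escaping is now opt-in per placeholder ahead of what is presumably a `|raw` output (as in the convert.twig and links/delete.twig hunks), any placeholder added later is unescaped by default; escaping every non-URL replacement once inside the `trans` helper would remove that failure mode. The end of each `trans(...)` call, including its output filter, lies outside these hunks.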
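Review bot: Besides adding `|escape`, hunk -284 removes the `{#` that opened a comment before `{% if journalType.type == "Withdrawal" %}` and renames the condition to `sourceType.type`, so previously disabled template code appears to become live, while the matching `#}` survives as context (`{% endif %} #}`) in hunk -303, where Twig would print it as literal text; hunk -303 does the same for the Transfer block. That is a behavioural change beyond the XSS fix the changelog describes and deserves a sentence in the commit message plus a check of the comment pairing in the file, which the collapsed hunks make hard to verify here. The `''~sourceAccount.name|escape~''` form concatenates empty strings to no effect; `ExpandedForm.staticText('source_account_asset', sourceAccount.name|escape)` reads the same.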
@@ -303,17 +303,16 @@ {% if sourceAccount.accountType.type == "Cash account" %} {{ ExpandedForm.staticText('source_account_revenue', '(cash)') }} {% else %} - {{ ExpandedForm.staticText('source_account_revenue', ''~sourceAccount.name~'') }} + {{ ExpandedForm.staticText('source_account_revenue', ''~sourceAccount.name|escape~'') }} {% endif %} - {{ ExpandedForm.staticText('destination_account_asset', ''~destinationAccount.name~'') }} + {{ ExpandedForm.staticText('destination_account_asset', ''~destinationAccount.name|escape~'') }} {% endif %} #} {# in case of transfer #} - {# - {% if journalType.type == "Transfer" %} - {{ ExpandedForm.staticText('source_account_asset', ''~sourceAccount.name~'') }} - {{ ExpandedForm.staticText('destination_account_asset', ''~destinationAccount.name~'') }} + {% if sourceType.type == "Transfer" %} + {{ ExpandedForm.staticText('source_account_asset', ''~sourceAccount.name|escape~'') }} + {{ ExpandedForm.staticText('destination_account_asset', ''~destinationAccount.name|escape~'') }} {% endif %} #} @@ -328,9 +327,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -341,7 +340,7 @@ {% if destinationAccount.accountType.type == "Cash account" %} {{ ExpandedForm.text('source_account_revenue', '') }} {% else %} - {{ ExpandedForm.text('source_account_revenue', destinationAccount.name) }} + {{ ExpandedForm.text('source_account_revenue', destinationAccount.name|escape) }} {% endif %} {% endif %} #} @@ -353,9 +352,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}
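Review bot: `ExpandedForm.text('source_account_revenue', destinationAccount.name|escape)` hands an already HTML-escaped string to a form helper; if `ExpandedForm.text` escapes the `value` attribute itself, as form builders usually do, a name containing `&`, `<` or `"` will appear double-encoded in the input field, so confirm what the helper does before keeping `|escape` on these lines (hunks -393, -446 and -474 make the same change). Several of these lines sit directly before a `#}`, so they may be inside a Twig comment and inert. The `staticText` calls in hunks -284 and -303 raise the same question about the helper's own escaping.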

@@ -378,9 +377,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -393,7 +392,7 @@ {% if sourceAccount.accountType.type == "Cash account" %} {{ ExpandedForm.text('destination_account_expense', '') }} {% else %} - {{ ExpandedForm.text('destination_account_expense', destinationAccount.name) }} + {{ ExpandedForm.text('destination_account_expense', destinationAccount.name|escape) }} {% endif %} {% endif %} @@ -408,9 +407,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -433,9 +432,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -446,7 +445,7 @@

- {{ ExpandedForm.text('destination_account_expense', destinationAccount.name) }} + {{ ExpandedForm.text('destination_account_expense', destinationAccount.name|escape) }} {% endif %} #} @@ -461,9 +460,9 @@ { amount: positiveAmount|formatAmount, sourceRoute: route('accounts.show', [sourceAccount.id]), - sourceName: sourceAccount.name, + sourceName: sourceAccount.name|escape, destinationRoute: route('accounts.show', [destinationAccount.id]), - destinationName: destinationAccount.name, + destinationName: destinationAccount.name|escape, })|raw }}

@@ -474,7 +473,7 @@

- {{ ExpandedForm.text('source_account_revenue', sourceAccount.name) }} + {{ ExpandedForm.text('source_account_revenue', sourceAccount.name|escape) }} {% endif %} #} diff --git a/resources/views/v1/transactions/links/delete.twig b/resources/views/v1/transactions/links/delete.twig index fad7391887..0f343125da 100644 --- a/resources/views/v1/transactions/links/delete.twig +++ b/resources/views/v1/transactions/links/delete.twig @@ -12,14 +12,14 @@
-

{{ trans('firefly.delete_journal_link', {source: link.source.description, destination: link.destination.description, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }}

+

{{ trans('firefly.delete_journal_link', {source: link.source.description|escape, destination: link.destination.description|escape, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }}

{{ trans('form.permDeleteWarning') }}

- {{ trans('form.journal_link_areYouSure', {source: link.source.description, destination: link.destination.description, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }} + {{ trans('form.journal_link_areYouSure', {source: link.source.description|escape, destination: link.destination.description|escape, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }}
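Review bot: The new lines pass `link.source_id` to `route()` wrapped in an array but `link.destination_id` bare (`route('transactions.show',link.destination_id)`), in both the `delete_journal_link` and `journal_link_areYouSure` calls; since the lines are being rewritten anyway, `route('transactions.show', [link.destination_id])` would keep the two forms consistent. As in the other templates, `|escape` uses the `html` strategy ahead of the `|raw` output, which is right only while the translation places the descriptions in element content rather than an attribute.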