Merge branch 'hotfix/4.7.17.3'

James Cole
2019-07-16 19:22:58 +02:00
9 changed files with 45 additions and 15 deletions


@@ -1,5 +1,10 @@
# 4.7.17.3 (API 0.9.2)
- XSS bug in file uploads (x2), found by [@dayn1ne](https://github.com/dayn1ne).
- XSS bug in search, found by [@dayn1ne](https://github.com/dayn1ne).
# 4.7.17.2 (API 0.9.2) # 4.7.17.2 (API 0.9.2)
- XSS bug in budget title. - XSS bug in budget title, found by [@dayn1ne](https://github.com/dayn1ne).
# 4.7.17 (API 0.9.2) # 4.7.17 (API 0.9.2)
- Support for Norwegian! - Support for Norwegian!


@@ -15,8 +15,8 @@ const pkgdef :Spk.PackageDefinition = (
manifest = ( manifest = (
appTitle = (defaultText = "Firefly III"), appTitle = (defaultText = "Firefly III"),
appVersion = 28, appVersion = 29,
appMarketingVersion = (defaultText = "4.7.17.2"), appMarketingVersion = (defaultText = "4.7.17.3"),
actions = [ actions = [
# Define your "new document" handlers here. # Define your "new document" handlers here.


@@ -1,7 +1,7 @@
sudo: required sudo: required
language: bash language: bash
env: env:
- VERSION=4.7.17.2 - VERSION=4.7.17.3
dist: xenial dist: xenial


@@ -211,13 +211,27 @@ class AttachmentController extends Controller
* @return LaravelResponse * @return LaravelResponse
* @throws FireflyException * @throws FireflyException
*/ */
public function view(Attachment $attachment): LaravelResponse public function view(Request $request, Attachment $attachment): LaravelResponse
{ {
if ($this->repository->exists($attachment)) { if ($this->repository->exists($attachment)) {
$content = $this->repository->getContent($attachment); $content = $this->repository->getContent($attachment);
// prevent XSS by adding a new secure header.
$csp = [
"default-src 'none'",
"object-src 'none'",
"script-src 'none'",
"style-src 'none'",
"base-uri 'none'",
"font-src 'none'",
"connect-src 'none'",
"img-src 'none'",
"manifest-src 'none'",
];
return response()->make( return response()->make(
$content, 200, [ $content, 200, [
'Content-Security-Policy' => implode('; ', $csp),
'Content-Type' => $attachment->mime, 'Content-Type' => $attachment->mime,
'Content-Disposition' => 'inline; filename="' . $attachment->filename . '"', 'Content-Disposition' => 'inline; filename="' . $attachment->filename . '"',
] ]
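Review bot: The `Content-Disposition` value at the end of the hunk is still built by string concatenation around `$attachment->filename`, so a stored filename containing a double quote produces a malformed header, and the new CSP only hardens the body, not this header; building it with `ResponseHeaderBag::makeDisposition('inline', $attachment->filename, <ASCII fallback name>)` (reachable as `$response->headers->makeDisposition(...)` on the created response) quotes and encodes it correctly. The `$csp` list also does not cover `form-action`, which `default-src` does not govern, so an HTML attachment rendered inline could still submit a form; adding `"form-action 'none'",` to `$csp` closes that gap. The `$request` parameter added to the signature is not used in the visible lines; `view()` continues outside the hunk, so it may be used there.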


@@ -85,7 +85,11 @@ class SecureHeaders
if (false === $disableFrameHeader || null === $disableFrameHeader) { if (false === $disableFrameHeader || null === $disableFrameHeader) {
$response->header('X-Frame-Options', 'deny'); $response->header('X-Frame-Options', 'deny');
} }
// content security policy may be set elsewhere.
if (!$response->headers->has('Content-Security-Policy')) {
$response->header('Content-Security-Policy', implode('; ', $csp)); $response->header('Content-Security-Policy', implode('; ', $csp));
}
$response->header('X-XSS-Protection', '1; mode=block'); $response->header('X-XSS-Protection', '1; mode=block');
$response->header('X-Content-Type-Options', 'nosniff'); $response->header('X-Content-Type-Options', 'nosniff');
$response->header('Referrer-Policy', 'no-referrer'); $response->header('Referrer-Policy', 'no-referrer');
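Review bot: The new `has()` guard makes a header already set on the response replace the global policy outright rather than merge with it, which the comment `// content security policy may be set elsewhere.` does not convey; suggest `// A Content-Security-Policy already set on the response (e.g. by a controller) replaces the global $csp entirely, so a per-response policy must be at least as restrictive as this one.` The `$csp` array and the start of the enclosing method lie outside the hunk, so which directives the global policy carries is not visible here.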


@@ -2,9 +2,16 @@
All notable changes to this project will be documented in this file. All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/). This project adheres to [Semantic Versioning](http://semver.org/).
## [4.7.17.3 (API 0.9.2)] - 2019-07-16
### Security
- XSS bug in file uploads (x2), found by [@dayn1ne](https://github.com/dayn1ne).
- XSS bug in search, found by [@dayn1ne](https://github.com/dayn1ne).
## [4.7.17.2 (API 0.9.2)] - 2019-07-15 ## [4.7.17.2 (API 0.9.2)] - 2019-07-15
- XSS bug in budget title. ### Security
- XSS bug in budget title, found by [@dayn1ne](https://github.com/dayn1ne).
## [4.7.17 (API 0.9.2)] - 2019-03-17 ## [4.7.17 (API 0.9.2)] - 2019-03-17


@@ -93,7 +93,7 @@ return [
'is_demo_site' => false, 'is_demo_site' => false,
], ],
'encryption' => null === env('USE_ENCRYPTION') || env('USE_ENCRYPTION') === true, 'encryption' => null === env('USE_ENCRYPTION') || env('USE_ENCRYPTION') === true,
'version' => '4.7.17.2', 'version' => '4.7.17.3',
'api_version' => '0.9.2', 'api_version' => '0.9.2',
'db_version' => 10, 'db_version' => 10,
'maxUploadSize' => 15242880, 'maxUploadSize' => 15242880,


@@ -18,8 +18,8 @@
<h3 class="box-title">{{ 'mandatoryFields'|_ }}</h3> <h3 class="box-title">{{ 'mandatoryFields'|_ }}</h3>
</div> </div>
<div class="box-body"> <div class="box-body">
{{ ExpandedForm.staticText('filename',attachment.filename) }} {{ ExpandedForm.staticText('filename',attachment.filename|escape) }}
{{ ExpandedForm.staticText('mime',attachment.mime) }} {{ ExpandedForm.staticText('mime',attachment.mime|escape) }}
{{ ExpandedForm.staticText('size',attachment.size|filesize) }} {{ ExpandedForm.staticText('size',attachment.size|filesize) }}
</div> </div>
</div> </div>
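Review bot: Escaping at each call site (`attachment.filename|escape`, `attachment.mime|escape`) implies `ExpandedForm.staticText` emits its value unescaped, so every other existing and future call of that helper with user-controlled data needs the same treatment; escaping inside the helper itself would fix this once instead of per template. The `size|filesize` line was left unescaped, which is fine if `filesize` only ever emits a formatted number, but that is not visible here. The enclosing template continues outside the hunk.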


@@ -31,7 +31,7 @@
</div> </div>
</form> </form>
<p> <p>
{{ trans('firefly.search_for_query', {query: query})|raw}} {{ trans('firefly.search_for_query', {query: query|escape})|raw}}
</p> </p>
{% if modifiers|length > 0 %} {% if modifiers|length > 0 %}
<p>{{ trans('firefly.modifiers_applies_are') }}</p> <p>{{ trans('firefly.modifiers_applies_are') }}</p>
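Review bot: The expression still ends in `|raw`, so the only protection on this output is the `|escape` applied to the single `query` parameter; any placeholder later added to `firefly.search_for_query` would go out unescaped. If the translation string contains markup, a comment such as `{# |raw because the translation contains markup; every parameter must be |escape'd #}` would make that contract visible at the call site; if it does not, dropping `|raw` and letting Twig auto-escape the whole expression is the more robust form. Which of the two applies depends on the translation file, which is outside this hunk.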