View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005627 | Composr alpha bug reports | [Composr] core | public | 2024-02-27 15:37 | 2024-08-04 22:49 |
| Reporter | WpE | Assigned To | Patrick Schmalstig | ||
| Severity | Security-hole | ||||
| Status | resolved | Resolution | fixed | ||
| Summary | 0005627: Not all error messages are being sanitised by _sanitise_error_msg | ||||
| Description | The COULD_NOT_SAVE_FILE string (and other things) use the full file path of the file that could not be saved. This is a security problem because full paths could be exposed to regular members in attached messages. | ||||
| Additional Information | WpE originally reported this issue indirectly when reporting another issue. Therefore I'm assigning WpE as the reporter. | ||||
| Tags | Roadmap: v11 | ||||
| Sponsorship open | |||||
|
|
Actually this goes far beyond COULD_NOT_SAVE_FILE, e.g. intelligent_write_error. And special considerations must be made (e.g. warn_exit needs the full path so it can log it to the server / PHP error logs. But that means it will also show the full path in the error on the UI.) |
|
|
This is supposed to be handled by the _sanitise_error_msg function. |
|
|
Ah, thank you. That makes things a lot easier. |
|
|
Bug also exists in v11 |
|
|
Automated response: Not all error messages are being sanitised by _sanitise_error_msg The COULD_NOT_SAVE_FILE string (and other things) use the full file path of the file that could not be saved. This is a security problem because full paths could be exposed to regular members in attached messages. I am not 100% certain this patch will fix all cases, but it does move the _sanitise_error_msg function to global3 (from failure) to help better ensure its availability. And I added its missing use in attach_message. **The patch below is only for v11** |
|
|
Fixed in Git commit 1c17234396 (https://gitlab.com/composr-foundation/composr/commit/1c17234396 - link will become active once code pushed to GitLab) |
|
|
hotfix-5627, 2024-06-07 4pm.tar (512,512 bytes) |
|
|
A hotfix (a TAR of files to upload) has been uploaded to this issue. Only apply this hotfix if you absolutely need it and cannot wait until the next release of the software (releases are more reliable and strictly tested). As of the software version 11, the recommended way to apply a hotfix is by following the same steps as an upgrade (https://baseurl/upgrader.php, use the hotfix on step 5). The upgrader will automatically skip files belonging to addons you do not have installed or that are newer on disk than in the hotfix. Otherwise, you can manually extract and replace these files (do not replace if your on-disk file is newer than the one in the hotfix). Always take backups of your site or at least files you are replacing before applying a hotfix. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/). |
|
|
Patrick, this can be marked done? |
|
|
I think so. I'm not 100% sure I caught all the cases that needed it but I haven't found any more since the hotfix. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-02-27 15:37 | Patrick Schmalstig | New Issue | |
| 2024-02-27 15:37 | Patrick Schmalstig | Status | non-assigned => assigned |
| 2024-02-27 15:37 | Patrick Schmalstig | Assigned To | => Patrick Schmalstig |
| 2024-02-27 15:38 | Patrick Schmalstig | Additional Information Updated | View Revisions |
| 2024-02-27 15:38 | Patrick Schmalstig | Additional Information Updated | View Revisions |
| 2024-02-27 15:38 | Patrick Schmalstig | Reporter | Patrick Schmalstig => WpE |
| 2024-02-27 15:45 | Patrick Schmalstig | Note Added: 0008368 | |
| 2024-02-27 17:12 | Chris Graham | Note Added: 0008369 | |
| 2024-02-27 20:01 | Patrick Schmalstig | Note Added: 0008370 | |
| 2024-02-27 20:01 | Patrick Schmalstig | Note Edited: 0008370 | View Revisions |
| 2024-02-27 20:02 | Patrick Schmalstig | Summary | COULD_NOT_SAVE_FILE exposes full file path => Not all error messages are being sanitised by _sanitise_error_msg |
| 2024-02-27 20:02 | Patrick Schmalstig | Description Updated | View Revisions |
| 2024-02-28 20:18 | Patrick Schmalstig | Note Added: 0008371 | |
| 2024-06-07 16:45 | Patrick Schmalstig | Note Edited: 0008829 | View Revisions |
| 2024-08-04 21:54 | Chris Graham | Note Added: 0009082 | |
| 2024-08-04 21:54 | Chris Graham | Tag Attached: Roadmap: v11 | |
| 2024-08-04 22:49 | Patrick Schmalstig | Status | assigned => resolved |
| 2024-08-04 22:49 | Patrick Schmalstig | Resolution | open => fixed |
| 2024-08-04 22:49 | Patrick Schmalstig | Note Added: 0009095 |
