From c82dd7ca7dd49728dd8c3cd2e0677f9328330fc9 Mon Sep 17 00:00:00 2001
From: Alex Vandiver <alexmv@bestpractical.com>
Date: Mon, 1 Dec 2014 16:58:43 -0500
Subject: [PATCH 1/3] Hide utf8 warnings during attempted decoding

EncodeFromToWithCroak is used to exploratorily attempt to decode unknown
byte strings.  This operation, under Encode::FB_DEFAULT, may generate
warnings -- lots of warnings.  This can lead to denial of service in
some situations.  This vulnerability has been assigned CVE-2014-9472.

Unfortunately, "no warnings 'utf8'" does not work to quiet them until
Encode 2.64; simply skip warnings of this type in the logging handler.
---
 lib/RT.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/RT.pm b/lib/RT.pm
index 063f7f7..ed23952 100644
--- a/lib/RT.pm
+++ b/lib/RT.pm
@@ -321,6 +321,8 @@ sub InitSignalHandlers {
 ## mechanism (see above).
 
     $SIG{__WARN__} = sub {
+        return 'IGNORE' if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;
+
         # The 'wide character' warnings has to be silenced for now, at least
         # until HTML::Mason offers a sane way to process both raw output and
         # unicode strings.
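Review bot: The added early return at the top of the `$SIG{__WARN__}` handler drops every "Code point ... is not Unicode" warning process-wide, not only those raised while EncodeFromToWithCroak probes an unknown byte string, so a genuine non-Unicode code point reaching any other code path is now never logged. A narrower fix is to set a flag only around the exploratory decode, `local $RT::SilenceUTF8Warnings = 1;` in EncodeFromToWithCroak (outside this hunk), and test it here: `return if $RT::SilenceUTF8Warnings and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;`. The `'IGNORE'` return value has no effect on a `__WARN__` handler (the warning is suppressed simply because the handler returns without printing or logging it), so a bare `return` reads less misleadingly. The match also depends on perl's exact wording of this message, which is worth a comment such as `# Exact text of perl's utf8 warning; re-check on perl upgrades` so it is revisited. InitSignalHandlers continues outside the hunk.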
-- 
2.2.2


From 3083849b807974d155ebb63b313c3508008d19fb Mon Sep 17 00:00:00 2001
From: Alex Vandiver <alexmv@bestpractical.com>
Date: Fri, 30 Jan 2015 15:03:16 -0500
Subject: [PATCH 2/3] Prevent text content from being interpreted as HTML by
 RSS clients

The ->Content method is used to obtain the data to use in the RSS
<description> tag.  However, most RSS feed readers display the contents
of the <description> tag using a HTML rendering engine; this allows
textual content to be mistakenly rendered as HTML.  This specifically
includes links, which RSS readers may not hide the "Referer" header of,
exposing the RSS feed URL and thus allowing for information disclosure.
This vulnerability has been assigned CVE-2015-1165.

Escape the textual content so that it is not interpreted as HTML by RSS
readers.  This is superior to requesting ->Content( Type => "text/html" )
because it is guaranteed to not contain links, and thus not suffer from
the above Referer disclosure.
---
 share/html/Search/Elements/ResultsRSSView | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
index 5033c8c..2419787 100644
--- a/share/html/Search/Elements/ResultsRSSView
+++ b/share/html/Search/Elements/ResultsRSSView
@@ -121,10 +121,17 @@ $r->content_type('application/rss+xml');
     while ( my $Ticket = $Tickets->Next()) {
         my $creator_str = $m->scomp('/Elements/ShowUser', User => $Ticket->CreatorObj);
         $creator_str =~ s/[\r\n]//g;
+
+        # Get the plain-text content; it is interpreted as HTML by RSS
+        # readers, so it must be escaped (and is escaped _again_ when
+        # inserted into the XML).
+        my $content = $Ticket->Transactions->First->Content;
+        $content = $m->interp->apply_escapes( $content, 'h');
+
         $rss->add_item(
           title       =>  $Ticket->Subject || loc('No Subject'),
           link        => RT->Config->Get('WebURL')."Ticket/Display.html?id=".$Ticket->id,
-          description => $Ticket->Transactions->First->Content,
+          description => $content,
           dc          => { creator => $creator_str,
                            date => $Ticket->CreatedObj->RFC2822,
                          },
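Review bot: The `title` on the line after the new `$content` is still the raw `$Ticket->Subject` while `description` is now HTML-escaped; if a reader applies the same HTML rendering to `<title>` that the commit message says most apply to `<description>`, a subject containing markup or a link carries the same Referer exposure this patch closes for the body, so consider `title => $m->interp->apply_escapes($Ticket->Subject || loc('No Subject'), 'h'),`. `$Ticket->Transactions->First->Content` is also handed to apply_escapes unguarded; if `Content` can return undef for a ticket whose first transaction has no visible content, that only yields an uninitialized-value warning instead of an empty description, and `$content = '' unless defined $content;` before the escape makes the intent explicit. The `while` loop and the `<%INIT>` block enclosing this hunk start and end outside it.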
-- 
2.2.2


From 705d3fd8b255448d56903999d08e95224b10e4b2 Mon Sep 17 00:00:00 2001
From: Alex Vandiver <alexmv@bestpractical.com>
Date: Mon, 2 Feb 2015 12:24:56 -0500
Subject: [PATCH 3/3] Never place the temporary current user in the session

Setting $session{'CurrentUser'} to a different user opens a window
wherein if the request can be aborted, the client will be left with a
session for the other user.  This allows escalation from knowing an RSS
feed link (which is generally just information disclosure) into full
login privileges, which may allow for arbitrary execution of code.  This
vulnerability has been assigned CVE-2015-1464.
---
 share/html/Search/Elements/ResultsRSSView | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
index 2419787..4a3dddd 100644
--- a/share/html/Search/Elements/ResultsRSSView
+++ b/share/html/Search/Elements/ResultsRSSView
@@ -48,7 +48,7 @@
 <%INIT>
 use Encode ();
 
-my $old_current_user;
+my $current_user = $session{CurrentUser};
 
 if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
     my $path = $m->dhandler_arg;
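Review bot: The new declaration uses a bareword hash key, `$session{CurrentUser}`, while every other access in this file quotes it (`$session{'CurrentUser'}` on the removed lines below); `my $current_user = $session{'CurrentUser'};` keeps the file consistent and makes grepping for the key reliable. Behaviour is identical either way.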
@@ -78,13 +78,11 @@ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
       unless $user->ValidateAuthString( $auth,
               $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
 
-    $old_current_user = $session{'CurrentUser'};
-    my $cu               = RT::CurrentUser->new;
-    $cu->Load($user);
-    $session{'CurrentUser'} = $cu;
+    $current_user = RT::CurrentUser->new;
+    $current_user->Load($user);
 }
 
-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
+my $Tickets = RT::Tickets->new($current_user);
 $Tickets->FromSQL($ARGS{'Query'});
 if ($OrderBy =~ /\|/) {
     # Multiple Sorts
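Review bot: `$current_user->Load($user)` on the new lines discards Load's return value; `$user` was validated just above so a failed load should not happen, but if it does `$current_user` is an unloaded RT::CurrentUser and the search presumably runs with no rights and returns an empty feed rather than refusing, so `$current_user->Load($user) or $m->abort(403);` (or whatever error path the surrounding component uses for a bad auth string, outside this hunk) makes the failure explicit. Note also that with the session no longer switched, anything in the rest of the request that still reads `$session{'CurrentUser'}` — components called via `$m->scomp` such as /Elements/ShowUser, or `loc()` — now runs as the pre-existing session user rather than the feed owner; worth confirming none of them depend on it. The `if` block enclosing the new lines starts outside the hunk.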
@@ -140,7 +138,6 @@ $r->content_type('application/rss+xml');
     }
 
 $m->out($rss->as_string);
-$session{'CurrentUser'} = $old_current_user if $old_current_user;
 $m->abort();
 </%INIT>
 <%ARGS>
-- 
2.2.2

