More security fixes by carakas · Pull Request #3137 · forkcms/forkcms

carakas · 2020-06-26T23:53:38Z

Type

Security

Resolves the following issues

My mailbox overflowing by pen testers that all report a different variant of the same issue

Pull request description

First of all, this is not a huge security issue as long as the people that have access to the backend can be trusted.
But since you never know when you have somebody trying out some nasty stuff or using an unsafe password and someone else gains access to an account with a limited set of rights this PR will prevent them from trying to steal admin passwords or executing code as a different user through stored xss

Also changed the default of serialised data not allowing any classes in it since it can be abused as well

TODO: update the node package after Fix xss through the delete label mathiashelin/bootstrap-tagsinput#1 has been merged

…action

…tml internally

…to them

… button of tags

src/Backend/Modules/ContentBlocks/Domain/ContentBlock/ContentBlockDataGrid.php

carakas added 26 commits June 8, 2020 07:55

Prevent somebody passing evil code as parameters to the generate url …

c9939eb

…action

Add use statement for spoon filter

f41bca4

Prevent xss issues with navigation_title

7b2ab77

Fix xss in media library datagrids

720e5fb

Fix xss in the pages index datagrid

d76c308

Escape user input used in translations that are allowed to contain html

09c462b

Make the email from the form builder safer

58b8024

Fix encoded special chars showing in the form builder overview

0062fd5

Allow special chars in the error messages of the form builder

df54127

Prevent xss in the blog datagrids

1cb9380

Prevent xss in datagrids using the nickname of a user

32ac8b6

Prevent xss in the content blocks datagrid

130500a

Fix xss in pages module from content block titles

1fab2e7

Don't allow xss in theme template names

b3babe6

Mark the template function truncate as html safe because it escapes h…

f6ac65d

…tml internally

Prevent xss in the faq datagrid

81dcd91

Prevent xss in the formbuilder name and recipients

9deef8e

Prevent xss through backend user settings

b3ff7ed

Prevent xss in dropdowns of spoon form

25faffa

Fix xss issue in profile group datagrids

3d0a4bf

Fix xss issue with search synonym datagrids

9534a4a

Fix xss in pages using template names

058c09e

Fix xss in the tags module datagrids

eae3774

Fix xss in the location module

8857471

Fix stored xss in the backend of the media library and gallery modules

5af8717

Fix xss bug in bootstrap tagsinput

da91012

carakas added the security Pull requests that address a security vulnerability label Jun 26, 2020

carakas added this to the 5.8.3 milestone Jun 26, 2020

carakas requested a review from a team as a code owner June 26, 2020 23:53

carakas changed the title ~~More security fixes~~ [WIP] More security fixes Jun 27, 2020

carakas marked this pull request as draft June 27, 2020 00:23

carakas changed the title ~~[WIP] More security fixes~~ More security fixes Jun 27, 2020

Don't allow any objects by default in the serialised data

2e13cf4

carakas force-pushed the more-security-fixes branch from 04d6bed to 2e13cf4 Compare June 27, 2020 00:27

carakas added 2 commits June 29, 2020 21:34

Fix escaping the values overwriting other functions that are applied …

711a3b8

…to them

]Update the bootstrap tagsinput package to fix xss through the delete…

ab7e278

… button of tags

carakas marked this pull request as ready for review June 30, 2020 16:04

jessedobbelaere reviewed Jul 1, 2020

View reviewed changes

src/Backend/Modules/ContentBlocks/Domain/ContentBlock/ContentBlockDataGrid.php Show resolved Hide resolved

jessedobbelaere approved these changes Jul 1, 2020

View reviewed changes

carakas merged commit ad99512 into forkcms:master Jul 2, 2020

carakas deleted the more-security-fixes branch July 2, 2020 18:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

More security fixes#3137

More security fixes#3137
carakas merged 29 commits intoforkcms:masterfrom
justcarakas:more-security-fixes

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

Uh oh!

Type

Resolves the following issues

Pull request description

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants