$NetBSD: patch-share_html_Search_Elements_ResultsRSSView,v 1.1 2015/03/01 22:45:26 spz Exp $
Fixes for CVE-2015-1165 and CVE-2015-1464, taken from the patch for RT 4.0.0
--- share/html/Search/Elements/ResultsRSSView.orig 2013-05-22 19:03:04.000000000 +0000
|
|
+++ share/html/Search/Elements/ResultsRSSView
|
|
@@ -48,7 +48,7 @@
|
|
<%INIT>
|
|
use Encode ();
|
|
|
|
-my $old_current_user;
|
|
+my $current_user = $session{CurrentUser};
|
|
|
|
if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
|
|
my $path = $m->dhandler_arg;
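Review bot: The new lexical `my $current_user = $session{CurrentUser};` carries the feed's identity without ever writing it back into `%session`, but nothing in the hunk records that this is deliberate, so a later refactor could reintroduce the `$session{'CurrentUser'}` assignment this patch removes. A one-line comment above the declaration, `# Keep the feed's identity in a lexical; the auth-string user must never be stored back into %session`, would preserve the rationale next to the code. The branch that replaces it with a freshly loaded `RT::CurrentUser` is in the second hunk, and the surrounding `<%INIT>` block continues past this hunk.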
|
|
@@ -78,13 +78,11 @@ if ( $m->request_comp->path =~ RT->Confi
|
|
unless $user->ValidateAuthString( $auth,
|
|
$ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
|
|
|
|
- $old_current_user = $session{'CurrentUser'};
|
|
- my $cu = RT::CurrentUser->new;
|
|
- $cu->Load($user);
|
|
- $session{'CurrentUser'} = $cu;
|
|
+ $current_user = RT::CurrentUser->new;
|
|
+ $current_user->Load($user);
|
|
}
|
|
|
|
-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
|
|
+my $Tickets = RT::Tickets->new($current_user);
|
|
$Tickets->FromSQL($ARGS{'Query'});
|
|
if ($OrderBy =~ /\|/) {
|
|
# Multiple Sorts
|
|
@@ -121,10 +119,17 @@ $r->content_type('application/rss+xml');
|
|
while ( my $Ticket = $Tickets->Next()) {
|
|
my $creator_str = $m->scomp('/Elements/ShowUser', User => $Ticket->CreatorObj);
|
|
$creator_str =~ s/[\r\n]//g;
|
|
+
|
|
+ # Get the plain-text content; it is interpreted as HTML by RSS
|
|
+ # readers, so it must be escaped (and is escaped _again_ when
|
|
+ # inserted into the XML).
|
|
+ my $content = $Ticket->Transactions->First->Content;
|
|
+ $content = $m->interp->apply_escapes( $content, 'h');
|
|
+
|
|
$rss->add_item(
|
|
title => $Ticket->Subject || loc('No Subject'),
|
|
link => RT->Config->Get('WebURL')."Ticket/Display.html?id=".$Ticket->id,
|
|
- description => $Ticket->Transactions->First->Content,
|
|
+ description => $content,
|
|
dc => { creator => $creator_str,
|
|
date => $Ticket->CreatedObj->RFC2822,
|
|
},
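Review bot: On the new `my $content = $Ticket->Transactions->First->Content;` line, `First` is dereferenced without checking that a transaction was returned, and `apply_escapes` then receives whatever `Content` yields; if `First` can return undef the feed dies mid-generation, and an undef `Content` reaches the escaper with a warning, neither of which the hunk guards. Presumably every ticket has at least a create transaction, but `my $first = $Ticket->Transactions->First; my $content = $first ? $first->Content : '';` would make that assumption explicit. The added comment also explains that `description` is interpreted as HTML by RSS readers, yet `title => $Ticket->Subject || loc('No Subject')` a few lines below is still passed through unescaped; since reader handling of `title` varies, either apply the same `apply_escapes(..., 'h')` to it or extend the comment with why title is exempt. The enclosing `while` loop closes outside this hunk.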
|
|
@@ -133,7 +138,6 @@ $r->content_type('application/rss+xml');
|
|
}
|
|
|
|
$m->out($rss->as_string);
|
|
-$session{'CurrentUser'} = $old_current_user if $old_current_user;
|
|
$m->abort();
|
|
</%INIT>
|
|
<%ARGS>