File: upstream_4.4.6_cve%3A_patchset_2025-04-11.diff

Package: request-tracker4 4.4.6+dfsg-1.1+deb12u3 (area: main; suite: bookworm-proposed-updates)

From e4946c5a125dce828dda6ff7bd60d3be10d64fb3 Mon Sep 17 00:00:00 2001
From: Andrew Ruthven <andrew@etc.gen.nz>
Date: Sat, 12 Apr 2025 23:53:40 +1200
Subject: Improve fix to CVE-2025-30087

After releasing the fix for CVE-2025-30087, Best Practical became aware that the
new linking restrictions were too strict in some cases, causing legitimate
links to stop working. This is most pronounced for users running RTIR, where
many links stop working. This patch should resolve that.

Patch-Name: upstream_4.4.6_cve:_patchset_2025-04-11.diff
Author: Best Practical <support@bestpractical.com>
Forwarded: not-needed
Applied: 4.4.8
---
 lib/RT/Interface/Web.pm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index ea11a90d..45ae4f1c 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -4712,12 +4712,13 @@ if (RT->Config->Get('ShowTransactionImages') or RT->Config->Get('ShowRemoteImage
 
 our %RESTRICTIVE_SCRUBBER_RULES = (
     a => {
+        %SCRUBBER_ALLOWED_ATTRIBUTES,
         href => sub {
             my ( $self, $tag, $attr, $href ) = @_;
             return $href unless $href;
 
             # Allow internal RT macros like __WebPath__, etc.
-            return $href if $href =~ qr{^(?:/|__Web(?:Path|HomePath|BaseURL|URL)__)}i;
+            return $href if $href !~ /^\w+:/ && $href =~ $SCRUBBER_ALLOWED_ATTRIBUTES{'href'};
 
             my $uri = URI->new($href);
             unless ( $uri->can("host") && $uri->host ) {
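Review bot: the scheme test `$href !~ /^\w+:/` in the new early return is anchored at the first character and only accepts word characters, so an href that starts with whitespace, or whose scheme contains `+`, `-` or `.`, is treated as having no scheme. Whether such a value is returned unchanged then rests entirely on `$SCRUBBER_ALLOWED_ATTRIBUTES{'href'}`, which is defined outside this hunk. Consider matching the scheme with something like `/^\s*[a-z][a-z0-9+.-]*:/i`, or add a comment stating exactly what the allowed pattern accepts so the two conditions can be reviewed together. The comment "Allow internal RT macros like __WebPath__, etc." no longer describes the condition below it and should be updated. It would also help to note that `%SCRUBBER_ALLOWED_ATTRIBUTES,` has to stay ahead of `href => sub` so that the callback replaces the default `href` entry rather than the other way round.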
@@ -4775,7 +4776,7 @@ sub _NewScrubber {
     );
     $scrubber->deny(qw[*]);
     $scrubber->allow(@SCRUBBER_ALLOWED_TAGS);
-    $scrubber->rules( $args{Restrictive} ? %RESTRICTIVE_SCRUBBER_RULES : %SCRUBBER_RULES );
+    $scrubber->rules( %SCRUBBER_RULES, $args{Restrictive} ? %RESTRICTIVE_SCRUBBER_RULES : () );
 
     # Scrubbing comments is vital since IE conditional comments can contain
     # arbitrary HTML and we'd pass it right on through.
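Review bot: the new `rules(...)` call passes `%SCRUBBER_RULES` first and the restrictive hash second, so it depends on the later entry winning when a tag appears in both lists, and that ordering is not documented. Assuming the later entry replaces the earlier one for the whole tag rather than merging attribute by attribute, every tag listed in `%RESTRICTIVE_SCRUBBER_RULES` has to carry its full attribute set, as the `a` entry now does. A short comment here stating that the restrictive rules must come last and override per tag would keep a later reordering from silently dropping them, and a test that an `a` tag scrubbed with `Restrictive` set still goes through the `href` callback would pin the behaviour.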