Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix xss #2060

Merged
merged 8 commits into from
Oct 26, 2020
Merged

Fix xss #2060

merged 8 commits into from
Oct 26, 2020

Conversation

kevinpapst
Copy link
Member

@kevinpapst kevinpapst commented Oct 26, 2020
edited
Loading

Description

Fixing multiple possible XSS attacks in the backend.

This was (in a default setup) not possible to be executed by normal users, but only accounts with elevated permissions.
The users had to have permissions to edit activities/projects/customers.

Thanks to SektionEins who reported the problem in a secure manner and allowed me to publish a new Kimai version before making the information public.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • I verified that my code applies to the guidelines (composer code-check)
  • I updated the documentation (see here)
  • I agree that this code is used in Kimai and will be published under the MIT license

@kevinpapst
added content escaping, fix xss
8e34cb5
@kevinpapst
rebuild assets
1c90100
@kevinpapst
Merge branch 'master' into fix-xss
ff3b6c8 
# Conflicts:
#	public/build/app.4754599e.js
#	public/build/entrypoints.json
#	public/build/manifest.json
@kevinpapst
rebuild after merge
96e2bae
@kevinpapst
Merge branch 'master' into fix-xss
4fcf359 
# Conflicts:
#	public/build/entrypoints.json
#	public/build/manifest.json
@kevinpapst
rebuild assets
2fd159b
@codecov
Copy link

codecov bot commented Oct 26, 2020
edited
Loading

Codecov Report

Merging #2060 into master will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@            Coverage Diff            @@
##             master    #2060   +/-   ##
=========================================
  Coverage     93.27%   93.28%           
- Complexity     5790     5792    +2     
=========================================
  Files           530      530           
  Lines         17542    17547    +5     
=========================================
+ Hits          16363    16368    +5     
  Misses         1179     1179
Impacted Files Coverage Δ Complexity Δ
src/Twig/Extensions.php 100.00% <100.00%> (ø) 20.00 <2.00> (+2.00)
src/Twig/MarkdownExtension.php 100.00% <100.00%> (ø) 14.00 <0.00> (ø)

@kevinpapst kevinpapst added this to the 1.11 milestone Oct 26, 2020
@kevinpapst kevinpapst added the bug label Oct 26, 2020
@kevinpapst kevinpapst marked this pull request as ready for review October 26, 2020 10:35
@kevinpapst kevinpapst merged commit 6db21d7 into master Oct 26, 2020
@kevinpapst kevinpapst deleted the fix-xss branch October 26, 2020 10:35
@github-actions github-actions bot locked and limited conversation to collaborators Oct 4, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
bug security
Projects
None yet
Milestone
1.11
Development

Successfully merging this pull request may close these issues.
1 participant
@kevinpapst