From bd03b838df6b38171ac21b534605e70625a2ea6f Mon Sep 17 00:00:00 2001
From: norahmollo
Date: Thu, 18 Dec 2014 09:06:40 -0400
Subject: [PATCH 1/4] PM-14992 RW-152-6 Reflected Cross Site Scripting Codigo JavaScript evaluado y ejecutado
---
 workflow/engine/methods/login/login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/workflow/engine/methods/login/login.php b/workflow/engine/methods/login/login.php
index c41d91393..f5ec92edf 100755
--- a/workflow/engine/methods/login/login.php
+++ b/workflow/engine/methods/login/login.php
@@ -36,7 +36,7 @@ $aFields = array();
 if (!isset($_GET['u'])) {
 $aFields['URL'] = '';
 } else {
- $aFields['URL'] = urldecode(htmlentities($_GET['u']));
+ $aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
 }
 if (!isset($_SESSION['G_MESSAGE'])) {
From dbe8219e6b4853085075886b89a7a00eb5335dae Mon Sep 17 00:00:00 2001
From: Freddy Daniel Rojas Valda
Date: Fri, 19 Dec 2014 11:59:40 -0400
Subject: [PATCH 2/4] PM-1142 "Any user can reassign any case even if he/she is not assign to the task" SOLVED
---
 workflow/engine/classes/class.case.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/workflow/engine/classes/class.case.php b/workflow/engine/classes/class.case.php
index 17dcab0ff..bce66aba5 100755
--- a/workflow/engine/classes/class.case.php
+++ b/workflow/engine/classes/class.case.php
@@ -6570,10 +6570,10 @@ class Cases
 global $RBAC;
 //Adding the actual user if this has the PM_REASSIGNCASE permission assigned.
- if ($RBAC->userCanAccess('PM_REASSIGNCASE') == 1){
- if(!in_array($RBAC->aUserInfo['USER_INFO']['USR_UID'], $row)){
- $row[] = $RBAC->aUserInfo['USER_INFO']['USR_UID'];
- }
+ if ($RBAC->userCanAccess('PM_REASSIGNCASE') == 1 && $aUser['USR_UID'] == $USR_UID) {
+ if(!in_array($RBAC->aUserInfo['USER_INFO']['USR_UID'], $row)) {
+ $row[] = $RBAC->aUserInfo['USER_INFO']['USR_UID'];
+ }
 }
 require_once 'classes/model/Users.php';
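Review bot: The new `$aFields['URL']` line calls `htmlspecialchars` with its default flags, which on the PHP versions this code targets leave single quotes unencoded, so the value is only safe in a double-quoted attribute or text context; use `htmlspecialchars(trim($_GET['u']), ENT_QUOTES, 'UTF-8')` and drop the `addslashes`/`stripslashes`/`strip_tags` chain, which are not output-context escapes and will mangle legitimate URLs that contain quotes or backslashes. The added `urldecode` decodes a query value PHP has already decoded once, so a double-encoded `u` reaches the page as a different URL than the one the browser sent. If this value is a post-login redirect target, encoding it for HTML is not a substitute for validating that it is a same-site relative path before it is followed. How `$aFields['URL']` is rendered is outside the hunk, so the required escaping context cannot be confirmed here.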
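Review bot: The added condition `$aUser['USR_UID'] == $USR_UID` compares two variables neither of which is defined in the hunk, and nothing states what either holds, so a reader cannot tell whether this gates the self-add on the caller being the user whose list is built or on something else; a one-line comment giving the intent is needed, and since PATCH 3/4 removes this condition again the two commits should be read together. The comparisons also stay loose: `userCanAccess(...) == 1` and `in_array(..., $row)` without the strict argument; prefer `=== 1` and `in_array($uid, $row, true)` so a coerced match cannot satisfy them. The enclosing method starts outside the hunk.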
From 69d24d5f68b939807d0505cfa2cd2e0d8f45dae1 Mon Sep 17 00:00:00 2001
From: Freddy Daniel Rojas Valda
Date: Fri, 19 Dec 2014 13:38:04 -0400
Subject: [PATCH 3/4] PM-1142 "Any user can reassign any case even if he/she is not assign to the task" SOLVED
---
 workflow/engine/classes/class.case.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/workflow/engine/classes/class.case.php b/workflow/engine/classes/class.case.php
index bce66aba5..2a1a47f62 100755
--- a/workflow/engine/classes/class.case.php
+++ b/workflow/engine/classes/class.case.php
@@ -6569,8 +6569,8 @@ class Cases
 }
 global $RBAC;
- //Adding the actual user if this has the PM_REASSIGNCASE permission assigned.
- if ($RBAC->userCanAccess('PM_REASSIGNCASE') == 1 && $aUser['USR_UID'] == $USR_UID) {
+ //Adding the actual user if this has the PM_SUPERVISOR permission assigned.
+ if ($RBAC->userCanAccess('PM_SUPERVISOR') == 1) {
 if(!in_array($RBAC->aUserInfo['USER_INFO']['USR_UID'], $row)) {
 $row[] = $RBAC->aUserInfo['USER_INFO']['USR_UID'];
 }
From 52413128bbcae8feadc5654318e3e0cb6ab1f5ac Mon Sep 17 00:00:00 2001
From: norahmollo
Date: Fri, 19 Dec 2014 09:56:39 -0400
Subject: [PATCH 4/4] PM-1114 RW-152-6 Reflected Cross Site Scripting Codigo JavaScript evaluado y ejecutado
---
 workflow/engine/methods/login/retrivePassword.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/workflow/engine/methods/login/retrivePassword.php b/workflow/engine/methods/login/retrivePassword.php
index 09b805123..a4db15b51 100755
--- a/workflow/engine/methods/login/retrivePassword.php
+++ b/workflow/engine/methods/login/retrivePassword.php
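Review bot: Switching the gate from `PM_REASSIGNCASE` to `PM_SUPERVISOR` changes which role lets the current user be appended to `$row`, but the hunk gives no reason for preferring that permission over the one the same author introduced in PATCH 2/4, and the updated comment only restates the code. This block builds a candidate list; whether it alone prevents a caller from reassigning a case they are not assigned to depends on the reassign action also checking the permission server-side, which is outside the hunk and worth confirming. Replace the comment with one that records the decision, e.g. `// Users holding PM_SUPERVISOR are offered as reassignment targets even when not assigned to the task (PM-1142).` The unchanged `== 1` and non-strict `in_array` lines remain; `in_array($uid, $row, true)` avoids a type-juggled match. The enclosing method starts outside the hunk.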
@@ -8,7 +8,7 @@ G::LoadClass("system");
 $rbacUser = new RbacUsers();
 $user = new Users();
-
+$data['USR_USERNAME'] = strip_tags($data['USR_USERNAME']);
 $userData = $rbacUser->getByUsername($data['USR_USERNAME']);
 if ($userData['USR_EMAIL'] != '' && $userData['USR_EMAIL'] === $data['USR_EMAIL'] && ($userData['USR_AUTH_TYPE'] === '' || $userData['USR_AUTH_TYPE'] == 'MYSQL') ) {
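Review bot: `strip_tags` on `$data['USR_USERNAME']` is an input filter, not an output encoding: it removes angle-bracketed tags but leaves quotes and ampersands intact, so wherever the username is echoed back into the page it still needs `htmlspecialchars($name, ENT_QUOTES, 'UTF-8')` at the point of output. If the only consumer is `getByUsername`, the stripping is unnecessary for a parameterised lookup and silently changes which usernames match; validating the value against the allowed username character set and rejecting anything else is the tighter choice. `$data` is neither defined nor guarded in the hunk, so `$data['USR_USERNAME']` and `$data['USR_EMAIL']` are read without an `isset` check. Where `$data` is populated and where the username is rendered are both outside the hunk.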