Index: branches/2017Q2/www/rt44/Makefile =================================================================== --- branches/2017Q2/www/rt44/Makefile (revision 443766) +++ branches/2017Q2/www/rt44/Makefile (revision 443767) 
@@ -1,207 +1,208 @@ # $FreeBSD$ PORTNAME= rt DISTVERSION= 4.4.1 +PORTREVISION= 2 CATEGORIES= www MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ PKGNAMESUFFIX= 44 MAINTAINER= mikael.urankar@gmail.com COMMENT= Industrial-grade ticketing system written in Perl LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYING CONFLICTS_INSTALL= rt40-4.0* rt42-4.2* brlcad-[0-9]* NO_ARCH= yes # See doc/web_deployment.pod for info on the choices of webserver / # webapp combinations. Note: if using apache, apache-2.4+ is # recommended. For deployment with nginx, use the SPAWN_FCGI method # or the builtin webserver with a FCGI handler. # # The builtin standalone PSGI based webserver is always available, no # matter what choice of web deployment platform, or none, that you # make. Best Practical state that this is really only suitable for # development usage, although I have heard reports of people using it # successfully for medium sized deployments. If you only want the # builtin webserver, simply deselect all of the web options. # # See doc/full_text_indexing.pod if you need to set up full text # indexes on your ticket database. 
PostgreSQL is # recommended in this case: the MYSQL / SphinxSearch combination # mentioned in the docs is currently unsupported in the ports, but see # http://www.infracaninophile.co.uk/articles/sphinxse.html OPTIONS_DEFINE= DEVELOPER GD GPG GRAPHVIZ SMIME DOCS OPTIONS_SINGLE= DB OPTIONS_SINGLE_DB= MYSQL PGSQL SQLITE OPTIONS_RADIO= WEB OPTIONS_RADIO_WEB= AP_MODFASTCGI AP_MODPERL LIGHTTPD SPAWN_FCGI OPTIONS_DEFAULT= AP_MODFASTCGI GD GPG MYSQL USERS?= www GROUPS?= rt www RUN_DEPENDS+= ${LOCALBASE}/bin/jsmin:devel/jsmin .include "${.CURDIR}/Makefile.cpan" RUN_DEPENDS+= ${CLI_DEPS} \ ${CORE_DEPS} \ ${DASHBOARDS_DEPS} \ ${ICAL_DEPS} \ ${MAILGATE_DEPS} \ ${USERLOGO_DEPS} \ ${HTML_DOC_DEPS} USES= cpe perl5 CPE_VENDOR= bestpractical RT_LAYOUT= FreeBSD RT_ETC_DIR?= etc/${PORTNAME}${PKGNAMESUFFIX} DOCSDIR= ${PREFIX}/share/doc/${PORTNAME}${PKGNAMESUFFIX} DATADIR= ${PREFIX}/share/${PORTNAME}${PKGNAMESUFFIX} RT_ETC_PATH= ${PREFIX}/${RT_ETC_DIR} AP_MODPERL_DESC= Deploy with apache and mod_perl AP_MODPERL_RUN_DEPENDS= ${MODPERL2_DEPS} AP_MODFASTCGI_DESC= Deploy with apache and mod_fastcgi AP_MODFASTCGI_USE= APACHE_RUN=22+ AP_MODFASTCGI_RUN_DEPENDS= ${LOCALBASE}/${APACHEMODDIR}/mod_fastcgi.so:www/mod_fastcgi \ ${FASTCGI_DEPS} LIGHTTPD_DESC= Deploy with lighttpd and mod_fastcgi LIGHTTPD_RUN_DEPENDS= ${LOCALBASE}/sbin/lighttpd:www/lighttpd \ ${FASTCGI_DEPS} SPAWN_FCGI_DESC= Deploy with spawn_fcgi SPAWN_FCGI_RUN_DEPENDS= ${LOCALBASE}/bin/spawn-fcgi:www/spawn-fcgi \ ${FASTCGI_DEPS} MYSQL_RUN_DEPENDS= ${MYSQL_DEPS} PGSQL_RUN_DEPENDS= ${PGSQL_DEPS} SQLITE_RUN_DEPENDS= ${SQLITE_DEPS} DEVELOPER_DESC= Configure for developers DEVELOPER_RUN_DEPENDS= ${DEVELOPER_DEPS} DEVELOPER_CONFIGURE_ENABLE= developer SMIME_DESC= Secure MIME support SMIME_RUN_DEPENDS= ${SMIME_DEPS} SMIME_CONFIGURE_ENABLE= smime GRAPHVIZ_RUN_DEPENDS= ${GRAPHVIZ_DEPS} GRAPHVIZ_CONFIGURE_ENABLE= graphviz GPG_DESC= Enable GnuPG support GPG_RUN_DEPENDS= ${GPG_DEPS} GPG_CONFIGURE_ENABLE= gpg GD_DESC= Enable GD Graphs and 
Charts GD_RUN_DEPENDS= ${GD_DEPS} GD_CONFIGURE_ENABLE= gd BUILD_DEPENDS+= ${RUN_DEPENDS} .include .if !${PORT_OPTIONS:MMYSQL} && !${PORT_OPTIONS:MPGSQL} && \ !${PORT_OPTIONS:MSQLITE} IGNORE= please select one of MYSQL, PGSQL or SQLITE .endif .if ${PORT_OPTIONS:MMYSQL} DB_TYPE= mysql .endif .if ${PORT_OPTIONS:MPGSQL} DB_TYPE= Pg .endif .if ${PORT_OPTIONS:MSQLITE} DB_TYPE= SQLite .endif .if ${PORT_OPTIONS:MPGSQL} DB_DBA_USER?= pgsql .else DB_DBA_USER?= root .endif DB_DBA_PASSWORD?= DB_USER?= rt_user DB_PASSWORD?= rt_pass DB_HOST?= localhost DB_DATABASE?= rt4 WEB_USER?= ${WWWOWN} WEB_GROUP?= ${WWWGRP} LIBS_GROUP?= wheel HAS_CONFIGURE= yes NO_BUILD= yes CONFIGURE_ARGS+= --enable-layout=${RT_LAYOUT} \ --with-web-user=${WEB_USER} \ --with-web-group=${WEB_GROUP} \ --with-libs-group=${LIBS_GROUP} \ --with-db-host=${DB_HOST} \ --with-db-port=${DB_PORT} \ --with-db-type=${DB_TYPE} \ --with-db-rt-user=${DB_USER} \ --with-db-rt-pass=${DB_PASSWORD} \ --with-db-database=${DB_DATABASE} \ --with-db-dba=${DB_DBA_USER} CONFIGURE_ENV+= PERL=${LOCALBASE}/bin/perl PKGMESSAGE= ${WRKDIR}/pkg-message SUB_FILES= pkg-message SUB_LIST= RT_ETC_PATH=${RT_ETC_PATH} PLIST_SUB= RT_ETC_DIR=${RT_ETC_DIR} pre-fetch: @${ECHO} "" @${ECHO} "Additional database related settings you can use:" @${ECHO} " DB_HOST=hostname The database host (localhost)" @${ECHO} " DB_PORT=port The database port" @${ECHO} " DB_DATABASE=dbname The database name (rt4)" @${ECHO} "" @${ECHO} " DB_DBA_USER=username Name of database administrator (root)" @${ECHO} " DB_DBA_PASSWORD=password Password of database administrator" @${ECHO} " DB_USER=username Name of database user for RT (rt_user)" @${ECHO} " DB_PASSWORD=password Name of database password for RT (rt_pass)" .if ${PORT_OPTIONS:MSQLITE} @${ECHO} "" @${ECHO} "SQLITE is not recommended for production use" .endif post-patch: @${RM} ${WRKSRC}/lib/RT.pm.in.orig @${REINPLACE_CMD} -e 's!%%PREFIX%%!${PREFIX}!g' ${WRKSRC}/config.layout @${REINPLACE_CMD} -e 
's!%%SITE_PERL%%!${PREFIX}/${SITE_PERL_REL}!g' ${WRKSRC}/config.layout @${REINPLACE_CMD} -e 's!/path/to/your/etc!${RT_ETC_PATH}!g' ${WRKSRC}/etc/RT_SiteConfig.pm @${REINPLACE_CMD} -e 's!/bin:/usr/bin!/bin:/usr/bin:${LOCALBASE}/bin!' ${WRKSRC}/lib/RT/Interface/CLI.pm && \ ${RM} ${WRKSRC}/lib/RT/Interface/CLI.pm.bak pre-install: @${RM} ${WRKSRC}/lib/RT.pm.in post-install: @${RM} -r ${STAGEDIR}/${WWWDIR}${PKGNAMESUFFIX} ${MKDIR} ${STAGEDIR}${DOCSDIR}/upgrade (cd ${WRKSRC}/etc && \ ${COPYTREE_SHARE} upgrade ${STAGEDIR}${DOCSDIR} "! -name *\.in") .include .if ${PERL_LEVEL} >= 502200 CORE_DEPS+= p5-CGI>4.0:www/p5-CGI .endif .include Index: branches/2017Q2/www/rt44/files/patch-Makefile.in =================================================================== --- branches/2017Q2/www/rt44/files/patch-Makefile.in (revision 443766) +++ branches/2017Q2/www/rt44/files/patch-Makefile.in (revision 443767) @@ -1,100 +1,100 @@ ---- Makefile.in.orig 2016-07-18 UTC +--- Makefile.in.orig 2016-07-18 20:20:17 UTC +++ Makefile.in @@ -59,7 +59,7 @@ RT_LAYOUT = @rt_layout_name@ CONFIG_FILE_PATH = @CONFIG_FILE_PATH_R@ CONFIG_FILE = $(CONFIG_FILE_PATH)/RT_Config.pm -SITE_CONFIG_FILE = $(CONFIG_FILE_PATH)/RT_SiteConfig.pm +SITE_CONFIG_FILE = $(CONFIG_FILE_PATH)/RT_SiteConfig.pm-dist RT_VERSION_MAJOR = @RT_VERSION_MAJOR@ @@ -106,7 +106,7 @@ RT_FONT_PATH = @RT_FONT_PATH_R@ RT_LEXICON_PATH = @RT_LEXICON_PATH_R@ RT_STATIC_PATH = @RT_STATIC_PATH_R@ RT_LOCAL_PATH = @RT_LOCAL_PATH_R@ -LOCAL_PLUGIN_PATH = @RT_LOCAL_PATH_R@/plugins +LOCAL_PLUGIN_PATH = @RT_LOCAL_PATH_R@/share/rt44/plugins LOCAL_ETC_PATH = @LOCAL_ETC_PATH_R@ LOCAL_LIB_PATH = @LOCAL_LIB_PATH_R@ LOCAL_LEXICON_PATH = @LOCAL_LEXICON_PATH_R@ 
@@ -271,16 +271,13 @@ testdeps: depends: fixdeps fixdeps: - $(PERL) ./sbin/rt-test-dependencies --install --with-$(DB_TYPE) $(my_with_web_handlers) + $(PERL) ./sbin/rt-test-dependencies --verbose --with-$(DB_TYPE) $(my_with_web_handlers) #}}} fixperms: # Make the libraries readable chmod $(RT_READABLE_DIR_MODE) $(DESTDIR)$(RT_PATH) - chown -R $(LIBS_OWNER) $(DESTDIR)$(RT_LIB_PATH) - chgrp -R $(LIBS_GROUP) $(DESTDIR)$(RT_LIB_PATH) - chmod -R u+rwX,go-w,go+rX $(DESTDIR)$(RT_LIB_PATH) chmod $(RT_READABLE_DIR_MODE) $(DESTDIR)$(RT_BIN_PATH) @@ -302,12 +299,6 @@ fixperms: # Make the system binaries executable also cd $(DESTDIR)$(RT_SBIN_PATH) && ( chmod 0755 $(SYSTEM_BINARIES) ; chown $(BIN_OWNER) $(SYSTEM_BINARIES); chgrp $(RTGROUP) $(SYSTEM_BINARIES)) - # Make upgrade scripts executable if they are in the source. - # - ( cd etc/upgrade && find . -type f -not -name '*.in' -perm @FINDPERM@0111 -print ) | while read file ; do \ - chmod a+x "$(DESTDIR)$(RT_ETC_PATH)/upgrade/$$file" ; \ - done - # Make the web ui readable by all. chmod -R u+rwX,go-w,go+rX $(DESTDIR)$(MASON_HTML_PATH) \ $(DESTDIR)$(MASON_LOCAL_HTML_PATH) \ 
@@ -359,14 +350,14 @@ clean-mason-cache: rm -rf $(DESTDIR)$(MASON_DATA_PATH)/etc/* rm -rf $(DESTDIR)$(MASON_DATA_PATH)/obj/* -install: testdeps config-install dirs files-install fixperms instruct +install: config-install dirs files-install files-install: libs-install etc-install config-install bin-install sbin-install html-install doc-install font-install po-install static-install config-install: -@COMMENT_INPLACE_LAYOUT@ $(INSTALL) -m 0755 -o $(BIN_OWNER) -g $(RTGROUP) -d $(DESTDIR)$(CONFIG_FILE_PATH) -@COMMENT_INPLACE_LAYOUT@ -$(INSTALL) -m 0440 -o $(BIN_OWNER) -g $(RTGROUP) etc/RT_Config.pm $(DESTDIR)$(CONFIG_FILE) -@COMMENT_INPLACE_LAYOUT@ [ -f $(DESTDIR)$(SITE_CONFIG_FILE) ] || $(INSTALL) -m 0640 -o $(BIN_OWNER) -g $(RTGROUP) etc/RT_SiteConfig.pm $(DESTDIR)$(SITE_CONFIG_FILE) +@COMMENT_INPLACE_LAYOUT@ $(INSTALL) -m 0755 -d $(DESTDIR)$(CONFIG_FILE_PATH) +@COMMENT_INPLACE_LAYOUT@ -$(INSTALL) -m 0440 etc/RT_Config.pm $(DESTDIR)$(CONFIG_FILE) +@COMMENT_INPLACE_LAYOUT@ [ -f $(DESTDIR)$(SITE_CONFIG_FILE) ] || $(INSTALL) -m 0640 etc/RT_SiteConfig.pm $(DESTDIR)$(SITE_CONFIG_FILE) @COMMENT_INPLACE_LAYOUT@ @echo "Installed configuration. About to install RT in $(RT_PATH)" test: 
@@ -458,19 +449,12 @@ etc-install: @COMMENT_INPLACE_LAYOUT@ for file in $(ETC_FILES) ; do \ @COMMENT_INPLACE_LAYOUT@ $(INSTALL) -m 0644 "etc/$$file" "$(DESTDIR)$(RT_ETC_PATH)/" ; \ @COMMENT_INPLACE_LAYOUT@ done -@COMMENT_INPLACE_LAYOUT@ [ -d $(DESTDIR)$(RT_ETC_PATH)/upgrade ] || $(INSTALL) -m 0755 -d $(DESTDIR)$(RT_ETC_PATH)/upgrade -@COMMENT_INPLACE_LAYOUT@ -( cd etc/upgrade && find . -type d -print ) | while read dir ; do \ -@COMMENT_INPLACE_LAYOUT@ $(INSTALL) -m 0755 -d "$(DESTDIR)$(RT_ETC_PATH)/upgrade/$$dir" ; \ -@COMMENT_INPLACE_LAYOUT@ done -@COMMENT_INPLACE_LAYOUT@ -( cd etc/upgrade && find . -type f -not -name '*.in' -print ) | while read file ; do \ -@COMMENT_INPLACE_LAYOUT@ $(INSTALL) -m 0644 "etc/upgrade/$$file" "$(DESTDIR)$(RT_ETC_PATH)/upgrade/$$file" ; \ -@COMMENT_INPLACE_LAYOUT@ done sbin-install: @COMMENT_INPLACE_LAYOUT@ $(INSTALL) -m 0755 -d $(DESTDIR)$(RT_SBIN_PATH) @COMMENT_INPLACE_LAYOUT@ for file in $(SYSTEM_BINARIES) ; do \ -@COMMENT_INPLACE_LAYOUT@ $(INSTALL) -o $(BIN_OWNER) -g $(RTGROUP) -m 0755 "sbin/$$file" "$(DESTDIR)$(RT_SBIN_PATH)/" ; \ +@COMMENT_INPLACE_LAYOUT@ $(INSTALL) -m 0755 "sbin/$$file" "$(DESTDIR)$(RT_SBIN_PATH)/" ; \ @COMMENT_INPLACE_LAYOUT@ done @@ -478,7 +462,7 @@ sbin-install: bin-install: @COMMENT_INPLACE_LAYOUT@ $(INSTALL) -m 0755 -d $(DESTDIR)$(RT_BIN_PATH) @COMMENT_INPLACE_LAYOUT@ for file in $(BINARIES) ; do \ -@COMMENT_INPLACE_LAYOUT@ $(INSTALL) -o $(BIN_OWNER) -g $(RTGROUP) -m 0755 "bin/$$file" "$(DESTDIR)$(RT_BIN_PATH)/" ; \ +@COMMENT_INPLACE_LAYOUT@ $(INSTALL) -m 0755 "bin/$$file" "$(DESTDIR)$(RT_BIN_PATH)/" ; \ @COMMENT_INPLACE_LAYOUT@ done Index: branches/2017Q2/www/rt44/files/patch-configure =================================================================== --- branches/2017Q2/www/rt44/files/patch-configure (revision 443766) +++ branches/2017Q2/www/rt44/files/patch-configure (revision 443767) 
@@ -1,11 +1,11 @@ ---- configure.orig 2014-09-11 19:03:07 UTC +--- configure.orig 2016-07-20 15:48:58 UTC +++ configure -@@ -2088,7 +2088,7 @@ +@@ -2112,7 +2112,7 @@ $as_echo "$as_me: WARNING: Layout file $ s/^#.*$//m; s/^\s+//gim; s/\s+$/\n/gim; - s/\+$/\/rt3/gim; + s/\+$/\/rt44/gim; # m4 will not let us just use $srcdir/config.layout, we need $1 s/^\s*((?:bin|sbin|libexec|data|sysconf|sharedstate|localstate|lib|include|oldinclude|info|man|html)dir)\s*:\s*(.*)$/$1=$2/gim; s/^\s*(.*?)\s*:\s*(.*)$/\(test "x\$$1" = "xNONE" || test "x\$$1" = "x") && $1=$2/gim; Index: branches/2017Q2/www/rt44/files/patch-lib_RT.pm =================================================================== --- branches/2017Q2/www/rt44/files/patch-lib_RT.pm (nonexistent) +++ branches/2017Q2/www/rt44/files/patch-lib_RT.pm (revision 443767) @@ -0,0 +1,13 @@ +--- lib/RT.pm.orig 2016-07-18 20:20:17 UTC ++++ lib/RT.pm +@@ -81,6 +81,10 @@ use vars qw($BasePath + $MasonDataDir + $MasonSessionDir); + ++# Set Email::Address module var before anything else loads. ++# This avoids an algorithmic complexity denial of service vulnerability. ++# See T#157608 and CVE-2015-7686 for more information. ++$Email::Address::COMMENT_NEST_LEVEL = 1; + + RT->LoadGeneratedData(); + Property changes on: branches/2017Q2/www/rt44/files/patch-lib_RT.pm ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2017Q2/www/rt44/files/patch-lib_RT_Authen_ExternalAuth_DBI.pm =================================================================== --- branches/2017Q2/www/rt44/files/patch-lib_RT_Authen_ExternalAuth_DBI.pm (nonexistent) +++ branches/2017Q2/www/rt44/files/patch-lib_RT_Authen_ExternalAuth_DBI.pm (revision 443767) 
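Review bot: The new `$Email::Address::COMMENT_NEST_LEVEL = 1;` only has an effect if Email::Address has not been compiled yet — the comment's own "before anything else loads" wording implies the module reads this variable at load time — so on a mod_perl or preload path where another module has already pulled in Email::Address the assignment is silently a no-op. A check right after it, `warn "Email::Address already loaded; COMMENT_NEST_LEVEL override is ineffective" if $INC{'Email/Address.pm'};`, would surface that in the log instead of leaving the mitigation unverified. The sibling hunk in patch-sbin_rt-test-dependencies raises the Email::Address minimum to 1.908, but whether the port's own RUN_DEPENDS (Makefile.cpan, not in this diff) was raised to match is not visible here.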
@@ -0,0 +1,54 @@ +--- lib/RT/Authen/ExternalAuth/DBI.pm.orig 2016-07-18 20:20:17 UTC ++++ lib/RT/Authen/ExternalAuth/DBI.pm +@@ -50,6 +50,7 @@ package RT::Authen::ExternalAuth::DBI; + + use DBI; + use RT::Authen::ExternalAuth::DBI::Cookie; ++use RT::Util; + + use warnings; + use strict; +@@ -81,6 +82,7 @@ Provides the database implementation for + 'p_field' => 'password', + + # Example of custom hashed password check ++ # (See below for security concerns with this implementation) + #'p_check' => sub { + # my ($hash_from_db, $password) = @_; + # return $hash_from_db eq function($password); +@@ -170,6 +172,17 @@ An example, where C is some ex + Importantly, the C subroutine allows for arbitrarily complex password + checking unlike C and C. + ++Please note, the use of the C operator in the C example above ++introduces a timing sidechannel vulnerability. (It was left there for clarity ++of the example.) There is a comparison function available in RT that is ++hardened against timing attacks. 
The comparison from the above example could ++be re-written with it like this: ++ ++ p_check => sub { ++ my ($hash_from_db, $password) = @_; ++ return RT::Util::constant_time_eq($hash_from_db, FooBar($password)); ++ }, ++ + =item p_enc_pkg, p_enc_sub + + The Perl package and subroutine used to encrypt passwords from the +@@ -298,7 +311,7 @@ sub GetAuth { + # Jump to the next external authentication service if they don't match + if(defined($db_p_salt)) { + $RT::Logger->debug("Using salt:",$db_p_salt); +- if(${encrypt}->($password,$db_p_salt) ne $pass_from_db){ ++ unless (RT::Util::constant_time_eq(${encrypt}->($password,$db_p_salt), $pass_from_db)) { + $RT::Logger->info( $service, + "AUTH FAILED", + $username, +@@ -306,7 +319,7 @@ sub GetAuth { + return 0; + } + } else { +- if(${encrypt}->($password) ne $pass_from_db){ ++ unless (RT::Util::constant_time_eq(${encrypt}->($password), $pass_from_db)) { + $RT::Logger->info( $service, + "AUTH FAILED", + $username, Property changes on: branches/2017Q2/www/rt44/files/patch-lib_RT_Authen_ExternalAuth_DBI.pm ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2017Q2/www/rt44/files/patch-lib_RT_Config.pm =================================================================== --- branches/2017Q2/www/rt44/files/patch-lib_RT_Config.pm (nonexistent) +++ branches/2017Q2/www/rt44/files/patch-lib_RT_Config.pm (revision 443767) 
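Review bot: Both replaced comparisons in GetAuth now go through `RT::Util::constant_time_eq`, which in the patch-lib_RT_Util.pm hunk of this same commit dies with "Cannot compare values" when its arguments differ in length or are undefined, whereas the old `ne` simply fell through to the AUTH FAILED branch. A stored password of unexpected length for the configured encrypt sub therefore becomes an uncaught exception instead of a logged failed login, and nothing in the hunk handles it. If failing closed is the intent, compute the hash first and gate on length, e.g. `my $computed = ${encrypt}->($password,$db_p_salt);` followed by `unless (defined $computed && length($computed) == length($pass_from_db) && RT::Util::constant_time_eq($computed, $pass_from_db)) {` — the length of a stored hash is not secret, so this does not reopen the side channel. GetAuth starts and ends outside this hunk, so I cannot see whether $pass_from_db is validated earlier.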
@@ -0,0 +1,17 @@ +--- lib/RT/Config.pm.orig 2016-07-18 20:20:17 UTC ++++ lib/RT/Config.pm +@@ -147,6 +147,14 @@ can be set for each config optin: + our %META; + %META = ( + # General user overridable options ++ RestrictReferrerLogin => { ++ PostLoadCheck => sub { ++ my $self = shift; ++ if (defined($self->Get('RestrictReferrerLogin'))) { ++ RT::Logger->error("The config option 'RestrictReferrerLogin' is incorrect, and should be 'RestrictLoginReferrer' instead."); ++ } ++ }, ++ }, + DefaultQueue => { + Section => 'General', + Overridable => 1, Property changes on: branches/2017Q2/www/rt44/files/patch-lib_RT_Config.pm ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2017Q2/www/rt44/files/patch-lib_RT_Interface_Web.pm =================================================================== --- branches/2017Q2/www/rt44/files/patch-lib_RT_Interface_Web.pm (nonexistent) +++ branches/2017Q2/www/rt44/files/patch-lib_RT_Interface_Web.pm (revision 443767) 
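Review bot: `RT::Logger->error(...)` in the new PostLoadCheck is a class-method call on the bareword RT::Logger, while the other hunks in this commit (patch-lib_RT_Authen_ExternalAuth_DBI.pm, patch-lib_RT_User.pm) call the logger object as `$RT::Logger->...`. The bareword form presumably works only because Perl resolves `RT::Logger` to the `Logger` subroutine in package RT and uses its return value as the invocant — a known ambiguity that perlcritic flags and that breaks if no such sub exists. Suggest `$RT::Logger->error(...)` (or `RT->Logger->error(...)`) for consistency. The %META hash continues outside the hunk.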
@@ -0,0 +1,20 @@ +--- lib/RT/Interface/Web.pm.orig 2016-07-18 20:20:17 UTC ++++ lib/RT/Interface/Web.pm +@@ -1448,7 +1448,7 @@ sub IsCompCSRFWhitelisted { + # golden. This acts on the presumption that external forms may + # hardcode a username and password -- if a malicious attacker knew + # both already, CSRF is the least of your problems. +- my $AllowLoginCSRF = not RT->Config->Get('RestrictReferrerLogin'); ++ my $AllowLoginCSRF = not RT->Config->Get('RestrictLoginReferrer'); + if ($AllowLoginCSRF and defined($args{user}) and defined($args{pass})) { + my $user_obj = RT::CurrentUser->new(); + $user_obj->Load($args{user}); +@@ -1666,7 +1666,7 @@ sub MaybeShowInterstitialCSRFPage { + my $token = StoreRequestToken($ARGS); + $HTML::Mason::Commands::m->comp( + '/Elements/CSRF', +- OriginalURL => RT->Config->Get('WebPath') . $HTML::Mason::Commands::r->path_info, ++ OriginalURL => RT->Config->Get('WebBaseURL') . RT->Config->Get('WebPath') . $HTML::Mason::Commands::r->path_info, + Reason => HTML::Mason::Commands::loc( $msg, @loc ), + Token => $token, + ); Property changes on: branches/2017Q2/www/rt44/files/patch-lib_RT_Interface_Web.pm ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2017Q2/www/rt44/files/patch-lib_RT_User.pm =================================================================== --- branches/2017Q2/www/rt44/files/patch-lib_RT_User.pm (nonexistent) +++ branches/2017Q2/www/rt44/files/patch-lib_RT_User.pm (revision 443767) 
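Review bot: The second change prepends `RT->Config->Get('WebBaseURL')` to the CSRF interstitial's OriginalURL without a comment saying why the previously relative URL was insufficient, and in a CSRF handler that reasoning matters; presumably the aim is to anchor the continue link to the configured canonical host rather than to whatever host or path the request arrived on. A one-line comment above the call, `# Build an absolute URL from the configured base so the continue link is not derived from the request`, would record that. The first change makes IsCompCSRFWhitelisted read the documented key RestrictLoginReferrer instead of the misspelled RestrictReferrerLogin, which the PostLoadCheck added in patch-lib_RT_Config.pm now warns about; the two hunks should be kept together. Both IsCompCSRFWhitelisted and MaybeShowInterstitialCSRFPage extend beyond the hunks.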
@@ -0,0 +1,87 @@ +--- lib/RT/User.pm.orig 2016-07-18 20:20:17 UTC ++++ lib/RT/User.pm +@@ -84,6 +84,7 @@ use RT::Principals; + use RT::ACE; + use RT::Interface::Email; + use Text::Password::Pronounceable; ++use RT::Util; + + sub _OverlayAccessible { + { +@@ -1087,11 +1088,17 @@ sub IsPassword { + # If it's a new-style (>= RT 4.0) password, it starts with a '!' + my (undef, $method, @rest) = split /!/, $stored; + if ($method eq "bcrypt") { +- return 0 unless $self->_GeneratePassword_bcrypt($value, @rest) eq $stored; ++ return 0 unless RT::Util::constant_time_eq( ++ $self->_GeneratePassword_bcrypt($value, @rest), ++ $stored ++ ); + # Upgrade to a larger number of rounds if necessary + return 1 unless $rest[0] < RT->Config->Get('BcryptCost'); + } elsif ($method eq "sha512") { +- return 0 unless $self->_GeneratePassword_sha512($value, @rest) eq $stored; ++ return 0 unless RT::Util::constant_time_eq( ++ $self->_GeneratePassword_sha512($value, @rest), ++ $stored ++ ); + } else { + $RT::Logger->warn("Unknown hash method $method"); + return 0; +@@ -1101,16 +1108,28 @@ sub IsPassword { + my $hash = MIME::Base64::decode_base64($stored); + # Decoding yields 30 byes; first 4 are the salt, the rest are substr(SHA256,0,26) + my $salt = substr($hash, 0, 4, ""); +- return 0 unless substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26) eq $hash; ++ return 0 unless RT::Util::constant_time_eq( ++ substr(Digest::SHA::sha256($salt . 
Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26), ++ $hash ++ ); + } elsif (length $stored == 32) { + # Hex nonsalted-md5 +- return 0 unless Digest::MD5::md5_hex(Encode::encode( "UTF-8", $value)) eq $stored; ++ return 0 unless RT::Util::constant_time_eq( ++ Digest::MD5::md5_hex(Encode::encode( "UTF-8", $value)), ++ $stored ++ ); + } elsif (length $stored == 22) { + # Base64 nonsalted-md5 +- return 0 unless Digest::MD5::md5_base64(Encode::encode( "UTF-8", $value)) eq $stored; ++ return 0 unless RT::Util::constant_time_eq( ++ Digest::MD5::md5_base64(Encode::encode( "UTF-8", $value)), ++ $stored ++ ); + } elsif (length $stored == 13) { + # crypt() output +- return 0 unless crypt(Encode::encode( "UTF-8", $value), $stored) eq $stored; ++ return 0 unless RT::Util::constant_time_eq( ++ crypt(Encode::encode( "UTF-8", $value), $stored), ++ $stored ++ ); + } else { + $RT::Logger->warning("Unknown password form"); + return 0; +@@ -1206,19 +1225,20 @@ sub GenerateAuthString { + + =head3 ValidateAuthString + +-Takes auth string and protected string. Returns true is protected string ++Takes auth string and protected string. Returns true if protected string + has been protected by user's L. See also L. + + =cut + + sub ValidateAuthString { + my $self = shift; +- my $auth_string = shift; ++ my $auth_string_to_validate = shift; + my $protected = shift; + + my $str = Encode::encode( "UTF-8", $self->AuthToken . 
$protected ); ++ my $valid_auth_string = substr(Digest::MD5::md5_hex($str),0,16); + +- return $auth_string eq substr(Digest::MD5::md5_hex($str),0,16); ++ return RT::Util::constant_time_eq( $auth_string_to_validate, $valid_auth_string ); + } + + =head2 SetDisabled Property changes on: branches/2017Q2/www/rt44/files/patch-lib_RT_User.pm ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2017Q2/www/rt44/files/patch-lib_RT_Util.pm =================================================================== --- branches/2017Q2/www/rt44/files/patch-lib_RT_Util.pm (nonexistent) +++ branches/2017Q2/www/rt44/files/patch-lib_RT_Util.pm (revision 443767) 
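Review bot: In ValidateAuthString, `$auth_string_to_validate` is a caller-supplied value passed directly to `RT::Util::constant_time_eq`, whose POD in this same commit says it is not for direct use with user input and which dies when the two lengths differ; any auth string that is not exactly 16 characters now raises an exception where the old `eq` returned false. Guard it first: `return 0 unless defined $auth_string_to_validate and length $auth_string_to_validate == length $valid_auth_string;` — the expected length is the fixed 16 from the substr, so the check reveals nothing. The same die-versus-fail-closed question applies to the IsPassword branches above, e.g. the `length $stored == 13` case where crypt() may return something of a different length for an unsupported salt, or the decoded-salt case where a corrupt base64 value yields a $hash shorter than 26 bytes; previously these returned 0. IsPassword and ValidateAuthString both extend outside the hunk, so whether callers catch the exception is not visible here.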
@@ -0,0 +1,70 @@ +--- lib/RT/Util.pm.orig 2016-07-18 20:20:17 UTC ++++ lib/RT/Util.pm +@@ -54,6 +54,8 @@ use warnings; + use base 'Exporter'; + our @EXPORT = qw/safe_run_child mime_recommended_filename/; + ++use Encode qw/encode/; ++ + sub safe_run_child (&) { + my $our_pid = $$; + +@@ -150,6 +152,58 @@ sub assert_bytes { + } + + ++=head2 C ++ ++Compares two strings for equality in constant-time. Replacement for the C ++operator designed to avoid timing side-channel vulnerabilities. Returns zero ++or one. ++ ++This is intended for use in cryptographic subsystems for comparing well-formed ++data such as hashes - not for direct use with user input or as a general ++replacement for the C operator. ++ ++The two string arguments B be of equal length. If the lengths differ, ++this function will call C, as proceeding with execution would create ++a timing vulnerability. Length is defined by characters, not bytes. ++ ++This code has been tested to do what it claims. Do not change it without ++thorough statistical timing analysis to validate the changes. 
++ ++Added to resolve CVE-2017-5361 ++ ++For more on timing attacks, see this Wikipedia article: ++B ++ ++=cut ++ ++sub constant_time_eq { ++ my ($a, $b) = @_; ++ ++ my $result = 0; ++ ++ # generic error message avoids potential information leaks ++ my $generic_error = "Cannot compare values"; ++ die $generic_error unless defined $a and defined $b; ++ die $generic_error unless length $a == length $b; ++ die $generic_error if ref($a) or ref($b); ++ ++ for (my $i = 0; $i < length($a); $i++) { ++ my $a_char = substr($a, $i, 1); ++ my $b_char = substr($b, $i, 1); ++ ++ # encode() is set to die on malformed ++ my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK)); ++ my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK)); ++ die $generic_error if (scalar @a_octets) != (scalar @b_octets); ++ ++ for (my $j = 0; $j < scalar @a_octets; $j++) { ++ $result |= $a_octets[$j] ^ $b_octets[$j]; ++ } ++ } ++ return 0 + not $result; ++} ++ ++ + RT::Base->_ImportOverlays(); + + 1; Property changes on: branches/2017Q2/www/rt44/files/patch-lib_RT_Util.pm ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2017Q2/www/rt44/files/patch-sbin_rt-test-dependencies =================================================================== --- branches/2017Q2/www/rt44/files/patch-sbin_rt-test-dependencies (nonexistent) +++ branches/2017Q2/www/rt44/files/patch-sbin_rt-test-dependencies (revision 443767) 
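Review bot: `my ($a, $b) = @_;` in constant_time_eq lexicalizes Perl's special sort variables $a and $b, so a sort block in that scope would see the lexicals rather than the globals, and perlcritic flags the pattern; `my ($left, $right) = @_;` with the uses below renamed is the safer spelling. The two C-style loops would read more idiomatically as `for my $i (0 .. length($left) - 1)` and `for my $j (0 .. $#left_octets)` with identical behaviour. The POD documents the equal-length precondition and the die well; it could also state that the same generic "Cannot compare values" error is raised for undef or reference arguments, since callers added elsewhere in this commit (IsPassword, ValidateAuthString, GetAuth) pass values whose shape they do not check.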
@@ -0,0 +1,11 @@ +--- sbin/rt-test-dependencies.orig 2016-07-20 15:49:00 UTC ++++ sbin/rt-test-dependencies +@@ -136,7 +136,7 @@ Devel::StackTrace 1.19 + Digest::base + Digest::MD5 2.27 + Digest::SHA +-Email::Address 1.897 ++Email::Address 1.908 + Email::Address::List 0.02 + Encode 2.64 + Errno Property changes on: branches/2017Q2/www/rt44/files/patch-sbin_rt-test-dependencies ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2017Q2/www/rt44/files/patch-share_html_Dashboards_Subscription.html =================================================================== --- branches/2017Q2/www/rt44/files/patch-share_html_Dashboards_Subscription.html (nonexistent) +++ branches/2017Q2/www/rt44/files/patch-share_html_Dashboards_Subscription.html (revision 443767) @@ -0,0 +1,11 @@ +--- share/html/Dashboards/Subscription.html.orig 2016-07-18 20:20:17 UTC ++++ share/html/Dashboards/Subscription.html +@@ -75,7 +75,7 @@ +
    + % for my $portlet (@portlets) { +
  1. +- <% loc($portlet->{description}, $fields{'Rows'}) %> ++ <% loc( RT::SavedSearch->EscapeDescription($portlet->{description}), $fields{'Rows'}) %> +
  2. + % } +
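Review bot: Wrapping the description in `RT::SavedSearch->EscapeDescription` before `loc()` is the right shape of fix, since loc() interprets `[...]` sequences in its first argument and a saved-search description is user-controlled; nothing in this commit adds EscapeDescription, though, so it assumes the method already exists in the 4.4.1 tree being patched — worth confirming, as a missing method would die at render time. A Mason comment on the preceding line, `% # escape [..] so the description is not parsed as loc() arguments`, would explain the wrapper. The surrounding HTML lines appear stripped in this rendering, so the rest of the hunk cannot be checked here.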
Property changes on: branches/2017Q2/www/rt44/files/patch-share_html_Dashboards_Subscription.html ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2017Q2/www/rt44/files/patch-share_html_Ticket_Attachment_dhandler =================================================================== --- branches/2017Q2/www/rt44/files/patch-share_html_Ticket_Attachment_dhandler (nonexistent) +++ branches/2017Q2/www/rt44/files/patch-share_html_Ticket_Attachment_dhandler (revision 443767) 
@@ -0,0 +1,18 @@ +--- share/html/Ticket/Attachment/dhandler.orig 2016-07-18 20:20:17 UTC ++++ share/html/Ticket/Attachment/dhandler +@@ -68,11 +68,13 @@ unless ( $AttachmentObj->TransactionId() + my $content = $AttachmentObj->OriginalContent; + my $content_type = $AttachmentObj->ContentType || 'text/plain'; + +-if ( RT->Config->Get('AlwaysDownloadAttachments') ) { ++my $attachment_regex = qr{^(image/svg\+xml|application/pdf)}i; ++if ( RT->Config->Get('AlwaysDownloadAttachments') || ($content_type =~ $attachment_regex) ) { + $r->headers_out->{'Content-Disposition'} = "attachment"; + } + elsif ( !RT->Config->Get('TrustHTMLAttachments') ) { +- $content_type = 'text/plain' if ( $content_type =~ /^text\/html/i ); ++ my $text_plain_regex = qr{^(text/html|application/xhtml\+xml|text/xml|application/xml)}i; ++ $content_type = 'text/plain' if ( $content_type =~ $text_plain_regex ); + } + elsif (lc $content_type eq 'text/html') { + # If we're trusting and serving HTML for display not download, try to do Property changes on: branches/2017Q2/www/rt44/files/patch-share_html_Ticket_Attachment_dhandler ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2017Q2 =================================================================== --- branches/2017Q2 (revision 443766) +++ branches/2017Q2 (revision 443767) Property changes on: branches/2017Q2 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r443703
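Review bot: Both new regexes use a capturing group whose capture is never read; `qr{^(?:image/svg\+xml|application/pdf)}i` and `qr{^(?:text/html|application/xhtml\+xml|text/xml|application/xml)}i` say the same thing without populating $1. The downgrade to text/plain only protects if the browser honours the declared type, so if response headers are set in this component an `X-Content-Type-Options: nosniff` header would make the intent explicit — whether RT already sends one elsewhere is not visible from the hunk. A comment naming why these types are singled out, e.g. `# Types a browser may render as active content: force download, or serve as plain text when HTML is untrusted`, would help whoever extends the lists. The dhandler body continues past the hunk.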