Merge branch 'hotfix/4.7.17.4'

This commit is contained in:
James Cole
2019-08-02 17:08:34 +02:00
10 changed files with 61 additions and 32 deletions


@@ -1,3 +1,7 @@
# 4.7.17.4 (API 0.9.2)
- Several XSS issues, found by [@dayn1ne](https://github.com/dayn1ne).
# 4.7.17.3 (API 0.9.2)
- XSS bug in file uploads (x2), found by [@dayn1ne](https://github.com/dayn1ne).


@@ -15,8 +15,8 @@ const pkgdef :Spk.PackageDefinition = (
manifest = (
appTitle = (defaultText = "Firefly III"),
appVersion = 29,
appMarketingVersion = (defaultText = "4.7.17.3"),
appVersion = 30,
appMarketingVersion = (defaultText = "4.7.17.4"),
actions = [
# Define your "new document" handlers here.


@@ -1,7 +1,7 @@
sudo: required
language: bash
env:
- VERSION=4.7.17.3
- VERSION=4.7.17.4
dist: xenial


@@ -124,7 +124,7 @@ class CreateController extends Controller
*/
public function createFromBill(Request $request, Bill $bill)
{
$request->session()->flash('info', (string)trans('firefly.instructions_rule_from_bill', ['name' => $bill->name]));
$request->session()->flash('info', (string)trans('firefly.instructions_rule_from_bill', ['name' => e($bill->name)]));
$this->createDefaultRuleGroup();
$this->createDefaultRule();
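Review bot: `e($bill->name)` on the new line escapes the bill name at the moment it is written into the session flash, which is only correct if the layout prints `info` flash messages unescaped (`|raw`); that contract lives outside this hunk and should be recorded next to the call, e.g. `// Escaped here: flash messages are rendered raw by the layout.` Escaping in the controller rather than at output also means any other user-controlled value interpolated into a flash message in this controller needs the same wrapping to stay consistent. createFromBill's body continues past the end of the hunk.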


@@ -60,6 +60,9 @@ class NewFinTSJobHandler implements FinTSConfigurationInterface
$config['fints_password'] = (string)(Crypt::encrypt($data['fints_password']) ?? '');
$config['apply-rules'] = 1 === (int)$data['apply_rules'];
// sanitize FinTS URL.
$config['fints_url'] = $this->validURI($config['fints_url']) ? $config['fints_url'] : '';
$this->repository->setConfiguration($this->importJob, $config);
@@ -108,4 +111,21 @@ class NewFinTSJobHandler implements FinTSConfigurationInterface
$this->repository->setUser($importJob->user);
}
/**
* @param string $fints_url
*
* @return bool
*/
private function validURI(string $fintsUri): bool
{
$res = filter_var($fintsUri, FILTER_VALIDATE_URL);
if (false === $res) {
return false;
}
$scheme = parse_url($fintsUri, PHP_URL_SCHEME);
return 'https' === $scheme;
}
}
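Review bot: The docblock on the new `validURI` method names the parameter `$fints_url` while the signature declares `$fintsUri`; the tag should read `@param string $fintsUri`, and a one-line purpose would help, e.g. `Accepts only absolute https:// URLs; anything else is dropped so the FinTS client is never pointed at a non-TLS endpoint.` The comparison `'https' === $scheme` is case-sensitive, so an upper-case `HTTPS://` scheme is rejected even though FILTER_VALIDATE_URL accepts it; `strtolower((string) $scheme)` before comparing avoids that false negative. In the first hunk an invalid URL is silently replaced with `''`, so a mistyped URL only surfaces later as a connection failure; a validation message for the user would be clearer. The `$res` temporary can be folded into the condition, `if (false === filter_var($fintsUri, FILTER_VALIDATE_URL)) {`.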


@@ -2,6 +2,11 @@
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).
## [4.7.17.4 (API 0.9.2)] - 2019-08-02
### Security
- Several XSS issues, found by [@dayn1ne](https://github.com/dayn1ne).
## [4.7.17.3 (API 0.9.2)] - 2019-07-16
### Security


@@ -93,7 +93,7 @@ return [
'is_demo_site' => false,
],
'encryption' => null === env('USE_ENCRYPTION') || env('USE_ENCRYPTION') === true,
'version' => '4.7.17.3',
'version' => '4.7.17.4',
'api_version' => '0.9.2',
'db_version' => 10,
'maxUploadSize' => 15242880,


@@ -42,7 +42,7 @@
<em>
{{ trans('firefly.no_audit_activity',
{
account_name: account.name,
account_name: account.name|escape,
url: url,
start: start.formatLocalized(monthAndDayFormat),
end: end.formatLocalized(monthAndDayFormat),
@@ -55,7 +55,7 @@
{{ trans('firefly.audit_end_balance',
{
account_name: account.name,
account_name: account.name|escape,
url: url,
end: auditData[account.id].end,
balance: formatAmountByAccount(account,auditData[account.id].endBalance)
@@ -65,7 +65,7 @@
<p style="padding:10px;">
{{ trans('firefly.audit_end_balance',
{
account_name: account.name,
account_name: account.name|escape,
url: url,
end: auditData[account.id].dayBefore,
balance: formatAmountByAccount(account, auditData[account.id].dayBeforeBalance)
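Review bot: The `|escape` added to `account.name` in the three changed `trans()` calls only has effect if the translated string is then output with `|raw`, which is not visible in this hunk; if the outer expression is auto-escaped instead, the name is double-encoded. Because the safety of each call now rests on every interpolated argument being escaped individually, a template comment such as `{# arguments to raw trans() output must be |escape'd individually #}` above the first call would record that contract. The same per-argument pattern is applied in the transaction-edit and journal-link-deletion template sections below, where the trailing `|raw` is visible. `url`, `start` and `end` are passed unescaped; that is fine if they come from route() and date formatting, as the names suggest, but worth confirming.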


@@ -22,12 +22,12 @@
{# in case of withdrawal #}
{% if sourceType.type == "Withdrawal" %}
{{ ExpandedForm.staticText('source_account_asset', '<a href="'~route('accounts.show',[sourceAccount.id])~'">'~sourceAccount.name~'</a>') }}
{{ ExpandedForm.staticText('source_account_asset', '<a href="'~route('accounts.show',[sourceAccount.id])~'">'~sourceAccount.name|escape~'</a>') }}
{# if destination is cash, show (cash) #}
{% if destinationAccount.accountType.type == "Cash account" %}
{{ ExpandedForm.staticText('destination_account_expense', '<span class="text-success">(cash)</a>') }}
{% else %}
{{ ExpandedForm.staticText('destination_account_expense', '<a href="'~route('accounts.show',[destinationAccount.id])~'">'~destinationAccount.name~'</a>') }}
{{ ExpandedForm.staticText('destination_account_expense', '<a href="'~route('accounts.show',[destinationAccount.id])~'">'~destinationAccount.name|escape~'</a>') }}
{% endif %}
{% endif %}
@@ -38,15 +38,15 @@
{% if sourceAccount.accountType.type == "Cash account" %}
{{ ExpandedForm.staticText('source_account_revenue', '<span class="text-success">(cash)</a>') }}
{% else %}
{{ ExpandedForm.staticText('source_account_revenue', '<a href="'~route('accounts.show',[sourceAccount.id])~'">'~sourceAccount.name~'</a>') }}
{{ ExpandedForm.staticText('source_account_revenue', '<a href="'~route('accounts.show',[sourceAccount.id])~'">'~sourceAccount.name|escape~'</a>') }}
{% endif %}
{{ ExpandedForm.staticText('destination_account_asset', '<a href="'~route('accounts.show',[destinationAccount.id])~'">'~destinationAccount.name~'</a>') }}
{{ ExpandedForm.staticText('destination_account_asset', '<a href="'~route('accounts.show',[destinationAccount.id])~'">'~destinationAccount.name|escape~'</a>') }}
{% endif %}
{# in case of transfer #}
{% if sourceType.type == "Transfer" %}
{{ ExpandedForm.staticText('source_account_asset', '<a href="'~route('accounts.show',[sourceAccount.id])~'">'~sourceAccount.name~'</a>') }}
{{ ExpandedForm.staticText('destination_account_asset', '<a href="'~route('accounts.show',[destinationAccount.id])~'">'~destinationAccount.name~'</a>') }}
{{ ExpandedForm.staticText('source_account_asset', '<a href="'~route('accounts.show',[sourceAccount.id])~'">'~sourceAccount.name|escape~'</a>') }}
{{ ExpandedForm.staticText('destination_account_asset', '<a href="'~route('accounts.show',[destinationAccount.id])~'">'~destinationAccount.name|escape~'</a>') }}
{% endif %}
{# ONE #}
@@ -56,9 +56,9 @@
{
amount: positiveAmount|formatAmount,
sourceRoute: route('accounts.show', [sourceAccount.id]),
sourceName: sourceAccount.name,
sourceName: sourceAccount.name|escape,
destinationRoute: route('accounts.show', [destinationAccount.id]),
destinationName: destinationAccount.name,
destinationName: destinationAccount.name|escape,
})|raw }}
</em>
</p>
@@ -69,7 +69,7 @@
{% if destinationAccount.accountType.type == "Cash account" %}
{{ ExpandedForm.text('source_account_revenue', '') }}
{% else %}
{{ ExpandedForm.text('source_account_revenue', destinationAccount.name) }}
{{ ExpandedForm.text('source_account_revenue', destinationAccount.name|escape) }}
{% endif %}
{% endif %}
@@ -80,9 +80,9 @@
{
amount: positiveAmount|formatAmount,
sourceRoute: route('accounts.show', [sourceAccount.id]),
sourceName: sourceAccount.name,
sourceName: sourceAccount.name|escape,
destinationRoute: route('accounts.show', [destinationAccount.id]),
destinationName: destinationAccount.name,
destinationName: destinationAccount.name|escape,
})|raw }}
</em></p>
@@ -104,9 +104,9 @@
{
amount: positiveAmount|formatAmount,
sourceRoute: route('accounts.show', [sourceAccount.id]),
sourceName: sourceAccount.name,
sourceName: sourceAccount.name|escape,
destinationRoute: route('accounts.show', [destinationAccount.id]),
destinationName: destinationAccount.name,
destinationName: destinationAccount.name|escape,
})|raw }}
</em>
</p>
@@ -119,7 +119,7 @@
{% if sourceAccount.accountType.type == "Cash account" %}
{{ ExpandedForm.text('destination_account_expense', '') }}
{% else %}
{{ ExpandedForm.text('destination_account_expense', destinationAccount.name) }}
{{ ExpandedForm.text('destination_account_expense', destinationAccount.name|escape) }}
{% endif %}
{% endif %}
@@ -133,9 +133,9 @@
{
amount: positiveAmount|formatAmount,
sourceRoute: route('accounts.show', [sourceAccount.id]),
sourceName: sourceAccount.name,
sourceName: sourceAccount.name|escape,
destinationRoute: route('accounts.show', [destinationAccount.id]),
destinationName: destinationAccount.name,
destinationName: destinationAccount.name|escape,
})|raw }}
</em>
</p>
@@ -157,9 +157,9 @@
{
amount: positiveAmount|formatAmount,
sourceRoute: route('accounts.show', [sourceAccount.id]),
sourceName: sourceAccount.name,
sourceName: sourceAccount.name|escape,
destinationRoute: route('accounts.show', [destinationAccount.id]),
destinationName: destinationAccount.name,
destinationName: destinationAccount.name|escape,
})|raw }}
</em>
</p>
@@ -170,7 +170,7 @@
</em>
</p>
{{ ExpandedForm.text('destination_account_expense', destinationAccount.name) }}
{{ ExpandedForm.text('destination_account_expense', destinationAccount.name|escape) }}
{% endif %}
@@ -184,9 +184,9 @@
{
amount: positiveAmount|formatAmount,
sourceRoute: route('accounts.show', [sourceAccount.id]),
sourceName: sourceAccount.name,
sourceName: sourceAccount.name|escape,
destinationRoute: route('accounts.show', [destinationAccount.id]),
destinationName: destinationAccount.name,
destinationName: destinationAccount.name|escape,
})|raw }}
</em>
</p>
@@ -197,7 +197,7 @@
</em>
</p>
{{ ExpandedForm.text('source_account_revenue', sourceAccount.name) }}
{{ ExpandedForm.text('source_account_revenue', sourceAccount.name|escape) }}
{% endif %}
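Review bot: The `|escape` on the values passed to `ExpandedForm.text(...)` (the `source_account_revenue` and `destination_account_expense` inputs in four hunks of this file) is a different case from the `staticText` links: a form helper normally HTML-encodes the value when it renders the `value` attribute, so if `ExpandedForm.text` already does that, an account name containing `&` or `"` is shown as `&amp;`/`&quot;` in the input and, on submit, is written back to the account in that encoded form. If the helper does not encode, the fix belongs inside `ExpandedForm.text` so every caller is covered rather than this template alone. In both cases the escaping belongs in the helper, and the template should pass `destinationAccount.name` unescaped once that is confirmed. The `~ … |escape ~` concatenations into `staticText` are correct, since filters bind tighter than `~`.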


@@ -12,14 +12,14 @@
<div class="col-lg-6 col-lg-offset-3 col-md-6 col-sm-12">
<div class="box box-danger">
<div class="box-header with-border">
<h3 class="box-title">{{ trans('firefly.delete_journal_link', {source: link.source.description, destination: link.destination.description, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }}</h3>
<h3 class="box-title">{{ trans('firefly.delete_journal_link', {source: link.source.description|escape, destination: link.destination.description|escape, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }}</h3>
</div>
<div class="box-body">
<p class="text-danger">
{{ trans('form.permDeleteWarning') }}
</p>
<p>
{{ trans('form.journal_link_areYouSure', {source: link.source.description, destination: link.destination.description, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }}
{{ trans('form.journal_link_areYouSure', {source: link.source.description|escape, destination: link.destination.description|escape, source_link: route('transactions.show', [link.source_id]) , destination_link: route('transactions.show',link.destination_id)})|raw }}
</p>
</div>
<div class="box-footer">