Commit e47c6fbb authored by Thomas Sibley, committed by Alex Vandiver

Prevent linking directly to CF values when the value is a data: URI

You can still create data: URIs in a linked CF with the value as part of
the URI, but the whole value can't be a data: URI itself.

This resolves part of CVE-2011-2083.
parent e8c2f511
......@@ -364,11 +364,11 @@ sub _FillInTemplateURL {
# special case, whole value should be an URL
if ( $url =~ /^__CustomField__/ ) {
my $value = $self->Content;
# protect from javascript: URLs
if ( $value =~ /^\s*javascript:/i ) {
# protect from potentially malicious URLs
if ( $value =~ /^\s*(?:javascript|data):/i ) {
my $object = $self->Object;
$RT::Logger->error(
"Dangerouse value with JavaScript in custom field '". $self->CustomFieldObj->Name ."'"
"Potentially dangerous URL type in custom field '". $self->CustomFieldObj->Name ."'"
." on ". ref($object) ." #". $object->id
);
return undef;
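Review bot: the scheme test on the `if ( $value =~ /^\s*(?:javascript|data):/i )` line is still a denylist, so every additional dangerous scheme needs another patch like this one, and the anchor only tolerates leading characters that `\s` matches. Consider inverting the check: extract the scheme from `$value` and allow the link only when it is on a short allowlist (for example http, https and mailto, or a configurable set), logging and returning for everything else. The new log text no longer names the offending scheme, so including it would make the error easier to triage. A regression test that sets a linked custom field to a data: value and asserts no link is produced would keep this behaviour from reverting.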