Templated value in project template used in create_test_env must be escaped

With the change introduced in 0b965b4eb8c9e16e299f8875734ee8e581cc8f52, the values replaced in the XML are not escaped at all, which might lead to security issues such as XXE. Due to some other validation, the issue does not seem to be exploitable, but we have no guarantee it's going to stay that way in the future.

While adding some tests, it has become visible that the validation done on the values was also incorrect; the opportunity has been taken to fix that as well.

Part of request #14048: Slowness at artifact creation

Change-Id: I3554d96a94ef807dfb660bd58f1e3455bc9f8b3b

Modified Files

M plugins/create_test_env/include/CreateTestEnv/CreateTestEnvironment.php +7 −2
M plugins/create_test_env/include/CreateTestEnv/CreateTestProject.php +32 −22
M plugins/create_test_env/phpunit/CreateTestEnv/CreateTestProjectTest.php +34 −22
D plugins/create_test_env/phpunit/CreateTestEnv/_fixtures/create_test_env/resources/sp-prj-2/project.xml +0 −0
M tests/lib/GlobalLanguageMock.php +2 −0
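
The escaping requirement described in the commit message, shown as an added example that is not the plugin's own code: the template, placeholder names and sample values are hypothetical, and `htmlspecialchars()` with `ENT_XML1` stands in for whatever escaping the actual fix uses.

```php
<?php
declare(strict_types=1);

// Constructed template; element and placeholder names are hypothetical.
const TEMPLATE = '<project unix-name="%unix_name%"><long-name>%full_name%</long-name></project>';

// Before: values are substituted into the XML text as-is.
function fillUnescaped(array $values): string
{
    return strtr(TEMPLATE, [
        '%unix_name%' => $values['unix_name'],
        '%full_name%' => $values['full_name'],
    ]);
}

// After: every value is XML-escaped, so it can only ever be character data.
function fillEscaped(array $values): string
{
    $escape = static fn (string $v): string => htmlspecialchars($v, ENT_XML1 | ENT_QUOTES, 'UTF-8');

    return strtr(TEMPLATE, [
        '%unix_name%' => $escape($values['unix_name']),
        '%full_name%' => $escape($values['full_name']),
    ]);
}

// Parse without network access and list the element names the parser sees.
function elementNames(string $xml): array
{
    $doc = new DOMDocument();
    if (! $doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('Generated XML is not well formed');
    }
    $names = [];
    foreach ($doc->getElementsByTagName('*') as $element) {
        $names[] = $element->nodeName;
    }
    return $names;
}

// Constructed input: a "name" that carries markup of its own.
$values = [
    'unix_name' => 'demo-project',
    'full_name' => 'Demo</long-name><services/><long-name>',
];

echo 'unescaped: ', implode(', ', elementNames(fillUnescaped($values))), PHP_EOL;
echo 'escaped:   ', implode(', ', elementNames(fillEscaped($values))), PHP_EOL;
```

With the unescaped substitution the parser reports an extra `services` element that came from the value; with escaping the same input stays inside `long-name` as text.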