request #45999 Ensure `extract()` is not called on untrusted inputs

Infos

Artifact ID#45999

Submitted byThomas Gerbet (tgerbet)

Last Modified On2025-12-23 12:24

Submitted on2025-12-22 16:23

Rank47725

Details

Summary *

Ensure `extract()` is not called on untrusted inputs

Original Submission

Spotted by Psalm taint analysis. In \Tuleap_Template is called on possibly untrusted data. This should be avoided to not give malicious users a way to influence the execution context.

Note there is no security impact, as the existing code does not pass untrusted information.

CategoryOther

Reported in versionEmpty

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2025-12-23

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #45999

Git commit

tuleap/tuleap/stable

fix: request #45999 Ensure `extract()` is not called on untrusted inputs 681f555753

Thomas Gerbet (tgerbet) , 2025-12-23 08:33

Merge commit 'refs/changes/17/36517/3' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD dd854d3f00

Nicolas Terray (nterray) , 2025-12-23 11:55

Show items referenced by request #45999

Referenced by request #45999

Artifact

rel #45975 17.2

Git commit

tuleap/tuleap/stable

fix: request #45999 Ensure `extract()` is not called on untrusted inputs 681f555753

Thomas Gerbet (tgerbet) , 2025-12-23 08:33

Follow-ups

Nicolas Terray (nterray)

2025-12-23 12:24

Connected artifacts
- Added Fixed in: rel #45975

Tracker Workflow Manager (forge__tracker_workflow_manager)

2025-12-23 11:55

request fixed by @tgerbet with git #tuleap/stable/681f555753241fc393e692e29d146a28c9d012a0.

Status changed from Under implementation to Closed
Close date set to 2025-12-23

Public

Referencing request #45999

Git commit

tuleap/tuleap/stable

Referenced by request #45999

Artifact

Git commit

tuleap/tuleap/stable

Follow-ups