View Issue Details
Field | Value
---|---
ID | 0024186
Project | mantisbt
Category | security
View Status | public
Date Submitted | 2018-03-29 07:36
Last Update | 2018-04-13 08:34
Reporter | dregad
Assigned To | dregad
Priority | high
Severity | major
Reproducibility | have not tried
Status | closed
Resolution | fixed
Product Version | 2.1.0
Target Version | 2.12.1
Fixed in Version | 2.12.1
Summary | 0024186: CVE-2018-1000162: XSS vulnerability in Parsedown library
Description | Parsedown 1.6.x is vulnerable to XSS attacks. This was fixed in 1.7.0 on 28-Feb-2018; 1.7.1 was released a few days later including a few additional bug fixes.
Additional Information | Some changes will be required on MantisBT side, e.g.
Tags | No tags attached.
Attached Files |

@dregad, I recommend waiting a bit (at least 1.7.2) until 1.7.x is stabilized.

I don't see any reason to delay - this is a security issue that is affecting us today and for which a fix is available. It would be silly not to patch it ASAP.

Proposed patch as attachment for review, to avoid public disclosure in a pull request.

24186.patch (2,842 bytes):
diff --cc composer.json index 179cae1,179cae1..f634264 --- a/composer.json +++ b/composer.json @@@ -8,7 -8,7 +8,7 @@@ "vboctor/disposable_email_checker": "^3.0", "adodb/adodb-php": "^5.20", "phpmailer/phpmailer": "^5.2.22", -- "erusev/parsedown": "^1.7.0", ++ "erusev/parsedown": "^1.6", "dapphp/securimage": "dev-mantis" }, "require-dev": { diff --cc composer.lock index 8f44439,8f44439..9879157 --- a/composer.lock +++ b/composer.lock @@@ -4,7 -4,7 +4,7 @@@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], -- "content-hash": "493a9911b0f5109b5f4b73997648e7be", ++ "content-hash": "acd102d3211c0308e763376e7be54d78", "packages": [ { "name": "adodb/adodb-php", @@@ -142,25 -142,25 +142,21 @@@ }, { "name": "erusev/parsedown", -- "version": "1.7.1", ++ "version": "1.6.3", "source": { "type": "git", "url": "https://github.com/erusev/parsedown.git", -- "reference": "92e9c27ba0e74b8b028b111d1b6f956a15c01fc1" ++ "reference": "728952b90a333b5c6f77f06ea9422b94b585878d" }, "dist": { "type": "zip", -- "url": "https://api.github.com/repos/erusev/parsedown/zipball/92e9c27ba0e74b8b028b111d1b6f956a15c01fc1", -- "reference": "92e9c27ba0e74b8b028b111d1b6f956a15c01fc1", ++ "url": "https://api.github.com/repos/erusev/parsedown/zipball/728952b90a333b5c6f77f06ea9422b94b585878d", ++ "reference": "728952b90a333b5c6f77f06ea9422b94b585878d", "shasum": "" }, "require": { -- "ext-mbstring": "*", "php": ">=5.3.0" }, -- "require-dev": { -- "phpunit/phpunit": "^4.8.35" -- }, "type": "library", "autoload": { "psr-0": { @@@ -184,7 -184,7 +180,7 @@@ "markdown", "parser" ], -- "time": "2018-03-08T01:11:30+00:00" ++ "time": "2017-05-14T14:47:48+00:00" }, { "name": "guzzlehttp/guzzle", diff --cc plugins/MantisCoreFormatting/core/MantisMarkdown.php index 6d96174,e937edd..18958bb --- a/plugins/MantisCoreFormatting/core/MantisMarkdown.php +++ b/plugins/MantisCoreFormatting/core/MantisMarkdown.php @@@ -66,9 -66,9 +66,6 
@@@ class MantisMarkdown extends Parsedow # set the table class $this->table_class = 'table table-nonfluid'; -- -- # XSS protection -- $this->setSafeMode( true ); } /** |
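Review bot: the composer.json hunk is in the reverse direction: its `--` line is `"erusev/parsedown": "^1.7.0"` and its `++` line is `"erusev/parsedown": "^1.6"`, so as attached it would relax the constraint back to the vulnerable 1.6.x series instead of requiring the release that carries the fix. The intended change is `^1.6` to `^1.7.0`. The `diff --cc` and `@@@` headers also mark this as a combined (merge) diff rather than a plain two-way patch, which fits the later remark in this thread that the `git format-patch` invocation went wrong; regenerate it in the forward direction from the single commit before anyone tries to apply it.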
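Review bot: the composer.lock hunks follow the same reversed direction: `erusev/parsedown` goes from `1.7.1` (reference `92e9c27ba0e74b8b028b111d1b6f956a15c01fc1`, time `2018-03-08`) to `1.6.3` (reference `728952b90a333b5c6f77f06ea9422b94b585878d`, time `2017-05-14`), the `ext-mbstring` requirement that 1.7.1 declares disappears, and the `content-hash` flips with it. Rather than reviewing these lines by hand in either direction, regenerate the lock file: set the `^1.7.0` constraint in composer.json, run `composer update erusev/parsedown`, and commit the result so the `content-hash` matches composer.json and `composer install` does not report the lock file as out of date.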
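Review bot: the MantisMarkdown.php hunk removes the mitigation this issue exists to add: its `--` lines delete `# XSS protection` and `$this->setSafeMode( true );` from `class MantisMarkdown extends Parsedown`, right after `$this->table_class = 'table table-nonfluid';` (header `-66,9 +66,6`, three lines fewer). Read forward, the fix is to insert those lines at that spot. Two things to keep in mind when it lands: `setSafeMode()` only exists from Parsedown 1.7.0, so this change must not be merged ahead of the composer constraint bump or the class will call an undefined method on 1.6.x; and a unit test that runs a note containing raw HTML through `MantisMarkdown` and asserts the tag comes back entity-escaped would catch this line being dropped again.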
@dregad I'm OK with the fix to make its way to 2.12.1. Seems like you have a reverse patch in 0024186:0059349
Why is this added?

Yes, I made a mistake in the git format-patch command.
That comes from parsedown's composer.json - details on why it was added are here: https://github.com/erusev/parsedown/pull/561

CVE-2018-1000162 assigned https://github.com/erusev/parsedown/issues/590

Changing title and creating a child issue to track the Parsedown library update (0024297) separately, as it is effectively just a pre-requisite to the actual fix for the XSS (i.e. enabling safe mode)

MantisBT: master-2.12 518d7529 2018-03-29 04:16

Update Parsedown to 1.7.1
- Set minimum required version to 1.7.0 in composer.json
- Run composer update
- Updating erusev/parsedown (1.6.3 => 1.7.1)

Fixes 0024186

Affected Issues 0024186, 0024297

mod - composer.json
mod - composer.lock

MantisBT: master-2.12 a5e043f0 2018-03-29 04:49

Enable Parsedown Safe Mode for XSS protection
Fixes 0024186

Affected Issues 0024186

mod - plugins/MantisCoreFormatting/core/MantisMarkdown.php
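As an added example of what the `setSafeMode( true )` call in the second changeset buys (this is not MantisBT's or Parsedown's own code), the script below renders one constructed note with and without safe mode and checks that raw HTML comes back as escaped text while ordinary Markdown still renders. It assumes Parsedown 1.7.x is installed through Composer so that `vendor/autoload.php` sits next to the script, as the updated composer.json constraint requires; `render_note()` and `check()` are hypothetical helpers written for this example, and the sample note is constructed.

```php
<?php
// Added example: not MantisBT's or Parsedown's own code. Assumes Parsedown
// >= 1.7.0 has been installed with Composer (the constraint the fix sets in
// composer.json) so that vendor/autoload.php exists next to this script.
require __DIR__ . '/vendor/autoload.php';

// Safe mode only exists from 1.7.0; refuse to run rather than render unsafely.
if (version_compare(Parsedown::version, '1.7.0', '<')) {
    throw new RuntimeException(
        'Parsedown ' . Parsedown::version . ' has no safe mode; upgrade to 1.7.0 or later'
    );
}

/**
 * Hypothetical stand-in for how MantisMarkdown renders a note.
 * $safe mirrors the `$this->setSafeMode( true )` call added by the fix.
 */
function render_note($markdown, $safe)
{
    $parser = new Parsedown();
    $parser->setSafeMode($safe); // 1.7+: escape raw HTML, sanitise link/image URLs
    return $parser->text($markdown);
}

/** Fail loudly; PHP's assert() may be disabled by zend.assertions. */
function check($condition, $what)
{
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

// Constructed sample note: ordinary Markdown with raw HTML mixed in, the kind
// of input a reporter could paste into a bugnote.
$note = "Steps to reproduce:\n\n"
      . "1. Open the *Report Issue* page\n"
      . "2. Paste this text: <script>untrusted()</script>\n\n"
      . "<b onmouseover=\"notify()\">hover me</b>";

// Parsedown 1.6.x behaviour (no safe mode): raw HTML passes straight through.
$unsafeHtml = render_note($note, false);
// Fixed behaviour: same input, every raw tag escaped to visible text.
$safeHtml = render_note($note, true);

echo "--- without safe mode ---\n", $unsafeHtml, "\n";
echo "--- with safe mode ---\n", $safeHtml, "\n";

// The checks a regression test for the fix would make.
check(strpos($unsafeHtml, '<script>') !== false, 'unsafe mode leaks the script tag');
check(strpos($safeHtml, '<script>') === false, 'safe mode emits no script tag');
check(strpos($safeHtml, '&lt;script&gt;') !== false, 'safe mode shows the tag as text');
check(strpos($safeHtml, '<b onmouseover') === false, 'safe mode emits no event-handler attribute');
check(strpos($safeHtml, '<em>Report Issue</em>') !== false, 'ordinary Markdown still renders');
echo "all checks passed\n";
```

Run it from the directory that holds `vendor/`. The first block of output shows what a note rendered by Parsedown 1.6.x (or 1.7.x with safe mode off) looks like, the second shows the escaped form, and the `check()` calls at the end are the assertions a PHPUnit test for the fix would make. The version guard at the top matters for the same reason the library update was split into its own child issue: on 1.6.x the `setSafeMode()` call does not exist, so the constraint bump and the call have to ship together.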