Mercurial > p > roundup > code
comparison doc/upgrading.txt @ 8357:abf1297e7a94
bug(security): fix XSS exploit in devel and responsive templates
Replace all occurances of:
tal:content="structure context/MUMBLE/plain"
with
tal:content="context/MUMBLE/plain"
This seems to have been an old way to handle display of a field when
the user did not have edit rights. It does not occur in current (later
than 2009) classic tracker templates. But probably was unsed in
earlier classic templates since devel, reponsive and the roundup issue
tracker templates were based on classic.
Add CVE placeholder to security.txt and link to fix directions added
to upgrading.txt. Add note in announcement.txt and CHANGES.txt
Add a details element around the table of contents in the upgrading
guide. It was getting long.
Updated a missed XSS issue in the roundup tracker template. Live site
is already fixed.
XSS bug reported by 4bug of ChaMd5 Security Team H1 Group
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 08 Jul 2025 13:38:08 -0400 |
| parents | 226a4f391ae2 |
| children | d98cb4730a4a |
comparison
equal
deleted
inserted
replaced
| 8356:63390dcfcfe9 | 8357:abf1297e7a94 |
|---|---|
| 89 templates to use html (HTML5). If you are affected by this, please | 89 templates to use html (HTML5). If you are affected by this, please |
| 90 send email to the roundup-users mailing list (roundup-users at | 90 send email to the roundup-users mailing list (roundup-users at |
| 91 lists.sourceforge.net). Version 2.3.0 is the last version to support | 91 lists.sourceforge.net). Version 2.3.0 is the last version to support |
| 92 XHTML. | 92 XHTML. |
| 93 | 93 |
| 94 Contents: | 94 .. raw:: html |
| 95 | |
| 96 <details> | |
| 97 <summary>Contents:</summary> | |
| 95 | 98 |
| 96 .. contents:: | 99 .. contents:: |
| 97 :local: | 100 :local: |
| 98 | 101 |
| 102 .. raw:: html | |
| 103 | |
| 104 </details> | |
| 105 | |
| 99 .. index:: Upgrading; 2.4.0 to 2.5.0 | 106 .. index:: Upgrading; 2.4.0 to 2.5.0 |
| 100 | 107 |
| 101 Migrating from 2.4.0 to 2.5.0 | 108 Migrating from 2.4.0 to 2.5.0 |
| 102 ============================= | 109 ============================= |
| 110 | |
| 111 .. _CVE-2025-pending: | |
| 112 | |
| 113 XSS security issue with devel and responsive templates (required) | |
| 114 ----------------------------------------------------------------- | |
| 115 | |
| 116 The devel and responsive templates prior to Roundup 2.5 used this | |
| 117 construct:: | |
| 118 | |
| 119 tal:content="structure context/MUMBLE/plain" | |
| 120 | |
| 121 Where ``MUMBLE`` is a property of your issues (e.g. title). | |
| 122 | |
| 123 This construct allows a URL with a carefully crafted query parameter | |
| 124 to execute arbitrary JavaScript. | |
| 125 | |
| 126 You should check all your trackers. The classic template has not used | |
| 127 this construct since at least 2009, but your tracker's templates may | |
| 128 use the offending construct anyway. | |
| 129 | |
| 130 This fix will apply if your tracker is based on the responsive or | |
| 131 devel template. Check the TEMPLATE-INFO.txt file in your tracker | |
| 132 home. The template name is the first component of the ``Name`` | |
| 133 field. For example a Name like:: | |
| 134 | |
| 135 Name: responsive-bugtracker | |
| 136 | |
| 137 Name: devel-bugtracker | |
| 138 | |
| 139 shows that tracker is based on the responsive or devel templates. | |
| 140 | |
| 141 .. _cve-2025-pending-fixed: | |
| 142 | |
| 143 To fix this, remove the ``structure`` declaration when it is used with | |
| 144 a plain representation. So fixing the code by replacing the example | |
| 145 above with:: | |
| 146 | |
| 147 tal:content="context/MUMBLE/plain" | |
| 148 | |
| 149 prevents the attack. | |
| 150 | |
| 151 To check for this issue, search for ``structure`` followed by | |
| 152 ``/plain`` in all your html templates. If you are on a Linux/Unix | |
| 153 system you can search the html subdirectory of your tracker with the | |
| 154 following:: | |
| 155 | |
| 156 grep 'structure.*/plain' *.html | |
| 157 | |
| 158 which should return any lines with issues. | |
| 159 | |
| 160 .. warning:: | |
| 161 | |
| 162 Backup the files in the ``html`` subdirectory of your tracker in case | |
| 163 an edit goes wrong. | |
| 164 | |
| 165 You can fix this issue using the GNU sed command:: | |
| 166 | |
| 167 sed -i.bak -e '/structure.*\/plain/s/structure.//' *.html | |
| 168 | |
| 169 to edit the files in place and remove the structure keyword. It will | |
| 170 create a ``.bak`` file with the original contents of the file. If you | |
| 171 are on windows, some text editors support search and replace using a | |
| 172 regular expression. | |
| 173 | |
| 174 If the construct is split across lines:: | |
| 175 | |
| 176 tal:content="structure | |
| 177 context/MUMBLE/plain" | |
| 178 | |
| 179 the commands above will miss the construct. So you should also search | |
| 180 the html files using ``grep /plain *.html`` and verify that all of the | |
| 181 ``context/MUMBLE/plain`` include ``tal:content`` as in the `fixed | |
| 182 example above <#cve-2025-pending-fixed>`_. Any lines that have | |
| 183 ``context/MUMBLE/plain`` without ``tal:content=`` before it need to be | |
| 184 manually verified/fixed. | |
| 185 | |
| 186 The distributed devel and responsive templates do not split the | |
| 187 construct across lines, but if you changed the files it may be split. | |
| 103 | 188 |
| 104 Deprecation Notices (required) | 189 Deprecation Notices (required) |
| 105 ------------------------------ | 190 ------------------------------ |
| 106 | 191 |
| 107 * Support for SQLite version 2 has been removed in 2.5.0. | 192 * Support for SQLite version 2 has been removed in 2.5.0. |