Merge pull request #27348 from seamuslee001/master

5.65
civicrm · Sep 7, 2023 · 6c20e56 · 6c20e56
2 parents 97c041d + 8ac7112
commit 6c20e56
Show file tree

Hide file tree

Showing 21 changed files with 96 additions and 45 deletions.
diff --git a/CRM/Campaign/Page/DashBoard.php b/CRM/Campaign/Page/DashBoard.php
@@ -318,7 +318,7 @@ public static function getSurveySummary($params = []) {
         $surveysData[$sid]['is_default'] = boolval($surveysData[$sid]['is_default']);
 
         if ($surveysData[$sid]['result_id']) {
-          $resultSet = '<a href= "javascript:displayResultSet( ' . $sid . ',' . "'" . $surveysData[$sid]['title'] . "'" . ', ' . $surveysData[$sid]['result_id'] . ' )" title="' . ts('view result set', ['escape' => 'htmlattribute']) . '">' . ts('Result Set') . '</a>';
+          $resultSet = '<a href= "javascript:displayResultSet( ' . $sid . ', ' . htmlspecialchars(json_encode($surveysData[$sid]['title'])) . ', ' . $surveysData[$sid]['result_id'] . ' )" title="' . ts('view result set', ['escape' => 'htmlattribute']) . '">' . ts('Result Set') . '</a>';
           $surveysData[$sid]['result_id'] = $resultSet;
         }
         else {

diff --git a/CRM/Contact/BAO/Contact.php b/CRM/Contact/BAO/Contact.php
@@ -1130,14 +1130,21 @@ public static function processImageParams(
    * Extract contact id from url for deleting contact image.
    */
   public static function processImage() {
-
     $action = CRM_Utils_Request::retrieve('action', 'String');
+    $pcp = CRM_Utils_Request::retrieve('pcp', 'String');
     $cid = CRM_Utils_Request::retrieve('cid', 'Positive');
     // retrieve contact id in case of Profile context
     $id = CRM_Utils_Request::retrieve('id', 'Positive');
+    $formName = $pcp ? 'CRM_PCP_Form_PCPAccount' : ($cid ? 'CRM_Contact_Form_Contact' : 'CRM_Profile_Form_Edit');
     $cid = $cid ?: $id;
     if ($action & CRM_Core_Action::DELETE) {
       if (CRM_Utils_Request::retrieve('confirmed', 'Boolean')) {
+        // $controller is not used at all but we need the CRM_Core_Controller object as in it's constructor
+        // It retrieves the qfKey from GET or POST and then passes it to CRM_Core_Key::validate the generated key and redirects to a standard error message if fails
+        $controller = new CRM_Core_Controller_Simple($formName, ts('New Contact'), NULL, TRUE, FALSE);
+        if (!CRM_Contact_BAO_Contact::_checkAccess('Contact', 'update', ['id' => $cid], NULL)) {
+          CRM_Utils_System::permissionDenied();
+        }
         CRM_Contact_BAO_Contact::deleteContactImage($cid);
         CRM_Core_Session::setStatus(ts('Contact image deleted successfully'), ts('Image Deleted'), 'success');
         $session = CRM_Core_Session::singleton();
@@ -3311,7 +3318,9 @@ public static function buildOptions($fieldName, $context = NULL, $props = []) {
     switch ($fieldName) {
       case 'contact_sub_type':
         if (!empty($props['contact_type'])) {
-          $params['condition'] = "parent_id = (SELECT id FROM civicrm_contact_type WHERE name='{$props['contact_type']}')";
+          $params['condition'] = CRM_Core_DAO::composeQuery('parent_id = (SELECT id FROM civicrm_contact_type WHERE name = %1)', [
+            1 => [$props['contact_type'], 'String'],
+          ]);
         }
         break;
 

diff --git a/CRM/Contact/Form/Contact.php b/CRM/Contact/Form/Contact.php
@@ -783,14 +783,15 @@ public function buildQuickForm() {
         CRM_Core_Action::DELETE => [
           'name' => ts('Delete Contact Image'),
           'url' => 'civicrm/contact/image',
-          'qs' => 'reset=1&cid=%%id%%&action=delete',
+          'qs' => 'reset=1&cid=%%id%%&action=delete&&qfKey=%%key%%',
           'extra' => 'onclick = "' . htmlspecialchars("if (confirm($deleteExtra)) this.href+='&confirmed=1'; else return false;") . '"',
         ],
       ];
       $deleteURL = CRM_Core_Action::formLink($deleteURL,
         CRM_Core_Action::DELETE,
         [
           'id' => $this->_contactId,
+          'key' => $this->controller->_key,
         ],
         ts('more'),
         FALSE,

diff --git a/CRM/Core/BAO/UFGroup.php b/CRM/Core/BAO/UFGroup.php
@@ -1843,7 +1843,7 @@ public static function buildProfile(
         CRM_Core_Action::DELETE => [
           'name' => ts('Delete Contact Image'),
           'url' => 'civicrm/contact/image',
-          'qs' => 'reset=1&id=%%id%%&gid=%%gid%%&action=delete',
+          'qs' => 'reset=1&id=%%id%%&gid=%%gid%%&action=delete&qfKey=%%key%%',
           'extra' => 'onclick = "' . htmlspecialchars("if (confirm($deleteExtra)) this.href+='&confirmed=1'; else return false;") . '"',
         ],
       ];
@@ -1852,6 +1852,7 @@ public static function buildProfile(
         [
           'id' => $form->get('id'),
           'gid' => $form->get('gid'),
+          'key' => $form->controller->_key,
         ],
         ts('more'),
         FALSE,

diff --git a/CRM/Core/OptionGroup.php b/CRM/Core/OptionGroup.php
@@ -160,9 +160,12 @@ public static function &values(
       $query .= $condition;
     }
 
-    $query .= " ORDER BY v.{$orderBy}";
+    $query .= " ORDER BY %2";
 
-    $p = [1 => [$name, 'String']];
+    $p = [
+      1 => [$name, 'String'],
+      2 => ['v.' . $orderBy, 'MysqlOrderBy'],
+    ];
     $dao = CRM_Core_DAO::executeQuery($query, $p);
 
     $var = self::valuesCommon($dao, $flip, $grouping, $localize, $labelColumnName);

diff --git a/CRM/Core/PseudoConstant.php b/CRM/Core/PseudoConstant.php
@@ -1534,13 +1534,13 @@ public static function renderOptionsFromTablePseudoconstant($pseudoconstant, &$p
       $wheres[] = '(domain_id = ' . CRM_Core_Config::domainID() . ' OR  domain_id is NULL)';
     }
     $queryParams = [
-      1 => [$params['keyColumn'], 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES],
-      2 => [$params['labelColumn'], 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES],
-      3 => [$pseudoconstant['table'], 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES],
+      1 => [$params['keyColumn'], 'MysqlColumnNameOrAlias'],
+      2 => [$params['labelColumn'], 'MysqlColumnNameOrAlias'],
+      3 => [$pseudoconstant['table'], 'MysqlColumnNameOrAlias'],
     ];
     // Add orderColumn param
     if (!empty($params['orderColumn'])) {
-      $queryParams[4] = [$params['orderColumn'], 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES];
+      $queryParams[4] = [$params['orderColumn'], 'MysqlOrderBy'];
       $order = 'ORDER BY %4';
     }
     // Support no sorting if $params[orderColumn] is FALSE

diff --git a/CRM/Event/BAO/Event.php b/CRM/Event/BAO/Event.php
@@ -183,7 +183,7 @@ public static function self_hook_civicrm_pre(\Civi\Core\Event\PreEvent $event) {
       foreach ($groupTree as $values) {
         $query = "DELETE FROM %1 WHERE entity_id = %2";
         CRM_Core_DAO::executeQuery($query, [
-          1 => [$values['table_name'], 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES],
+          1 => [$values['table_name'], 'MysqlColumnNameOrAlias'],
           2 => [$event->id, 'Integer'],
         ]);
       }

diff --git a/CRM/PCP/Form/PCPAccount.php b/CRM/PCP/Form/PCPAccount.php
@@ -125,14 +125,15 @@ public function setDefaultValues() {
           CRM_Core_Action::DELETE => [
             'name' => ts('Delete Contact Image'),
             'url' => 'civicrm/contact/image',
-            'qs' => 'reset=1&cid=' . $this->_contactID . '&action=delete',
+            'qs' => 'reset=1&cid=%%id%%&action=delete&qfKey=%%key%%&pcp=1',
             'extra' => 'onclick = "' . htmlspecialchars("if (confirm($deleteExtra)) this.href+='&confirmed=1'; else return false;") . '"',
           ],
         ];
         $deleteURL = CRM_Core_Action::formLink($deleteURL,
           CRM_Core_Action::DELETE,
           [
             'id' => $this->_contactID,
+            'key' => $this->controller->_key,
           ],
           ts('more'),
           FALSE,

diff --git a/CRM/Utils/System.php b/CRM/Utils/System.php
@@ -472,7 +472,7 @@ public static function crmURL($params) {
   public static function setTitle($title, $pageTitle = NULL) {
     self::$title = $title;
     $config = CRM_Core_Config::singleton();
-    return $config->userSystem->setTitle($title, $pageTitle);
+    return $config->userSystem->setTitle(CRM_Utils_String::purifyHtml($title), CRM_Utils_String::purifyHtml($pageTitle));
   }
 
   /**

diff --git a/api/v3/Activity.php b/api/v3/Activity.php
@@ -443,15 +443,15 @@ function _civicrm_api3_activity_get_formatResult($params, $activities, $options)
 
       case 'file_id':
         $dao = CRM_Core_DAO::executeQuery("SELECT entity_id, file_id FROM civicrm_entity_file WHERE entity_table = 'civicrm_activity' AND entity_id IN (%1)",
-          [1 => [implode(',', array_keys($activities)), 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES]]);
+          [1 => [implode(',', array_keys($activities)), 'CommaSeparatedIntegers']]);
         while ($dao->fetch()) {
           $activities[$dao->entity_id]['file_id'][] = $dao->file_id;
         }
         break;
 
       case 'case_id':
         $dao = CRM_Core_DAO::executeQuery("SELECT activity_id, case_id FROM civicrm_case_activity WHERE activity_id IN (%1)",
-          [1 => [implode(',', array_keys($activities)), 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES]]);
+          [1 => [implode(',', array_keys($activities)), 'CommaSeparatedIntegers']]);
         while ($dao->fetch()) {
           $activities[$dao->activity_id]['case_id'][] = $dao->case_id;
           $caseIds[$dao->case_id] = $dao->case_id;

diff --git a/api/v3/Case.php b/api/v3/Case.php
@@ -649,7 +649,7 @@ function _civicrm_api3_case_read(&$cases, $options) {
   // Bulk-load activities
   if (!empty($options['return']['activities'])) {
     $query = "SELECT case_id, activity_id FROM civicrm_case_activity WHERE case_id IN (%1)";
-    $params = [1 => [implode(',', array_keys($cases)), 'String', CRM_Core_DAO::QUERY_FORMAT_NO_QUOTES]];
+    $params = [1 => [implode(',', array_keys($cases)), 'CommaSeparatedIntegers']];
     $dao = CRM_Core_DAO::executeQuery($query, $params);
     while ($dao->fetch()) {
       $cases[$dao->case_id]['activities'][] = $dao->activity_id;

diff --git a/composer.json b/composer.json
@@ -235,7 +235,7 @@
         "url": "https://github.com/civicrm/jqueryui/archive/1.13.2-civicrm.zip"
       },
       "jquery-validation": {
-        "url": "https://github.com/jquery-validation/jquery-validation/archive/1.19.3.zip",
+        "url": "https://github.com/jquery-validation/jquery-validation/archive/1.19.5.zip",
         "ignore": [".*", "node_modules", "bower_components", "test", "demo", "lib"]
       },
       "json-formatter": {

diff --git a/composer.lock b/composer.lock
diff --git a/js/Common.js b/js/Common.js
@@ -544,8 +544,8 @@ if (!CRM.vars) CRM.vars = {};
     }
     var markup = '<div class="crm-entityref-links crm-entityref-links-static">';
     _.each(staticItems, function(link) {
-      markup += ' <a class="crm-hover-button" href="#' + link.id + '">' +
-        '<i class="crm-i ' + link.icon + '" aria-hidden="true"></i> ' +
+      markup += ' <a class="crm-hover-button" href="#' + _.escape(link.id) + '">' +
+        '<i class="crm-i ' + _.escape(link.icon) + '" aria-hidden="true"></i> ' +
         _.escape(link.label) + '</a>';
     });
     markup += '</div>';
@@ -604,7 +604,7 @@ if (!CRM.vars) CRM.vars = {};
           }
         },
         formatInputTooShort: function() {
-          var txt = $.fn.select2.defaults.formatInputTooShort.call(this);
+          var txt = _.escape($.fn.select2.defaults.formatInputTooShort.call(this));
           txt += getStaticOptionMarkup(staticItems);
           return txt;
         }
@@ -745,12 +745,12 @@ if (!CRM.vars) CRM.vars = {};
       }
       else {
         selectParams.formatInputTooShort = function() {
-          var txt = $el.data('select-params').formatInputTooShort || $.fn.select2.defaults.formatInputTooShort.call(this);
+          var txt = _.escape($el.data('select-params').formatInputTooShort || $.fn.select2.defaults.formatInputTooShort.call(this));
           txt += entityRefFiltersMarkup($el) + renderEntityRefCreateLinks($el);
           return txt;
         };
         selectParams.formatNoMatches = function() {
-          var txt = $el.data('select-params').formatNoMatches || $.fn.select2.defaults.formatNoMatches;
+          var txt = _.escape($el.data('select-params').formatNoMatches || $.fn.select2.defaults.formatNoMatches);
           txt += entityRefFiltersMarkup($el) + renderEntityRefCreateLinks($el);
           return txt;
         };
@@ -844,14 +844,14 @@ if (!CRM.vars) CRM.vars = {};
   CRM.utils.formatSelect2Result = function (row) {
     var markup = '<div class="crm-select2-row">';
     if (row.image !== undefined) {
-      markup += '<div class="crm-select2-image"><img src="' + row.image + '"/></div>';
+      markup += '<div class="crm-select2-image"><img src="' + _.escape(row.image) + '"/></div>';
     }
     else if (row.icon_class) {
-      markup += '<div class="crm-select2-icon"><div class="crm-icon ' + row.icon_class + '-icon"></div></div>';
+      markup += '<div class="crm-select2-icon"><div class="crm-icon ' + _.escape(row.icon_class) + '-icon"></div></div>';
     }
-    markup += '<div><div class="crm-select2-row-label '+(row.label_class || '')+'">' +
-      (row.color ? '<span class="crm-select-item-color" style="background-color: ' + row.color + '"></span> ' : '') +
-      (row.icon ? '<i class="crm-i ' + row.icon + '" aria-hidden="true"></i> ' : '') +
+    markup += '<div><div class="crm-select2-row-label ' + _.escape(row.label_class || '') + '">' +
+      (row.color ? '<span class="crm-select-item-color" style="background-color: ' + _.escape(row.color) + '"></span> ' : '') +
+      (row.icon ? '<i class="crm-i ' + _.escape(row.icon) + '" aria-hidden="true"></i> ' : '') +
       _.escape((row.prefix !== undefined ? row.prefix + ' ' : '') + row.label + (row.suffix !== undefined ? ' ' + row.suffix : '')) +
       '</div>' +
       '<div class="crm-select2-row-description">';
@@ -863,7 +863,7 @@ if (!CRM.vars) CRM.vars = {};
   };
 
   function formatEntityRefSelection(row) {
-    return (row.color ? '<span class="crm-select-item-color" style="background-color: ' + row.color + '"></span> ' : '') +
+    return (row.color ? '<span class="crm-select-item-color" style="background-color: ' + _.escape(row.color) + '"></span> ' : '') +
       _.escape((row.prefix !== undefined ? row.prefix + ' ' : '') + row.label + (row.suffix !== undefined ? ' ' + row.suffix : ''));
   }
 
@@ -893,8 +893,8 @@ if (!CRM.vars) CRM.vars = {};
       }
     }
     _.each(createLinks, function(link) {
-      markup += ' <a class="crm-add-entity crm-hover-button" href="' + link.url + '">' +
-        '<i class="crm-i ' + (link.icon || 'fa-plus-circle') + '" aria-hidden="true"></i> ' +
+      markup += ' <a class="crm-add-entity crm-hover-button" href="' + _.escape(link.url) + '">' +
+        '<i class="crm-i ' + _.escape(link.icon || 'fa-plus-circle') + '" aria-hidden="true"></i> ' +
         _.escape(link.label) + '</a>';
     });
     markup += '</div>';

diff --git a/release-notes/5.65.0.md b/release-notes/5.65.0.md
@@ -3,6 +3,7 @@
 Released September 6, 2023
 
 - **[Synopsis](#synopsis)**
+- **[Security advisories](#security)**
 - **[Features](#features)**
 - **[Bugs resolved](#bugs)**
 - **[Miscellany](#misc)**
@@ -20,6 +21,19 @@ Released September 6, 2023
 | **Fix problems installing or upgrading to a previous version?** | **yes** |
 | **Introduce features?**                                         | **yes** |
 | **Fix bugs?**                                                   | **yes** |
+| **Fix security vulnerabilities?**                               | **yes** |
+
+## <a name="security"></a>Security advisories
+
+* **[CIVI-SA-2023-07](https://civicrm.org/advisory/civi-sa-2023-07-smarty-math-rce): Smarty Math RCE**
+* **[CIVI-SA-2023-08](https://civicrm.org/advisory/civi-sa-2023-08-kcfinder-xss): KCFinder XSS**
+* **[CIVI-SA-2023-09](https://civicrm.org/advisory/civi-sa-2023-09-getfields-sqli): GetFields SQLI**
+* **[CIVI-SA-2023-10](https://civicrm.org/advisory/civi-sa-2023-10-multiple-potential-sqli): Multiple Potential SQLI**
+* **[CIVI-SA-2023-11](https://civicrm.org/advisory/civi-sa-2023-11-select2-xss): Select2 XSS**
+* **[CIVI-SA-2023-12](https://civicrm.org/advisory/civi-sa-2023-12-jquery-validation-dos): jQuery Validation DoS**
+* **[CIVI-SA-2023-13](https://civicrm.org/advisory/civi-sa-2023-13-survey-xss): Survey XSS**
+* **[CIVI-SA-2023-14](https://civicrm.org/advisory/civi-sa-2023-14-contact-image-csrf): Contact Image CSRF**
+* **[CIVI-SA-2023-15](https://civicrm.org/advisory/civi-sa-2023-15-civievent-xss): CiviEvent XSS**
 
 ## <a name="features"></a>Features
 
@@ -205,8 +219,8 @@ Released September 6, 2023
 - **Change default input format for credit card expiration month to NN
   ([26768](https://github.com/civicrm/civicrm-core/pull/26768))**
 
-  Changes the input format for credit card expiration month to the three letter
-  abbreviation to more closely match whats on the credit card.
+  Changes the input format for credit card expiration month from the three letter
+  abbreviation to the two digit month to more closely match whats on the credit card.
 
 ### CiviMail
 
@@ -795,11 +809,12 @@ Most authors also reviewed code for this release; in addition, the following
 reviewers contributed their comments:
 
 Agileware - Justin Freeman; Australian Greens - John Twyman; Bob Silvern;
-Circle Interactive - Pradeep Nayak; Humanists UK - Andrew West; JMA Consulting -
-Joe Murray, Monish Deb; Korlon - Stuart Gaston; Megaphone Technology
-Consulting - Brienne Kordis; Richard Baugh; Richard van Oosterhout; Semper IT -
-Karin Gerritsen; Tadpole Collective - Kevin Cristiano; Third Sector Design -
-William Mortada; xavi-xaloc
+BrightMinded Ltd - Bradley Taylor; Circle Interactive - Pradeep Nayak;
+Humanists UK - Andrew West; JMA Consulting - Joe Murray, Monish Deb; Korlon -
+Stuart Gaston; Megaphone Technology Consulting - Brienne Kordis; Ranjit Pahan;
+Richard Baugh; Richard van Oosterhout; Semper IT - Karin Gerritsen; RIPS
+Technologies - Dennis Brinkrolf; Tadpole Collective - Kevin Cristiano; Third
+Sector Design - William Mortada; Uepal - Jean-Marie Heitz; xavi-xaloc
 
 ## <a name="feedback"></a>Feedback
 

diff --git a/templates/CRM/Event/Form/Selector.tpl b/templates/CRM/Event/Form/Selector.tpl
@@ -40,10 +40,10 @@
             <td>{$form.$cbName.html}</td>
         {/if}
   <td class="crm-participant-contact_type">{$row.contact_type}</td>
-      <td class="crm-participant-sort_name"><a href="{crmURL p='civicrm/contact/view' q="reset=1&cid=`$row.contact_id`"}" title="{ts}View contact record{/ts}">{$row.sort_name}</a></td>
+      <td class="crm-participant-sort_name"><a href="{crmURL p='civicrm/contact/view' q="reset=1&cid=`$row.contact_id`"}" title="{ts}View contact record{/ts}">{$row.sort_name|smarty:nodefaults|purify}</a></td>
     {/if}
 
-    <td class="crm-participant-event_title"><a href="{crmURL p='civicrm/event/info' q="id=`$row.event_id`&reset=1"}" title="{ts}View event info page{/ts}">{$row.event_title}</a>
+    <td class="crm-participant-event_title"><a href="{crmURL p='civicrm/event/info' q="id=`$row.event_id`&reset=1"}" title="{ts}View event info page{/ts}">{$row.event_title|smarty:nodefaults|purify}</a>
         {if !empty($contactId)}<br /><a href="{crmURL p='civicrm/event/search' q="reset=1&force=1&event=`$row.event_id`"}" title="{ts}List participants for this event (all statuses){/ts}">({ts}participants{/ts})</a>{/if}
     </td>
     {assign var="participant_id" value=$row.participant_id}

diff --git a/templates/CRM/Event/Page/ManageEvent.tpl b/templates/CRM/Event/Page/ManageEvent.tpl
@@ -55,7 +55,7 @@
           <tr id="event-{$row.id}" class="crm-entity {if NOT $row.is_active} disabled{/if}">
           <td class="crm-event_{$row.id}">
             <a href="{crmURL p='civicrm/event/info' q="id=`$row.id`&reset=1"}"
-               title="{ts}View event info page{/ts}" class="bold">{$row.title}</a>&nbsp;&nbsp;({ts}ID:{/ts} {$row.id})<br/>
+               title="{ts}View event info page{/ts}" class="bold">{$row.title|smarty:nodefaults|purify}</a>&nbsp;&nbsp;({ts}ID:{/ts} {$row.id})<br/>
                <span><b>{$row.repeat}</b></span>
           </td>
           <td class="crm-event-city">{$row.city}</td>

diff --git a/templates/CRM/Report/Form/Event/Income.tpl b/templates/CRM/Report/Form/Event/Income.tpl
@@ -31,7 +31,7 @@
                           {if $keys == 'Title'}
                               <tr>
                                         <th>{$keys}</th>
-                                        <th colspan="3">{$values}</th>
+                                        <th colspan="3">{$values|smarty:nodefaults|purify}</th>
                                     </tr>
                                 {else}
                                     <tr class="{cycle values="odd-row,even-row"} crm-report crm-report_event_summary" id="crm-report_{$eventID}_summary_{$keys}">

diff --git a/templates/CRM/Report/Form/Layout/Table.tpl b/templates/CRM/Report/Form/Layout/Table.tpl
@@ -130,7 +130,7 @@
                                 <span class="nowrap">{$row.$field|crmMoney}</span>
                            {/if}
                         {else}
-                            {$row.$field}
+                            {$row.$field|smarty:nodefaults|purify}
                         {/if}
 
                         {if array_key_exists($fieldLink, $row) && $row.$fieldLink}</a>{/if}