CVE-2023-30607: Do not perform deletion before user input is validated in `FieldConfi… · Icinga/icingaweb2-module-jira@7f0c53b
icingaweb2-module-jira provides integration with Atlassian Jira. Starting in version 1.3.0 and prior to version 1.3.2, template and field configuration forms perform the deletion action before user input is validated, including the cross-site request forgery token. This issue is fixed in version 1.3.2. There are no known workarounds.
Expand Up @@ -31,9 +31,6 @@ class FieldConfigForm extends CompatForm /** @var string */ protected $templateName;
/** @var bool Hack used for delete button */ protected $callOnSuccess;
/** @var string */ protected $fieldId;
Expand All @@ -47,8 +44,9 @@ public function __construct(RestApi $jira, string $templateName, $fieldId = null $this->templateName = $templateName;
if ($fieldId !== null) { // obtain field key in case the fieldId is field label if (! array_key_exists($fieldId, $this->fields)) { $this->fieldId = array_search($fieldId, $this->fields); $this->fieldId = array_search($fieldId, $this->fields) ?: $fieldId; } else { $this->fieldId = $fieldId; } Expand Down Expand Up @@ -118,6 +116,7 @@ protected function assemble() ‘Callback’ => function ($value, $validator) { /** @var CallbackValidator $validator */ $templateFieldKeys = $this->templateConfig->getSection($this->templateName)->keys();
$selected = $this->fields[$value];
if ( Expand Down Expand Up @@ -337,23 +336,31 @@ protected function assemble() $this->getElement(‘submit’) ->getWrapper() ->prepend($deleteButton); } }
if ($deleteButton->hasBeenPressed()) { $templateFields = $this->templateConfig->getSection($this->templateName)->toArray();
$field = isset($templateFields[$this->fieldId]) ? $this->fieldId : $this->fields[$this->fieldId];
unset($templateFields[$field]); public function hasBeenSubmitted() { if ($this->getPressedSubmitElement() !== null && $this->getPressedSubmitElement()->getName() === ‘delete’) { return true; }
$this->templateConfig->setSection($this->templateName, $templateFields); $this->templateConfig->saveIni(); $this->getSubmitButton()->setValue($this->getSubmitButton()->getButtonLabel()); return parent::hasBeenSubmitted(); }
$this->callOnSuccess = false; public function isValid() { if ($this->getPressedSubmitElement()->getName() === ‘delete’) { $csrfElement = $this->getElement(‘CSRFToken’);
return; if (! $csrfElement->isValid()) { return false; }
return true; }
return parent::isValid(); }
/** Expand All @@ -375,8 +382,15 @@ public function optionalEnum($enum, $nullLabel = null)
public function onSuccess() { if ($this->callOnSuccess === false) { $this->getPressedSubmitElement()->setValue($this->getElement(‘delete’)->getLabel()); if ($this->getPressedSubmitElement()->getName() === ‘delete’) { $templateFields = $this->templateConfig->getSection($this->templateName)->toArray();
$field = isset($templateFields[$this->fieldId]) ? $this->fieldId : $this->fields[$this->fieldId];
unset($templateFields[$field]);
$this->templateConfig->setSection($this->templateName, $templateFields); $this->templateConfig->saveIni();
return; } Expand Down
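Review bot: The new `isValid()` (hunk at -337) calls `->getName()` directly on `getPressedSubmitElement()` without the `!== null` guard that the new `hasBeenSubmitted()` applies to the very same call, so a validation pass with no pressed submit element fails on a null method call instead of falling through to `parent::isValid()`. Hoisting the lookup keeps the delete path's CSRF-only check intact: `$pressed = $this->getPressedSubmitElement();` followed by `if ($pressed !== null && $pressed->getName() === 'delete') {`. `onSuccess()` in this hunk makes the same unguarded call before the deletion runs, and the enclosing method continues past the visible lines. If the `CSRFToken` element can ever be absent from this form, `$csrfElement->isValid()` has the same exposure; presumably the base form always adds it, which is worth confirming.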