From 3cf7c3ef441822c889356fd1812ebf2944a59851 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Tue, 25 Aug 2020 10:45:55 +0100
Subject: gentoo resync : 25.08.2020
---
 .../files/zabbix-3.0.31-fix-cve-2020-15803.patch | 83 ++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 net-analyzer/zabbix/files/zabbix-3.0.31-fix-cve-2020-15803.patch
(limited to 'net-analyzer/zabbix/files')
diff --git a/net-analyzer/zabbix/files/zabbix-3.0.31-fix-cve-2020-15803.patch b/net-analyzer/zabbix/files/zabbix-3.0.31-fix-cve-2020-15803.patch
new file mode 100644
index 000000000000..0cca60315581
--- /dev/null
+++ b/net-analyzer/zabbix/files/zabbix-3.0.31-fix-cve-2020-15803.patch
@@ -0,0 +1,83 @@
+diff --git a/frontends/php/include/classes/screens/CScreenUrl.php b/frontends/php/include/classes/screens/CScreenUrl.php
+index e35c5f1..1df396e 100644
+--- a/frontends/php/include/classes/screens/CScreenUrl.php
++++ b/frontends/php/include/classes/screens/CScreenUrl.php
+@@ -29,18 +29,10 @@ class CScreenUrl extends CScreenBase {
+ public function get() {
+ // prevent from resolving macros in configuration page
+ if ($this->mode != SCREEN_MODE_PREVIEW && $this->mode != SCREEN_MODE_SLIDESHOW) {
+- return $this->getOutput(
+- CHtmlUrlValidator::validate($this->screenitem['url'], false)
+- ? new CIFrame($this->screenitem['url'], $this->screenitem['width'], $this->screenitem['height'],
+- 'auto')
+- : makeMessageBox(false, [[
+- 'type' => 'error',
+- 'message' => _s('Provided URL "%1$s" is invalid.', $this->screenitem['url'])
+- ]]
+- )
+- );
++ return $this->getOutput($this->prepareElement());
+ }
+- elseif ($this->screenitem['dynamic'] == SCREEN_DYNAMIC_ITEM && $this->hostid == 0) {
++
++ if ($this->screenitem['dynamic'] == SCREEN_DYNAMIC_ITEM && $this->hostid == 0) {
+ return $this->getOutput((new CTableInfo())->setNoDataMessage(_('No host selected.')));
+ }
+
+@@ -54,14 +46,28 @@ class CScreenUrl extends CScreenBase {
+
+ $this->screenitem['url'] = $url ? $url : $this->screenitem['url'];
+
+- return $this->getOutput(
+- CHtmlUrlValidator::validate($this->screenitem['url'], false)
+- ? new CIFrame($this->screenitem['url'], $this->screenitem['width'], $this->screenitem['height'], 'auto')
+- : makeMessageBox(false, [[
+- 'type' => 'error',
+- 'message' => _s('Provided URL "%1$s" is invalid.', $this->screenitem['url'])
+- ]]
+- )
+- );
++ return $this->getOutput($this->prepareElement());
++ }
++
++ /**
++ * @return CTag
++ */
++ public function prepareElement() {
++ if (CHtmlUrlValidator::validate($this->screenitem['url'], false)) {
++ $item = new CIFrame($this->screenitem['url'], $this->screenitem['width'], $this->screenitem['height'],
++ 'auto'
++ );
++
++ if (ZBX_IFRAME_SANDBOX !== false) {
++ $item->setAttribute('sandbox', ZBX_IFRAME_SANDBOX);
++ }
++
++ return $item;
++ }
++
++ return makeMessageBox(false, [[
++ 'type' => 'error',
++ 'message' => _s('Provided URL "%1$s" is invalid.', $this->screenitem['url'])
++ ]]);
+ }
+ }
+diff --git a/frontends/php/include/defines.inc.php b/frontends/php/include/defines.inc.php
+index a67a625..c6a437c 100644
+--- a/frontends/php/include/defines.inc.php
++++ b/frontends/php/include/defines.inc.php
+@@ -1284,6 +1284,14 @@ if (function_exists('bcscale')) {
+ bcscale(7);
+ }
+
++/**
++ * The sandbox attribute enables an extra set of restrictions for the content in the iframe. Default is set to empty
++ * string, which means all restrictions are applied. To disable, set to FALSE. To set a specific set of restrictions,
++ * write a custom string.
++ * https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html#attr-iframe-sandbox
++ */
++define('ZBX_IFRAME_SANDBOX', '');
++
+ // HTTP headers
+ /*
+ * Value of HTTP X-Frame-options header.
-- cgit v1.2.3
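Review bot: The `ZBX_IFRAME_SANDBOX` docblock added in the defines.inc.php hunk invites operators to "write a custom string" without saying which values undo the fix: per the HTML sandbox spec a token list containing both `allow-scripts` and `allow-same-origin` lets a same-origin framed document remove its own `sandbox` attribute, and `false` makes `prepareElement()` skip `setAttribute('sandbox', …)` altogether, i.e. the pre-patch behaviour this CVE-2020-15803 backport replaces. I would add to that docblock: ` * WARNING: combining allow-scripts with allow-same-origin lets a same-origin frame escape the sandbox, and FALSE removes the CVE-2020-15803 mitigation entirely.` A second caveat worth stating in the same place is that the default `''` also sandboxes same-origin content, so a Zabbix page embedded through this widget will presumably render without scripts — confirm that is acceptable for existing screens. The `@return CTag` docblock on `prepareElement()` could likewise note that the returned iframe carries the sandbox attribute unless the constant is FALSE, so future callers do not bypass it by building a `CIFrame` directly.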