authorIvan Kohler <ivan@freeside.biz>2014-09-15 20:44:48 -0700
committerIvan Kohler <ivan@freeside.biz>2014-09-15 20:44:48 -0700
commited1f84b4e8f626245995ecda5afcf83092c153b2 (patch)
tree3f58bbef5fbf2502e65d29b37b5dbe537519e89d /rt/t/security/CVE-2011-2083-cf-urls.t
parentfe9ea9183e8a16616d6d04a7b5c7498d28e78248 (diff)
RT 4.0.22
Diffstat (limited to 'rt/t/security/CVE-2011-2083-cf-urls.t')
-rw-r--r--rt/t/security/CVE-2011-2083-cf-urls.t48
1 files changed, 48 insertions, 0 deletions
diff --git a/rt/t/security/CVE-2011-2083-cf-urls.t b/rt/t/security/CVE-2011-2083-cf-urls.t
new file mode 100644
index 000000000..b1e1f3b0f
--- /dev/null
+++ b/rt/t/security/CVE-2011-2083-cf-urls.t
@@ -0,0 +1,48 @@
+use strict;
+use warnings;
+
+use RT::Test tests => undef;
+
+my ($base, $m) = RT::Test->started_ok;
+
+my $link = RT::Test->load_or_create_custom_field(
+ Name => 'link',
+ Type => 'Freeform',
+ MaxValues => 1,
+ Queue => 0,
+ LinkValueTo => '__CustomField__',
+);
+
+my $include = RT::Test->load_or_create_custom_field(
+ Name => 'include',
+ Type => 'Freeform',
+ MaxValues => 1,
+ Queue => 0,
+ IncludeContentForValue => '__CustomField__',
+);
+
+my $data_uri = 'data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+';
+my $xss = q{')-eval(decodeURI('alert("xss")'))-('};
+
+my $ticket = RT::Ticket->new(RT->SystemUser);
+$ticket->Create(
+ Queue => 'General',
+ Subject => 'ticket A',
+ 'CustomField-'.$link->id => $data_uri,
+ 'CustomField-'.$include->id => $xss,
+);
+ok $ticket->Id, 'created ticket';
+
+ok $m->login('root', 'password'), "logged in";
+$m->get_ok($base . "/Ticket/Display.html?id=" . $ticket->id);
+
+# look for lack of link to data:text/html;base64,...
+ok !$m->find_link(text => $data_uri), "no data: link";
+ok !$m->find_link(url => $data_uri), "no data: link";
+
+# look for unescaped JS
+$m->content_lacks($xss, 'escaped js');
+
+$m->warning_like(qr/Potentially dangerous URL type/, "found warning about dangerous link");
+undef $m;
+done_testing;
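Review bot: The new test file has no comment saying what regression it guards; a reader has only the CVE number in the filename and the three checks at the end to work out that a data: URI stored in the LinkValueTo custom field must not be rendered as a link, that the value stored in the IncludeContentForValue field must appear escaped, and that RT is expected to log the "Potentially dangerous URL type" warning. I would add a header after `use warnings;` along the lines of `# Regression test for CVE-2011-2083: custom-field values used as link targets (LinkValueTo) or as included content (IncludeContentForValue) must be escaped on Ticket/Display.html, must not yield a clickable data: link, and should trigger the "Potentially dangerous URL type" warning.` The two find_link assertions both carry the description "no data: link"; giving the url-based one a distinct label such as `"no link with data: URL"` makes a failure easier to attribute. Since content_lacks only tests for the literal payload string, a short comment noting that the escaped form is what is expected on the page would make the intent of that check explicit.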