1 files changed, 126 insertions, 0 deletions

diff --git a/rt/t/security/CVE-2011-2084-modifyscrips-templates.t b/rt/t/security/CVE-2011-2084-modifyscrips-templates.t
new file mode 100644
index 0000000..f68706e
--- /dev/null
+++ b/rt/t/security/CVE-2011-2084-modifyscrips-templates.t
@@ -0,0 +1,126 @@
+use strict;
+use warnings;
+
+use RT::Test tests => undef;
+
+sub set_fails {
+    my $col  = shift;
+    my $obj  = shift;
+    my $to   = ref $_[0] ? +shift->Id : shift;
+    my $from = $obj->$col;
+    my $meth = "Set$col";
+
+    my ($ok, $msg) = $obj->$meth($to);
+    ok !$ok, "$meth denied: $msg";
+    is $obj->$col, $from, "$col left alone";
+}
+
+sub set_ok {
+    my $col  = shift;
+    my $obj  = shift;
+    my $to   = ref $_[0] ? +shift->Id : shift;
+    my $from = $obj->$col;
+    my $meth = "Set$col";
+
+    my ($ok, $msg) = $obj->$meth($to);
+    ok $ok, "$meth allowed: $msg";
+    is $obj->$col, $to, "$col updated";
+}
+
+my $qa = RT::Test->load_or_create_queue( Name => 'Queue A' );
+my $qb = RT::Test->load_or_create_queue( Name => 'Queue B' );
+ok $qa->id, "created Queue A";
+ok $qb->id, "created Queue B";
+
+my $user = RT::Test->load_or_create_user( Name => 'testuser' );
+my $cu   = RT::CurrentUser->new( $user );
+ok $user->id, "created testuser";
+
+diag "ModifyScrips";
+{
+    my $scrip = RT::Scrip->new( RT->SystemUser );
+    my ($scrip_id, $msg) = $scrip->Create(
+        Description     => 'Testing',
+        Queue           => $qa->Id,
+        ScripCondition  => 'User Defined',
+        ScripAction     => 'User Defined',
+        Template        => 'Blank',
+        CustomIsApplicableCode  => 'if ($self->TicketObj->Subject =~ /fire/) { return (1);} else { return(0)}',
+        CustomPrepareCode       => '1;',
+        CustomCommitCode        => 'warn "scrip fired!";',
+    );
+    ok $scrip_id, $msg;
+
+    RT::Test->set_rights(
+        { Principal => $user, Right => 'ShowScrips' },
+        { Principal => $user, Right => 'ModifyScrips', Object => $qa },
+    );
+
+    $scrip = RT::Scrip->new( $cu );
+    $scrip->Load( $scrip_id );
+    ok $scrip->id, "loaded scrip as test user";
+    is $scrip->Queue, $qa->Id, 'queue is A';
+
+    ok +($scrip->SetName('Testing ModifyScrips'));
+
+    set_fails( Queue => $scrip => $qb );
+    set_fails( Queue => $scrip => 0 );
+    set_fails( Queue => $scrip => undef );
+    set_fails( Queue => $scrip => '' );
+
+    RT::Test->add_rights( Principal => $user, Right => 'ModifyScrips', Object => $qb );
+
+    set_ok( Queue => $scrip => $qb );
+    set_fails( Queue => $scrip => 0 );
+    set_fails( Queue => $scrip => undef );
+    set_fails( Queue => $scrip => '' );
+
+    RT::Test->add_rights( Principal => $user, Right => 'ModifyScrips' );
+
+    set_ok( Queue => $scrip => 0 );
+
+    set_fails( Template => $scrip => 2 );
+
+    RT::Test->add_rights( Principal => $user, Right => 'ShowTemplate' );
+
+    set_ok( Template => $scrip => 2 );
+    is $scrip->TemplateObj->Name, 'Autoreply', 'template name is right';
+}
+
+diag "ModifyTemplate";
+{
+    RT::Test->set_rights(
+        { Principal => $user, Right => 'ShowTemplate' },
+        { Principal => $user, Right => 'ModifyTemplate', Object => $qa },
+    );
+
+    my $template = RT::Template->new( RT->SystemUser );
+    my ($id, $msg) = $template->Create(
+        Queue   => $qa->Id,
+        Name    => 'Testing',
+        Type    => 'Perl',
+        Content => "\n\nThis is a test template.\n",
+    );
+    ok $id, $msg;
+
+    $template = RT::Template->new( $cu );
+    $template->Load( $id );
+    ok $template->id, "loaded template as test user";
+    is $template->Queue, $qa->Id, 'queue is A';
+
+    ok +($template->SetName('Testing ModifyTemplate'));
+
+    set_fails( Queue => $template => $qb );
+    set_fails( Queue => $template => 0 );
+
+    RT::Test->add_rights( Principal => $user, Right => 'ModifyTemplate', Object => $qb );
+
+    set_ok( Queue => $template => $qb );
+    set_fails( Queue => $template => 0 );
+
+    RT::Test->add_rights( Principal => $user, Right => 'ModifyTemplate' );
+
+    set_ok( Queue => $template => 0 );
+}
+
+done_testing;