X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;ds=sidebyside;f=rt%2Flib%2FRT%2FObjectCustomFieldValue_Overlay.pm;h=18db8bfb49b49475d518bf1b15b1991d29a61fb6;hb=d32f4c43b0fde5c18b8c2ee8f3d4cb9c6861a403;hp=37ad0567b8835ed87f5ae5200daca91f13c838b3;hpb=b4b0c7e72d7eaee2fbfc7022022c9698323203dd;p=freeside.git
diff --git a/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm b/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
index 37ad0567b..18db8bfb4 100644
--- a/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
+++ b/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
@@ -1,40 +1,40 @@ # BEGIN BPS TAGGED BLOCK {{{ -# +# # COPYRIGHT: -# -# This software is Copyright (c) 1996-2009 Best Practical Solutions, LLC -# -# +# +# This software is Copyright (c) 1996-2013 Best Practical Solutions, LLC +# +# # (Except where explicitly superseded by other copyright notices) -# -# +# +# # LICENSE: -# +# # This work is made available to you under the terms of Version 2 of # the GNU General Public License. A copy of that license should have # been provided with this software, but in any event can be snarfed # from www.gnu.org. -# +# # This work is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. -# +# # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA # 02110-1301 or visit their web page on the internet at # http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. -# -# +# +# # CONTRIBUTION SUBMISSION POLICY: -# +# # (The following paragraph is not intended to limit the rights granted # to you to modify and distribute this software under the terms of # the GNU General Public License and is only of importance to you if # you choose to contribute your changes and enhancements to the # community by submitting them to Best Practical Solutions, LLC.) -# +# # By intentionally submitting any modifications, corrections or # derivatives to this work, or any other work intended for use with # Request Tracker, to Best Practical Solutions, LLC, you confirm that @@ -43,7 +43,7 @@ # royalty-free, perpetual, license to use, copy, create derivative # works based on those contributions, and sublicense and distribute # those contributions and any derivatives thereof. -# +# # END BPS TAGGED BLOCK }}} package RT::ObjectCustomFieldValue; 
@@ -150,6 +150,20 @@ sub LoadByObjectContentAndCustomField {
 );
 }
+=head2 CustomFieldObj
+
+Returns the CustomField Object which has the id returned by CustomField
+
+=cut
+
+sub CustomFieldObj {
+ my $self = shift;
+ my $CustomField = RT::CustomField->new( $self->CurrentUser );
+ $CustomField->SetContextObject( $self->Object );
+ $CustomField->Load( $self->__Value('CustomField') );
+ return $CustomField;
+}
+
 =head2 Content
@@ -161,6 +175,9 @@ content, try "LargeContent"
 sub Content {
 my $self = shift;
 my $content = $self->SUPER::Content;
+
+ return undef unless $self->CustomFieldObj->CurrentUserHasRight('SeeCustomField');
+
 if ( !(defined $content && length $content) && $self->ContentType && $self->ContentType eq 'text/plain' ) {
 return $self->LargeContent;
 } else {
@@ -234,6 +251,23 @@ sub _FillInTemplateURL {
 my $self = shift;
 my $url = shift;
+ return undef unless defined $url && length $url;
+
+ # special case, whole value should be an URL
+ if ( $url =~ /^__CustomField__/ ) {
+ my $value = $self->Content;
+ # protect from potentially malicious URLs
+ if ( $value =~ /^\s*(?:javascript|data):/i ) {
+ my $object = $self->Object;
+ $RT::Logger->error(
+ "Potentially dangerous URL type in custom field '". $self->CustomFieldObj->Name ."'"
+ ." on ". ref($object) ." #". $object->id
+ );
+ return undef;
+ }
+ $url =~ s/^__CustomField__/$value/;
+ }
+
 # default value, uri-escape
 for my $key (keys %placeholders) {
 $url =~ s{__${key}__}{
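Review bot: The result of `$CustomField->Load( $self->__Value('CustomField') )` in CustomFieldObj is discarded, so an unresolvable CustomField id hands back an unloaded object that the new Content guard then asks for rights and that _FillInTemplateURL asks for its Name; whether CurrentUserHasRight on an unloaded object fails closed cannot be seen from this hunk. Logging the miss would make such a state visible, e.g. `$CustomField->Load( $self->__Value('CustomField') ) or $RT::Logger->warning("Couldn't load CustomField #" . $self->__Value('CustomField'));`. The POD should also say that the id is read with `__Value`, i.e. without the per-column ACL, which is intentional because this object is the basis for the ACL check itself, and that a fresh RT::CustomField is constructed and loaded on every call.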
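Review bot: The SeeCustomField check in Content runs after `$self->SUPER::Content` has already fetched the value; moving `return undef unless $self->CustomFieldObj->CurrentUserHasRight('SeeCustomField');` above `my $content = $self->SUPER::Content;` keeps the object from reading data it is about to refuse to return and makes the guard the first thing a reader sees. The guard covers only this accessor: the else-branch below returns `$self->LargeContent`, and if LargeContent is also reachable directly by callers it needs the same check, otherwise the right is enforced on one read path only; that accessor is outside the hunk. A comment such as `# ACL: hide the value unless the current user may see this custom field` would make the intent of the early return explicit. Content's body continues past the end of the hunk.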
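Review bot: In _FillInTemplateURL, `$value` from `$self->Content` can be undef — Content now returns undef when the user lacks SeeCustomField, and it may be empty anyway — so the regex test warns under `use warnings` and `s/^__CustomField__/$value/` then substitutes an empty string, leaving a URL made of whatever followed the placeholder; add `return undef unless defined $value && length $value;` before the scheme check. The check itself is a denylist of two scheme names; comparing the parsed scheme against an allowlist of the schemes the templates are expected to carry (e.g. http, https, mailto) is the more robust shape and does not need extending as new scheme names appear. The error log entry and the undef return are otherwise a reasonable fail-closed path, and the comment `# protect from potentially malicious URLs` could name the right being protected (`# a custom field value must not become a script-bearing link`) so the next maintainer keeps the check when restructuring.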