RT 4.0.22
diff --git a/rt/t/security/CVE-2011-2084-attach-tickets.t b/rt/t/security/CVE-2011-2084-attach-tickets.t
new file mode 100644 (file)
index 0000000..d7352cb
--- /dev/null
@@ -0,0 +1,64 @@
+use strict;
+use warnings;
+
+use RT::Test tests => undef;
+
+my $user = RT::Test->load_or_create_user(
+    Name            => 'user',
+    EmailAddress    => 'user@example.com',
+    Privileged      => 1,
+    Password        => 'password',
+);
+
+ok(
+    RT::Test->set_rights(
+        { Principal => 'Everyone',  Right => [qw/CreateTicket/] },
+        { Principal => 'Requestor', Right => [qw/ShowTicket/] },
+    ),
+    'set rights'
+);
+
+my $secret = "sekrit message";
+
+RT::Test->create_tickets(
+    {},
+    {
+        Subject     => 'ticket A',
+        Requestor   => $user->EmailAddress,
+        Content     => "user's ticket",
+    },
+    {
+        Subject     => 'ticket B',
+        Requestor   => 'root@localhost',
+        Content     => $secret,
+    },
+);
+
+my $ticket_b = RT::Test->last_ticket;
+
+my ($baseurl, $m) = RT::Test->started_ok;
+ok $m->login( 'user', 'password' ), 'logged in as user';
+
+$m->get_ok("$baseurl/Ticket/Display.html?id=" . $ticket_b->id);
+$m->content_contains('No permission');
+$m->warning_like(qr/no permission/i, 'no permission warning');
+
+RT::Test->clean_caught_mails;
+
+# Ticket Create is just one example of where this is vulnerable
+$m->get_ok('/Ticket/Create.html?Queue=1');
+$m->submit_form_ok({
+    form_name   => 'TicketCreate',
+    fields      => {
+        Subject         => 'ticket C',
+        AttachTickets   => $ticket_b->id,
+    },
+}, 'create a ticket');
+
+my @mail = RT::Test->fetch_caught_mails;
+ok @mail, "got some outgoing emails";
+unlike $mail[0], qr/\Q$secret\E/, "doesn't contain ticket user can't see";
+
+undef $m;
+done_testing;
+
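Review bot: The final assertion inspects only `$mail[0]`, so if the ticket-create notifies more than one recipient (the fixture sets up a requestor and a privileged user, so several outgoing messages seem possible) a leak of `$secret` in any later message would go unnoticed. Check every caught message instead: `unlike $_, qr/\Q$secret\E/, "doesn't contain ticket user can't see" for @mail;`. The test also never confirms that ticket C was actually created after `submit_form_ok`, so a submission that silently failed before processing `AttachTickets` would still pass; a `$m->content_like(qr/created/i, 'ticket C created')` after the submit would pin that, though the exact success wording should be confirmed against the template.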