From c82dd7ca7dd49728dd8c3cd2e0677f9328330fc9 Mon Sep 17 00:00:00 2001
From: Alex Vandiver <alexmv@bestpractical.com>
Date: Mon, 1 Dec 2014 16:58:43 -0500
Subject: [PATCH 1/3] Hide utf8 warnings during attempted decoding

EncodeFromToWithCroak is used to exploratorily attempt to decode unknown
byte strings.  This operation, under Encode::FB_DEFAULT, may generate
warnings -- lots of warnings.  This can lead to denial of service in
some situations.  This vulnerability has been assigned CVE-2014-9472.

Unfortunately, "no warnings 'utf8'" does not work to quiet them until
Encode 2.64; simply skip warnings of this type in the logging handler.
---
 lib/RT.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/RT.pm b/lib/RT.pm
index 063f7f7..ed23952 100644
--- a/lib/RT.pm
+++ b/lib/RT.pm
@@ -321,6 +321,8 @@ sub InitSignalHandlers {
 ## mechanism (see above).
 
     $SIG{__WARN__} = sub {
+        return 'IGNORE' if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;
+
         # The 'wide character' warnings has to be silenced for now, at least
         # until HTML::Mason offers a sane way to process both raw output and
         # unicode strings.
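Review bot: The `'IGNORE'` returned on the added line is never consumed — a `$SIG{__WARN__}` handler's return value is discarded, and the warning is suppressed simply because the handler returns without printing it; `'IGNORE'` is only meaningful as a value assigned into `%SIG` for real signals, so `return if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;` expresses the same thing without implying a disposition that does not exist. Because the guard reads as an unexplained special case, the reason from the commit message belongs in the code, e.g. `# Encode::FB_DEFAULT emits this for every non-Unicode code point and "no warnings 'utf8'" does not silence it before Encode 2.64; drop it here so exploratory decoding cannot flood the log.` Anchoring with `\A` instead of `^` would make the start-of-string intent explicit, although the two are equivalent without /m. The enclosing `$SIG{__WARN__}` sub and InitSignalHandlers both begin before and end after the hunk.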
-- 
2.2.2


From 3083849b807974d155ebb63b313c3508008d19fb Mon Sep 17 00:00:00 2001
From: Alex Vandiver <alexmv@bestpractical.com>
Date: Fri, 30 Jan 2015 15:03:16 -0500
Subject: [PATCH 2/3] Prevent text content from being interpreted as HTML by
 RSS clients

The ->Content method is used to obtain the data to use in the RSS
<description> tag.  However, most RSS feed readers display the contents
of the <description> tag using a HTML rendering engine; this allows
textual content to be mistakenly rendered as HTML.  This specifically
includes links, which RSS readers may not hide the "Referer" header of,
exposing the RSS feed URL and thus allowing for information disclosure.
This vulnerability has been assigned CVE-2015-1165.

Escape the textual content so that it is not interpreted as HTML by RSS
readers.  This is superior to requesting ->Content( Type => "text/html" )
because it is guaranteed to not contain links, and thus not suffer from
the above Referer disclosure.
---
 share/html/Search/Elements/ResultsRSSView | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
index 5033c8c..2419787 100644
--- a/share/html/Search/Elements/ResultsRSSView
+++ b/share/html/Search/Elements/ResultsRSSView
@@ -121,10 +121,17 @@ $r->content_type('application/rss+xml');
     while ( my $Ticket = $Tickets->Next()) {
         my $creator_str = $m->scomp('/Elements/ShowUser', User => $Ticket->CreatorObj);
         $creator_str =~ s/[\r\n]//g;
+
+        # Get the plain-text content; it is interpreted as HTML by RSS
+        # readers, so it must be escaped (and is escaped _again_ when
+        # inserted into the XML).
+        my $content = $Ticket->Transactions->First->Content;
+        $content = $m->interp->apply_escapes( $content, 'h');
+
         $rss->add_item(
           title       =>  $Ticket->Subject || loc('No Subject'),
           link        => RT->Config->Get('WebURL')."Ticket/Display.html?id=".$Ticket->id,
-          description => $Ticket->Transactions->First->Content,
+          description => $content,
           dc          => { creator => $creator_str,
                            date => $Ticket->CreatedObj->RFC2822,
                          },
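Review bot: The new `$content` lines assume `$Ticket->Transactions->First->Content` returns a defined string; if `->Content` yields undef for a transaction without a body, `apply_escapes` is handed undef and the feed would at best carry an uninitialized-value warning (the risk is inherited from the removed `description` line, but the rewrite is the natural place to close it). A defined-or default would do, `my $content = $m->interp->apply_escapes( $Ticket->Transactions->First->Content // '', 'h');`, assuming this file already runs on a Perl with `//`, which the hunk does not show; `First` returning undef would still die, as before. `title => $Ticket->Subject` on the next line is still passed through only the XML-level escaping the new comment mentions; whether readers render `<title>` as HTML is reader-dependent, so it is worth confirming rather than assuming it is safe. The `while` loop and the `$rss->add_item(` call both continue outside the hunk.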
-- 
2.2.2
