From 705d3fd8b255448d56903999d08e95224b10e4b2 Mon Sep 17 00:00:00 2001
From: Alex Vandiver <alexmv@bestpractical.com>
Date: Mon, 2 Feb 2015 12:24:56 -0500
Subject: [PATCH 3/3] Never place the temporary current user in the session

Setting $session{'CurrentUser'} to a different user opens a window
wherein if the request can be aborted, the client will be left with a
session for the other user.  This allows escalation from knowing an RSS
feed link (which is generally just information disclosure) into full
login privileges, which may allow for arbitrary execution of code.  This
vulnerability has been assigned CVE-2015-1464.
---
 share/html/Search/Elements/ResultsRSSView | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
index 2419787..4a3dddd 100644
--- a/share/html/Search/Elements/ResultsRSSView
+++ b/share/html/Search/Elements/ResultsRSSView
@@ -48,7 +48,7 @@
 <%INIT>
 use Encode ();
 
-my $old_current_user;
+my $current_user = $session{CurrentUser};
 
 if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
     my $path = $m->dhandler_arg;
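Review bot: The new `my $current_user = $session{CurrentUser};` spells the hash key as a bareword, while the lines this patch removes (and the rest of the component, as far as the hunks show) write `$session{'CurrentUser'}`. Both are valid Perl, but a single spelling keeps a grep for reads and writes of that session key reliable, which is exactly the audit this fix depends on. Suggest `my $current_user = $session{'CurrentUser'};`.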
@@ -78,13 +78,11 @@ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
       unless $user->ValidateAuthString( $auth,
               $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
 
-    $old_current_user = $session{'CurrentUser'};
-    my $cu               = RT::CurrentUser->new;
-    $cu->Load($user);
-    $session{'CurrentUser'} = $cu;
+    $current_user = RT::CurrentUser->new;
+    $current_user->Load($user);
 }
 
-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
+my $Tickets = RT::Tickets->new($current_user);
 $Tickets->FromSQL($ARGS{'Query'});
 if ($OrderBy =~ /\|/) {
     # Multiple Sorts
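Review bot: The return value of `$current_user->Load($user)` is not checked, so if the load fails the search in `RT::Tickets->new($current_user)` presumably runs as an unloaded RT::CurrentUser instead of the feed owner. The `ValidateAuthString` check just above makes that unlikely, but a lexical that silently becomes an object with no id is easy to overlook later; suggest `$current_user->Load($user) or $m->abort;`, or whatever error path the component already uses for a bad auth string (the statement ending in `unless $user->ValidateAuthString(...)` begins outside this hunk, so I cannot see it). A short why-comment above the assignment would also protect the fix from being undone, e.g. `# Keep the feed owner in a lexical only; writing it to $session would persist if the request aborts (CVE-2015-1464).`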
@@ -140,7 +138,6 @@ $r->content_type('application/rss+xml');
     }
 
 $m->out($rss->as_string);
-$session{'CurrentUser'} = $old_current_user if $old_current_user;
 $m->abort();
 </%INIT>
 <%ARGS>
-- 
2.2.2

