From 2b71ea108a1f8097262abc4928b20259c7aadde2 Mon Sep 17 00:00:00 2001
From: Pierre Goiffon
Date: Tue, 27 Jul 2021 11:36:40 +0200
Subject: [PATCH 1/3] Setup memory_limit check : clearer message
Now the current value is displayed as entered in the PHP conf
And the recommended value is displayed in a friendly format (32M instead of raw bytes value)
---
 setup/setuputils.class.inc.php | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)
diff --git a/setup/setuputils.class.inc.php b/setup/setuputils.class.inc.php
index a759ee1c1..f02a16239 100644
--- a/setup/setuputils.class.inc.php
+++ b/setup/setuputils.class.inc.php
@@ -60,7 +60,7 @@ class SetupUtils
 // -- First recent version that is not yet validated by Combodo (warning)
 const PHP_NOT_VALIDATED_VERSION = '7.5.0';
- const MIN_MEMORY_LIMIT = 33554432; // 32 * 1024 * 1024 - we can use expressions in const since PHP 5.6 but we are in the setup !
+ const MIN_MEMORY_LIMIT = '32M';
 const SUHOSIN_GET_MAX_VALUE_LENGTH = 2048;
 /** 
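Review bot: Turning MIN_MEMORY_LIMIT from an int into the string '32M' is only safe if every reader converts it; the check rewritten in the @@ -267 hunk does so through utils::ConvertToBytes, but any other use of self::MIN_MEMORY_LIMIT or SetupUtils::MIN_MEMORY_LIMIT in arithmetic or a numeric comparison (none is visible here) would now operate on a string. A search for the constant outside this file is warranted before merging. The new line would also benefit from recording the contract the removed comment used to carry, e.g. `const MIN_MEMORY_LIMIT = '32M'; // php.ini shorthand, convert with utils::ConvertToBytes() before comparing`.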
@@ -267,25 +267,20 @@ class SetupUtils
 // Check some more ini settings here, needed for file upload
 $sMemoryLimit = trim(ini_get('memory_limit'));
- if (empty($sMemoryLimit))
- {
+ if (empty($sMemoryLimit)) {
 // On some PHP installations, memory_limit does not exist as a PHP setting!
 // (encountered on a 5.2.0 under Windows)
 // In that case, ini_set will not work, let's keep track of this and proceed anyway
 $aResult[] = new CheckResult(CheckResult::WARNING, "No memory limit has been defined in this instance of PHP");
- }
- else
- {
+ } else {
 // Check that the limit will allow us to load the data
 //
- $iMemoryLimit = utils::ConvertToBytes($sMemoryLimit);
- if (!utils::IsMemoryLimitOk($iMemoryLimit, self::MIN_MEMORY_LIMIT))
- {
- $aResult[] = new CheckResult(CheckResult::ERROR, "memory_limit ($iMemoryLimit) is too small, the minimum value to run the application is ".self::MIN_MEMORY_LIMIT.".");
- }
- else
- {
- SetupPage::log("Info - memory_limit is $iMemoryLimit, ok.");
+ $iCurrentMemoryLimit = utils::ConvertToBytes($sMemoryLimit);
+ $iMinMemoryLimit = utils::ConvertToBytes(self::MIN_MEMORY_LIMIT);
+ if (!utils::IsMemoryLimitOk($iCurrentMemoryLimit, $iMinMemoryLimit)) {
+ $aResult[] = new CheckResult(CheckResult::ERROR, "memory_limit ($sMemoryLimit) is too small, the minimum value to run the application is ".self::MIN_MEMORY_LIMIT.".");
+ } else {
+ SetupPage::log("Info - memory_limit is $sMemoryLimit, ok.");
 }
 }
From 27217815d1749746f0232eaeb1ca9f9d5cbe56b5 Mon Sep 17 00:00:00 2001
From: Molkobain
Date: Mon, 16 Aug 2021 09:37:36 +0200
Subject: [PATCH 2/3] =?UTF-8?q?N=C2=B02510=20-=20Fix=20expand/collapse=20b?= =?UTF-8?q?uttons=20of=20log=20entries=20in=20a=20list?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/itopwebpage.class.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
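Review bot: The new threshold `$iMinMemoryLimit = utils::ConvertToBytes(self::MIN_MEMORY_LIMIT)` is trusted without validation: if ConvertToBytes does not understand the '32M' shorthand and yields 0 or false (its implementation is not visible here), IsMemoryLimitOk would presumably accept any memory_limit and this setup check would pass silently instead of failing. A guard on the converted minimum makes a broken constant visible rather than disabling the check, e.g. `if ($iMinMemoryLimit <= 0) { $aResult[] = new CheckResult(CheckResult::ERROR, "Invalid MIN_MEMORY_LIMIT ".self::MIN_MEMORY_LIMIT); }` placed before the IsMemoryLimitOk test. The enclosing method starts and ends outside the hunk.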
diff --git a/application/itopwebpage.class.inc.php b/application/itopwebpage.class.inc.php
index a46794da3..1fdd9e647 100644
--- a/application/itopwebpage.class.inc.php
+++ b/application/itopwebpage.class.inc.php
@@ -624,7 +624,7 @@ JS
 ShowDebug();
 $('#logOffBtn>ul').popupmenu();
- $('.caselog_header').click( function () { $(this).toggleClass('open').next('.caselog_entry,.caselog_entry_html').toggle(); });
+ $('body').on('click', '.caselog_header', function () { $(this).toggleClass('open').next('.caselog_entry,.caselog_entry_html').toggle(); });
 $(document).ajaxSend(function(event, jqxhr, options) {
 jqxhr.setRequestHeader('X-Combodo-Ajax', 'true');
From 92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4 Mon Sep 17 00:00:00 2001
From: Molkobain
Date: Wed, 18 Aug 2021 15:57:18 +0200
Subject: [PATCH 3/3] =?UTF-8?q?N=C2=B04129=20-=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 core/config.class.inc.php | 8 ++++++++
 .../portal/src/controllers/objectcontroller.class.inc.php | 5 +++++
 pages/ajax.render.php | 7 ++++++-
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/core/config.class.inc.php b/core/config.class.inc.php
index 42f4276a5..2f7508bae 100644
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -1161,6 +1161,14 @@ class Config
 'source_of_value' => '',
 'show_in_conf_sample' => false,
 ),
+ 'security.disable_inline_documents_sandbox' => array(
+ 'type' => 'bool',
+ 'description' => 'If true then the sandbox for documents displayed in a browser tab will be disabled; enabling scripts and other interactive content. Note that setting this to true will open the application to potential XSS attacks!',
+ 'default' => false,
+ 'value' => false,
+ 'source_of_value' => '',
+ 'show_in_conf_sample' => false,
+ ),
 );
 public function IsProperty($sPropCode)
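Review bot: The new option in core/config.class.inc.php is a negatively-named boolean (`security.disable_inline_documents_sandbox`), which is what forces the double-negative `=== false` tests at both call sites of this patch; a positively-named key defaulting to true would read as "sandbox on unless switched off" and be harder to misconfigure. Its description is also the only documentation of what is being disabled, so it should say what the sandbox does rather than only what disabling it allows: that `Content-Security-Policy: sandbox` blocks scripts, forms and plugins in the served document and makes the browser treat it as a unique origin, so it cannot read the application's cookies or DOM even if it contains HTML. If the key name is kept for compatibility, the existing XSS warning sentence should stay as the operational caveat.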
diff --git a/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php b/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
index 461d0e853..41190d62c 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
@@ -1295,6 +1295,11 @@ class ObjectController extends AbstractController
 $aHeaders['Content-Type'] = $oDocument->GetMimeType();
 $aHeaders['Content-Disposition'] = (($sOperation === 'display') ? 'inline' : 'attachment') . ';filename="'.$oDocument->GetFileName().'"';
+ // N°4129 - Prevent XSS attacks & other script executions
+ if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
+ $aHeaders['Content-Security-Policy'] = 'sandbox';
+ }
+
 return new Response($oDocument->GetData(), Response::HTTP_OK, $aHeaders);
 }
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index 41373f279..766dfbf3e 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -902,7 +902,12 @@ try
 $sField = utils::ReadParam('field', '');
 if (!empty($sClass) && ($sClass != 'InlineImage') && !empty($id) && !empty($sField))
 {
- $oPage->add_header('X-Frame-Options:'); // resets header, see N°3416
+ // Resets header, see N°3416
+ $oPage->add_header('X-Frame-Options:');
+ // N°4129 - Prevent XSS attacks & other script executions
+ if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
+ $oPage->add_header('Content-Security-Policy: sandbox;');
+ }
 ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'inline');
 }
 break;
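Review bot: The sandbox header is only added when `Get('security.disable_inline_documents_sandbox') === false`, so any other value drops the protection silently — null if the key is missing from an older configuration, or a string such as '0' if the 'bool' type is not coerced by Config::Get (its behaviour is not visible here); the pages/ajax.render.php hunk below repeats the same test. Inverting it to fail closed, `if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') !== true) {`, sends the header unless an administrator has explicitly opted out, which is the intent stated in the N°4129 comment. The two call sites also spell the header differently (`'sandbox'` as a header value versus the raw line `'Content-Security-Policy: sandbox;'` with a trailing semicolon); both are valid CSP, but a shared constant for the directive would keep them from drifting apart. The enclosing method's signature and the surrounding switch in ajax.render.php are outside their hunks.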