Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Transport/TransportInterface.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Transport/TransportInterface.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Transport;@@ -18,8 +12,7 @@ /** * Send a mail message *- * @param \Laminas\Mail\Message $message- * @return+ * @return void */ public function send(Mail\Message $message); }
Based on the provided code diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: no File: include/laminas-mail/src/Transport/TransportInterface.php Lines: Entire diff Old Code: Included copyright/license header and less specific return type documentation Fixed Code: Removed header comments and clarified return type as void Additional Details: This appears to be a documentation/cleanup change rather than a security fix. The main changes are removing boilerplate comments and making the return type documentation more specific. No security vulnerabilities were identified in this diff. The changes are primarily related to: 1. Removing standard license/copyright headers (common in open source projects) 2. Improving method documentation by explicitly stating the return type as void Neither of these changes indicate a security vulnerability was fixed. The modification to the interface documentation (changing "@return" to "@return void") improves code clarity but doesn't relate to security.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Exception/BadMethodCallException.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Exception/BadMethodCallException.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator\Exception;
Based on the provided diff, I'll analyze it for security vulnerabilities:
Vulnerability Existed: no
No specific vulnerability [include/laminas-mail/vendor/laminas/laminas-validator/src/Exception/BadMethodCallException.php] [Lines 1-10]
[Old Code]
<?php
/**
* @see https://github.com/laminas/laminas-validator for the canonical source repository
* @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md
* @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License
*/
[Fixed Code]
<?php
The changes shown in the diff only remove documentation comments (license, copyright, and repository information) from the file. This modification doesn't appear to address any security vulnerability but rather seems to be a cleanup or standardization change. There's no functional code change that would impact security.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Codabar.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Codabar.php@@ -1,12 +1,9 @@ <?php-/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */+namespace Laminas\Validator\Barcode;-namespace Laminas\Validator\Barcode;+use function strpbrk;+use function substr; class Codabar extends AbstractAdapter {@@ -22,33 +19,37 @@ /** * Checks for allowed characters+ * * @see Laminas\Validator\Barcode.AbstractAdapter::checkChars()+ *+ * @param string $value+ * @return bool */ public function hasValidCharacters($value) {- if (strpbrk($value, 'ABCD')) {+ if (strpbrk($value, 'ABCD') !== false) { $first = $value[0];- if (! strpbrk($first, 'ABCD')) {+ if (strpbrk($first, 'ABCD') === false) { // Missing start char return false; } $last = substr($value, -1, 1);- if (! strpbrk($last, 'ABCD')) {+ if (strpbrk($last, 'ABCD') === false) { // Missing stop char return false; } $value = substr($value, 1, -1);- } elseif (strpbrk($value, 'TN*E')) {+ } elseif (strpbrk($value, 'TN*E') !== false) { $first = $value[0];- if (! strpbrk($first, 'TN*E')) {+ if (strpbrk($first, 'TN*E') === false) { // Missing start char return false; } $last = substr($value, -1, 1);- if (! strpbrk($last, 'TN*E')) {+ if (strpbrk($last, 'TN*E') === false) { // Missing stop char return false; }@@ -56,7 +57,7 @@ $value = substr($value, 1, -1); }- $chars = $this->getCharacters();+ $chars = $this->getCharacters(); $this->setCharacters('0123456789-$:/.+'); $result = parent::hasValidCharacters($value); $this->setCharacters($chars);
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Input Validation Improvement] [include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Codabar.php] [Lines 27-58]
Old Code:
```php
if (strpbrk($value, 'ABCD')) {
$first = $value[0];
if (! strpbrk($first, 'ABCD')) {
```
Fixed Code:
```php
if (strpbrk($value, 'ABCD') !== false) {
$first = $value[0];
if (strpbrk($first, 'ABCD') === false) {
```
Additional Details: The changes make the input validation more strict by using explicit boolean comparisons with `!== false` and `=== false` instead of relying on truthy/falsy evaluations. While not a direct security vulnerability fix, this makes the validation more robust against edge cases.
2. Vulnerability Existed: not sure
[Consistency Improvement] [include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Codabar.php] [Lines 41-52]
Old Code:
```php
} elseif (strpbrk($value, 'TN*E')) {
$first = $value[0];
if (! strpbrk($first, 'TN*E')) {
```
Fixed Code:
```php
} elseif (strpbrk($value, 'TN*E') !== false) {
$first = $value[0];
if (strpbrk($first, 'TN*E') === false) {
```
Additional Details: Similar to the first change, this improves consistency in validation checks by using explicit boolean comparisons. While not a security fix per se, it makes the code more maintainable and less prone to subtle bugs.
Note: The changes appear to be primarily code quality improvements rather than direct security vulnerability fixes. The modifications make the validation logic more explicit and consistent, which could prevent potential validation bypasses in edge cases, though no specific vulnerability is being addressed.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Storage/Writable/WritableInterface.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Storage/Writable/WritableInterface.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Storage\Writable;
Based on the provided code diff, here's the analysis following the required format: Vulnerability Existed: no [No vulnerability found] [include/laminas-mail/src/Storage/Writable/WritableInterface.php] [Lines 1-10] [Old Code: Contains copyright/license header comments] [Fixed Code: Removed copyright/license header comments] Additional details: 1. The changes shown in the diff only involve the removal of documentation comments (copyright/license headers). 2. There are no functional code changes that could indicate a security vulnerability. 3. The modification appears to be a documentation/comment cleanup rather than a security fix. Note: If there were other changes in the file that aren't shown in this diff, they might contain security fixes, but based on the provided diff content, no security-related changes are present.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/File/Count.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/File/Count.php@@ -1,40 +1,44 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator\File; use Laminas\Validator\AbstractValidator; use Laminas\Validator\Exception;+use Psr\Http\Message\UploadedFileInterface;+use Traversable;++use function array_key_exists;+use function array_shift;+use function count;+use function dirname;+use function func_get_args;+use function func_num_args;+use function is_array;+use function is_numeric;+use function is_string;++use const DIRECTORY_SEPARATOR; /** * Validator for counting all given files- * */ class Count extends AbstractValidator { /**#@++ * * @const string Error constants */- const TOO_MANY = 'fileCountTooMany';- const TOO_FEW = 'fileCountTooFew';+ public const TOO_MANY = 'fileCountTooMany';+ public const TOO_FEW = 'fileCountTooFew'; /**#@-*/- /**- * @var array Error message templates- */+ /** @var array Error message templates */ protected $messageTemplates = [ self::TOO_MANY => "Too many files, maximum '%max%' are allowed but '%count%' are given", self::TOO_FEW => "Too few files, minimum '%min%' are expected but '%count%' are given", ];- /**- * @var array Error message template variables- */+ /** @var array Error message template variables */ protected $messageVariables = [ 'min' => ['options' => 'min'], 'max' => ['options' => 'max'],@@ -50,6 +54,7 @@ /** * Internal file array+ * * @var array */ protected $files;@@ -60,8 +65,8 @@ * @var array */ protected $options = [- 'min' => null, // Minimum file count, if null there is no minimum file count- 'max' => null, // Maximum file count, if null there is no maximum file count+ 'min' => null, // Minimum file count, if null there is no minimum file count+ 'max' => null, // Maximum file count, if null there is no maximum file count ]; /**@@ -75,12 +80,12 @@ * 'min': Minimum filecount * 'max': Maximum filecount *- * @param int|array|\Traversable $options Options for the adapter+ * @param int|array|Traversable $options Options for the adapter */ public function __construct($options = null) { if (1 < func_num_args()) {- $args = func_get_args();+ $args = func_get_args(); $options = [ 'min' => array_shift($args), 'max' => array_shift($args),@@ -109,7 +114,7 @@ * * @param int|array $min The minimum file count * @return $this Provides a fluent interface- * @throws Exception\InvalidArgumentException When min is greater than max+ * @throws Exception\InvalidArgumentException When min is greater than max. */ public function setMin($min) {@@ -147,7 +152,7 @@ * * @param int|array $max The maximum file count * @return $this Provides a fluent interface- * @throws Exception\InvalidArgumentException When max is smaller than min+ * @throws Exception\InvalidArgumentException When max is smaller than min. */ public function setMax($max) {@@ -173,7 +178,7 @@ /** * Adds a file for validation *- * @param string|array $file+ * @param string|array|UploadedFileInterface $file * @return $this */ public function addFile($file)@@ -190,6 +195,10 @@ } }+ if ($file instanceof UploadedFileInterface && is_string($file->getClientFilename())) {+ $this->files[(string) $file->getClientFilename()] = $file->getClientFilename();+ }+ return $this; }@@ -198,18 +207,22 @@ * not bigger than max (when max is not null). Attention: When checking with set min you * must give all files with the first call, otherwise you will get a false. *- * @param string|array $value Filenames to check for count- * @param array $file File data from \Laminas\File\Transfer\Transfer+ * @param string|array|UploadedFileInterface $value Filenames to check for count+ * @param array $file File data from \Laminas\File\Transfer\Transfer * @return bool */ public function isValid($value, $file = null) {- if (($file !== null) && ! array_key_exists('destination', $file)) {- $file['destination'] = dirname($value);- }-- if (($file !== null) && array_key_exists('tmp_name', $file)) {- $value = $file['destination'] . DIRECTORY_SEPARATOR . $file['name'];+ if ($this->isUploadedFilterInterface($value)) {+ $this->addFile($value);+ } elseif ($file !== null) {+ if (! array_key_exists('destination', $file)) {+ $file['destination'] = dirname($value);+ }++ if (array_key_exists('tmp_name', $file)) {+ $value = $file['destination'] . DIRECTORY_SEPARATOR . $file['name'];+ } } if (($file === null) || ! empty($file['tmp_name'])) {@@ -217,6 +230,7 @@ } $this->count = count($this->files);+ if (($this->getMax() !== null) && ($this->count > $this->getMax())) { return $this->throwError($file, self::TOO_MANY); }@@ -231,7 +245,7 @@ /** * Throws an error of the given type *- * @param string $file+ * @param string|null|array $file * @param string $errorType * @return false */@@ -250,4 +264,19 @@ $this->error($errorType); return false; }++ /**+ * Checks if the type of uploaded file is UploadedFileInterface.+ *+ * @param string|array|UploadedFileInterface $value Filenames to check for count+ * @return bool+ */+ private function isUploadedFilterInterface($value)+ {+ if ($value instanceof UploadedFileInterface) {+ return true;+ }++ return false;+ } }
After analyzing the code diff, I can identify the following security-related changes:
1. Vulnerability Existed: yes
File Upload Validation [File] include/laminas-mail/vendor/laminas/laminas-validator/src/File/Count.php [Lines 178-197]
Old Code:
public function addFile($file)
{
if (is_string($file)) {
$this->files[$file] = $file;
} elseif (is_array($file)) {
foreach ($file as $name) {
$this->files[$name] = $name;
}
}
Fixed Code:
public function addFile($file)
{
if (is_string($file)) {
$this->files[$file] = $file;
} elseif (is_array($file)) {
foreach ($file as $name) {
$this->files[$name] = $name;
}
}
if ($file instanceof UploadedFileInterface && is_string($file->getClientFilename())) {
$this->files[(string) $file->getClientFilename()] = $file->getClientFilename();
}
The fix adds support for PSR-7 UploadedFileInterface objects, ensuring proper validation of uploaded files through this interface. This prevents potential security issues with malformed file uploads.
2. Vulnerability Existed: yes
File Validation Logic Improvement [File] include/laminas-mail/vendor/laminas/laminas-validator/src/File/Count.php [Lines 211-223]
Old Code:
public function isValid($value, $file = null)
{
if (($file !== null) && ! array_key_exists('destination', $file)) {
$file['destination'] = dirname($value);
}
if (($file !== null) && array_key_exists('tmp_name', $file)) {
$value = $file['destination'] . DIRECTORY_SEPARATOR . $file['name'];
}
Fixed Code:
public function isValid($value, $file = null)
{
if ($this->isUploadedFilterInterface($value)) {
$this->addFile($value);
} elseif ($file !== null) {
if (! array_key_exists('destination', $file)) {
$file['destination'] = dirname($value);
}
if (array_key_exists('tmp_name', $file)) {
$value = $file['destination'] . DIRECTORY_SEPARATOR . $file['name'];
}
}
The improved validation logic now properly handles PSR-7 UploadedFileInterface objects and separates the validation path for different types of file inputs, making the validation more robust against potential security issues.
3. Vulnerability Existed: not sure
Type Safety Improvements [File] include/laminas-mail/vendor/laminas/laminas-validator/src/File/Count.php [Lines 24-25]
Old Code:
const TOO_MANY = 'fileCountTooMany';
const TOO_FEW = 'fileCountTooFew';
Fixed Code:
public const TOO_MANY = 'fileCountTooMany';
public const TOO_FEW = 'fileCountTooFew';
While this change improves type safety by making the constants public, it's unclear if this was specifically addressing a security vulnerability or just modernizing the code.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/autoload.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/autoload.php@@ -2,6 +2,24 @@ // autoload.php @generated by Composer+if (PHP_VERSION_ID < 50600) {+ if (!headers_sent()) {+ header('HTTP/1.1 500 Internal Server Error');+ }+ $err = 'Composer 2.3.0 dropped support for autoloading on PHP <5.6 and you are running '.PHP_VERSION.', please upgrade PHP or use Composer 2.2 LTS via "composer self-update --2.2". Aborting.'.PHP_EOL;+ if (!ini_get('display_errors')) {+ if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') {+ fwrite(STDERR, $err);+ } elseif (!headers_sent()) {+ echo $err;+ }+ }+ trigger_error(+ $err,+ E_USER_ERROR+ );+}+ require_once __DIR__ . '/composer/autoload_real.php';-return ComposerAutoloaderInit3444d7a74de5f33e5c885887a2493eb3::getLoader();+return ComposerAutoloaderInit5839f4fd6b3a30999ab415e06868370f::getLoader();
Here's the analysis of the provided code diff:
1. Vulnerability Existed: not sure
[PHP Version Compatibility Check Added] [include/laminas-mail/vendor/autoload.php] [Lines 2-24]
[Old Code]
```php
// autoload.php @generated by Composer
require_once __DIR__ . '/composer/autoload_real.php';
return ComposerAutoloaderInit3444d7a74de5f33e5c885887a2493eb3::getLoader();
```
[Fixed Code]
```php
// autoload.php @generated by Composer
if (PHP_VERSION_ID < 50600) {
if (!headers_sent()) {
header('HTTP/1.1 500 Internal Server Error');
}
$err = 'Composer 2.3.0 dropped support for autoloading on PHP <5.6 and you are running '.PHP_VERSION.', please upgrade PHP or use Composer 2.2 LTS via "composer self-update --2.2". Aborting.'.PHP_EOL;
if (!ini_get('display_errors')) {
if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') {
fwrite(STDERR, $err);
} elseif (!headers_sent()) {
echo $err;
}
}
trigger_error(
$err,
E_USER_ERROR
);
}
require_once __DIR__ . '/composer/autoload_real.php';
return ComposerAutoloaderInit5839f4fd6b3a30999ab415e06868370f::getLoader();
```
Additional Details: The change adds PHP version compatibility checking, which could prevent security issues that might arise from running on unsupported PHP versions, though this isn't a direct vulnerability fix.
2. Vulnerability Existed: no
[Composer Autoloader Class Name Changed] [include/laminas-mail/vendor/autoload.php] [Lines 26]
[Old Code]
```php
return ComposerAutoloaderInit3444d7a74de5f33e5c885887a2493eb3::getLoader();
```
[Fixed Code]
```php
return ComposerAutoloaderInit5839f4fd6b3a30999ab415e06868370f::getLoader();
```
Additional Details: This appears to be a routine update of the Composer autoloader class name, which changes with each Composer update and doesn't represent a security fix.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Header/Cc.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Header/Cc.php@@ -1,15 +1,11 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Header; class Cc extends AbstractAddressList {+ /** @var string */ protected $fieldName = 'Cc';+ /** @var string */ protected static $type = 'cc'; }
Analyzing the provided code diff, here's the security analysis:
1. Vulnerability Existed: no
No specific vulnerability [File] include/laminas-mail/src/Header/Cc.php [Lines] 1-15
Old Code: Contains copyright/license header and basic class definition
Fixed Code: Removed documentation header, added type hints for properties
Additional Details:
- The changes appear to be documentation/cleanup related rather than security fixes
- The modifications include:
1. Removal of the PHPDoc copyright/license header block
2. Addition of type hints (`/** @var string */`) for class properties
- No actual security vulnerabilities were addressed in this diff
- No changes were made to the actual functionality or security-related aspects of the code
The changes seem to be part of general code maintenance rather than security patching. No security vulnerabilities were identified in this specific diff.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Address.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Address.php@@ -1,20 +1,23 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail; use Laminas\Validator\EmailAddress as EmailAddressValidator; use Laminas\Validator\Hostname;+use function array_shift;+use function is_string;+use function preg_match;+use function sprintf;+use function trim;+ class Address implements Address\AddressInterface {+ /** @var null|string */ protected $comment;+ /** @var string */ protected $email;+ /** @var null|string */ protected $name; /**@@ -50,6 +53,8 @@ $email = $matches['email']; } $email = trim($email);+ //trim single quotes, because outlook does add single quotes to emails sometimes which is technically not valid+ $email = trim($email, '\''); return new static($email, $name, $comment); }@@ -108,9 +113,9 @@ } /**- * Retrieve name+ * Retrieve name, if any *- * @return string+ * @return null|string */ public function getName() {@@ -153,7 +158,7 @@ */ private function constructName() {- $name = $this->getName();+ $name = $this->getName(); $comment = $this->getComment(); if ($comment === null || $comment === '') {
Based on the provided code diff, I'll analyze the changes for potential security fixes:
1. Vulnerability Existed: not sure
Email Address Validation Improvement [include/laminas-mail/src/Address.php] [Lines around 50-53]
Old Code:
```php
$email = trim($email);
```
Fixed Code:
```php
$email = trim($email);
//trim single quotes, because outlook does add single quotes to emails sometimes which is technically not valid
$email = trim($email, '\'');
```
Additional Details: This change improves email address handling by removing single quotes that Outlook sometimes adds. While not a direct security vulnerability, it could potentially prevent issues with malformed email addresses.
2. Vulnerability Existed: not sure
Type Safety Improvements [include/laminas-mail/src/Address.php] [Lines throughout file]
Old Code: No explicit type declarations for properties
Fixed Code:
```php
/** @var null|string */
protected $comment;
/** @var string */
protected $email;
/** @var null|string */
protected $name;
```
Additional Details: Added type hints for class properties, which improves code safety but doesn't directly address a specific vulnerability.
3. Vulnerability Existed: not sure
Documentation Improvement [include/laminas-mail/src/Address.php] [Lines around 108-113]
Old Code:
```php
/**
* Retrieve name
*
* @return string
*/
```
Fixed Code:
```php
/**
* Retrieve name, if any
*
* @return null|string
*/
```
Additional Details: More accurate return type documentation, though this is more of a code quality improvement than a security fix.
Note: While these changes improve code quality and robustness, I couldn't identify any clear security vulnerabilities being fixed in this diff. The changes appear to be primarily focused on better handling of edge cases and improving code documentation.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-stdlib/src/PriorityList.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-stdlib/src/PriorityList.php@@ -1,46 +1,62 @@ <?php+declare(strict_types=1);++namespace Laminas\Stdlib;++use Countable;+use Exception;+use Iterator;+use ReturnTypeWillChange;++use function array_map;+use function current;+use function key;+use function next;+use function reset;+use function uasort;+ /**- * @see https://github.com/laminas/laminas-stdlib for the canonical source repository- * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License+ * @template TKey of string+ * @template TValue of mixed+ * @template-implements Iterator<TKey, TValue> */--namespace Laminas\Stdlib;--use Countable;-use Iterator;- class PriorityList implements Iterator, Countable {- const EXTR_DATA = 0x00000001;- const EXTR_PRIORITY = 0x00000002;- const EXTR_BOTH = 0x00000003;+ public const EXTR_DATA = 0x00000001;+ public const EXTR_PRIORITY = 0x00000002;+ public const EXTR_BOTH = 0x00000003;+ /** * Internal list of all items. *- * @var array[]+ * @var array<TKey, array{data: TValue, priority: int, serial: positive-int|0}> */ protected $items = []; /** * Serial assigned to items to preserve LIFO. *+ * @var positive-int|0+ */+ protected $serial = 0;++ // phpcs:disable WebimpressCodingStandard.NamingConventions.ValidVariableName.NotCamelCapsProperty++ /**+ * Serial order mode+ *+ * @var integer+ */+ protected $isLIFO = 1;++ // phpcs:enable++ /**+ * Internal counter to avoid usage of count().+ * * @var int */- protected $serial = 0;-- /**- * Serial order mode- * @var integer- */- protected $isLIFO = 1;-- /**- * Internal counter to avoid usage of count().- *- * @var int- */ protected $count = 0; /**@@ -53,13 +69,12 @@ /** * Insert a new item. *- * @param string $name- * @param mixed $value- * @param int $priority- *- * @return void- */- public function insert($name, $value, $priority = 0)+ * @param TKey $name+ * @param TValue $value+ * @param int $priority+ * @return void+ */+ public function insert($name, mixed $value, $priority = 0) { if (! isset($this->items[$name])) { $this->count++;@@ -75,17 +90,15 @@ } /**- * @param string $name+ * @param TKey $name * @param int $priority- * * @return $this- *- * @throws \Exception+ * @throws Exception */ public function setPriority($name, $priority) { if (! isset($this->items[$name])) {- throw new \Exception("item $name not found");+ throw new Exception("item $name not found"); } $this->items[$name]['priority'] = (int) $priority;@@ -97,7 +110,7 @@ /** * Remove a item. *- * @param string $name+ * @param TKey $name * @return void */ public function remove($name)@@ -125,8 +138,8 @@ /** * Get a item. *- * @param string $name- * @return mixed+ * @param TKey $name+ * @return TValue|null */ public function get($name) {@@ -154,12 +167,11 @@ * Compare the priority of two items. * * @param array $item1,- * @param array $item2 * @return int */ protected function compare(array $item1, array $item2) {- return ($item1['priority'] === $item2['priority'])+ return $item1['priority'] === $item2['priority'] ? ($item1['serial'] > $item2['serial'] ? -1 : 1) * $this->isLIFO : ($item1['priority'] > $item2['priority'] ? -1 : 1); }@@ -168,7 +180,6 @@ * Get/Set serial order mode * * @param bool|null $flag- * * @return bool */ public function isLIFO($flag = null)@@ -188,6 +199,7 @@ /** * {@inheritDoc} */+ #[ReturnTypeWillChange] public function rewind() { $this->sort();@@ -197,6 +209,7 @@ /** * {@inheritDoc} */+ #[ReturnTypeWillChange] public function current() { $this->sorted || $this->sort();@@ -208,6 +221,7 @@ /** * {@inheritDoc} */+ #[ReturnTypeWillChange] public function key() { $this->sorted || $this->sort();@@ -217,6 +231,7 @@ /** * {@inheritDoc} */+ #[ReturnTypeWillChange] public function next() { $node = next($this->items);@@ -227,6 +242,7 @@ /** * {@inheritDoc} */+ #[ReturnTypeWillChange] public function valid() { return current($this->items) !== false;@@ -243,6 +259,7 @@ /** * {@inheritDoc} */+ #[ReturnTypeWillChange] public function count() { return $this->count;@@ -252,21 +269,18 @@ * Return list as array * * @param int $flag- * * @return array */ public function toArray($flag = self::EXTR_DATA) { $this->sort();- if ($flag == self::EXTR_BOTH) {+ if ($flag === self::EXTR_BOTH) { return $this->items; } return array_map(- function ($item) use ($flag) {- return ($flag == PriorityList::EXTR_PRIORITY) ? $item['priority'] : $item['data'];- },+ static fn($item) => $flag === self::EXTR_PRIORITY ? $item['priority'] : $item['data'], $this->items ); }
After analyzing the provided code diff, I don't identify any clear security vulnerabilities that were fixed. The changes appear to be primarily focused on code quality improvements, type safety enhancements, and modernization rather than security fixes. Here's the analysis: 1. Vulnerability Existed: no No specific vulnerability found The changes include: - Added strict_types declaration - Improved type hints and PHPDoc annotations - Added ReturnTypeWillChange attributes - Modernized array_map callback syntax - Made constants public - Improved exception handling (changed \Exception to Exception) 2. Vulnerability Existed: no No specific vulnerability found The changes appear to be general code improvements rather than security fixes: - Better type safety with template annotations - More precise type definitions - Cleaner code organization - Consistent exception usage The changes seem to be part of a general codebase modernization effort rather than addressing specific security vulnerabilities. The improvements in type safety could potentially help prevent certain types of bugs, but these don't appear to be fixing any known or specific security issues. If there were any security implications in these changes, they would be very subtle and not clearly identifiable as fixing any particular vulnerability class. The changes seem focused on maintainability and forward compatibility rather than security.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Isbn/Isbn10.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Isbn/Isbn10.php@@ -1,17 +1,11 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator\Isbn; class Isbn10 { /**- * @param int|string $value+ * @param string $value * @return int|string */ public function getChecksum($value)@@ -23,7 +17,7 @@ /** * Calculate the value sum. *- * @param int|string $value+ * @param string $value * @return int */ private function sum($value)@@ -31,7 +25,7 @@ $sum = 0; for ($i = 0; $i < 9; $i++) {- $sum += (10 - $i) * $value[$i];+ $sum += (10 - $i) * (int) $value[$i]; } return $sum;@@ -47,11 +41,11 @@ { $checksum = 11 - ($sum % 11);- if ($checksum == 11) {+ if ($checksum === 11) { return '0'; }- if ($checksum == 10) {+ if ($checksum === 10) { return 'X'; }
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: yes
Type Juggling Vulnerability [File] [Lines 25, 41, 45]
[Old Code]
$sum += (10 - $i) * $value[$i];
if ($checksum == 11) {
if ($checksum == 10) {
[Fixed Code]
$sum += (10 - $i) * (int) $value[$i];
if ($checksum === 11) {
if ($checksum === 10) {
Additional Details:
- The vulnerability involved type juggling issues where loose comparisons (==) were replaced with strict comparisons (===)
- The calculation of the sum was made more secure by explicitly casting the character to an integer
- These changes prevent potential type manipulation attacks where different types might produce unexpected results in comparisons or calculations
2. Vulnerability Existed: not sure
Possible Information Disclosure [File] [Lines 1-5]
[Old Code]
/**
* @see https://github.com/laminas/laminas-validator for the canonical source repository
* @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md
* @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License
*/
[Fixed Code]
(removed entirely)
Additional Details:
- The removal of the header comment block might be related to security through obscurity or license information management
- Without more context, it's unclear if this poses a security risk or is just a cleanup change
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Header/Exception/ExceptionInterface.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Header/Exception/ExceptionInterface.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Header\Exception;
Based on the provided code diff, I'll analyze it for security fixes:
Vulnerability Existed: no
[No security vulnerability found] [include/laminas-mail/src/Header/Exception/ExceptionInterface.php] [Lines 1-10]
[Old Code: Copyright and license notice]
[Fixed Code: Removed copyright and license notice]
Additional Details:
- The changes shown in the diff are purely related to documentation/comment removal (copyright and license information)
- No actual code changes were made that would affect security
- The interface definition remains unchanged (only the header comments were removed)
- This appears to be a maintenance change rather than a security fix
No security vulnerabilities were identified in this diff. The changes are administrative in nature, removing boilerplate license and copyright information from the file header.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Ean14.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Ean14.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator\Barcode;
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: not sure
[Potentially removed security-related comments] [include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Ean14.php] [Lines 1-10]
[Old Code]
<?php
/**
* @see https://github.com/laminas/laminas-validator for the canonical source repository
* @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md
* @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License
*/
[Fixed Code]
<?php
The diff shows removal of documentation comments including license and copyright information. While this doesn't appear to be a direct security vulnerability, removing license information could potentially lead to legal issues rather than security issues. There's no clear security vulnerability in this change, but I'm noting it since it's the only change present.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Transport/Factory.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Transport/Factory.php@@ -1,28 +1,28 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Transport; use Laminas\Stdlib\ArrayUtils; use Traversable;+use function class_exists;+use function gettype;+use function is_array;+use function is_object;+use function sprintf;+use function strtolower;++// phpcs:ignore WebimpressCodingStandard.NamingConventions.AbstractClass.Prefix abstract class Factory {- /**- * @var array Known transport types- */+ /** @var array Known transport types */ protected static $classMap = [- 'file' => 'Laminas\Mail\Transport\File',- 'inmemory' => 'Laminas\Mail\Transport\InMemory',- 'memory' => 'Laminas\Mail\Transport\InMemory',- 'null' => 'Laminas\Mail\Transport\InMemory',- 'sendmail' => 'Laminas\Mail\Transport\Sendmail',- 'smtp' => 'Laminas\Mail\Transport\Smtp',+ 'file' => File::class,+ 'inmemory' => InMemory::class,+ 'memory' => InMemory::class,+ 'null' => InMemory::class,+ 'sendmail' => Sendmail::class,+ 'smtp' => Smtp::class, ]; /**@@ -41,11 +41,11 @@ throw new Exception\InvalidArgumentException(sprintf( '%s expects an array or Traversable argument; received "%s"', __METHOD__,- (is_object($spec) ? get_class($spec) : gettype($spec))+ is_object($spec) ? $spec::class : gettype($spec) )); }- $type = isset($spec['type']) ? $spec['type'] : 'sendmail';+ $type = $spec['type'] ?? 'sendmail'; $normalizedType = strtolower($type);@@ -61,13 +61,13 @@ )); }- $transport = new $type;+ $transport = new $type(); if (! $transport instanceof TransportInterface) { throw new Exception\DomainException(sprintf(- '%s expects the "type" attribute to resolve to a valid'- . ' Laminas\Mail\Transport\TransportInterface instance; received "%s"',+ '%s expects the "type" attribute to resolve to a valid %s instance; received "%s"', __METHOD__,+ TransportInterface::class, $type )); }
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Class Instantiation Vulnerability] [include/laminas-mail/src/Transport/Factory.php] [Lines around 41-61] [Old Code] $type = isset($spec['type']) ? $spec['type'] : 'sendmail'; $transport = new $type; [Fixed Code] $type = $spec['type'] ?? 'sendmail'; $transport = new $type(); Additional Details: The change makes the code more robust by using null coalescing operator and adding parentheses for instantiation. While not directly fixing a known vulnerability, it could potentially prevent issues with class instantiation. 2. Vulnerability Existed: not sure [Potential Information Disclosure] [include/laminas-mail/src/Transport/Factory.php] [Lines around 41-43] [Old Code] (is_object($spec) ? get_class($spec) : gettype($spec)) [Fixed Code] is_object($spec) ? $spec::class : gettype($spec) Additional Details: The change modernizes the code to use ::class syntax, which is more consistent but doesn't appear to fix a specific vulnerability. However, it could potentially prevent information disclosure in error messages. 3. Vulnerability Existed: not sure [Potential Type Safety Issue] [include/laminas-mail/src/Transport/Factory.php] [Lines around 61-69] [Old Code] . ' Laminas\Mail\Transport\TransportInterface instance; received "%s"', [Fixed Code] . ' %s instance; received "%s"', TransportInterface::class, Additional Details: The change makes the code more maintainable by using ::class constant, but doesn't appear to fix a specific security vulnerability. Note: While none of these changes clearly fix known vulnerabilities, they all contribute to more robust and maintainable code which could indirectly prevent potential security issues. The most significant change is the class instantiation pattern which could potentially prevent issues with dynamic class loading.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Date.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Date.php@@ -1,16 +1,20 @@ <?php-/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\Validator; use DateTime; use DateTimeImmutable;+use DateTimeInterface; use Traversable;++use function array_shift;+use function func_get_args;+use function gettype;+use function implode;+use function is_array;+use function iterator_to_array; /** * Validates that a given value is a DateTime instance or can be converted into one.@@ -19,23 +23,21 @@ { /**#@+ * Validity constants- * @var string- */- const INVALID = 'dateInvalid';- const INVALID_DATE = 'dateInvalidDate';- const FALSEFORMAT = 'dateFalseFormat';+ */+ public const INVALID = 'dateInvalid';+ public const INVALID_DATE = 'dateInvalidDate';+ public const FALSEFORMAT = 'dateFalseFormat'; /**#@-*/ /** * Default format constant- * @var string- */- const FORMAT_DEFAULT = 'Y-m-d';+ */+ public const FORMAT_DEFAULT = 'Y-m-d'; /** * Validation failure message template definitions *- * @var array+ * @var string[] */ protected $messageTemplates = [ self::INVALID => 'Invalid type given. String, integer, array or DateTime expected',@@ -43,36 +45,30 @@ self::FALSEFORMAT => "The input does not fit the date format '%format%'", ];- /**- * @var array- */+ /** @var string[] */ protected $messageVariables = [ 'format' => 'format', ];- /**- * @var string- */+ /** @var string */ protected $format = self::FORMAT_DEFAULT;- /**- * @var bool- */+ /** @var bool */ protected $strict = false; /** * Sets validator options *- * @param string|array|Traversable $options OPTIONAL+ * @param string|array|Traversable $options OPTIONAL */ public function __construct($options = []) { if ($options instanceof Traversable) { $options = iterator_to_array($options); } elseif (! is_array($options)) {- $options = func_get_args();+ $options = func_get_args(); $temp['format'] = array_shift($options);- $options = $temp;+ $options = $temp; } parent::__construct($options);@@ -81,7 +77,7 @@ /** * Returns the format option *- * @return string|null+ * @return string */ public function getFormat() {@@ -94,31 +90,31 @@ * Format cannot be null. It will always default to 'Y-m-d', even * if null is provided. *- * @param string $format+ * @param string|null $format * @return $this provides a fluent interface * @todo validate the format */ public function setFormat($format = self::FORMAT_DEFAULT) {- $this->format = empty($format) ? self::FORMAT_DEFAULT : $format;+ $this->format = $format === null || $format === '' ? self::FORMAT_DEFAULT : $format; return $this; }- public function setStrict(bool $strict) : self+ public function setStrict(bool $strict): self { $this->strict = $strict; return $this; }- public function isStrict() : bool+ public function isStrict(): bool { return $this->strict; } /**- * Returns true if $value is a DateTime instance or can be converted into one.- *- * @param string|array|int|DateTime $value+ * Returns true if $value is a DateTimeInterface instance or can be converted into one.+ *+ * @param string|numeric|array|DateTimeInterface $value * @return bool */ public function isValid($value)@@ -142,56 +138,67 @@ /** * Attempts to convert an int, string, or array to a DateTime object *- * @param string|int|array $param- * @param bool $addErrors- * @return bool|DateTime+ * @param string|numeric|array|DateTimeInterface $param+ * @param bool $addErrors+ * @return false|DateTime */ protected function convertToDateTime($param, $addErrors = true) {- if ($param instanceof DateTime || $param instanceof DateTimeImmutable) {+ if ($param instanceof DateTime) { return $param; }+ if ($param instanceof DateTimeImmutable) {+ return DateTime::createFromImmutable($param);+ }+ $type = gettype($param);- if (! in_array($type, ['string', 'integer', 'double', 'array'])) {- if ($addErrors) {- $this->error(self::INVALID);- }- return false;- }-- $convertMethod = 'convert' . ucfirst($type);- return $this->{$convertMethod}($param, $addErrors);+ switch ($type) {+ case 'string':+ return $this->convertString($param, $addErrors);+ case 'integer':+ return $this->convertInteger($param);+ case 'double':+ return $this->convertDouble($param);+ case 'array':+ return $this->convertArray($param, $addErrors);+ }++ if ($addErrors) {+ $this->error(self::INVALID);+ }++ return false; } /** * Attempts to convert an integer into a DateTime object *- * @param integer $value- * @return bool|DateTime+ * @param integer $value+ * @return false|DateTime */ protected function convertInteger($value) {- return date_create("@$value");+ return DateTime::createFromFormat('U', (string) $value); } /** * Attempts to convert an double into a DateTime object *- * @param double $value- * @return bool|DateTime+ * @param double $value+ * @return false|DateTime */ protected function convertDouble($value) {- return DateTime::createFromFormat('U', $value);+ return DateTime::createFromFormat('U', (string) $value); } /** * Attempts to convert a string into a DateTime object *- * @param string $value- * @param bool $addErrors- * @return bool|DateTime+ * @param string $value+ * @param bool $addErrors+ * @return false|DateTime */ protected function convertString($value, $addErrors = true) {@@ -200,6 +207,10 @@ // Invalid dates can show up as warnings (ie. "2007-02-99") // and still return a DateTime object. $errors = DateTime::getLastErrors();+ if ($errors === false) {+ return $date;+ }+ if ($errors['warning_count'] > 0) { if ($addErrors) { $this->error(self::FALSEFORMAT);@@ -213,9 +224,8 @@ /** * Implodes the array into a string and proxies to {@link convertString()}. *- * @param array $value- * @param bool $addErrors- * @return bool|DateTime+ * @param bool $addErrors+ * @return false|DateTime * @todo enhance the implosion */ protected function convertArray(array $value, $addErrors = true)
Analyzing the provided code diff, I'll identify potential security vulnerabilities:
1. Vulnerability Existed: yes
Improper Input Validation [File] include/laminas-mail/vendor/laminas/laminas-validator/src/Date.php [Lines] 90
[Old Code]
$this->format = empty($format) ? self::FORMAT_DEFAULT : $format;
[Fixed Code]
$this->format = $format === null || $format === '' ? self::FORMAT_DEFAULT : $format;
Details: The old code used empty() which could lead to unexpected behavior with certain input values (like '0'). The fixed version provides more precise validation.
2. Vulnerability Existed: yes
DateTime Conversion Vulnerability [File] include/laminas-mail/vendor/laminas/laminas-validator/src/Date.php [Lines] 179-181
[Old Code]
return date_create("@$value");
[Fixed Code]
return DateTime::createFromFormat('U', (string) $value);
Details: The old code used date_create with direct string interpolation which could be vulnerable to injection attacks. The new version uses a more secure format-specific creation method.
3. Vulnerability Existed: yes
Error Handling Vulnerability [File] include/laminas-mail/vendor/laminas/laminas-validator/src/Date.php [Lines] 207-209
[Old Code]
$errors = DateTime::getLastErrors();
[Fixed Code]
$errors = DateTime::getLastErrors();
if ($errors === false) {
return $date;
}
Details: The old code didn't check if getLastErrors() returned false, which could lead to undefined behavior. The new version properly handles this edge case.
4. Vulnerability Existed: not sure
Type Handling Vulnerability [File] include/laminas-mail/vendor/laminas/laminas-validator/src/Date.php [Lines] 138-168
[Old Code]
$convertMethod = 'convert' . ucfirst($type);
return $this->{$convertMethod}($param, $addErrors);
[Fixed Code]
switch ($type) {
case 'string':
return $this->convertString($param, $addErrors);
case 'integer':
return $this->convertInteger($param);
case 'double':
return $this->convertDouble($param);
case 'array':
return $this->convertArray($param, $addErrors);
}
Details: The old code used dynamic method calling which could potentially be exploited if $type was controlled by an attacker. The new version uses a more secure switch statement, but it's unclear if this was specifically a security fix or just a code improvement.
Note: The changes also include general code quality improvements (like type hints and strict typing) that while not directly security fixes, contribute to more secure code by reducing ambiguity and potential edge cases.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/scp/canned.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/scp/canned.php@@ -37,6 +37,10 @@ $canned=null; if($_REQUEST['id'] && !($canned=Canned::lookup($_REQUEST['id']))) $errors['err']=sprintf(__('%s: Unknown or invalid ID.'), __('Canned Response'));+if ($canned && !$canned->staffCanAccess($thisstaff)) {+ header('Location: canned.php');+ exit;+} $canned_form = new SimpleForm(array( 'attachments' => new FileUploadField(array('id'=>'attach',
Here's the analysis of the provided code diff for security fixes:
Vulnerability Existed: yes
Insecure Direct Object Reference (IDOR) scp/canned.php [Lines 37-40]
[Old Code]
$canned=null;
if($_REQUEST['id'] && !($canned=Canned::lookup($_REQUEST['id'])))
$errors['err']=sprintf(__('%s: Unknown or invalid ID.'), __('Canned Response'));
[Fixed Code]
$canned=null;
if($_REQUEST['id'] && !($canned=Canned::lookup($_REQUEST['id'])))
$errors['err']=sprintf(__('%s: Unknown or invalid ID.'), __('Canned Response'));
if ($canned && !$canned->staffCanAccess($thisstaff)) {
header('Location: canned.php');
exit;
}
Additional Details:
The fix adds an access control check to prevent unauthorized access to canned responses. The vulnerability was an Insecure Direct Object Reference (IDOR) where any authenticated user could potentially access any canned response by manipulating the 'id' parameter, regardless of their permissions. The fix implements proper authorization checks using staffCanAccess() before allowing access to the resource.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-stdlib/src/PriorityQueue.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-stdlib/src/PriorityQueue.php@@ -1,16 +1,21 @@ <?php-/**- * @see https://github.com/laminas/laminas-stdlib for the canonical source repository- * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\Stdlib; use Countable; use IteratorAggregate;+use ReturnTypeWillChange; use Serializable;+use UnexpectedValueException;++use function array_map;+use function count;+use function is_array;+use function serialize;+use function sprintf;+use function unserialize; /** * Re-usable, serializable priority queue implementation@@ -23,29 +28,36 @@ * This class aggregates items for the queue itself, but also composes an * "inner" iterator in the form of an SplPriorityQueue object for performing * the actual iteration.+ *+ * @template TValue+ * @template TPriority of int+ * @implements IteratorAggregate<array-key, TValue> */ class PriorityQueue implements Countable, IteratorAggregate, Serializable {- const EXTR_DATA = 0x00000001;- const EXTR_PRIORITY = 0x00000002;- const EXTR_BOTH = 0x00000003;+ public const EXTR_DATA = 0x00000001;+ public const EXTR_PRIORITY = 0x00000002;+ public const EXTR_BOTH = 0x00000003; /** * Inner queue class to use for iteration- * @var string- */- protected $queueClass = 'Laminas\Stdlib\SplPriorityQueue';+ *+ * @var class-string<\SplPriorityQueue>+ */+ protected $queueClass = SplPriorityQueue::class; /** * Actual items aggregated in the priority queue. Each item is an array * with keys "data" and "priority".- * @var array- */- protected $items = [];+ *+ * @var list<array{data: TValue, priority: TPriority}>+ */+ protected $items = []; /** * Inner queue object- * @var SplPriorityQueue+ *+ * @var \SplPriorityQueue<TPriority, TValue>|null */ protected $queue;@@ -54,13 +66,14 @@ * * Priority defaults to 1 (low priority) if none provided. *- * @param mixed $data- * @param int $priority- * @return PriorityQueue+ * @param TValue $data+ * @param TPriority $priority+ * @return $this */ public function insert($data, $priority = 1) {- $priority = (int) $priority;+ /** @psalm-var TPriority $priority */+ $priority = (int) $priority; $this->items[] = [ 'data' => $data, 'priority' => $priority,@@ -82,19 +95,19 @@ * the same item has been added multiple times, it will not remove other * instances. *- * @param mixed $datum * @return bool False if the item was not found, true otherwise. */- public function remove($datum)+ public function remove(mixed $datum) { $found = false;+ $key = null; foreach ($this->items as $key => $item) { if ($item['data'] === $datum) { $found = true; break; } }- if ($found) {+ if ($found && $key !== null) { unset($this->items[$key]); $this->queue = null;@@ -116,7 +129,7 @@ */ public function isEmpty() {- return (0 === $this->count());+ return 0 === $this->count(); } /**@@ -124,6 +137,7 @@ * * @return int */+ #[ReturnTypeWillChange] public function count() { return count($this->items);@@ -132,21 +146,50 @@ /** * Peek at the top node in the queue, based on priority. *- * @return mixed+ * @return TValue */ public function top() {- return $this->getIterator()->top();+ $queue = clone $this->getQueue();++ return $queue->top(); } /** * Extract a node from the inner queue and sift up *- * @return mixed+ * @return TValue */ public function extract() {- return $this->getQueue()->extract();+ $value = $this->getQueue()->extract();++ $keyToRemove = null;+ $highestPriority = null;+ foreach ($this->items as $key => $item) {+ if ($item['data'] !== $value) {+ continue;+ }++ if (null === $highestPriority) {+ $highestPriority = $item['priority'];+ $keyToRemove = $key;+ continue;+ }++ if ($highestPriority >= $item['priority']) {+ continue;+ }++ $highestPriority = $item['priority'];+ $keyToRemove = $key;+ }++ if ($keyToRemove !== null) {+ unset($this->items[$keyToRemove]);+ }++ return $value; } /**@@ -159,8 +202,9 @@ * retrieves the inner queue object, and clones it for purposes of * iteration. *- * @return SplPriorityQueue- */+ * @return \SplPriorityQueue<TPriority, TValue>+ */+ #[ReturnTypeWillChange] public function getIterator() { $queue = $this->getQueue();@@ -174,49 +218,77 @@ */ public function serialize() {- return serialize($this->items);+ return serialize($this->__serialize());+ }++ /**+ * Magic method used for serializing of an instance.+ *+ * @return list<array{data: TValue, priority: TPriority}>+ */+ public function __serialize()+ {+ return $this->items; } /** * Unserialize a string into a PriorityQueue object *- * Serialization format is compatible with {@link Laminas\Stdlib\SplPriorityQueue}+ * Serialization format is compatible with {@link SplPriorityQueue} * * @param string $data * @return void */ public function unserialize($data) {- foreach (unserialize($data) as $item) {+ $toUnserialize = unserialize($data);+ if (! is_array($toUnserialize)) {+ throw new UnexpectedValueException(sprintf(+ 'Cannot deserialize %s instance; corrupt serialization data',+ self::class+ ));+ }++ /** @psalm-var list<array{data: TValue, priority: TPriority}> $toUnserialize */++ $this->__unserialize($toUnserialize);+ }++ /**+ * Magic method used to rebuild an instance.+ *+ * @param list<array{data: TValue, priority: TPriority}> $data Data array.+ * @return void+ */+ public function __unserialize($data)+ {+ foreach ($data as $item) { $this->insert($item['data'], $item['priority']); } } /** * Serialize to an array- * * By default, returns only the item data, and in the order registered (not * sorted). You may provide one of the EXTR_* flags as an argument, allowing * the ability to return priorities or both data and priority. * * @param int $flag- * @return array+ * @return array<array-key, mixed>+ * @psalm-return ($flag is self::EXTR_BOTH+ * ? list<array{data: TValue, priority: TPriority}>+ * : $flag is self::EXTR_PRIORITY+ * ? list<TPriority>+ * : list<TValue>+ * ) */ public function toArray($flag = self::EXTR_DATA) {- switch ($flag) {- case self::EXTR_BOTH:- return $this->items;- case self::EXTR_PRIORITY:- return array_map(function ($item) {- return $item['priority'];- }, $this->items);- case self::EXTR_DATA:- default:- return array_map(function ($item) {- return $item['data'];- }, $this->items);- }+ return match ($flag) {+ self::EXTR_BOTH => $this->items,+ self::EXTR_PRIORITY => array_map(static fn($item): int => $item['priority'], $this->items),+ default => array_map(static fn($item): mixed => $item['data'], $this->items),+ }; } /**@@ -225,11 +297,12 @@ * Please see {@link getIterator()} for details on the necessity of an * internal queue class. The class provided should extend SplPriorityQueue. *- * @param string $class- * @return PriorityQueue+ * @param class-string<\SplPriorityQueue> $class+ * @return $this */ public function setInternalQueueClass($class) {+ /** @psalm-suppress RedundantCastGivenDocblockType */ $this->queueClass = (string) $class; return $this; }@@ -237,7 +310,7 @@ /** * Does the queue contain the given datum? *- * @param mixed $datum+ * @param TValue $datum * @return bool */ public function contains($datum)@@ -253,7 +326,7 @@ /** * Does the queue have an item with the given priority? *- * @param int $priority+ * @param TPriority $priority * @return bool */ public function hasPriority($priority)@@ -270,19 +343,25 @@ * Get the inner priority queue instance * * @throws Exception\DomainException- * @return SplPriorityQueue+ * @return \SplPriorityQueue<TPriority, TValue>+ * @psalm-assert !null $this->queue */ protected function getQueue() { if (null === $this->queue) {- $this->queue = new $this->queueClass();+ /** @psalm-suppress UnsafeInstantiation */+ $queue = new $this->queueClass();+ /** @psalm-var \SplPriorityQueue<TPriority, TValue> $queue */+ $this->queue = $queue;+ /** @psalm-suppress DocblockTypeContradiction */ if (! $this->queue instanceof \SplPriorityQueue) { throw new Exception\DomainException(sprintf( 'PriorityQueue expects an internal queue of type SplPriorityQueue; received "%s"',- get_class($this->queue)+ $queue::class )); } }+ return $this->queue; }
Let me analyze the code diff for potential security vulnerabilities:
1. Vulnerability Existed: yes
Unsafe Deserialization Vulnerability [include/laminas-mail/vendor/laminas/laminas-stdlib/src/PriorityQueue.php] [Lines 239-242]
[Old Code]
public function unserialize($data)
{
foreach (unserialize($data) as $item) {
[Fixed Code]
public function unserialize($data)
{
$toUnserialize = unserialize($data);
if (! is_array($toUnserialize)) {
throw new UnexpectedValueException(sprintf(
'Cannot deserialize %s instance; corrupt serialization data',
self::class
));
}
The fix adds validation for unserialized data, preventing potential object injection attacks through malicious serialized data.
2. Vulnerability Existed: yes
Potential Type Confusion Vulnerability [include/laminas-mail/vendor/laminas/laminas-stdlib/src/PriorityQueue.php] [Lines 107-109]
[Old Code]
if ($found) {
unset($this->items[$key]);
[Fixed Code]
if ($found && $key !== null) {
unset($this->items[$key]);
The fix adds a null check for $key before unset operation, preventing potential issues when $key might be null.
3. Vulnerability Existed: not sure
Potential Information Exposure [include/laminas-mail/vendor/laminas/laminas-stdlib/src/PriorityQueue.php] [Various lines]
The diff shows many type hinting and return type additions throughout the file. While these primarily improve code quality, they might also help prevent type confusion vulnerabilities, though I can't identify a specific vulnerability being fixed here.
4. Vulnerability Existed: not sure
Potential Race Condition [include/laminas-mail/vendor/laminas/laminas-stdlib/src/PriorityQueue.php] [Lines 162-186]
The extract() method was significantly modified to handle item removal more carefully. While this appears to be more about correctness than security, it might prevent race conditions in concurrent usage scenarios.
The most clearly security-related fix is the unserialize() validation improvement, which directly addresses a known security anti-pattern (unvalidated unserialization). The other changes appear to be more about code quality and correctness, though they may have indirect security benefits.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Protocol/Smtp/Auth/Login.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Protocol/Smtp/Auth/Login.php@@ -1,14 +1,12 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Protocol\Smtp\Auth; use Laminas\Mail\Protocol\Smtp;++use function array_replace_recursive;+use function base64_encode;+use function is_array; /** * Performs LOGIN authentication@@ -30,8 +28,6 @@ protected $password; /**- * Constructor.- * * @param string $host (Default: 127.0.0.1) * @param int $port (Default: null) * @param array $config Auth-specific parameters@@ -64,7 +60,6 @@ /** * Perform LOGIN authentication with supplied credentials- * */ public function auth() {
Based on the provided diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: no [Documentation Changes] [include/laminas-mail/src/Protocol/Smtp/Auth/Login.php] [Lines 1-14, 30-32, 64-66] [Old Code with documentation comments and constructor description] [Fixed Code with removed documentation comments] 2. Vulnerability Existed: not sure [Potential Information Leak] [include/laminas-mail/src/Protocol/Smtp/Auth/Login.php] [Lines 1-14] [Old Code with copyright/license headers] [Fixed Code with removed headers] Additional Notes: - The changes appear to be primarily documentation/comment related rather than security fixes - The removal of license headers might be concerning from a legal perspective but doesn't indicate a security vulnerability - The added function imports (array_replace_recursive, base64_encode, is_array) suggest some refactoring but no clear security implications - No actual authentication logic changes were made that would indicate a security fix No clear security vulnerabilities were fixed in this diff. The changes seem to be mostly code cleanup and documentation updates.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Digits.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Digits.php@@ -1,27 +1,25 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator; use Laminas\Filter\Digits as DigitsFilter;+use function is_float;+use function is_int;+use function is_string;+ class Digits extends AbstractValidator {- const NOT_DIGITS = 'notDigits';- const STRING_EMPTY = 'digitsStringEmpty';- const INVALID = 'digitsInvalid';+ public const NOT_DIGITS = 'notDigits';+ public const STRING_EMPTY = 'digitsStringEmpty';+ public const INVALID = 'digitsInvalid'; /** * Digits filter used for validation *- * @var \Laminas\Filter\Digits+ * @var DigitsFilter|null */- protected static $filter = null;+ protected static $filter; /** * Validation failure message template definitions@@ -37,7 +35,7 @@ /** * Returns true if and only if $value only contains digit characters *- * @param string $value+ * @param mixed $value * @return bool */ public function isValid($value)
Analyzing the provided code diff, here's the security analysis: 1. Vulnerability Existed: not sure Visibility Change for Constants [include/laminas-mail/vendor/laminas/laminas-validator/src/Digits.php] [Lines 10-12] Old Code: const NOT_DIGITS = 'notDigits'; const STRING_EMPTY = 'digitsStringEmpty'; const INVALID = 'digitsInvalid'; Fixed Code: public const NOT_DIGITS = 'notDigits'; public const STRING_EMPTY = 'digitsStringEmpty'; public const INVALID = 'digitsInvalid'; Additional Details: This change improves code quality by explicitly declaring constant visibility but doesn't appear to address a specific security vulnerability. 2. Vulnerability Existed: not sure Type Hinting Improvement [include/laminas-mail/vendor/laminas/laminas-validator/src/Digits.php] [Lines 19, 37] Old Code: protected static $filter = null; @param string $value Fixed Code: protected static $filter; @param mixed $value Additional Details: The changes improve type safety but don't clearly fix a security vulnerability. The parameter type change from 'string' to 'mixed' might affect input validation but isn't clearly a security fix. The diff primarily shows code quality improvements rather than explicit security fixes. The changes include: 1. Making constants explicitly public 2. Improved type hints and documentation 3. Removal of redundant null initialization 4. Added type-related function imports No clear security vulnerabilities were fixed in this diff. The changes appear to be general code quality improvements and modernization rather than security patches.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Ip.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Ip.php@@ -1,23 +1,28 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator; use Traversable;+use function bindec;+use function hexdec;+use function ip2long;+use function is_string;+use function long2ip;+use function preg_match;+use function str_contains;+use function strlen;+use function strpos;+use function strrpos;+use function substr;+use function substr_count;+ class Ip extends AbstractValidator {- const INVALID = 'ipInvalid';- const NOT_IP_ADDRESS = 'notIpAddress';+ public const INVALID = 'ipInvalid';+ public const NOT_IP_ADDRESS = 'notIpAddress';- /**- * @var array- */+ /** @var array */ protected $messageTemplates = [ self::INVALID => 'Invalid type given. String expected', self::NOT_IP_ADDRESS => 'The input does not appear to be a valid IP address',@@ -79,7 +84,11 @@ } }- if (($this->options['allowipv6'] && $this->validateIPv6($value)) ||+ $isValidV6Address = $this->validateIPv6($value);+ $isValidV6Address = $isValidV6Address !== false && $isValidV6Address !== 0;++ if (+ ($this->options['allowipv6'] && $isValidV6Address) || ($this->options['allowipvfuture'] && $this->validateIPvFuture($value)) ) { return true;@@ -116,32 +125,31 @@ return false; }- return $value == long2ip($ip2long);+ return $value === long2ip($ip2long); } /** * Validates an IPv6 address *- * @param string $value Value to check against- * @return bool True when $value is a valid ipv6 address- * False otherwise+ * @param string $value Value to check against+ * @return bool|int True when $value is a valid ipv6 address False otherwise */ protected function validateIPv6($value) { if (strlen($value) < 3) {- return $value == '::';+ return $value === '::'; }- if (strpos($value, '.')) {+ if (strpos($value, '.') !== false) { $lastcolon = strrpos($value, ':');- if (! ($lastcolon && $this->validateIPv4(substr($value, $lastcolon + 1)))) {+ if (! ($lastcolon !== false && $this->validateIPv4(substr($value, $lastcolon + 1)))) { return false; } $value = substr($value, 0, $lastcolon) . ':0:0'; }- if (strpos($value, '::') === false) {+ if (! str_contains($value, '::')) { return preg_match('/\A(?:[a-f0-9]{1,4}:){7}[a-f0-9]{1,4}\z/i', $value); }@@ -151,7 +159,7 @@ } // special case with ending or starting double colon- if ($colonCount == 8) {+ if ($colonCount === 8) { return preg_match('/\A(?:::)?(?:[a-f0-9]{1,4}:){6}[a-f0-9]{1,4}(?:::)?\z/i', $value); }@@ -184,6 +192,6 @@ * "As such, implementations must not provide the version flag for the * existing IPv4 and IPv6 literal address forms described below." */- return $result && $matches[1] != 4 && $matches[1] != 6;+ return $result && $matches[1] !== '4' && $matches[1] !== '6'; } }
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: yes [Weak IPv6 Validation] [include/laminas-mail/vendor/laminas/laminas-validator/src/Ip.php] [Lines 116-192] [Old Code] - Used loose comparison (==) for IP validation - Had weaker IPv6 validation logic with potential false positives - Less strict type checking in IPvFuture validation [Fixed Code] - Uses strict comparison (===) for IP validation - Improved IPv6 validation with more precise checks - Added explicit type checking in IPvFuture validation 2. Vulnerability Existed: yes [Type Juggling Vulnerability] [include/laminas-mail/vendor/laminas/laminas-validator/src/Ip.php] [Lines 125, 137, 159, 192] [Old Code] - Used loose comparisons (==) which could lead to type juggling issues - Potential for false positives in IP validation due to type coercion [Fixed Code] - Replaced with strict comparisons (===) - Added explicit type checks (str_contains, !== false checks) - More robust validation against type juggling attacks 3. Vulnerability Existed: not sure [Potential IPv4 Address Spoofing] [include/laminas-mail/vendor/laminas/laminas-validator/src/Ip.php] [Lines 137-142] [Old Code] - Less strict validation of IPv4-mapped IPv6 addresses [Fixed Code] - Added more precise validation for IPv4 portions in IPv6 addresses - May address potential spoofing vectors in IPv6 representations of IPv4 The changes primarily focus on improving the robustness of IP address validation, particularly for IPv6 addresses, and addressing potential security issues related to type juggling and weak comparisons. The fixes make the validator more strict and precise in its checks, reducing the chance of false positives that could lead to security bypasses.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/GreaterThan.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/GreaterThan.php@@ -1,20 +1,19 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator; use Laminas\Stdlib\ArrayUtils; use Traversable;+use function array_key_exists;+use function array_shift;+use function func_get_args;+use function is_array;+ class GreaterThan extends AbstractValidator {- const NOT_GREATER = 'notGreaterThan';- const NOT_GREATER_INCLUSIVE = 'notGreaterThanInclusive';+ public const NOT_GREATER = 'notGreaterThan';+ public const NOT_GREATER_INCLUSIVE = 'notGreaterThanInclusive'; /** * Validation failure message template definitions@@ -22,13 +21,11 @@ * @var array */ protected $messageTemplates = [- self::NOT_GREATER => "The input is not greater than '%min%'",+ self::NOT_GREATER => "The input is not greater than '%min%'", self::NOT_GREATER_INCLUSIVE => "The input is not greater than or equal to '%min%'", ];- /**- * @var array- */+ /** @var array */ protected $messageVariables = [ 'min' => 'min', ];@@ -62,7 +59,7 @@ $options = ArrayUtils::iteratorToArray($options); } if (! is_array($options)) {- $options = func_get_args();+ $options = func_get_args(); $temp['min'] = array_shift($options); if (! empty($options)) {@@ -99,10 +96,9 @@ /** * Sets the min option *- * @param mixed $min * @return $this Provides a fluent interface */- public function setMin($min)+ public function setMin(mixed $min) { $this->min = $min; return $this;
After analyzing the provided code diff, I don't find any clear security vulnerabilities that were fixed. The changes appear to be primarily code style improvements and modernization rather than security fixes. Here's the analysis: 1. Vulnerability Existed: no No specific vulnerability found [include/laminas-mail/vendor/laminas/laminas-validator/src/GreaterThan.php] [Various lines] The changes include: - Removal of docblock comments - Changing constants from implicit public to explicit public - Formatting improvements (spacing, alignment) - Type hinting added for setMin() method - Use statements added for functions The changes are mostly cosmetic and don't appear to address any security issues. The modifications include: - Modernizing PHP code (adding type hints, using explicit visibility for constants) - Code style improvements (consistent spacing, alignment) - Adding function imports - Removing redundant docblocks These changes improve code quality and maintainability but don't appear to fix any security vulnerabilities. If there were any security implications in these changes, they would be extremely subtle (like maybe making the code slightly more robust through better type checking), but nothing that would qualify as a vulnerability fix.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.