# This patch fixes OSA-2018-04: An attacker could send a malicious email to an
# OTRS system. If a user with admin permissions opens it, this causes deletion
# of arbitrary files that the OTRS web server user has write access to.
# https://community.otrs.com/security-advisory-2018-04-security-update-for-otrs-framework/

diff -Naur otrs2-5.0.16.orig/Kernel/Modules/AdminSupportDataCollector.pm otrs2-5.0.16/Kernel/Modules/AdminSupportDataCollector.pm
--- otrs2-5.0.16.orig/Kernel/Modules/AdminSupportDataCollector.pm	2017-01-17 03:39:35.000000000 +0100
+++ otrs2-5.0.16/Kernel/Modules/AdminSupportDataCollector.pm	2018-10-12 13:36:08.723033628 +0200
@@ -275,6 +275,8 @@
 sub _GenerateSupportBundle {
     my ( $Self, %Param ) = @_;
 
+    $Kernel::OM->Get('Kernel::Output::HTML::Layout')->ChallengeTokenCheck();
+
     my $MainObject = $Kernel::OM->Get('Kernel::System::Main');
     my $RandomID   = $MainObject->GenerateRandomString(
         Length     => 8,
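Review bot: The new `ChallengeTokenCheck()` call on the added line is made in void context, so a reader has to know that the method itself aborts the request rather than returning a boolean; as far as I know the Layout method ends the request with a fatal error screen on a missing or mismatched token, but nothing in the hunk shows that. A one-line comment above the call would make the guard self-explanatory, e.g. `# CSRF guard: aborts the request with a fatal error screen unless the ChallengeToken parameter matches the session; nothing below runs for a forged request.` The same bare call is added in the second hunk of this file and would benefit from the same comment. `_GenerateSupportBundle` continues past the end of the hunk.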
@@ -345,12 +347,23 @@
 
     my $ParamObject  = $Kernel::OM->Get('Kernel::System::Web::Request');
     my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
+
+    $LayoutObject->ChallengeTokenCheck();
+
     my $Filename     = $ParamObject->GetParam( Param => 'Filename' ) || '';
     my $RandomID     = $ParamObject->GetParam( Param => 'RandomID' ) || '';
 
-    if ( !$Filename ) {
+    # Validate simple file name.
+    if ( !$Filename || $Filename !~ m{^[a-z0-9._-]+$}smxi  ) {
+        return $LayoutObject->ErrorScreen(
+            Message => "Need Filename or Filename invalid!",
+        );
+    }
+
+    # Validate simple RandomID.
+    if ( !$RandomID || $RandomID !~ m{^[a-f0-9]+$}smx  ) {
         return $LayoutObject->ErrorScreen(
-            Message => "Need Filename!",
+            Message => "Need RandomID or RandomID invalid!",
         );
     }
 
diff -Naur otrs2-5.0.16.orig/Kernel/Output/HTML/Templates/Standard/AdminSupportDataCollector.tt otrs2-5.0.16/Kernel/Output/HTML/Templates/Standard/AdminSupportDataCollector.tt
--- otrs2-5.0.16.orig/Kernel/Output/HTML/Templates/Standard/AdminSupportDataCollector.tt	2017-01-17 03:39:35.000000000 +0100
+++ otrs2-5.0.16/Kernel/Output/HTML/Templates/Standard/AdminSupportDataCollector.tt	2018-10-12 13:36:08.723033628 +0200
@@ -216,7 +216,7 @@
                 }
 
                 $('#DownloadSupportBundle').bind('click', function (Event) {
-                    window.location.href = '[% Env("Baselink") %]Action=[% Env("Action") %];Subaction=DownloadSupportBundle;Filename=' + Response.Filename + ';RandomID=' + Response.RandomID;
+                    window.location.href = '[% Env("Baselink") %]Action=[% Env("Action") %];Subaction=DownloadSupportBundle;Filename=' + Response.Filename + ';RandomID=' + Response.RandomID + ';ChallengeToken=' + Core.Config.Get('ChallengeToken');
                     Core.UI.Dialog.CloseDialog($('#SupportBundleOptionsDialog'));
                 });
             }
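Review bot: The token is concatenated into the download URL on the changed line without `encodeURIComponent`, so any reserved character in the value (`;`, `&`, `#`, `+`) would split or truncate the query string; `Response.Filename` and `Response.RandomID` on the same line have the same pre-existing problem. The cheap fix is `';ChallengeToken=' + encodeURIComponent(Core.Config.Get('ChallengeToken'))`, and the same wrapper around the two `Response` fields. Because the download is a GET, the token also ends up in browser history, web server access logs and any outbound Referer header; whether that is acceptable depends on how the token is scoped and rotated, which this patch does not show, so a short comment noting that trade-off next to the link would help a future reviewer.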
