Release OpenProject 16.6.7

Author: oliverguenther

docs/release-notes/16-6-7/README.md

@@ -0,0 +1,69 @@
+---
+title: OpenProject 16.6.7
+sidebar_navigation:
+    title: 16.6.7
+release_version: 16.6.7
+release_date: 2026-02-06
+---
+
+ # OpenProject 16.6.7
+
+ Release date: 2026-02-06
+
+ We released OpenProject [OpenProject 16.6.7](https://community.openproject.org/versions/2265).
+ The release contains several bug fixes and we recommend updating to the newest version.
+ Below you will find a complete list of all changes and bug fixes.
+
+<!-- BEGIN CVE AUTOMATED SECTION -->
+
+## Security fixes
+
+
+
+### GHSA-q523-c695-h3hp - Stored HTML injection on time tracking
+
+An HTML injection vulnerability occurs in the time tracking function of OpenProject version 17.0.2. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the `Work package` section when creating time tracking.
+
+
+
+Responsibly disclosed by Researcher: Nguyen Truong Son ([truongson526@gmail.com](mailto:truongson526@gmail.com)) through the GitHub advisory.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-q523-c695-h3hp](https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp)
+
+
+
+### GHSA-x37c-hcg5-r5m7 - Command Injection on OpenProject repositories leads to Remote Code Execution
+
+An arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (`/projects/:project_id/repository/changes`) when rendering the “latest changes” view via `git log`.
+
+
+
+By supplying a specially crafted `rev` value (for example, `rev=--output=/tmp/poc.txt`), an attacker can inject `git log` command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled `rev` as an option and writes the output to an attacker-chosen path.
+
+
+
+As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of `git log` output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as `/etc/passwd`.
+
+
+
+This vulnerability was reported by user [sam91281](https://yeswehack.com/hunters/sam91281) as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-x37c-hcg5-r5m7](https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7)
+
+
+<!-- END CVE AUTOMATED SECTION -->
+
+<!--more-->
+
+## Bug fixes and changes
+
+<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
+<!-- BEGIN AUTOMATED SECTION -->
+
+
+<!-- END AUTOMATED SECTION -->
+<!-- Warning: Anything above this line will be automatically removed by the release script -->

docs/release-notes/README.md

@@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases
 <!--- New release notes are generated below. Do not remove comment. -->
 <!--- RELEASE MARKER -->
 
+## 16.6.7
+
+Release date: 2026-02-06
+
+[Release Notes](16-6-7/)
+
+
 ## 16.6.6
 
 Release date: 2026-01-27

frontend/package-lock.json

@@ -148,6 +148,7 @@
     "jquery.cookie": "^1.4.1",
     "jquery.flot": "^0.8.3",
     "json5": "^2.2.2",
+    "lit-html": "^3.3.2",
     "lodash": "^4.17.21",
     "mark.js": "^8.11.0",
     "mdx-embed": "^1.1.2",

frontend/package.json

@@ -1,5 +1,5 @@
 import { ActionEvent, Controller } from '@hotwired/stimulus';
-import { Calendar, EventApi } from '@fullcalendar/core';
+import { Calendar, EventApi, EventContentArg } from '@fullcalendar/core';
 import timeGridPlugin from '@fullcalendar/timegrid';
 import dayGridPlugin from '@fullcalendar/daygrid';
 import interactionPlugin from '@fullcalendar/interaction';
@@ -12,6 +12,8 @@ import allLocales from '@fullcalendar/core/locales-all';
 import { renderStreamMessage } from '@hotwired/turbo';
 import { opStopwatchStopIconData, toDOMString } from '@openproject/octicons-angular';
 import { useMeta } from 'stimulus-use';
+import { html, render, TemplateResult } from 'lit-html';
+import { unsafeHTML } from 'lit-html/directives/unsafe-html.js';
 
 export default class MyTimeTrackingController extends Controller {
   private turboRequests:TurboRequestsService;
@@ -124,38 +126,12 @@ export default class MyTimeTrackingController extends Controller {
         return classes;
       },
       eventContent: (info) => {
-        let timeDetails = '';
-        let stopTimerButton = '';
-        let duration = info.event.extendedProps.hours as number;
+        const wrapper = document.createElement('div');
+        wrapper.classList.add('fc-event-main-frame');
 
-        if (info.isResizing && info.event.start && info.event.end) {
-          duration = this.calculateHours(info.event);
-        }
+        render(this.createEventContent(info), wrapper);
 
-        if (!info.event.allDay) {
-          const time = `${toMoment(info.event.start!, this.calendar).format('LT')} - ${toMoment(info.event.end!, this.calendar).format('LT')}`;
-          timeDetails = `<div class="fc-event-times" title="${time}">${time}</div>`;
-        }
-
-        if (info.event.extendedProps.ongoing) {
-          stopTimerButton = toDOMString(opStopwatchStopIconData, 'small', { 'aria-hidden': 'true', class: 'octicon stop-timer-button' });
-        }
-
-        return {
-          html: `
-           <div class="fc-event-main-frame">
-             <div class="fc-event-time">${stopTimerButton} ${this.displayDuration(duration)}</div>
-             <div class="fc-event-title-container">
-                <div class="fc-event-title fc-event-wp" title="${info.event.extendedProps.workPackageSubject}">
-                  <a class="Link--primary Link" href="${this.pathHelper.workPackageShortPath(info.event.extendedProps.workPackageId as string)}">
-                    ${info.event.extendedProps.workPackageSubject}
-                  </a>
-               </div>
-               <div class="fc-event-project" title="${info.event.extendedProps.projectName}">${info.event.extendedProps.projectName}</div>
-               ${timeDetails}
-             </div>
-           </div>`,
-        };
+        return { domNodes: [wrapper] };
       },
       select: (info) => {
         let dialogParams = 'onlyMe=true';
@@ -261,6 +237,46 @@ export default class MyTimeTrackingController extends Controller {
     this.calendar.render();
   }
 
+  createEventContent(info:EventContentArg) {
+    let timeDetails:string|TemplateResult = '';
+    let stopTimerButton = '';
+    let duration = info.event.extendedProps.hours as number;
+
+    if (info.isResizing && info.event.start && info.event.end) {
+      duration = this.calculateHours(info.event);
+    }
+
+    if (!info.event.allDay) {
+      const time = `${toMoment(info.event.start!, this.calendar).format('LT')} - ${toMoment(info.event.end!, this.calendar).format('LT')}`;
+      timeDetails = html`<div class="fc-event-times" title="${time}">${time}</div>`;
+    }
+
+    if (info.event.extendedProps.ongoing) {
+      stopTimerButton = toDOMString(opStopwatchStopIconData, 'small', {
+        'aria-hidden': 'true',
+        class: 'octicon stop-timer-button',
+      });
+    }
+
+    return html`
+      <div class="fc-event-time">
+        ${unsafeHTML(stopTimerButton)}
+        ${this.displayDuration(duration)}
+      </div>
+      <div class="fc-event-title-container">
+        <div class="fc-event-title fc-event-wp" title="${info.event.extendedProps.workPackageSubject}">
+          <a class="Link--primary Link"
+             href="${this.pathHelper.workPackageShortPath(info.event.extendedProps.workPackageId as string)}">
+            ${info.event.extendedProps.workPackageSubject}
+          </a>
+        </div>
+        <div class="fc-event-project" title="${info.event.extendedProps.projectName}">
+          ${info.event.extendedProps.projectName}
+        </div>
+        ${timeDetails}
+      </div>`;
+  }
+
   addTotalFooter() {
     if (!this.calendar) return;
     const calendarScrollGridWrapper = document.querySelector('.fc-timegrid .fc-scrollgrid tbody');
@@ -368,7 +384,7 @@ export default class MyTimeTrackingController extends Controller {
     return tr;
   }
 
-  updateTimeEntry(timeEntryId:string, spentOn:string, startTime:string | null, hours:number, revertFunction:() => void) {
+  updateTimeEntry(timeEntryId:string, spentOn:string, startTime:string|null, hours:number, revertFunction:() => void) {
     fetch(this.pathHelper.timeEntryUpdate(timeEntryId), {
       method: 'PATCH',
       headers: {
@@ -470,7 +486,10 @@ export default class MyTimeTrackingController extends Controller {
     interface AdditionalDialogCloseData {
       spent_on?:string;
     }
-    const { detail: { dialog, additional, submitted } } = event as { detail:{ dialog:HTMLDialogElement; additional:AdditionalDialogCloseData|undefined; submitted:boolean } };
+
+    const { detail: { dialog, additional, submitted } } = event as {
+      detail:{ dialog:HTMLDialogElement; additional:AdditionalDialogCloseData|undefined; submitted:boolean }
+    };
     if (dialog.id !== 'time-entry-dialog' || !submitted) { return; }
 
     // we simply refresh the calendar page