Release OpenProject 16.6.8

Author: oliverguenther

docs/release-notes/16-6-8/README.md

@@ -0,0 +1,47 @@
+---
+title: OpenProject 16.6.8
+sidebar_navigation:
+    title: 16.6.8
+release_version: 16.6.8
+release_date: 2026-02-18
+---
+
+ # OpenProject 16.6.8
+
+ Release date: 2026-02-18
+
+ We released OpenProject [OpenProject 16.6.8](https://community.openproject.org/versions/2276).
+ The release contains several bug fixes and we recommend updating to the newest version.
+ Below you will find a complete list of all changes and bug fixes.
+
+<!-- BEGIN CVE AUTOMATED SECTION -->
+
+## Security fixes
+
+
+
+### CVE-2026-27019 - Path Traversal via Incoming Email Attachments Leads to Arbitrary File Write and RCE
+
+When OpenProject is configured to accept and handle incoming emails, it was possible that an attacker could send an email with a specially crafted attachment that would be written to a predefined location in the filesystem. All files that can be written by the `openproject` system user could be written. This could even be evaluated to a Remote Code Execution vulnerability.
+
+
+
+This vulnerability was reported by user [sam91281](https://yeswehack.com/hunters/sam91281) as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-r85w-rv9m-q784](https://github.com/opf/openproject/security/advisories/GHSA-r85w-rv9m-q784)
+
+
+<!-- END CVE AUTOMATED SECTION -->
+
+<!--more-->
+
+## Bug fixes and changes
+
+<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
+<!-- BEGIN AUTOMATED SECTION -->
+
+
+<!-- END AUTOMATED SECTION -->
+<!-- Warning: Anything above this line will be automatically removed by the release script -->

docs/release-notes/README.md

@@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases
 <!--- New release notes are generated below. Do not remove comment. -->
 <!--- RELEASE MARKER -->
 
+## 16.6.8
+
+Release date: 2026-02-18
+
+[Release Notes](16-6-8/)
+
+
 ## 16.6.7
 
 Release date: 2026-02-06

lib/open_project/files.rb

@@ -30,43 +30,29 @@ module OpenProject
   module Files
     module_function
 
-    ##
-    # Creates a temp file with the given file name.
-    # It will reside in some temporary directory.
-    def create_temp_file(name: "test.txt", content: "test content", binary: false)
-      tmp = Tempfile.new name
-      path = Pathname(tmp)
-
-      tmp.delete # delete temp file
-      path.mkdir # create temp directory
-
-      file_path = path.join name
-      File.open(file_path, "w" + (binary ? "b" : "")) do |f|
-        f.write content
-      end
-
-      File.new file_path
+    def build_uploaded_file(tempfile, type, binary: true, file_name: nil)
+      Rack::Multipart::UploadedFile.new tempfile.path,
+                                        type,
+                                        binary,
+                                        filename: file_name
     end
 
-    def build_uploaded_file(tempfile, type, binary: true, file_name: nil)
-      uploaded_file = Rack::Multipart::UploadedFile.new tempfile.path,
-                                                        type,
-                                                        binary
-      if file_name
-        # I wish I could set the file name in a better way *sigh*
-        uploaded_file.instance_variable_set(:@original_filename, file_name)
+    def create_uploaded_file(name:, content_type:, content:, binary: false)
+      create_temp_file(name:, content:, binary:) do |f|
+        build_uploaded_file f, content_type, binary:, file_name: File.basename(name)
       end
-
-      uploaded_file
     end
 
-    def create_uploaded_file(name: "test.txt",
-                             content_type: "text/plain",
-                             content: "test content",
-                             binary: false)
+    def create_temp_file(name:, content:, binary: false, &)
+      basename = name
+      Tempfile.create(basename) do |f|
+        f.binmode if binary
 
-      tmp = create_temp_file(name:, content:, binary:)
-      build_uploaded_file tmp, content_type, binary:
+        f.write content
+        f.rewind
+
+        yield f
+      end
     end
   end
 end

lib/open_project/version.rb

@@ -33,7 +33,7 @@ module OpenProject
   module VERSION # :nodoc:
     MAJOR = 16
     MINOR = 6
-    PATCH = 7
+    PATCH = 8
 
     class << self
       # Used by semver to define the special version (if any).

modules/bim/lib/open_project/bim/bcf_xml/exporter.rb

@@ -111,9 +111,14 @@ def topic_markup_file(issue_dir, issue)
 
     ##
     # Write viewpoints
-    def viewpoints_for(issue_dir, issue)
+    def viewpoints_for(issue_dir, issue) # rubocop:disable Metrics/AbcSize
       [].tap do |files|
         issue.viewpoints.find_each do |vp|
+          # Sanity check for the viewpoints GUID, to protect against
+          # path traversal when generating the viewpoint file name
+          uuid_regex = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i
+          next unless vp.uuid.match?(uuid_regex)
+
           vp_file = File.join(issue_dir, "#{vp.uuid}.bcfv")
           snapshot_file = File.join(issue_dir, "#{vp.uuid}#{vp.snapshot.extension}")
 

publiccode.yml

@@ -7,8 +7,8 @@ name: OpenProject
 applicationSuite: openDesk
 url: 'https://github.com/opf/openproject'
 roadmap: 'https://www.openproject.org/roadmap'
-releaseDate: '2026-02-06'
-softwareVersion: '16.6.7'
+releaseDate: '2026-02-18'
+softwareVersion: '16.6.8'
 developmentStatus: stable
 softwareType: standalone/web
 logo: 'publiccode_logo.svg'

spec/lib/open_project/files_spec.rb

@@ -59,14 +59,14 @@
 require "spec_helper"
 
 RSpec.describe OpenProject::Files do
-  describe "build_uploaded_file" do
+  describe ".build_uploaded_file" do
     let(:original_filename) { "test.png" }
     let(:content_type) { "image/png" }
     let(:file) do
-      OpenProject::Files.create_temp_file(name: original_filename)
+      Tempfile.new(File.basename(original_filename))
     end
 
-    subject { OpenProject::Files.build_uploaded_file(file, content_type) }
+    subject { described_class.build_uploaded_file(file, content_type, file_name: original_filename) }
 
     it "has the original file name" do
       expect(subject.original_filename).to eql(original_filename)
@@ -79,47 +79,24 @@
     context "with custom file name" do
       let(:file_name) { "my-custom-filename.png" }
 
-      subject { OpenProject::Files.build_uploaded_file(file, content_type, file_name:) }
+      subject { described_class.build_uploaded_file(file, content_type, file_name:) }
 
       it "has the custom file name" do
         expect(subject.original_filename).to eql(file_name)
       end
     end
   end
 
-  describe "create_uploaded_file" do
-    context "without parameters" do
-      let(:file) { OpenProject::Files.create_uploaded_file }
-
-      it 'creates a file with the default name "test.txt"' do
-        expect(file.original_filename).to eq "test.txt"
-      end
-
-      it "creates distinct files even with identical names" do
-        file_2 = OpenProject::Files.create_uploaded_file
-
-        expect(file.original_filename).to eq file_2.original_filename
-        expect(file.path).not_to eq file_2.path
-      end
-
-      it 'writes some default content "test content"' do
-        expect(file.read).to eq "test content"
-      end
-
-      it 'set default content type "text/plain"' do
-        expect(file.content_type).to eq "text/plain"
-      end
-    end
-
+  describe ".create_uploaded_file" do
     context "with a custom name, content and content type" do
       let(:name)         { "foo.jpg" }
       let(:content)      { "not-really-a-jpg" }
       let(:content_type) { "image/jpeg" }
 
       let(:file) do
-        OpenProject::Files.create_uploaded_file name:,
-                                                content:,
-                                                content_type:
+        described_class.create_uploaded_file name:,
+                                             content:,
+                                             content_type:
       end
 
       it 'creates a file called "foo.jpg"' do
@@ -138,7 +115,14 @@
     context "with binary content" do
       let(:content) { "\xD1\x9B\x86".b }
       let(:binary)  { false }
-      let(:file)    { OpenProject::Files.create_uploaded_file content:, binary: }
+      let(:file)    do
+        described_class.create_uploaded_file(
+          name: "binary_file",
+          content_type: "application/octet-stream",
+          content: content,
+          binary: binary
+        )
+      end
 
       it "fails when the content is not marked as binary" do
         expect { file }.to raise_error(Encoding::UndefinedConversionError)
@@ -152,5 +136,51 @@
         end
       end
     end
+
+    context "when a relative filename is provided" do
+      let(:name) { "../../hello/../../../foo.txt" }
+      let(:file) do
+        described_class.create_uploaded_file name:,
+                                             content: "content",
+                                             content_type: "text/plain"
+      end
+
+      it "sanitizes the file name" do
+        expect(file.original_filename).to eq "foo.txt"
+      end
+    end
+  end
+
+  describe ".create_temp_file" do
+    let(:name) { "tempfile.txt" }
+    let(:content) { "temporary content" }
+    let(:binary) { false }
+
+    subject do
+      described_class.create_temp_file(name:, content:, binary:, &:read)
+    end
+
+    it "yields a file with the given content" do
+      expect(subject).to eq content
+    end
+
+    context "with binary content" do
+      let(:content) { "\xD1\x9B\x86".b }
+      let(:binary)  { true }
+
+      it "yields the binary content" do
+        expect(subject).to eq content
+      end
+    end
+
+    context "when a relative filename is provided" do
+      let(:name) { "../../tempfile.txt" }
+
+      it "sanitizes the file name" do
+        described_class.create_temp_file(name:, content:, binary:) do |f|
+          expect(f.path).to eq(File.expand_path(f.path))
+        end
+      end
+    end
   end
 end

spec/support/file_helpers.rb

@@ -35,8 +35,10 @@ def mock_uploaded_file(name: "test.txt",
                          content_type: "text/plain",
                          content: "test content",
                          binary: false)
+    ::OpenProject::Files.create_uploaded_file(name:, content_type:, content:, binary:)
 
-    tmp = ::OpenProject::Files.create_temp_file(name:, content:, binary:)
-    Rack::Test::UploadedFile.new tmp.path, content_type, binary
+    ::OpenProject::Files.create_temp_file(name:, content:, binary:) do |tmp|
+      Rack::Test::UploadedFile.new tmp.path, content_type, binary, original_filename: File.basename(name)
+    end
   end
 end