2014-11-26 12:16 EST

ID: 0012309
Project: mantisbt
Category: security
View Status: public
Last Update: 2011-08-02 12:35
Reporter: atrol
Assigned To: dhx
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.2
Target Version: 1.2.3
Fixed in Version: 1.2.3
Summary: 0012309: XSS issues when viewing Summary page
Description: Scripting code entered in summary field might be executed when displaying Summary page
Steps To Reproduce:
1. Enter an issue with scripting code in Summary field
2. View "Summary" page
3. See your code being executed if issue is displayed in list of longest open issues
Tags: No tags attached.
Attached Files
  • issue12309.patch (1,154 bytes) 2010-09-02 04:39
    From e789c340dd658d54276202353fe7bf6d142d5b4c Mon Sep 17 00:00:00 2001
    From: Roland Becker <roland@atrol.de>
    Date: Thu, 2 Sep 2010 10:33:35 +0200
    Subject: [PATCH] Fix #12309: XSS issues when viewing Summary page
    
    ---
     core/summary_api.php |    4 ++--
     1 files changed, 2 insertions(+), 2 deletions(-)
    
    diff --git a/core/summary_api.php b/core/summary_api.php
    index c58a678..4950f4a 100644
    --- a/core/summary_api.php
    +++ b/core/summary_api.php
    @@ -333,7 +333,7 @@ function summary_print_by_activity() {
     
     	foreach( $t_summarydata as $row ) {
     		$t_bugid = string_get_bug_view_link( $row['id'] );
    -		$t_summary = string_html_specialchars( $row['summary'] );
    +		$t_summary = string_display_line( $row['summary'] );
     		$t_notescount = $row['count'];
     
     		print "<tr " . helper_alternate_class() . ">\n";
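Review bot: this hunk swaps one escaping helper for another rather than closing the hole: `string_html_specialchars( $row['summary'] )` already escaped the summary before it was printed, so the change here is the consistency requested in note ~0026512 (use string_display_line() in both loops). Since the name string_display_line() does not say that it escapes, confirm that it HTML-escapes its input at least as strictly as string_html_specialchars() before relying on it here, and consider stating in the commit message that this hunk is an alignment and the summary_print_by_age() hunk is the actual fix.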
    @@ -377,7 +377,7 @@ function summary_print_by_age() {
     		}
     
     		$t_bugid = string_get_bug_view_link( $row['id'] );
    -		$t_summary = $row['summary'];
    +		$t_summary = string_display_line( $row['summary'] );
     		$t_days_open = intval(( time() - $row['date_submitted'] ) / SECONDS_PER_DAY );
     
     		print "<tr " . helper_alternate_class() . ">\n";
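Review bot: this is the hunk that actually fixes the reported XSS: `$t_summary = $row['summary'];` assigned the summary unescaped for the table row printed below, so markup stored in an issue summary reached the browser on the Summary page. Wrapping it in string_display_line() matches the other loop. Of the other values printed in this row, $t_days_open is safe because intval() yields an integer; $t_bugid comes from string_get_bug_view_link(), which should be confirmed to return escaped output. A regression test that stores a summary containing markup and checks that the rendered Summary page shows it escaped would keep this from reappearing in the other summary loops.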
    -- 
    1.7.2.2
    
    

Relationships
related to 0012432 (closed, giallu): XSS issues when viewing Summary page

Notes

~0026511

atrol (developer)

Reminder sent to: dhx, jreese

Please have a look at the patch and if it's OK let it become part of next version.

~0026512

dhx (reporter)

Good find, thanks atrol.

The only comment I have is that I think we should be using string_display_line() instead of string_html_specialchars() for sanitising the summary. I can fix that up in your patch when I commit it.

~0026513

atrol (developer)

Last edited: 2010-08-30 03:22


I changed it the same way as it's done for the list of most active issues.
If string_html_specialchars is the right way to do it, you have to change it twice.


~0026546

atrol (developer)

Updated patch to use string_display_line()

~0026547

dhx (reporter)

Thanks Roland, I've committed it at long last. Sorry for the delay!

~0026548

dhx (reporter)

That was your first patch? Congratulations! :)

~0026552

atrol (developer)

It's the second, first was 0012217 :)

Issue History
Date Modified Username Field Change
2010-08-30 02:55 atrol New Issue
2010-08-30 02:57 atrol File Added: issue12309.patch
2010-08-30 02:59 atrol Note Added: 0026511
2010-08-30 03:07 dhx Note Added: 0026512
2010-08-30 03:07 dhx Assigned To => dhx
2010-08-30 03:07 dhx Status new => assigned
2010-08-30 03:13 atrol Note Added: 0026513
2010-08-30 03:22 atrol Note Edited: 0026513
2010-09-02 04:39 atrol File Deleted: issue12309.patch
2010-09-02 04:39 atrol File Added: issue12309.patch
2010-09-02 04:40 atrol Note Added: 0026546
2010-09-02 07:24 dhx Changeset attached => MantisBT master-1.2.x 085097fc
2010-09-02 07:24 dhx Resolution open => fixed
2010-09-02 07:24 dhx Fixed in Version => 1.2.3
2010-09-02 07:24 dhx Note Added: 0026547
2010-09-02 07:24 dhx Status assigned => resolved
2010-09-02 07:25 dhx Changeset attached => MantisBT master 61e90d06
2010-09-02 07:27 dhx Note Added: 0026548
2010-09-02 07:45 atrol Note Added: 0026552
2010-09-19 02:03 dhx View Status private => public
2010-10-07 05:46 giallu Issue cloned: 0012432
2010-10-07 05:46 giallu Relationship added related to 0012432
2011-08-02 12:35 dregad Status resolved => closed