View Issue Details

ID: 0017890
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-05 18:33
Reporter: grangeway
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.1.0a1
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017890: CVE-2014-9269: XSS in extended project browser
Description

When using the optional "Extended project browser", MantisBT becomes vulnerable to cross-site scripting attacks using forged cookies as vector.

Steps To Reproduce
  • Enable extended project browser
  • Edit the MantisBT project cookie's contents as follows:
    --><script>alert("xss")</script><!--%3B36
  • Access any page
Additional Information

Extended project browser allows projects to be passed in as A;B. helper_get_current_project() and helper_get_current_project_trace() then explode the string by ';' and don't check that A is an int (representing a project/sub-project id). Finally, print_extended_project_browser() prints the result of the split into a JavaScript array.
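As an added illustration (not code from this issue or from MantisBT), the following standalone PHP script models the parse-and-render path the report describes: a project cookie of the form A;B is split on ';', and the pieces end up in a JavaScript array literal. It contrasts the unchecked parse with the integer cast the fix applies, and adds output-side escaping via json_encode(). The function names, the rendering helpers and the benign cookie value are assumptions made for the example; only the cookie format and the forged value come from the report.

```php
<?php
// Added example, not MantisBT code: models the parse/render path from the report.
// Function names and the rendering helpers are hypothetical.

// Constructed cookie values: a benign trace and the forged value from the
// "Steps To Reproduce" (with %3B decoded to ';').
const COOKIE_BENIGN = '1;36';
const COOKIE_FORGED = '--><script>alert("xss")</script><!--;36';

// Unchecked parse, as before the fix: each piece is kept as an arbitrary string.
function parse_project_trace_unchecked( string $p_cookie ): array {
	return explode( ';', $p_cookie );
}

// Parse following the fix's approach: every piece is cast to int. Note that
// (int) turns a non-numeric piece into 0 rather than rejecting the cookie.
function parse_project_trace_cast( string $p_cookie ): array {
	return array_map( 'intval', explode( ';', $p_cookie ) );
}

// Rendering as described in the report: values dropped raw into a JS array
// literal inside a <script> block, so a value containing </script> breaks out
// of the script element and the browser parses what follows as markup.
function render_js_array_raw( array $p_ids ): string {
	$t_items = array();
	foreach( $p_ids as $t_id ) {
		$t_items[] = "'" . $t_id . "'";
	}
	return 'var projects = [' . implode( ', ', $t_items ) . '];';
}

// Output-side hardening: json_encode() emits integers as bare numbers and, with
// JSON_HEX_TAG, escapes '<' and '>' in any string so the literal cannot close
// the enclosing <script> element even if a non-integer value slips through.
function render_js_array_encoded( array $p_ids ): string {
	return 'var projects = ' . json_encode( $p_ids, JSON_HEX_TAG | JSON_HEX_AMP ) . ';';
}

foreach( array( COOKIE_BENIGN, COOKIE_FORGED ) as $t_cookie ) {
	echo "cookie: $t_cookie\n";
	echo '  unchecked + raw:  ' . render_js_array_raw( parse_project_trace_unchecked( $t_cookie ) ) . "\n";
	echo '  cast + raw:       ' . render_js_array_raw( parse_project_trace_cast( $t_cookie ) ) . "\n";
	echo '  unchecked + json: ' . render_js_array_encoded( parse_project_trace_unchecked( $t_cookie ) ) . "\n";
	echo '  cast + json:      ' . render_js_array_encoded( parse_project_trace_cast( $t_cookie ) ) . "\n";
}
```

Run it with `php example.php`. For the forged cookie, only the "unchecked + raw" line carries a literal `</script>` into the output; the cast alone reduces the first piece to 0, and json_encode() alone neutralises the markup characters, so either layer blocks this vector and using both gives defence in depth.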

Tags: No tags attached.
Attached Files
grangeway1.patch (1,924 bytes)   
From 5c55e6c6357c67d91b5f4cbec5846c30e3b94ab8 Mon Sep 17 00:00:00 2001
From: Paul Richards <paul@mantisforge.org>
Date: Sat, 18 Oct 2014 23:32:59 +0100
Subject: [PATCH] Fix Cross-Site Scripting issue via helper_get_current_project

<paulr_> there's no bug in tracker for this one
<paulr_> it's in helper get project trace
<paulr_> anyway,  helper_get_current_project_trace is WEIRD as it allows ;'s
<paulr_> aka 0;0
<paulr_> when used with subproject browser
<paulr_> there's a XSS "vulnerability" in that PROJECT_COOKIE if you could get that set to something
<paulr_> the subproject browser displays it in raw text
<paulr_> so I think we should always cast as int
<paulr_> a) whether there's any realistic way to exploit that...
<paulr_> b) in 1.3, code in trace functions for ;
<paulr_> but the 2 project browser weird thing is gone
<dregad> you know, it would be a lot easier if you did this the right way, i.e. private issue on the tracker
<dregad> and attach the patch to it ;)
<paulr_> I couldn't work out before we the explode logic in trace actually is needed anymore

---
 core/helper_api.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/core/helper_api.php b/core/helper_api.php
index 8579212..c88c747 100644
--- a/core/helper_api.php
+++ b/core/helper_api.php
@@ -232,6 +232,9 @@ function helper_get_current_project() {
 			$t_project_id = $t_pref->default_project;
 		} else {
 			$t_project_id = explode( ';', $t_project_id );
+			foreach( $t_project_id as $t_key => $t_id ) {
+				$t_project_id[$t_key] = (int)$t_id;
+			}
 			$t_project_id = $t_project_id[count( $t_project_id ) - 1];
 		}

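Review bot: the foreach that casts every element of $t_project_id does more than this function needs, because the very next line keeps only the last element; casting just that element, `$t_project_id = (int)$t_project_id[count( $t_project_id ) - 1];`, closes the same hole with less code. Also note that `(int)` on a non-numeric cookie fragment yields 0 rather than an error, so a forged value silently degrades to project id 0; if that is not the intended fallback, checking each piece with ctype_digit() before the cast and discarding the cookie on failure would make the behaviour explicit.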
@@ -272,6 +275,9 @@ function helper_get_current_project_trace() {

 	} else {
 		$t_project_id = explode( ';', $t_project_id );
+		foreach( $t_project_id as $t_key => $t_id ) {
+			$t_project_id[$t_key] = (int)$t_id;
+		}
 		$t_bottom = $t_project_id[count( $t_project_id ) - 1];
 	}

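Review bot: here the whole array is retained as the trace, so casting each element is appropriate, but `$t_project_id = array_map( 'intval', explode( ';', $t_project_id ) );` expresses the same thing in one statement and avoids writing back into the array being iterated. This hunk only sanitises the input side; per the report, print_extended_project_browser() still writes the split values straight into a JavaScript array, so emitting them through json_encode() (or otherwise escaping at output) would add defence in depth should any other caller ever pass non-integer values into the trace.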
--
1.9.4.msysgit.1


grangeway1-1.PNG (45,719 bytes)
grangeway1-2.PNG (24,474 bytes)

Activities

Related Changesets

MantisBT: master-1.2.x 511564cc

2014-11-15 03:57

dregad


Fix 0017890: XSS in extended project browser

Extended project browser allows projects to be passed in as A;B.
helper_get_current_project() and helper_get_current_project_trace() then
explode the string by ';' and don't check that A is an int (a project /
sub-project id). Finally, print_extended_project_browser() prints the
result of the split into a JavaScript array.

Paul Richards discovered the issue and wrote the original patch for it.
His code was modified to remove a redundant typecast as well as an
unnecessary foreach loop in helper_get_current_project(), replacing it
with a single type cast.
Affected Issues
0017890
mod - core/helper_api.php