View Issue Details

IDProjectCategoryView StatusLast Update
0020107mantisbtadministrationpublic2016-06-12 00:43
ReportercproensaAssigned Tocproensa 
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version1.3.0-beta.3 
Target Version1.3.0-rc.2Fixed in Version1.3.0-rc.2 
Summary0020107: config report filter by option name doesnt work for some options
Description

In configuration report (adm_config_report.php)
when selecting a specific configuration option, some optios are not showing the filtered list and resets to the "any" state.

Probably caused by code that checks the option name only over global variables.

Steps To Reproduce

In configuration report page, select the filter as this:
user name = [any]
project name = [any]
configuration option = "database_version"

The filter doesnt work

Additional Information

this block from "adm_config_report.php"
(introduced by 0019301)

function check_config_value( $p_config ) {
    if(    $p_config != META_FILTER_NONE
       && !is_blank( $p_config )
    && is_null( @config_get_global( $p_config ) )
    ) {
        return META_FILTER_NONE;
    }
    return $p_config;
}

changing the check into:

&& is_null( @config_get( $p_config ) )

seems to make the filter work
this may not be not a proper fix, since i am not aware of the implications of this change

TagsNo tags attached.

Relationships

related to 0019301 closeddregad CVE-2015-2046 : XSS in adm_config_report.php (FG-VD-15-008) 

Activities

dregad

dregad

2015-09-15 02:24

developer   ~0051461

I don't remember the reason (assuming there was any) why I used config_get_global() here. Need to check if replacing that by a config_get() call as suggested would have any side effects.

cproensa

cproensa

2015-09-21 07:45

developer   ~0051508

there is a little more changes involved
PR: https://github.com/mantisbt/mantisbt/pull/652

Related Changesets

MantisBT: master 15990874

2015-09-21 06:45:03

cproensa


Committer: dregad Details Diff
Fix adm_config_report filter for protected configs

In adm_config_report.php, when filtering by option name some options
were shown but did not work with the filter, and couldn't be set
manually.

We now check for option names in DB also, not just global ones.

Fixes 0020107

Signed-off-by: Damien Regad <dregad@mantisbt.org>
mod - adm_config_report.php Diff File
mod - adm_config_set.php Diff File

Issue History

Date Modified Username Field Change
2015-09-13 19:45 cproensa New Issue
2015-09-15 02:01 atrol Relationship added related to 0019301
2015-09-15 02:05 atrol Status new => confirmed
2015-09-15 02:24 dregad Note Added: 0051461
2015-09-21 07:45 cproensa Note Added: 0051508
2015-12-20 17:48 dregad Changeset attached => MantisBT master 15990874
2015-12-20 17:48 dregad Assigned To => dregad
2015-12-20 17:48 dregad Status confirmed => resolved
2015-12-20 17:48 dregad Resolution open => fixed
2015-12-20 17:48 dregad Fixed in Version => 1.3.0-rc.2
2015-12-20 17:49 dregad Target Version => 1.3.0-rc.2
2015-12-21 13:50 atrol Assigned To dregad => community
2016-01-19 15:23 atrol Assigned To community => cproensa
2016-06-12 00:43 vboctor Status resolved => closed