View Issue Details

ID: 0020107
Project: mantisbt
Category: administration
View Status: public
Last Update: 2016-06-12 00:43
Reporter: cproensa
Assigned To: cproensa
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.3
Target Version: 1.3.0-rc.2
Fixed in Version: 1.3.0-rc.2
Summary: 0020107: config report filter by option name doesn't work for some options
Description

In the configuration report (adm_config_report.php), when selecting a specific configuration option, some options do not show the filtered list and the filter resets to the "any" state.

Probably caused by code that checks the option name only over global variables.

Steps To Reproduce

In configuration report page, select the filter as this:
user name = [any]
project name = [any]
configuration option = "database_version"

The filter doesn't work

Additional Information

this block from "adm_config_report.php"
(introduced by 0019301)

<pre>
function check_config_value( $p_config ) {
	if(    $p_config != META_FILTER_NONE
	    && !is_blank( $p_config )
<b>	    && is_null( @config_get_global( $p_config ) )</b>
	) {
		return META_FILTER_NONE;
	}
	return $p_config;
}
</pre>

changing the check into:
<pre>
&& is_null( @config_get( $p_config ) )
</pre>

seems to make the filter work.
This may not be a proper fix, since I am not aware of the implications of this change.

Tags: No tags attached.

Relationships

related to 0019301 (closed, dregad): CVE-2015-2046 : XSS in adm_config_report.php (FG-VD-15-008)

Activities

dregad

2015-09-15 02:24

developer   ~0051461

I don't remember the reason (assuming there was any) why I used config_get_global() here. Need to check if replacing that by a config_get() call as suggested would have any side effects.

cproensa

2015-09-21 07:45

developer   ~0051508

There are a few more changes involved.
PR: https://github.com/mantisbt/mantisbt/pull/652

Related Changesets

MantisBT: master 15990874

2015-09-21 02:45

cproensa

Committer: dregad


Fix adm_config_report filter for protected configs

In adm_config_report.php, when filtering by option name some options
were shown but did not work with the filter, and couldn't be set
manually.

We now check for option names in DB also, not just global ones.

Fixes 0020107

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0020107
mod - adm_config_report.php
mod - adm_config_set.php
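
The check discussed in this issue is an allow-list on the option-name filter: a name that is not recognised is reset to META_FILTER_NONE, so a name known only to the database is rejected when only globals are consulted. The following is an added example, not MantisBT's code and not the change made in the pull request; the option arrays are constructed stand-ins for global and database-stored configuration, and the value of META_FILTER_NONE is assumed.

```php
<?php
// Added illustration, not MantisBT code. Arrays and constant value are constructed.
const META_FILTER_NONE = -2; // "no filter" sentinel; value assumed for this sketch

// Constructed stand-ins for the two places an option name can be defined.
$g_global_options = [ 'window_title' => 'MantisBT', 'default_language' => 'auto' ];
$g_db_options     = [ 'database_version' => '209', 'window_title' => 'Tracker' ];

/**
 * Return $p_config only if it names an option in one of the given sources;
 * otherwise reset it to META_FILTER_NONE. Blank input passes through unchanged,
 * matching the condition order in the block quoted in the report.
 */
function check_config_value( $p_config, array ...$p_sources ) {
	if( $p_config === META_FILTER_NONE || trim( (string)$p_config ) === '' ) {
		return $p_config;                 // nothing to validate
	}
	foreach( $p_sources as $t_source ) {
		if( array_key_exists( (string)$p_config, $t_source ) ) {
			return $p_config;             // known option name: keep the filter
		}
	}
	return META_FILTER_NONE;              // unknown name: filter is reset
}

// Constructed request values: a global option, a DB-only option, and a
// string that is not an option name at all.
$t_inputs = [ 'window_title', 'database_version', '<b>not_an_option</b>' ];

foreach( $t_inputs as $t_in ) {
	$t_old = check_config_value( $t_in, $g_global_options );                // globals only
	$t_new = check_config_value( $t_in, $g_global_options, $g_db_options ); // globals + DB
	// The raw request value is HTML-encoded before it is echoed, independent of
	// the allow-list result (the related issue 0019301 was an XSS in this page).
	printf( "%-34s global-only=%-20s global+db=%s\n",
		htmlspecialchars( $t_in ),
		var_export( $t_old, true ),
		var_export( $t_new, true ) );
}
```

With globals only, 'database_version' comes back as META_FILTER_NONE, which is the reset described in the report; with both sources it is kept, while the string that matches no option is rejected in both cases.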