ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008975 | mantisbt | security | public | 2008-03-14 20:20 | 2008-06-17 02:48 |
Reporter | thraxisp | Assigned To | jreese | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Product Version | 1.1.1 | ||||
Target Version | 1.1.2 | Fixed in Version | 1.1.2 | ||
Summary | 0008975: CSRF Vulnerabilities in user_create | ||||
Description | Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities Name Multiple Vulnerabilities in Mantis There is a Cross Site Request Forgery vulnerability in the software. If a logged in user with administrator privileges clicks on the following url: a new user 'foo' with administrator privileges is created. The password of the new user is sent to foo@attacker.com. | ||||
Tags | patch | ||||
Attached Files | post.patch (61,214 bytes)
Index: print_all_bug_options_update.php
===================================================================
--- print_all_bug_options_update.php (revision 5116)
+++ print_all_bug_options_update.php (working copy)
@@ -20,15 +20,16 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
# Updates printing prefs then redirect to print_all_bug_page_page.php
-?>
-<?php require_once( 'core.php' ) ?>
-<?php require( 'print_all_bug_options_inc.php' ) ?>
-<?php auth_ensure_user_authenticated() ?>
-<?php
+ require_once( 'core.php' );
+ require( 'print_all_bug_options_inc.php' );
+
+ helper_ensure_post();
+
+ auth_ensure_user_authenticated();
+
$f_user_id = gpc_get_int( 'user_id' );
$f_redirect_url = gpc_get_string( 'redirect_url' );
Index: news_delete.php
===================================================================
--- news_delete.php (revision 5116)
+++ news_delete.php (working copy)
@@ -20,15 +20,15 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
require_once( $t_core_path.'news_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
$f_news_id = gpc_get_int( 'news_id' );
$row = news_get_row( $f_news_id );
Index: print_all_bug_options_reset.php
===================================================================
--- print_all_bug_options_reset.php (revision 5116)
+++ print_all_bug_options_reset.php (working copy)
@@ -30,6 +30,8 @@
require_once( $t_core_path.'current_user_api.php' );
require( 'print_all_bug_options_inc.php' );
+ helper_ensure_post();
+
auth_ensure_user_authenticated();
# protected account check
Index: bug_reminder.php
===================================================================
--- bug_reminder.php (revision 5116)
+++ bug_reminder.php (working copy)
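Review bot: `helper_ensure_post()` at the top of print_all_bug_options_update.php (and the identical one-line addition in every other handler in this patch) only rejects requests whose method is not POST, which defeats the link-click scenario in the report but not a cross-site form that is auto-submitted with method POST, since the browser still attaches the session cookie to it. The control that actually tells the application's own forms apart from a third party's is a per-session secret embedded in each form and verified here before `gpc_get_int( 'user_id' )` is read; the new ERROR_INVALID_REQUEST_METHOD string suggests the helper errors out on other methods, but its definition is not in this part of the patch, so that is inferred. A comment at the call site such as `# reject non-POST requests; limits CSRF via crafted links, not a substitute for a per-form token` would make the limited scope explicit to the next maintainer. The handler body continues past the hunk.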
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,11 +20,9 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
# This page allows an authorized user to send a reminder by email to another user
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
@@ -32,8 +30,9 @@
require_once( $t_core_path.'bug_api.php' );
require_once( $t_core_path.'email_api.php' );
require_once( $t_core_path.'bugnote_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
$f_bug_id = gpc_get_int( 'bug_id' );
$f_to = gpc_get_int_array( 'to' );
$f_body = gpc_get_string( 'body' );
Index: manage_proj_cat_copy.php
===================================================================
--- manage_proj_cat_copy.php (revision 5116)
+++ manage_proj_cat_copy.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path.'category_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$f_project_id = gpc_get_int( 'project_id' );
Index: bug_relationship_add.php
===================================================================
--- bug_relationship_add.php (revision 5116)
+++ bug_relationship_add.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -29,6 +29,8 @@
$t_core_path = config_get( 'core_path' );
require_once( $t_core_path . 'relationship_api.php' );
+ helper_ensure_post();
+
$f_rel_type = gpc_get_int( 'rel_type' );
$f_src_bug_id = gpc_get_int( 'src_bug_id' );
$f_dest_bug_id_string = gpc_get_string( 'dest_bug_id' );
Index: manage_plugin_update.php
===================================================================
--- manage_plugin_update.php (revision 5116)
+++ manage_plugin_update.php (working copy)
@@ -24,6 +24,8 @@
define( 'PLUGINS_DISABLED', true );
require_once( 'core.php' );
+helper_ensure_post();
+
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
Index: manage_custom_field_create.php
===================================================================
--- manage_custom_field_create.php (revision 5116)
+++ manage_custom_field_create.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path.'custom_field_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) );
Index: manage_proj_custom_field_copy.php
===================================================================
--- manage_proj_custom_field_copy.php (revision 5116)
+++ manage_proj_custom_field_copy.php (working copy)
@@ -23,6 +23,8 @@
require_once('core.php');
+ helper_ensure_post();
+
auth_reauthenticate();
$f_project_id = gpc_get_int( 'project_id' );
Index: manage_proj_user_copy.php
===================================================================
--- manage_proj_user_copy.php (revision 5116)
+++ manage_proj_user_copy.php (working copy)
@@ -23,6 +23,8 @@
require_once( 'core.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$f_project_id = gpc_get_int( 'project_id' );
Index: manage_plugin_upgrade.php
===================================================================
--- manage_plugin_upgrade.php (revision 5116)
+++ manage_plugin_upgrade.php (working copy)
@@ -24,6 +24,8 @@
define( 'PLUGINS_DISABLED', true );
require_once( 'core.php' );
+helper_ensure_post();
+
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
Index: tag_update.php
===================================================================
--- tag_update.php (revision 5116)
+++ tag_update.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path . 'tag_api.php' );
+ helper_ensure_post();
+
compress_enable();
$f_tag_id = gpc_get_int( 'tag_id' );
Index: bug_relationship_delete.php
===================================================================
--- bug_relationship_delete.php (revision 5116)
+++ bug_relationship_delete.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -36,6 +36,8 @@
$t_core_path = config_get( 'core_path' );
require_once( $t_core_path . 'relationship_api.php' );
+ helper_ensure_post();
+
$f_rel_id = gpc_get_int( 'rel_id' );
$f_bug_id = gpc_get_int( 'bug_id' );
Index: manage_proj_custom_field_update.php
===================================================================
--- manage_proj_custom_field_update.php (revision 5116)
+++ manage_proj_custom_field_update.php (working copy)
@@ -20,15 +20,15 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
require_once( $t_core_path.'custom_field_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
$f_field_id = gpc_get_int( 'field_id' );
$f_project_id = gpc_get_int( 'project_id' );
$f_sequence = gpc_get_int( 'sequence' );
Index: account_sponsor_update.php
===================================================================
--- account_sponsor_update.php (revision 5116)
+++ account_sponsor_update.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,23 +20,21 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
- # This page updates a user's information
+
+ # This page updates a user's sponsorships
# If an account is protected then changes are forbidden
# The page gets redirected back to account_page.php
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
require_once( $t_core_path.'email_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
auth_ensure_user_authenticated();
-?>
-<?php
+
$f_bug_list = gpc_get_string( 'buglist', '' );
$t_bug_list = explode( ',', $f_bug_list );
Index: account_prof_update.php
===================================================================
--- account_prof_update.php (revision 5116)
+++ account_prof_update.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -30,6 +30,8 @@
require_once( $t_core_path.'profile_api.php' );
+ helper_ensure_post();
+
auth_ensure_user_authenticated();
current_user_ensure_unprotected();
Index: bugnote_delete.php
===================================================================
--- bugnote_delete.php (revision 5116)
+++ bugnote_delete.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,12 +20,10 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
# Remove the bugnote and bugnote text and redirect back to
# the viewing page
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
@@ -33,8 +31,9 @@
require_once( $t_core_path.'bug_api.php' );
require_once( $t_core_path.'bugnote_api.php' );
require_once( $t_core_path.'current_user_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
$f_bugnote_id = gpc_get_int( 'bugnote_id' );
$t_bug_id = bugnote_get_field( $f_bugnote_id, 'bug_id' );
Index: lang/strings_english.txt
===================================================================
--- lang/strings_english.txt (revision 5116)
+++ lang/strings_english.txt (working copy)
@@ -313,6 +313,7 @@
$MANTIS_ERROR[ERROR_PLUGIN_PAGE_NOT_FOUND] = 'Plugin page not found.';
$MANTIS_ERROR[ERROR_COLUMNS_DUPLICATE] = 'Field \'%s\' contains duplcate column \'%s\'.';
$MANTIS_ERROR[ERROR_COLUMNS_INVALID] = 'Field \'%s\' contains invalid field \'%s\'';
+$MANTIS_ERROR[ERROR_INVALID_REQUEST_METHOD] = 'This page cannot be accessed using this method.';
$s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.';
$s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.';
Index: manage_plugin_install.php
===================================================================
--- manage_plugin_install.php (revision 5116)
+++ manage_plugin_install.php (working copy)
@@ -24,6 +24,8 @@
define( 'PLUGINS_DISABLED', true );
require_once( 'core.php' );
+helper_ensure_post();
+
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
Index: manage_proj_delete.php
===================================================================
--- manage_proj_delete.php (revision 5116)
+++ manage_proj_delete.php (working copy)
@@ -23,6 +23,8 @@
require_once( 'core.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$f_project_id = gpc_get_int( 'project_id' );
Index: bugnote_add.php
===================================================================
--- bugnote_add.php (revision 5116)
+++ bugnote_add.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,8 +20,7 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
# Insert the bugnote into the database then redirect to the bug page
require_once( 'core.php' );
@@ -31,6 +30,8 @@
require_once( $t_core_path.'bug_api.php' );
require_once( $t_core_path.'bugnote_api.php' );
+ helper_ensure_post();
+
$f_bug_id = gpc_get_int( 'bug_id' );
$f_private = gpc_get_bool( 'private' );
$f_time_tracking = gpc_get_string( 'time_tracking', '0:00' );
Index: news_update.php
===================================================================
--- news_update.php (revision 5116)
+++ news_update.php (working copy)
@@ -20,8 +20,7 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
@@ -29,8 +28,9 @@
require_once( $t_core_path.'news_api.php' );
require_once( $t_core_path.'string_api.php' );
require_once( $t_core_path.'print_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
$f_news_id = gpc_get_int( 'news_id' );
$f_project_id = gpc_get_int( 'project_id' );
$f_view_state = gpc_get_int( 'view_state' );
Index: query_store.php
===================================================================
--- query_store.php (revision 5116)
+++ query_store.php (working copy)
@@ -28,6 +28,8 @@
require_once( $t_core_path.'string_api.php' );
require_once( $t_core_path.'date_api.php' );
+ helper_ensure_post();
+
auth_ensure_user_authenticated();
compress_enable();
Index: manage_proj_cat_add.php
===================================================================
--- manage_proj_cat_add.php (revision 5116)
+++ manage_proj_cat_add.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path.'category_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$f_project_id = gpc_get_int( 'project_id' );
Index: bug_file_add.php
===================================================================
--- bug_file_add.php (revision 5116)
+++ bug_file_add.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,18 +20,17 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
# Add file to a bug and then view the bug
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
require_once( $t_core_path.'file_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
$f_bug_id = gpc_get_int( 'bug_id', -1 );
$f_file = gpc_get_file( 'file', -1 );
Index: lost_pwd.php
===================================================================
--- lost_pwd.php (revision 5116)
+++ lost_pwd.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -27,6 +27,8 @@
require_once( 'core.php' );
+ helper_ensure_post();
+
# lost password feature disabled or reset password via email disabled -> stop here!
if( OFF == config_get( 'lost_password_feature' ) ||
OFF == config_get( 'send_reset_password' ) ||
Index: manage_plugin_uninstall.php
===================================================================
--- manage_plugin_uninstall.php (revision 5116)
+++ manage_plugin_uninstall.php (working copy)
@@ -24,6 +24,8 @@
define( 'PLUGINS_DISABLED', true );
require_once( 'core.php' );
+helper_ensure_post();
+
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
Index: manage_proj_custom_field_add_existing.php
===================================================================
--- manage_proj_custom_field_add_existing.php (revision 5116)
+++ manage_proj_custom_field_add_existing.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path.'custom_field_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$f_field_id = gpc_get_int( 'field_id' );
Index: bug_assign_reporter.php
===================================================================
--- bug_assign_reporter.php (revision 5116)
+++ bug_assign_reporter.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,18 +20,17 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
# Assign bug to user then redirect to viewing page
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
require_once( $t_core_path.'bug_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
$f_bug_id = gpc_get_int( 'bug_id' );
access_ensure_bug_level( config_get( 'update_bug_threshold' ), $f_bug_id );
Index: bugnote_update.php
===================================================================
--- bugnote_update.php (revision 5116)
+++ bugnote_update.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,11 +20,9 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
# Update bugnote data then redirect to the appropriate viewing page
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
@@ -32,8 +30,9 @@
require_once( $t_core_path.'bug_api.php' );
require_once( $t_core_path.'bugnote_api.php' );
require_once( $t_core_path.'current_user_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
$f_bugnote_id = gpc_get_int( 'bugnote_id' );
$f_bugnote_text = gpc_get_string( 'bugnote_text', '' );
$f_time_tracking = gpc_get_string( 'time_tracking', '0:00' );
Index: proj_doc_add.php
===================================================================
--- proj_doc_add.php (revision 5116)
+++ proj_doc_add.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path.'file_api.php' );
+ helper_ensure_post();
+
# Check if project documentation feature is enabled.
if ( OFF == config_get( 'enable_project_documentation' ) ) {
access_denied();
Index: manage_custom_field_delete.php
===================================================================
--- manage_custom_field_delete.php (revision 5116)
+++ manage_custom_field_delete.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path.'custom_field_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) );
Index: manage_user_create.php
===================================================================
--- manage_user_create.php (revision 5116)
+++ manage_user_create.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path.'email_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_user_threshold' ) );
Index: manage_config_workflow_set.php
===================================================================
--- manage_config_workflow_set.php (revision 5116)
+++ manage_config_workflow_set.php (working copy)
@@ -26,6 +26,8 @@
$t_core_path = config_get( 'core_path' );
require_once( $t_core_path.'email_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$t_can_change_level = min( config_get_access( 'notify_flags' ), config_get_access( 'default_notify_flags' ) );
Index: manage_proj_update.php
===================================================================
--- manage_proj_update.php (revision 5116)
+++ manage_proj_update.php (working copy)
@@ -23,6 +23,8 @@
require_once( 'core.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$f_project_id = gpc_get_int( 'project_id' );
Index: query_delete.php
===================================================================
--- query_delete.php (revision 5116)
+++ query_delete.php (working copy)
@@ -28,6 +28,8 @@
require_once( $t_core_path.'string_api.php' );
require_once( $t_core_path.'date_api.php' );
+ helper_ensure_post();
+
auth_ensure_user_authenticated();
compress_enable();
Index: manage_proj_user_add.php
===================================================================
--- manage_proj_user_add.php (revision 5116)
+++ manage_proj_user_add.php (working copy)
@@ -23,6 +23,8 @@
require_once( 'core.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$f_project_id = gpc_get_int( 'project_id' );
Index: account_prof_add.php
===================================================================
--- account_prof_add.php (revision 5116)
+++ account_prof_add.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,23 +20,21 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
# This file adds a new profile and redirects to account_proj_menu_page.php
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
require_once( $t_core_path.'profile_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
auth_ensure_user_authenticated();
current_user_ensure_unprotected();
-?>
-<?php
+
$f_platform = gpc_get_string( 'platform' );
$f_os = gpc_get_string( 'os' );
$f_os_build = gpc_get_string( 'os_build' );
Index: manage_proj_cat_delete.php
===================================================================
--- manage_proj_cat_delete.php (revision 5116)
+++ manage_proj_cat_delete.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path.'category_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$f_category_id = gpc_get_string( 'id' );
Index: manage_proj_custom_field_remove.php
===================================================================
--- manage_proj_custom_field_remove.php (revision 5116)
+++ manage_proj_custom_field_remove.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path.'custom_field_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$f_field_id = gpc_get_int( 'field_id' );
Index: tag_attach.php
===================================================================
--- tag_attach.php (revision 5116)
+++ tag_attach.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path . 'tag_api.php' );
+ helper_ensure_post();
+
$f_bug_id = gpc_get_int( 'bug_id' );
$f_tag_select = gpc_get_int( 'tag_select' );
$f_tag_string = gpc_get_string( 'tag_string' );
Index: admin/install_helper_functions.php
===================================================================
--- admin/install_helper_functions.php (revision 5116)
+++ admin/install_helper_functions.php (working copy)
@@ -17,6 +17,12 @@
# You should have received a copy of the GNU General Public License
# along with Mantis. If not, see <http://www.gnu.org/licenses/>.
+/**
+* check if database support exists
+*
+* @param string database type
+* @return bool
+*/
function check_database_support($p_db_type) {
$t_support = false;
switch ($p_db_type) {
@@ -44,6 +50,12 @@
return $t_support;
}
+ /**
+ * check if php meets minimum version
+ *
+ * @param string version information
+ * @return bool
+ */
function check_php_version( $p_version ) {
if ($p_version == PHP_MIN_VERSION) {
return true;
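Review bot: The new PHPDoc blocks on check_database_support and check_php_version write `@param string database type` and `@param string version information` without the parameter name, so documentation tools cannot bind the description to `$p_db_type` or `$p_version`; the conventional form is `@param string $p_db_type database type` and `@param string $p_version version information`. The same shape recurs in the print_test_result and print_test docblocks added in the next hunk of this file. Both function bodies continue past their hunks.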
@@ -58,4 +70,58 @@
return false;
}
}
- }
\ No newline at end of file
+ }
+
+ /**
+ * print result in the proper colour
+ *
+ * @param bool pass/fail input
+ * @param bool true if failure is fatal
+ * @param string text message added to failures
+ * @return bool
+ */
+ function print_test_result( $p_result, $p_hard_fail=true, $p_message='' ) {
+ global $g_failed;
+ echo '<td ';
+ if ( BAD == $p_result ) {
+ if ( $p_hard_fail ) {
+ $g_failed = true;
+ echo 'bgcolor="red">BAD';
+ } else {
+ echo 'bgcolor="pink">POSSIBLE PROBLEM';
+ }
+ if ( '' != $p_message ) {
+ echo '<br />' . $p_message;
+ }
+ }
+
+ if ( GOOD == $p_result ) {
+ echo 'bgcolor="green">GOOD';
+ }
+ echo '</td>';
+ }
+
+ /**
+ * print test row
+ *
+ * @param string test title text
+ * @param bool pass/fail input
+ * @param bool true if failure is fatal
+ * @param string text message added to failures
+ * @return bool
+ */
+ function print_test( $p_test_description, $p_result, $p_hard_fail=true, $p_message='' ) {
+
+ echo "\n<tr><td bgcolor=\"#ffffff\">$p_test_description</td>";
+ print_test_result( $p_result, $p_hard_fail, $p_message );
+ echo "</tr>\n";
+ }
+
+ # --------
+ # create an SQLArray to insert data
+ function InsertData( $p_table, $p_data ) {
+ $query = "INSERT INTO " . $p_table . $p_data;
+ return Array( $query );
+ }
+
+
Index: admin/install.php
===================================================================
--- admin/install.php (revision 5116)
+++ admin/install.php (working copy)
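Review bot: print_test_result and print_test are documented with `@return bool`, but neither function returns anything — both only echo table-cell markup — so the tag should read `@return void`. The InsertData helper moved into the same hunk keeps the old `# --------` comment style while its two new neighbours carry PHPDoc blocks; a block of the form `/** Build a one-element array holding an INSERT statement for $p_table. @param string $p_table @param string $p_data @return array */` would keep the file consistent. Both print functions also echo `$p_message` and `$p_test_description` as-is into HTML; if any caller ever passes text taken from the installer's form inputs that should go through htmlspecialchars(), though the callers are not visible here.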
@@ -37,45 +37,6 @@
$g_failed = false;
$g_database_upgrade = false;
- # -------
- # print test result
- function print_test_result( $p_result, $p_hard_fail=true, $p_message='' ) {
- global $g_failed;
- echo '<td ';
- if ( BAD == $p_result ) {
- if ( $p_hard_fail ) {
- $g_failed = true;
- echo 'bgcolor="red">BAD';
- } else {
- echo 'bgcolor="pink">POSSIBLE PROBLEM';
- }
- if ( '' != $p_message ) {
- echo '<br />' . $p_message;
- }
- }
-
- if ( GOOD == $p_result ) {
- echo 'bgcolor="green">GOOD';
- }
- echo '</td>';
- }
-
- # -------
- # print test header and result
- function print_test( $p_test_description, $p_result, $p_hard_fail=true, $p_message='' ) {
-
- echo "\n<tr><td bgcolor=\"#ffffff\">$p_test_description</td>";
- print_test_result( $p_result, $p_hard_fail, $p_message );
- echo "</tr>\n";
- }
-
- # --------
- # create an SQLArray to insert data
- function InsertData( $p_table, $p_data ) {
- $query = "INSERT INTO " . $p_table . $p_data;
- return Array( $query );
- }
-
# install_state
# 0 = no checks done
# 1 = server ok, get database information
Index: signup.php
===================================================================
--- signup.php (revision 5116)
+++ signup.php (working copy)
@@ -28,6 +28,8 @@
require_once( $t_core_path.'email_api.php' );
require_once( $t_core_path . 'disposable' . DIRECTORY_SEPARATOR . 'disposable.php' );
+ helper_ensure_post();
+
$f_username = strip_tags( gpc_get_string( 'username' ) );
$f_email = strip_tags( gpc_get_string( 'email' ) );
$f_captcha = gpc_get_string( 'captcha', '' );
Index: bug_actiongroup_ext.php
===================================================================
--- bug_actiongroup_ext.php (revision 5116)
+++ bug_actiongroup_ext.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -28,6 +28,8 @@
require_once( $t_core_path . 'bug_api.php' );
require_once( $t_core_path . 'bug_group_action_api.php' );
+ helper_ensure_post();
+
auth_ensure_user_authenticated();
helper_begin_long_process();
Index: bug_monitor.php
===================================================================
--- bug_monitor.php (revision 5116)
+++ bug_monitor.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -20,18 +20,17 @@
# --------------------------------------------------------
# $Id$
# --------------------------------------------------------
-?>
-<?php
+
# This file turns monitoring on or off for a bug for the current user
-?>
-<?php
+
require_once( 'core.php' );
$t_core_path = config_get( 'core_path' );
require_once( $t_core_path.'bug_api.php' );
-?>
-<?php
+
+ helper_ensure_post();
+
$f_bug_id = gpc_get_int( 'bug_id' );
$t_bug = bug_get( $f_bug_id, true );
Index: manage_custom_field_update.php
===================================================================
--- manage_custom_field_update.php (revision 5116)
+++ manage_custom_field_update.php (working copy)
@@ -27,6 +27,8 @@
require_once( $t_core_path.'custom_field_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_custom_fields_threshold' ) );
Index: manage_config_columns_set.php
===================================================================
--- manage_config_columns_set.php (revision 5116)
+++ manage_config_columns_set.php (working copy)
@@ -2,7 +2,7 @@
# Mantis - a php based bugtracking system
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
-# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net
+# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net
# Mantis is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -27,7 +27,9 @@
require_once( $t_core_path . 'columns_api.php' );
require_once( $t_core_path . 'gpc_api.php' );
-
+
+ helper_ensure_post();
+
# @@@ access_ensure_project_level( config_get( 'manage_project_threshold' ) );
$f_project_id = gpc_get_int( 'project_id' );
Index: manage_user_reset.php
===================================================================
--- manage_user_reset.php (revision 5116)
+++ manage_user_reset.php (working copy)
@@ -23,6 +23,8 @@
require_once( 'core.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_user_threshold' ) );
Index: manage_proj_update_children.php
===================================================================
--- manage_proj_update_children.php (revision 5116)
+++ manage_proj_update_children.php (working copy)
@@ -23,6 +23,8 @@
require_once( $t_core_path.'project_hierarchy_api.php' );
+ helper_ensure_post();
+
auth_reauthenticate();
$f_project_id = gpc_get_int( 'project_id' );
Index: bug_file_delete.php
===================================================================
--- bug_file_delete.php (revision 5116)
+++ bug_file_delete.php (working copy)
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -29,6 +29,8 @@ require_once( $t_core_path.'file_api.php' ); + helper_ensure_post(); + $f_file_id = gpc_get_int( 'file_id' ); $t_bug_id = file_get_field( $f_file_id, 'bug_id' ); Index: manage_config_email_set.php =================================================================== --- manage_config_email_set.php (revision 5116) +++ manage_config_email_set.php (working copy) @@ -26,6 +26,8 @@ $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'email_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $t_can_change_level = min( config_get_access( 'notify_flags' ), config_get_access( 'default_notify_flags' ) ); Index: manage_user_prune.php =================================================================== --- manage_user_prune.php (revision 5116) +++ manage_user_prune.php (working copy) @@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); access_ensure_global_level( config_get( 'manage_user_threshold' ) ); Index: manage_proj_ver_add.php =================================================================== --- manage_proj_ver_add.php (revision 5116) +++ manage_proj_ver_add.php (working copy) @@ -27,6 +27,8 @@ require_once( $t_core_path.'version_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Index: manage_user_delete.php =================================================================== --- manage_user_delete.php (revision 5116) +++ manage_user_delete.php (working copy) 
@@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); access_ensure_global_level( config_get( 'manage_user_threshold' ) ); Index: manage_proj_cat_update.php =================================================================== --- manage_proj_cat_update.php (revision 5116) +++ manage_proj_cat_update.php (working copy) @@ -27,6 +27,8 @@ require_once( $t_core_path.'category_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_category_id = gpc_get_int( 'category_id' ); Index: account_delete.php =================================================================== --- account_delete.php (revision 5116) +++ account_delete.php (working copy) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -43,6 +43,8 @@ # (none) #============ Permissions ============ + helper_ensure_post(); + auth_ensure_user_authenticated(); current_user_ensure_unprotected(); Index: manage_proj_ver_delete.php =================================================================== --- manage_proj_ver_delete.php (revision 5116) +++ manage_proj_ver_delete.php (working copy) @@ -27,6 +27,8 @@ require_once( $t_core_path.'version_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_version_id = gpc_get_int( 'version_id' ); Index: manage_proj_user_remove.php =================================================================== --- manage_proj_user_remove.php (revision 5116) +++ manage_proj_user_remove.php (working copy) 
@@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Index: bug_delete.php =================================================================== --- bug_delete.php (revision 5116) +++ bug_delete.php (working copy) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -29,6 +29,8 @@ $f_bug_id = gpc_get_int( 'bug_id' ); + helper_ensure_post(); + access_ensure_bug_level( config_get( 'delete_bug_threshold' ), $f_bug_id ); $t_bug = bug_get( $f_bug_id, true ); Index: manage_user_proj_delete.php =================================================================== --- manage_user_proj_delete.php (revision 5116) +++ manage_user_proj_delete.php (working copy) @@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Index: wiki.php =================================================================== --- wiki.php (revision 5116) +++ wiki.php (working copy) @@ -28,6 +28,8 @@ require_once( $t_core_path . 'wiki_api.php' ); + helper_ensure_post(); + $f_id = gpc_get_int( 'id' ); $f_type = gpc_get_string( 'type', 'issue' ); Index: proj_doc_delete.php =================================================================== --- proj_doc_delete.php (revision 5116) +++ proj_doc_delete.php (working copy) 
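Review bot: `wiki.php` does not look like a state-changing action page — the visible lines only read an `id` and a `type` with a default, and the file name suggests it resolves a wiki link — so requiring POST there gives no CSRF benefit and, if the page is reached through an ordinary hyperlink, the new check will break that link with the method error. If it only redirects, the call should be dropped from this file; if it does change state, a short comment such as `# modifies wiki state, so only accept form submissions` would explain why the check belongs here. The same question applies to `set_project.php` and `tag_detach.php` later in this patch, which in this version may be reachable through plain links carrying query parameters rather than forms.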
@@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + # Check if project documentation feature is enabled. if ( OFF == config_get( 'enable_project_documentation' ) ) { access_denied(); Index: tag_detach.php =================================================================== --- tag_detach.php (revision 5116) +++ tag_detach.php (working copy) @@ -27,6 +27,8 @@ require_once( $t_core_path . 'tag_api.php' ); + helper_ensure_post(); + $f_tag_id = gpc_get_int( 'tag_id' ); $f_bug_id = gpc_get_int( 'bug_id' ); Index: news_add.php =================================================================== --- news_add.php (revision 5116) +++ news_add.php (working copy) @@ -20,16 +20,16 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'news_api.php' ); require_once( $t_core_path.'print_api.php' ); -?> -<?php + + helper_ensure_post(); + access_ensure_project_level( config_get( 'manage_news_threshold' ) ); $f_view_state = gpc_get_int( 'view_state' ); Index: manage_user_update.php =================================================================== --- manage_user_update.php (revision 5116) +++ manage_user_update.php (working copy) @@ -27,6 +27,8 @@ require_once( $t_core_path.'email_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); access_ensure_global_level( config_get( 'manage_user_threshold' ) ); Index: account_prefs_update.php =================================================================== --- account_prefs_update.php (revision 5116) +++ account_prefs_update.php (working copy) 
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,21 +20,19 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + # Updates prefs then redirect to account_prefs_page.php3 -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'user_pref_api.php' ); -?> -<?php + + helper_ensure_post(); + auth_ensure_user_authenticated(); -?> -<?php + $f_user_id = gpc_get_int( 'user_id' ); $f_redirect_url = gpc_get_string( 'redirect_url' ); Index: account_update.php =================================================================== --- account_update.php (revision 5116) +++ account_update.php (working copy) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -20,25 +20,23 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + # This page updates a user's information # If an account is protected then changes are forbidden # The page gets redirected back to account_page.php -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'email_api.php' ); -?> -<?php + + helper_ensure_post(); + auth_ensure_user_authenticated(); current_user_ensure_unprotected(); -?> -<?php + $f_email = gpc_get_string( 'email', '' ); $f_realname = gpc_get_string( 'realname', '' ); $f_password = gpc_get_string( 'password', '' ); Index: manage_proj_ver_update.php =================================================================== --- manage_proj_ver_update.php (revision 5116) +++ manage_proj_ver_update.php (working copy) @@ -27,6 +27,8 @@ require_once( $t_core_path.'version_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_version_id = gpc_get_int( 'version_id' ); Index: core/database_api.php =================================================================== --- core/database_api.php (revision 5116) +++ core/database_api.php (working copy) @@ -64,6 +64,7 @@ $g_db = ADONewConnection( $p_dsn ); $t_result = $g_db->IsConnected(); } + $g_db->LogSQL(); if ( $t_result ) { # For MySQL, the charset for the connection needs to be specified. Index: core/helper_api.php =================================================================== --- core/helper_api.php (revision 5116) +++ core/helper_api.php (working copy) 
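Review bot: The `$g_db->LogSQL();` line added in the core/database_api.php hunk is unrelated to the request-method hardening and reads like a debugging leftover; ADOdb's `LogSQL()` turns on logging of every executed statement into a database log table, which on a production tracker is both a steady performance cost and a place where user-supplied values embedded in queries end up persisted. It is also called outside the `if` and before `$t_result` is examined, so it runs even when the connection attempt failed. The `$t_graph_attributes['fontpath']` assignment in the core/relationship_graph_api.php hunk is likewise a separate functional change; both should be dropped from this security patch or submitted on their own. The enclosing function of the database_api.php hunk begins outside the hunk.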
@@ -502,4 +502,16 @@ return (int)$t_min; } + + # + #------------------------------------------------- + # check access method is POST, return if true, else call error handler + function helper_ensure_post() + { + if ( isset( $_SERVER['REQUEST_METHOD'] ) && ( $_SERVER['REQUEST_METHOD'] != 'POST' ) ) { + trigger_error( ERROR_INVALID_REQUEST_METHOD, ERROR ); + } + + } + ?> Index: core/relationship_graph_api.php =================================================================== --- core/relationship_graph_api.php (revision 5116) +++ core/relationship_graph_api.php (working copy) @@ -250,7 +250,8 @@ } else { $t_graph_orientation = 'vertical'; } - + $t_graph_attributes['fontpath'] = $t_graph_fontpath; + $t_graph = new Digraph( $t_id_string, $t_graph_attributes, $t_dot_tool ); $t_graph->set_default_node_attr( array ( Index: core/constant_inc.php =================================================================== --- core/constant_inc.php (revision 5116) +++ core/constant_inc.php (working copy) @@ -194,6 +194,7 @@ define( 'ERROR_FTP_CONNECT_ERROR', 16 ); define( 'ERROR_HANDLER_ACCESS_TOO_LOW', 17 ); define( 'ERROR_PAGE_REDIRECTION', 18 ); + define( 'ERROR_INVALID_REQUEST_METHOD', 19 ); # ERROR_CONFIG_* define( 'ERROR_CONFIG_OPT_NOT_FOUND', 100 ); Index: manage_config_revert.php =================================================================== --- manage_config_revert.php (revision 5116) +++ manage_config_revert.php (working copy) @@ -25,6 +25,8 @@ $t_core_path = config_get( 'core_path' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project', 0 ); Index: bug_report.php =================================================================== --- bug_report.php (revision 5116) +++ bug_report.php (working copy) 
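Review bot: Requiring POST in `helper_ensure_post()` does not by itself close the CSRF issue this ticket describes, because a third-party page can submit a form with method POST to these action pages as easily as a link can issue a GET; the check only removes the link/image vector, and the later `form_api.php` commit on this page (a per-session secret embedded in each form and verified on the action page) is the actual control, so the header comment should say this is defence in depth rather than the CSRF fix. Two smaller points in the function body: the comparison should be strict, `if ( isset( $_SERVER['REQUEST_METHOD'] ) && ( $_SERVER['REQUEST_METHOD'] !== 'POST' ) ) {`, and the silent pass when `REQUEST_METHOD` is absent deserves a comment such as `# REQUEST_METHOD is not set outside a web SAPI (e.g. CLI); nothing to enforce there`. The new `ERROR_INVALID_REQUEST_METHOD` constant in the core/constant_inc.php hunk presumably also needs a matching entry in the language string files, since `trigger_error()` with an ERROR_* code otherwise has no message text to show.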
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -32,6 +32,8 @@ require_once( $t_core_path.'bug_api.php' ); require_once( $t_core_path.'custom_field_api.php' ); + helper_ensure_post(); + access_ensure_project_level( config_get('report_bug_threshold' ) ); $t_bug_data = new BugData; Index: bug_update.php =================================================================== --- bug_update.php (revision 5116) +++ bug_update.php (working copy) @@ -20,11 +20,9 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + # Update bug data then redirect to the appropriate viewing page -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); @@ -32,8 +30,9 @@ require_once( $t_core_path.'bug_api.php' ); require_once( $t_core_path.'bugnote_api.php' ); require_once( $t_core_path.'custom_field_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_bug_id = gpc_get_int( 'bug_id' ); $f_update_mode = gpc_get_bool( 'update_mode', FALSE ); # set if called from generic update page $f_new_status = gpc_get_int( 'status', bug_get_field( $f_bug_id, 'status' ) ); Index: bug_assign.php =================================================================== --- bug_assign.php (revision 5116) +++ bug_assign.php (working copy) 
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,18 +20,16 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + # Assign bug to user then redirect to viewing page -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'bug_api.php' ); -?> -<?php + helper_ensure_post(); + $f_bug_id = gpc_get_int( 'bug_id' ); $t_bug = bug_get( $f_bug_id ); Index: bug_actiongroup.php =================================================================== --- bug_actiongroup.php (revision 5116) +++ bug_actiongroup.php (working copy) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -20,19 +20,18 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + # This page allows actions to be performed an an array of bugs -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'bug_api.php' ); -?> -<?php auth_ensure_user_authenticated() ?> -<?php + + helper_ensure_post(); + + auth_ensure_user_authenticated(); helper_begin_long_process(); $f_action = gpc_get_string( 'action' ); Index: manage_user_proj_add.php =================================================================== --- manage_user_proj_add.php (revision 5116) +++ manage_user_proj_add.php (working copy) @@ -23,6 +23,8 @@ require_once( 'core.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_user_id = gpc_get_int( 'user_id' ); Index: account_prefs_reset.php =================================================================== --- account_prefs_reset.php (revision 5116) +++ account_prefs_reset.php (working copy) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -47,6 +47,8 @@ $f_redirect_url = gpc_get_string( 'redirect_url', 'account_prefs_page.php' ); #============ Permissions ============ + helper_ensure_post(); + auth_ensure_user_authenticated(); user_ensure_unprotected( $f_user_id ); Index: tag_delete.php =================================================================== --- tag_delete.php (revision 5116) +++ tag_delete.php (working copy) 
@@ -27,6 +27,8 @@ require_once( $t_core_path . 'tag_api.php' ); + helper_ensure_post(); + access_ensure_global_level( config_get( 'tag_edit_threshold' ) ); $f_tag_id = gpc_get_int( 'tag_id' ); Index: manage_proj_subproj_add.php =================================================================== --- manage_proj_subproj_add.php (revision 5116) +++ manage_proj_subproj_add.php (working copy) @@ -25,6 +25,8 @@ $t_core_path = config_get( 'core_path' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); Index: bug_set_sponsorship.php =================================================================== --- bug_set_sponsorship.php (revision 5116) +++ bug_set_sponsorship.php (working copy) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,14 +20,15 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path . 'sponsorship_api.php' ); + helper_ensure_post(); + if ( config_get( 'enable_sponsorship' ) == OFF ) { trigger_error( ERROR_SPONSORSHIP_NOT_ENABLED, ERROR ); } Index: adm_config_set.php =================================================================== --- adm_config_set.php (revision 5116) +++ adm_config_set.php (working copy) 
@@ -26,7 +26,8 @@ require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); - + helper_ensure_post(); + $f_user_id = gpc_get_int( 'user_id' ); $f_project_id = gpc_get_int( 'project_id' ); $f_config_option = gpc_get_string( 'config_option' ); Index: proj_doc_update.php =================================================================== --- proj_doc_update.php (revision 5116) +++ proj_doc_update.php (working copy) @@ -27,6 +27,8 @@ require_once( $t_core_path.'file_api.php' ); + helper_ensure_post(); + # Check if project documentation feature is enabled. if ( OFF == config_get( 'enable_project_documentation' ) || !file_is_uploading_enabled() || Index: account_prof_delete.php =================================================================== --- account_prof_delete.php (revision 5116) +++ account_prof_delete.php (working copy) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -20,24 +20,22 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + # The specified profile is deleted and the user is redirected to # account_prof_menu_page.php3 -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'profile_api.php' ); -?> -<?php + + helper_ensure_post(); + auth_ensure_user_authenticated(); current_user_ensure_unprotected(); -?> -<?php + $f_profile_id = gpc_get_int( 'profile_id' ); if ( profile_is_global( $f_profile_id ) ) { Index: manage_proj_create.php =================================================================== --- manage_proj_create.php (revision 5116) +++ manage_proj_create.php (working copy) @@ -27,6 +27,8 @@ require_once( $t_core_path.'project_hierarchy_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); access_ensure_global_level( config_get( 'create_project_threshold' ) ); Index: manage_config_work_threshold_set.php =================================================================== --- manage_config_work_threshold_set.php (revision 5116) +++ manage_config_work_threshold_set.php (working copy) @@ -26,6 +26,8 @@ $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'email_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $t_redirect_url = 'manage_config_work_threshold_page.php'; Index: bugnote_set_view_state.php =================================================================== --- bugnote_set_view_state.php (revision 5116) +++ bugnote_set_view_state.php (working copy) 
@@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,19 +20,18 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + # Set an existing bugnote private or public. -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'bug_api.php' ); require_once( $t_core_path.'bugnote_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_bugnote_id = gpc_get_int( 'bugnote_id' ); $f_private = gpc_get_bool( 'private' ); Index: manage_config_columns_reset.php =================================================================== --- manage_config_columns_reset.php (revision 5116) +++ manage_config_columns_reset.php (working copy) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -27,6 +27,8 @@ require_once( $t_core_path . 'config_api.php' ); + helper_ensure_post(); + auth_ensure_user_authenticated(); auth_reauthenticate(); Index: set_project.php =================================================================== --- set_project.php (revision 5116) +++ set_project.php (working copy) 
@@ -20,15 +20,15 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'current_user_api.php' ); -?> -<?php + + helper_ensure_post(); + $f_project_id = gpc_get_string( 'project_id' ); $f_make_default = gpc_get_bool ( 'make_default' ); $f_ref = gpc_get_string( 'ref', '' ); Index: account_prof_make_default.php =================================================================== --- account_prof_make_default.php (revision 5116) +++ account_prof_make_default.php (working copy) @@ -2,7 +2,7 @@ # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org -# Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net +# Copyright (C) 2002 - 2008 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,24 +20,22 @@ # -------------------------------------------------------- # $Id$ # -------------------------------------------------------- -?> -<?php + # Make the specified profile the default # Redirect to account_prof_menu_page.php -?> -<?php + require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path.'current_user_api.php' ); -?> -<?php + + helper_ensure_post(); + auth_ensure_user_authenticated(); current_user_ensure_unprotected(); -?> -<?php + $f_profile_id = gpc_get_int( 'profile_id' ); current_user_set_pref( 'default_profile', $f_profile_id ); Index: manage_proj_ver_copy.php =================================================================== --- manage_proj_ver_copy.php (revision 5116) +++ manage_proj_ver_copy.php (working copy) 
@@ -27,6 +27,8 @@ require_once( $t_core_path.'version_api.php' ); + helper_ensure_post(); + auth_reauthenticate(); $f_project_id = gpc_get_int( 'project_id' ); | ||||
A patch to verify that action pages are accessed using POST is attached. |
|
The patch looks good. Here are some minor comments:
|
|
A patch to verify that action pages are accessed using POST is attached. |
|
fixed in SVN r5134 |
|
fixed in SVN r5134 |
|
changed to add token based verification in svn revision 5250 |
|
fix reverted in SVN |
|
New fix commited to 1.1.2 in SVN r5290, and trunk 1.2.x in SVN r5292. |
|
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2276 to this. |
|
making it public. This is CVE-2008-2276 |
|
MantisBT: master-1.1.x 4b9b2fff 2008-05-22 10:34 Details Diff |
Implemented form security validation API. Affects bug 0008975. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5287 f5dc347c-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0008975 |
|
add - core/form_api.php | Diff File | ||
mod - core/session_api.php | Diff File | ||
mod - core/constant_inc.php | Diff File | ||
mod - lang/strings_english.txt | Diff File | ||
MantisBT: master 77d93349 2008-05-22 10:48 Details Diff |
Implemented form security validation API. Affects bug 0008975. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5288 f5dc347c-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0008975 |
|
mod - core/session_api.php | Diff File | ||
add - core/form_api.php | Diff File | ||
mod - lang/strings_english.txt | Diff File | ||
mod - core/constant_inc.php | Diff File | ||
MantisBT: master-1.1.x 70076d63 2008-05-22 13:44 Details Diff |
Fix 0008975: CSRF Vulnerabilities in user_create This process will be rolled out in pieces to the rest of Mantis (and the 1.2.x trunk) as chances permit. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5290 f5dc347c-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0008975 |
|
mod - manage_user_create_page.php | Diff File | ||
mod - manage_user_create.php | Diff File | ||
MantisBT: master d0994d58 2008-05-22 13:44 Details Diff |
Fix 0008975: CSRF Vulnerabilities in user_create This process will be rolled out in pieces to the rest of Mantis (and the 1.2.x trunk) as chances permit. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5292 f5dc347c-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0008975 |
|
mod - manage_user_create_page.php | Diff File | ||
mod - manage_user_create.php | Diff File |