MantisBT: master-1.2.x 5b93161f
|Paul Richards||dhx||master-1.2.x||2011-08-29 05:43||master-1.2.x 965b00a0|
|Affected Issues||0013281: MantisBT Security Vulnerabilities Notification|
Rework the bug action group API such that we can easily convert this to an object in the future, and to validate calls to require_once.
This leads to a security issue identified by IBM's AppScan program, whereby calls to require_once are not validated.
There will be a follow-up commit to config API - probably:
At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
Backported from master-1.2.x branch. Note that this commit relies upon
Signed-off-by: David Hicks <firstname.lastname@example.org>
|mod - bug_actiongroup_ext.php||Diff File|
|mod - bug_actiongroup_ext_page.php||Diff File|
|mod - bug_actiongroup_page.php||Diff File|
|mod - core/bug_group_action_api.php||Diff File|
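
The commit message above describes validating what reaches `require_once`. The following is an added example of that kind of check, not code from this commit or from MantisBT; the function name, the `action_<name>.php` file naming, the allow-list and the sample inputs are all hypothetical.

```php
<?php
// Added illustration, not MantisBT code. All names and paths are hypothetical.

/**
 * Map a request-supplied action name to an include file, or return null.
 * Only the path returned here should ever be passed to require_once.
 */
function resolve_action_include(string $action, string $baseDir, array $allowed): ?string
{
    // 1. Strict syntax: rejects "/", "..", NUL bytes and "scheme://" wrappers.
    if (preg_match('/\A[a-z0-9_]{1,64}\z/', $action) !== 1) {
        return null;
    }
    // 2. Allow-list of known actions, compared strictly.
    if (!in_array($action, $allowed, true)) {
        return null;
    }
    // 3. Canonicalise and confirm the file sits directly inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . 'action_' . $action . '.php');
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding one legitimate action file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'actiongroup_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
$file = $dir . DIRECTORY_SEPARATOR . 'action_add_note.php';
file_put_contents($file, "<?php return 'add_note handler loaded';\n");

$allowed = ['add_note', 'attach_tags'];   // constructed sample allow-list
$inputs  = ['add_note', 'attach_tags', '../../config_inc', "add_note\0x", 'unknown'];
foreach ($inputs as $input) {
    $path = resolve_action_include($input, $dir, $allowed);
    if ($path === null) {
        echo 'rejected: ', json_encode($input), PHP_EOL;
        continue;
    }
    $result = require_once $path;         // reached only with a validated path
    echo 'included: ', json_encode($input), ' -> ', $result, PHP_EOL;
}

unlink($file);
rmdir($dir);
```

In the demo only `add_note` is included; `attach_tags` is on the allow-list but has no file, so the third check rejects it.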