MantisBT: master-1.2.x 5b93161f

Diff Back to Repository
Author Committer Branch Timestamp Parent
Paul Richards dhx master-1.2.x 2011-08-29 05:43 master-1.2.x 965b00a0
Affected Issues  0013281: MantisBT Security Vulnerabilities Notification
Changeset

Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require once.

This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated.
Depending on webserver configuration, this is a file inclusion vulnerability.

There will be a follow up commit to config api - probably:

  • if( $g_project_override != null ) {
  • if( $g_project_override != null && $p_project == null ) {

At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
a) change project override within the command list function
b) modifify config api to only use the project override if it is attempting to look up information on the default project.

Backported from master-1.2.x branch. Note that this commit relies upon
commit 6dc35105064e5a2533fb4e1de54426ea17d2ef36 from the master branch
(that hadn't been backported to 1.2.x).

Conflicts:
bug_actiongroup_ext.php
bug_actiongroup_ext_page.php
bug_actiongroup_page.php
core/bug_group_action_api.php

Signed-off-by: David Hicks <d@hx.id.au>
mod - bug_actiongroup_ext.php Diff File
mod - bug_actiongroup_ext_page.php Diff File
mod - bug_actiongroup_page.php Diff File
mod - core/bug_group_action_api.php Diff File