MantisBT: master-2.24 9de20c09

Author: dregad
Committer: dregad
Branch: master-2.24
Timestamp: 2020-09-12 12:21
Parent: master-2.24 5595c90f
Affected Issues: 0027039: CVE-2020-25781: Access to private bug note attachments
Changeset

Check ability to download attachments at bugnote level

This prevents users authorized to download attachments but not to view
private bugnotes from accessing files attached to a private note via
file_download.php?file_id={FILE_ID}&type=bug (CVE-2020-25781).

Includes some minor code cleanup in file_get_visible_attachments():

  • use a foreach loop
  • reuse variables instead of dereferencing array

Fixes 0027039

mod - core/file_api.php
mod - file_download.php
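The authorization gap the commit message describes is an object-level one: the download handler checked that the user may download attachments for the bug, but not that the user may see the particular bugnote a file hangs off. The stand-alone PHP script below is an added illustration of that distinction and is not MantisBT's own code; it does not call the MantisBT API. The users, bugnotes, files, access-level constants (which mirror MantisBT's default numeric levels), threshold names and the functions `can_view_bugnote`, `can_download_bug_level` and `can_download_file` are all constructed for the example.

```php
<?php
// Added example, not MantisBT code. Everything below is constructed:
// users, notes, files, thresholds and function names are assumptions
// chosen to model the bug-level vs. bugnote-level download check.

const VIEWER    = 10;   // numeric levels mirror MantisBT defaults
const REPORTER  = 25;
const DEVELOPER = 55;

// Project-wide thresholds (constructed values for this model).
const DOWNLOAD_ATTACHMENTS_THRESHOLD = VIEWER;
const PRIVATE_BUGNOTE_THRESHOLD      = DEVELOPER;

// Users: id => project access level.
$users = [
    1 => ['name' => 'alice', 'access' => VIEWER],    // may download, may not see private notes
    2 => ['name' => 'bob',   'access' => DEVELOPER], // may see private notes
    3 => ['name' => 'carol', 'access' => REPORTER],  // author of the private note below
];

// Bugnotes: id => owning bug, author, private flag.
$bugnotes = [
    10 => ['bug_id' => 100, 'reporter_id' => 3, 'private' => true],
    11 => ['bug_id' => 100, 'reporter_id' => 2, 'private' => false],
];

// Files: id => owning bug and bugnote; bugnote_id 0 means the file is
// attached to the bug itself rather than to a note.
$files = [
    500 => ['bug_id' => 100, 'bugnote_id' => 0],
    501 => ['bug_id' => 100, 'bugnote_id' => 10], // attached to the private note
    502 => ['bug_id' => 100, 'bugnote_id' => 11],
];

// A private note is visible to its author and to anyone at or above the
// private-bugnote threshold; a public note is visible to everyone who can
// see the bug (bug visibility itself is assumed here and not modelled).
function can_view_bugnote(array $user, int $user_id, array $note): bool {
    if (!$note['private']) {
        return true;
    }
    return $note['reporter_id'] === $user_id
        || $user['access'] >= PRIVATE_BUGNOTE_THRESHOLD;
}

// Bug-level check only: the user is allowed to download attachments on
// this bug. On its own this is the shape of the gap the commit closes.
function can_download_bug_level(array $user): bool {
    return $user['access'] >= DOWNLOAD_ATTACHMENTS_THRESHOLD;
}

// Bug-level check plus the bugnote-level check for files that belong to
// a note: the caller must also be allowed to see that note.
function can_download_file(int $user_id, int $file_id,
                           array $users, array $files, array $bugnotes): bool {
    $user = $users[$user_id];
    $file = $files[$file_id];
    if (!can_download_bug_level($user)) {
        return false;
    }
    if ($file['bugnote_id'] === 0) {
        return true; // attached directly to the bug
    }
    $note = $bugnotes[$file['bugnote_id']];
    return can_view_bugnote($user, $user_id, $note);
}

foreach ([1, 2, 3] as $uid) {
    foreach ([500, 501, 502] as $fid) {
        printf("%-6s file %d: bug-level only=%s, with bugnote check=%s\n",
            $users[$uid]['name'], $fid,
            can_download_bug_level($users[$uid]) ? 'allow' : 'deny',
            can_download_file($uid, $fid, $users, $files, $bugnotes) ? 'allow' : 'deny');
    }
}
```

Run with `php example.php`. The line to look at is alice on file 501: the bug-level check alone says allow, because she may download attachments on bug 100, while the combined check says deny, because file 501 belongs to a private note she cannot view. Carol keeps access to the same file as the note's author, and bob keeps it through the private-bugnote threshold, so the extra check changes only the case the CVE describes.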