
base repository: mantisbt/mantisbt
base: 42627a650abc
head repository: mantisbt/mantisbt
compare: 5f641fc7bc2b
  • 2 commits
  • 3 files changed
  • 1 contributor

Commits on Jan 20, 2013

  1. Update match_type parameter to be XSS-safe by itself

    Use of gpc_get_int() instead of gpc_get_string() prevents malicious
    users from passing arbitrary strings as parameter.
    
    Fixes #15388
    dregad committed Jan 20, 2013
    4362aa1 View commit details
  2. Display of match_type filter property for unknown types

    Prior to this, if for any reason the filter's match type property was
    not one of the predefined types (i.e. 'any' or 'all'), the code would
    default to 'all', but display a blank string on the filter page. This is
    confusing to users, so the display now matches the filter's actual
    behavior.
    
    Fixes #15389
    dregad committed Jan 20, 2013
    5f641fc View commit details
Showing with 22 additions and 18 deletions.
  1. +20 −16 core/filter_api.php
  2. +1 −1 search.php
  3. +1 −1 view_all_set.php
36 changes: 20 additions & 16 deletions core/filter_api.php
@@ -1109,11 +1109,11 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}

$t_view_type = $t_filter['_view_type'];

// project query clauses must be AND-ed always, irrespective of how the filter
// clauses are requested by the user ( all matching -> AND, any matching -> OR )
$t_where_clauses = array();

$t_project_where_clauses = array(
"$t_project_table.enabled = " . db_param(),
"$t_project_table.id = $t_bug_table.project_id",
@@ -1263,13 +1263,13 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
log_event( LOG_FILTERING, 'project query = ' . $t_project_query );
array_push( $t_project_where_clauses, $t_project_query );
}

# date filter
if(( 'on' == $t_filter[FILTER_PROPERTY_FILTER_BY_DATE] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_MONTH] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_DAY] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_YEAR] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_MONTH] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_DAY] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_YEAR] ) ) {

$t_start_string = $t_filter[FILTER_PROPERTY_START_YEAR] . "-" . $t_filter[FILTER_PROPERTY_START_MONTH] . "-" . $t_filter[FILTER_PROPERTY_START_DAY] . " 00:00:00";
$t_end_string = $t_filter[FILTER_PROPERTY_END_YEAR] . "-" . $t_filter[FILTER_PROPERTY_END_MONTH] . "-" . $t_filter[FILTER_PROPERTY_END_DAY] . " 23:59:59";

$t_where_params[] = strtotime( $t_start_string );
$t_where_params[] = strtotime( $t_end_string );
array_push( $t_project_where_clauses, "($t_bug_table.date_submitted BETWEEN " . db_param() . " AND " . db_param() . " )" );
@@ -2029,13 +2029,13 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}

# End text search

# Determine join operator
if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ANY )
$t_join_operator = ' OR ';
else
$t_join_operator = ' AND ';

log_event(LOG_FILTERING, 'Join operator : ' . $t_join_operator);

$t_from_clauses[] = $t_project_table;
@@ -2071,8 +2071,8 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
$t_where_string .= implode( $t_join_operator, $t_query_clauses['where'] );
$t_where_string .= ' ) ';
}


$t_result = db_query_bound( "$t_select_string $t_from_string $t_join_string $t_where_string $t_order_string", $t_query_clauses['where_values'], $p_per_page, $t_offset );
$t_row_count = db_num_rows( $t_result );

@@ -3388,17 +3388,21 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
<tr class="row-1">
<td class="small-caption"><a href="<?php echo $t_filters_url . FILTER_PROPERTY_MATCH_TYPE;?>" id="match_type_filter"><?php echo lang_get( 'filter_match_type' )?>:</a></td>
<td class="small-caption" id="match_type_filter_target">
<?php
if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ANY ) {
echo lang_get ('filter_match_any');
} else if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ALL ) {
echo lang_get ('filter_match_all');
<?php
switch( $t_filter[FILTER_PROPERTY_MATCH_TYPE] ) {
case FILTER_MATCH_ANY:
echo lang_get ('filter_match_any');
break;
case FILTER_MATCH_ALL:
default:
echo lang_get ('filter_match_all');
break;
}
?>
<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE] ?>"/>
</td>
<td colspan="6">&#160;</td>
</tr>
</tr>
</table>
<?php
}
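Review bot: The hidden field on the new line `<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>` still re-emits the raw stored value, while the `default:` branch of the new switch shows it as 'all'; an unrecognized value therefore keeps round-tripping through the form even though the user sees 'all' and the join-operator code in the hunk at line 2029 treats it as AND. Normalizing once before the switch keeps display, submitted value and query behaviour in step, e.g. `$t_match_type = ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ANY ) ? FILTER_MATCH_ANY : FILTER_MATCH_ALL;` and then `value="<?php echo string_attribute( $t_match_type )?>"`. The switch and the join-operator test both rely on PHP's loose `==`; if the match type can still arrive as a string from a previously stored filter this is presumably intentional and deserves a one-line comment saying so. filter_draw_selection_area2 begins before this hunk.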
2 changes: 1 addition & 1 deletion search.php
@@ -89,7 +89,7 @@
$my_filter[FILTER_PROPERTY_OS_BUILD] = gpc_get_string_array( FILTER_PROPERTY_OS_BUILD, META_FILTER_ANY );
$my_filter[FILTER_PROPERTY_VIEW_STATE] = gpc_get_string_array( FILTER_PROPERTY_VIEW_STATE, META_FILTER_ANY );
$my_filter[FILTER_PROPERTY_VERSION] = gpc_get_string_array( FILTER_PROPERTY_VERSION, META_FILTER_ANY );
$my_filter[FILTER_PROPERTY_MATCH_TYPE] = gpc_get_string ( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
$my_filter[FILTER_PROPERTY_MATCH_TYPE] = gpc_get_int( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );

// Filtering by Date
$my_filter[FILTER_PROPERTY_FILTER_BY_DATE] = gpc_get_bool( FILTER_PROPERTY_FILTER_BY_DATE );
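Review bot: gpc_get_int() on the new `$my_filter[FILTER_PROPERTY_MATCH_TYPE]` line restricts the value to an integer, but nothing here restricts it to the two defined match types, so any other integer is accepted into the filter and only acquires a meaning later, where non-ANY values fall through to ALL (core/filter_api.php hunk at line 2029 in this compare). Normalizing at intake makes the stored filter unambiguous: `if ( $my_filter[FILTER_PROPERTY_MATCH_TYPE] != FILTER_MATCH_ANY ) { $my_filter[FILTER_PROPERTY_MATCH_TYPE] = FILTER_MATCH_ALL; }`. The same applies to `$f_match_type` in view_all_set.php. Whether gpc_get_int() rejects non-numeric input or silently coerces it is not visible on this page; if it coerces, a short comment stating that the effective fallback is FILTER_MATCH_ALL would help the next reader.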
2 changes: 1 addition & 1 deletion view_all_set.php
@@ -233,7 +233,7 @@
$f_note_user_id = array( $f_note_user_id );
}

$f_match_type = gpc_get_string ( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
$f_match_type = gpc_get_int( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );

# these are only single values, even when doing advanced filtering
$f_per_page = gpc_get_int( FILTER_PROPERTY_ISSUES_PER_PAGE, -1 );