Comparing changes

base repository: mantisbt/mantisbt
base: a7eacc1
head repository: mantisbt/mantisbt
compare: 4b7492d
  • 5 commits
  • 11 files changed
  • 3 contributors

Commits on Sep 4, 2011

  1. Revert "Fix #13282, #13283: bug_actiongroup_ext_page.php LFI and XSS"

    This reverts commit a7eacc1.
    
    Paul fixed this in a better way with commit
    a908cc6 (to be backported to 1.2.x
    after this older commit is reverted).
    davidhicks committed Sep 4, 2011

    commit 965b00a
  2. Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require once.
    
    This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated.
    Depending on webserver configuration, this is a file inclusion vulnerability.
    
    There will be a follow up commit to config api - probably:
    -		if( $g_project_override != null ) {
    +		if( $g_project_override != null && $p_project == null ) {
    
    At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
    a) change project override within the command list function
    b) modify config api to only use the project override *if* it is attempting to look up information on the default project.
    
    Backported from master-1.2.x branch. Note that this commit relies upon
    commit 6dc3510 from the master branch
    (that hadn't been backported to 1.2.x).
    
    Conflicts:
      bug_actiongroup_ext.php
      bug_actiongroup_ext_page.php
      bug_actiongroup_page.php
      core/bug_group_action_api.php
    
    Signed-off-by: David Hicks <d@hx.id.au>
    mantis authored and davidhicks committed Sep 4, 2011

    commit 5b93161
  3. Fix #11481: Don't show bug group actions that can't be used

    Currently the bug action group dropdown list on view_all_bug_page.php
    shows (almost) every available option, even if the current user isn't
    authorised to use those options.
    
    This patch implements checking to see which options are available to the
    user for the issues which are currently shown on view_all_bug_page.php.
    Options are only displayed in the dropdown list if the user is able to
    use the option on at least one of the bugs displayed.
    
    Additionally, the logic behind when selection checkboxes are shown
    alongside a bug has been improved. Checkboxes won't display next to bugs
    that the user cannot perform group actions on.
    
    Backported from master branch because it's needed to resolve an LFI/XSS
    issue in bug_actiongroup_ext.php.
    davidhicks committed Sep 4, 2011

    commit 6ede60d
  4. Fix issue introduced previously whereby php_Self is now used unchecked.

    Introduced previously by John attempting to fix symlinks. Since we now use PHP 5.2, we can make use of filter_var.
    
    This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8
    
    Depending on server/mantis config this can lead to XSS issues
    
    David: Backported from master branch and removed unreachable code branch.
    
    Signed-off-by: David Hicks <d@hx.id.au>
    mantis authored and davidhicks committed Sep 4, 2011

    commit d00745f
  5. Project override should only apply if $p_project hasn't been explicitly set.
    
    For the most part, we use config_get(var) to get information for the current project [or overridden project]
    
    If we are explicitly passing in a project ID, we should use this ID instead, and not override.
    
    Signed-off-by: David Hicks <d@hx.id.au>
    mantis authored and davidhicks committed Sep 4, 2011

    commit 4b7492d
Showing with 208 additions and 141 deletions.
  1. +1 −2 bug_actiongroup_ext.php
  2. +4 −29 bug_actiongroup_ext_page.php
  3. +3 −0 bug_actiongroup_page.php
  4. +7 −2 config_defaults_inc.php
  5. +155 −32 core/bug_group_action_api.php
  6. +16 −3 core/columns_api.php
  7. +1 −1 core/config_api.php
  8. +12 −62 core/print_api.php
  9. +0 −2 my_view_inc.php
  10. +5 −3 view_all_bug_page.php
  11. +4 −5 view_all_inc.php
3 changes: 1 addition & 2 deletions bug_actiongroup_ext.php
@@ -35,12 +35,11 @@
$f_action = gpc_get_string( 'action' );
$f_bug_arr = gpc_get_int_array( 'bug_arr', array() );

$t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php';
$t_form_name = 'bug_actiongroup_' . $f_action;

form_security_validate( $t_form_name );

require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . $t_action_include_file );
bug_group_action_init( $f_action );

# group bugs by project
$t_projects_bugs = array();
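Review bot: once the include moves into bug_group_action_init( $f_action ), the `$t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php';` assignment a few lines above has no consumer left in this file and should be removed, so that a path built from the raw `action` request parameter is not left lying around for a later `require_once` to pick up. The ordering is right: form_security_validate( $t_form_name ) runs before any action-specific code is loaded.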
33 changes: 4 additions & 29 deletions bug_actiongroup_ext_page.php
@@ -20,40 +20,15 @@
* @copyright Copyright (C) 2002 - 2011 MantisBT Team - mantisbt-dev@lists.sourceforge.net
* @link http://www.mantisbt.org
*/
/**
* MantisBT Core API's
*/
require_once( 'core.php' );

require_once( 'core.php' );
require_once( 'bug_group_action_api.php' );

auth_ensure_user_authenticated();

$f_action = gpc_get_string( 'action' );
$f_bug_arr = gpc_get_int_array( 'bug_arr', array() );

# redirect to view issues if nothing is selected
if ( is_blank( $f_action ) || ( 0 == count( $f_bug_arr ) ) ) {
print_header_redirect( 'view_all_bug_page.php' );
}

# redirect to view issues page if action doesn't have ext_* prefix.
# This should only occur if this page is called directly.
$t_external_action_prefix = 'EXT_';
$t_matches = array();
preg_match( '/^EXT_(\w+)$/', $f_action, $t_matches );
if ( count( $t_matches ) !== 2 ) {
print_header_redirect( 'view_all_bug_page.php' );
exit;
}
$t_external_action = $t_matches[1];
$t_include_file = 'bug_actiongroup_' . $t_external_action . '_inc.php';
if ( !file_exists( $t_include_file ) ) {
trigger_error( ERROR_GENERIC, ERROR );
}

$t_external_action = utf8_strtolower( utf8_substr( $f_action, utf8_strlen( $t_external_action_prefix ) ) );
$t_form_name = 'bug_actiongroup_' . $t_external_action;

bug_group_action_init( $t_external_action );

bug_group_action_print_top();
?>
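Review bot: the kept line `utf8_strlen( $t_external_action_prefix )` still depends on `$t_external_action_prefix = 'EXT_';`, which sits in the block that goes away together with the preg_match and file_exists checks; confirm that assignment survives or inline the prefix, otherwise utf8_substr runs with a zero offset and the full `EXT_...` name is handed to bug_group_action_init. Also check whether `require_once( 'core.php' );` ends up present twice; the duplicate is harmless but should go. With the page-level `^EXT_(\w+)$` regex gone, the whitelist lookup inside bug_group_action_init is now the only control between the `action` parameter and the include path, so that function must keep its exact-key comparison.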

3 changes: 3 additions & 0 deletions bug_actiongroup_page.php
@@ -42,6 +42,7 @@
# run through the issues to see if they are all from one project
$t_project_id = ALL_PROJECTS;
$t_multiple_projects = false;
$t_projects = array();

bug_cache_array_rows( $f_bug_arr );

@@ -52,11 +53,13 @@
$t_multiple_projects = true;
} else {
$t_project_id = $t_bug->project_id;
$t_projects[$t_project_id] = $t_project_id;
}
}
}
if ( $t_multiple_projects ) {
$t_project_id = ALL_PROJECTS;
$t_projects[ALL_PROJECTS] = ALL_PROJECTS;
}
# override the project if necessary
if( $t_project_id != helper_get_current_project() ) {
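Review bot: `$t_projects` is filled here (`$t_projects[$t_project_id] = $t_project_id;` and, in the multi-project case, `$t_projects[ALL_PROJECTS] = ALL_PROJECTS;`) but nothing in the hunk consumes it. If it is destined for bug_group_action_get_commands(), note that in the multi-project case the array still carries the individual project ids alongside ALL_PROJECTS, so the resulting command list is the union across those projects rather than the ALL_PROJECTS defaults alone; either reset the array to just ALL_PROJECTS at that point or add a comment that the union is intended.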
9 changes: 7 additions & 2 deletions config_defaults_inc.php
@@ -112,10 +112,15 @@
$t_host = 'localhost';
}

$t_path = str_replace( basename( $_SERVER['PHP_SELF'] ), '', $_SERVER['PHP_SELF'] );
$t_self = $_SERVER['SCRIPT_NAME'];
$t_self = filter_var( $t_self, FILTER_SANITIZE_STRING );
$t_path = str_replace( basename( $t_self ), '', $t_self );
$t_path = basename( $t_path ) == "admin" ? dirname( $t_path ) . '/' : $t_path;
$t_path = basename( $t_path ) == "soap" ? dirname( dirname( $t_path ) ) . '/' : $t_path;

if ( strpos( $t_path, '&#' ) ) {
echo 'Can not safely determine $g_path. Please set $g_path manually in config_inc.php';
die;
}

$t_url = $t_protocol . '://' . $t_host . $t_path;

187 changes: 155 additions & 32 deletions core/bug_group_action_api.php
@@ -22,6 +22,25 @@
* @subpackage BugGroupActionAPI
*/

/**
* Initialise bug action group api
*/
function bug_group_action_init( $p_action ) {
$t_valid_actions = bug_group_action_get_commands( current_user_get_accessible_projects() );
$t_action = strtoupper( $p_action );

if ( !isset( $t_valid_actions[$t_action] ) && !isset ( $t_valid_actions['EXT_' . $t_action] ) ) {
trigger_error( ERROR_GENERIC, ERROR );
}

$t_include_file = config_get_global( 'absolute_path' ) . 'bug_actiongroup_' . $p_action . '_inc.php';
if ( !file_exists( $t_include_file ) ) {
trigger_error( ERROR_GENERIC, ERROR );
} else {
require_once( $t_include_file );
}
}

/**
* Print the top part for the bug action group page.
*/
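Review bot: the whitelist check compares the uppercased name against keys of bug_group_action_get_commands( current_user_get_accessible_projects() ), but the include path is then built from the raw `$p_action`. That is safe because the key comparison is exact (a value containing `/` or `..` can never match a key), but a name that differs only in case passes the check and then fails file_exists on a case-sensitive filesystem with a generic error; normalise to the lower-case file name once and use that for both. Add @param and @return tags to the docblock. Also note the whitelist contains the `custom_field_<id>` and config-driven `custom_group_actions` names, which have no `bug_actiongroup_*_inc.php` file, so those reach the file_exists branch and error rather than being rejected up front; a comment saying this is expected would help the next reader.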
@@ -94,14 +113,6 @@ function bug_group_action_print_hidden_fields( $p_bug_ids_array ) {
* @param $p_action The custom action name without the "EXT_" prefix.
*/
function bug_group_action_print_action_fields( $p_action ) {
if ( !preg_match( '/^\w+$/', $p_action ) ) {
trigger_error( ERROR_GENERIC, ERROR );
}
$t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
if ( !file_exists( $t_include_file ) ) {
trigger_error( ERROR_GENERIC, ERROR );
}
require_once( $t_include_file );
$t_function_name = 'action_' . $p_action . '_print_fields';
$t_function_name();
}
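Review bot: with the preg_match/file_exists/require_once guard removed, bug_group_action_print_action_fields() now assumes bug_group_action_init() already ran in this request; a caller that skips init gets a fatal on the undefined `action_<name>_print_fields` function. Add a `function_exists( $t_function_name )` check that calls trigger_error( ERROR_GENERIC, ERROR ), ideally in a shared helper used by print_title, validate and process below as well, so the dependency on init is enforced rather than implicit.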
@@ -113,14 +124,6 @@ function bug_group_action_print_action_fields( $p_action ) {
* @param $p_action The custom action name without the "EXT_" prefix.
*/
function bug_group_action_print_title( $p_action ) {
if ( !preg_match( '/^\w+$/', $p_action ) ) {
trigger_error( ERROR_GENERIC, ERROR );
}
$t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
if ( !file_exists( $t_include_file ) ) {
trigger_error( ERROR_GENERIC, ERROR );
}
require_once( $t_include_file );
$t_function_name = 'action_' . $p_action . '_print_title';
$t_function_name();
}
@@ -135,14 +138,6 @@ function bug_group_action_print_title( $p_action ) {
* @returns true|array true if action can be applied or array of ( bug_id => reason for failure to validate )
*/
function bug_group_action_validate( $p_action, $p_bug_id ) {
if ( !preg_match( '/^\w+$/', $p_action ) ) {
trigger_error( ERROR_GENERIC, ERROR );
}
$t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
if ( !file_exists( $t_include_file ) ) {
trigger_error( ERROR_GENERIC, ERROR );
}
require_once( $t_include_file );
$t_function_name = 'action_' . $p_action . '_validate';
return $t_function_name( $p_bug_id );
}
@@ -157,14 +152,142 @@ function bug_group_action_validate( $p_action, $p_bug_id ) {
* @returns true|array Action can be applied., ( bug_id => reason for failure to process )
*/
function bug_group_action_process( $p_action, $p_bug_id ) {
if ( !preg_match( '/^\w+$/', $p_action ) ) {
trigger_error( ERROR_GENERIC, ERROR );
}
$t_include_file = 'bug_actiongroup_' . $p_action . '_inc.php';
if ( !file_exists( $t_include_file ) ) {
trigger_error( ERROR_GENERIC, ERROR );
}
require_once( $t_include_file );
$t_function_name = 'action_' . $p_action . '_process';
return $t_function_name( $p_bug_id );
}

/**
* Get a list of bug group actions available to the current user for one or
* more projects.
* @param array $p_projects An array containing one or more project IDs
* @return null
*/
function bug_group_action_get_commands( $p_project_ids = null ) {
if ( $p_project_ids === null || count( $p_project_ids ) == 0 ) {
$p_project_ids = array( ALL_PROJECTS );
}

$t_commands = array();
foreach( $p_project_ids as $t_project_id ) {

if( !isset( $t_commands['MOVE'] ) &&
access_has_project_level( config_get( 'move_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['MOVE'] = lang_get( 'actiongroup_menu_move' );
}

if( !isset( $t_commands['COPY'] ) &&
access_has_any_project( config_get( 'report_bug_threshold', null, null, $t_project_id ) ) ) {
$t_commands['COPY'] = lang_get( 'actiongroup_menu_copy' );
}

if( !isset( $t_commands['ASSIGN'] ) &&
access_has_project_level( config_get( 'update_bug_assign_threshold', null, null, $t_project_id ), $t_project_id ) ) {
if( ON == config_get( 'auto_set_status_to_assigned', null, null, $t_project_id ) &&
access_has_project_level( access_get_status_threshold( config_get( 'bug_assigned_status', null, null, $t_project_id ), $t_project_id ), $t_project_id ) ) {
$t_commands['ASSIGN'] = lang_get( 'actiongroup_menu_assign' );
} else {
$t_commands['ASSIGN'] = lang_get( 'actiongroup_menu_assign' );
}
}

if( !isset( $t_commands['CLOSE'] ) &&
access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $t_project_id ), $t_project_id ) &&
( access_has_project_level( access_get_status_threshold( config_get( 'bug_closed_status_threshold', null, null, $t_project_id ), $t_project_id ), $t_project_id ) ||
access_has_project_level( config_get( 'allow_reporter_close', null, null, $t_project_id ), $t_project_id ) ) ) {
$t_commands['CLOSE'] = lang_get( 'actiongroup_menu_close' );
}

if( !isset( $t_commands['DELETE'] ) &&
access_has_project_level( config_get( 'delete_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['DELETE'] = lang_get( 'actiongroup_menu_delete' );
}

if( !isset( $t_commands['RESOLVE'] ) &&
access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $t_project_id ), $t_project_id ) &&
access_has_project_level( access_get_status_threshold( config_get( 'bug_resolved_status_threshold', null, null, $t_project_id ), $t_project_id ), $t_project_id ) ) {
$t_commands['RESOLVE'] = lang_get( 'actiongroup_menu_resolve' );
}

if( !isset( $t_commands['SET_STICKY'] ) &&
access_has_project_level( config_get( 'set_bug_sticky_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['SET_STICKY'] = lang_get( 'actiongroup_menu_set_sticky' );
}

if( !isset( $t_commands['UP_PRIOR'] ) &&
access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['UP_PRIOR'] = lang_get( 'actiongroup_menu_update_priority' );
}

if( !isset( $t_commands['EXT_UPDATE_SEVERITY'] ) &&
access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['EXT_UPDATE_SEVERITY'] = lang_get( 'actiongroup_menu_update_severity' );
}

if( !isset( $t_commands['UP_STATUS'] ) &&
access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['UP_STATUS'] = lang_get( 'actiongroup_menu_update_status' );
}

if( !isset( $t_commands['UP_CATEGORY'] ) &&
access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['UP_CATEGORY'] = lang_get( 'actiongroup_menu_update_category' );
}

if( !isset( $t_commands['VIEW_STATUS'] ) &&
access_has_project_level( config_get( 'change_view_status_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['VIEW_STATUS'] = lang_get( 'actiongroup_menu_update_view_status' );
}

if( !isset( $t_commands['EXT_UPDATE_PRODUCT_BUILD'] ) &&
config_get( 'enable_product_build', null, null, $t_project_id ) == ON &&
access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['EXT_UPDATE_PRODUCT_BUILD'] = lang_get( 'actiongroup_menu_update_product_build' );
}

if( !isset( $t_commands['EXT_ADD_NOTE'] ) &&
access_has_project_level( config_get( 'add_bugnote_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['EXT_ADD_NOTE'] = lang_get( 'actiongroup_menu_add_note' );
}

if( !isset( $t_commands['EXT_ATTACH_TAGS'] ) &&
access_has_project_level( config_get( 'tag_attach_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['EXT_ATTACH_TAGS'] = lang_get( 'actiongroup_menu_attach_tags' );
}

if( !isset( $t_commands['UP_FIXED_IN_VERSION'] ) &&
version_should_show_product_version( $t_project_id ) &&
access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['UP_FIXED_IN_VERSION'] = lang_get( 'actiongroup_menu_update_fixed_in_version' );
}

if( !isset( $t_commands['UP_TARGET_VERSION'] ) &&
version_should_show_product_version( $t_project_id ) &&
access_has_project_level( config_get( 'roadmap_update_threshold', null, null, $t_project_id ), $t_project_id ) ) {
$t_commands['UP_TARGET_VERSION'] = lang_get( 'actiongroup_menu_update_target_version' );
}

$t_custom_field_ids = custom_field_get_linked_ids( $t_project_id );
foreach( $t_custom_field_ids as $t_custom_field_id ) {
if( !custom_field_has_write_access_to_project( $t_custom_field_id, $t_project_id ) ) {
continue;
}
$t_custom_field_def = custom_field_get_definition( $t_custom_field_id );
$t_command_id = 'custom_field_' . $t_custom_field_id;
$t_command_caption = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) );
$t_commands[$t_command_id] = string_display( $t_command_caption );
}
}

$t_custom_group_actions = config_get( 'custom_group_actions' );

foreach( $t_custom_group_actions as $t_custom_group_action ) {
# use label if provided to get the localized text, otherwise fallback to action name.
if( isset( $t_custom_group_action['label'] ) ) {
$t_commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['label'] );
} else {
$t_commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['action'] );
}
}

return $t_commands;
}
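Review bot: in bug_group_action_get_commands() the ASSIGN block's if and else branches both assign `lang_get( 'actiongroup_menu_assign' )`, so the auto_set_status_to_assigned / bug_assigned_status threshold check is a no-op; either fold that condition into the outer `&&` so it gates the command, or drop it. The docblock says `@return null` but the function returns the `$t_commands` array. Minor: the COPY branch calls access_has_any_project( ... ) without a project argument, so it asks whether the user can report in any project at all, which is the right question for a copy target but departs from the per-project pattern of every other branch; a comment would prevent someone "fixing" it. The implicit dependency on bug_group_action_init() noted for print_action_fields applies equally to bug_group_action_process().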
19 changes: 16 additions & 3 deletions core/columns_api.php
@@ -836,11 +836,24 @@ function print_column_title_overdue( $p_sort, $p_dir, $p_columns_target = COLUMN
* @access public
*/
function print_column_selection( $p_bug, $p_columns_target = COLUMNS_TARGET_VIEW_PAGE ) {
global $t_checkboxes_exist, $t_update_bug_threshold;
global $g_checkboxes_exist;

echo '<td>';
if( access_has_bug_level( $t_update_bug_threshold, $p_bug->id ) ) {
$t_checkboxes_exist = true;
if( access_has_any_project( config_get( 'report_bug_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
# !TODO: check if any other projects actually exist for the bug to be moved to
access_has_project_level( config_get( 'move_bug_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
# !TODO: factor in $g_auto_set_status_to_assigned == ON
access_has_project_level( config_get( 'update_bug_assign_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
access_has_project_level( config_get( 'update_bug_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
access_has_project_level( config_get( 'delete_bug_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
# !TODO: check to see if the bug actually has any different selectable workflow states
access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
access_has_project_level( config_get( 'set_bug_sticky_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
access_has_project_level( config_get( 'change_view_status_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
access_has_project_level( config_get( 'add_bugnote_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
access_has_project_level( config_get( 'tag_attach_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
access_has_project_level( config_get( 'roadmap_update_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ) {
$g_checkboxes_exist = true;
printf( "<input type=\"checkbox\" name=\"bug_arr[]\" value=\"%d\" />", $p_bug->id );
} else {
echo "&#160;";
2 changes: 1 addition & 1 deletion core/config_api.php
@@ -63,7 +63,7 @@ function config_get( $p_option, $p_default = null, $p_user = null, $p_project =
# @@ debug @@ if ($t_bypass_lookup) { echo "bp=$p_option match=$t_match_pattern <br />"; }

if( !$t_bypass_lookup ) {
if( $g_project_override !== null ) {
if( $g_project_override != null && $p_project == null ) {
$p_project = $g_project_override;
}
# @@ debug @@ if ( ! db_is_connected() ) { echo "no db "; }
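Review bot: changing `!==` to `!=` and testing `$p_project == null` makes both comparisons loose, and ALL_PROJECTS is 0 in MantisBT, so `0 == null` is true: an explicit `$p_project = ALL_PROJECTS` is treated as "not set" and silently replaced by the override, and a project override of ALL_PROJECTS is ignored. Use strict checks (`$g_project_override !== null && $p_project === null`) so that only a genuinely absent project argument falls back to the override, which is what the commit message describes.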