From 36ed5a459ab0d7757dc0160fac361485efc2d133 Mon Sep 17 00:00:00 2001
From: Jeroen Latour <jlatour@users.sourceforge.net>
Date: Mon, 12 Aug 2002 19:50:22 +0000
Subject: [PATCH] Added input cleaning to the bug history (another SQL
 poisoning attack). Reformatted code in bugnote_set_view_state.php

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@1188 f5dc347c-c33d-0410-90a0-b07cc1902cb9
---
 bug_update.php             | 36 +++++++++---------
 bugnote_set_view_state.php |  2 +-
 core_history_API.php       | 77 +++++++++++++++++++++++++++++++++++++-
 3 files changed, 95 insertions(+), 20 deletions(-)

diff --git a/bug_update.php b/bug_update.php
index b09de99ff2..98b3e0b4ac 100644
--- a/bug_update.php
+++ b/bug_update.php
@@ -113,24 +113,24 @@
 
 	# log changes
 	$t_user_id = get_current_user_field( 'id' );
-	history_log_event_direct( $c_id, 'category',        $h_category, $c_category, $t_user_id );
-	history_log_event_direct( $c_id, 'severity',        $h_severity, $c_severity, $t_user_id );
-	history_log_event_direct( $c_id, 'reproducibility', $h_reproducibility, $c_reproducibility, $t_user_id );
-	history_log_event_direct( $c_id, 'priority',        $h_priority, $c_priority, $t_user_id );
-	history_log_event_direct( $c_id, 'status',          $h_status, $c_status, $t_user_id );
-	history_log_event_direct( $c_id, 'projection',      $h_projection, $c_projection, $t_user_id );
-	history_log_event_direct( $c_id, 'duplicate_id',    $h_duplicate_id, $c_duplicate_id, $t_user_id );
-	history_log_event_direct( $c_id, 'resolution',      $h_resolution, $c_resolution, $t_user_id );
-	history_log_event_direct( $c_id, 'handler_id',      $h_handler_id, $c_handler_id, $t_user_id );
-	history_log_event_direct( $c_id, 'reporter_id',     $h_reporter_id, $c_reporter_id, $t_user_id );
-	history_log_event_direct( $c_id, 'eta',             $h_eta, $c_eta, $t_user_id );
-	history_log_event_direct( $c_id, 'summary',         $h_summary, $c_summary, $t_user_id );
-	history_log_event_direct( $c_id, 'os',              $h_os, $c_os, $t_user_id );
-	history_log_event_direct( $c_id, 'os_build',        $h_os_build, $c_os_build, $t_user_id );
-	history_log_event_direct( $c_id, 'platform',        $h_platform, $c_platform, $t_user_id );
-	history_log_event_direct( $c_id, 'build',           $h_build, $c_build, $t_user_id );
-	history_log_event_direct( $c_id, 'version',         $h_version, $c_version, $t_user_id );
-	history_log_event_direct( $c_id, 'view_state',      $h_view_state, $c_view_state, $t_user_id );
+	history_log_event_direct( $c_id, 'category',        $h_category, $f_category, $t_user_id );
+	history_log_event_direct( $c_id, 'severity',        $h_severity, $f_severity, $t_user_id );
+	history_log_event_direct( $c_id, 'reproducibility', $h_reproducibility, $f_reproducibility, $t_user_id );
+	history_log_event_direct( $c_id, 'priority',        $h_priority, $f_priority, $t_user_id );
+	history_log_event_direct( $c_id, 'status',          $h_status, $f_status, $t_user_id );
+	history_log_event_direct( $c_id, 'projection',      $h_projection, $f_projection, $t_user_id );
+	history_log_event_direct( $c_id, 'duplicate_id',    $h_duplicate_id, $f_duplicate_id, $t_user_id );
+	history_log_event_direct( $c_id, 'resolution',      $h_resolution, $f_resolution, $t_user_id );
+	history_log_event_direct( $c_id, 'handler_id',      $h_handler_id, $f_handler_id, $t_user_id );
+	history_log_event_direct( $c_id, 'reporter_id',     $h_reporter_id, $f_reporter_id, $t_user_id );
+	history_log_event_direct( $c_id, 'eta',             $h_eta, $f_eta, $t_user_id );
+	history_log_event_direct( $c_id, 'summary',         $h_summary, $f_summary, $t_user_id );
+	history_log_event_direct( $c_id, 'os',              $h_os, $f_os, $t_user_id );
+	history_log_event_direct( $c_id, 'os_build',        $h_os_build, $f_os_build, $t_user_id );
+	history_log_event_direct( $c_id, 'platform',        $h_platform, $f_platform, $t_user_id );
+	history_log_event_direct( $c_id, 'build',           $h_build, $f_build, $t_user_id );
+	history_log_event_direct( $c_id, 'version',         $h_version, $f_version, $t_user_id );
+	history_log_event_direct( $c_id, 'view_state',      $h_view_state, $f_view_state, $t_user_id );
 
 	if ( $h_description != $c_description ) {
 		history_log_event_special( $c_id, DESCRIPTION_UPDATED );
diff --git a/bugnote_set_view_state.php b/bugnote_set_view_state.php
index 777d7ba999..2d45f5d47a 100644
--- a/bugnote_set_view_state.php
+++ b/bugnote_set_view_state.php
@@ -14,7 +14,7 @@
 	$t_bugnote_user_id	= get_bugnote_field( $f_bugnote_id, 'reporter_id' );
 	$t_id				= get_bugnote_field( $f_bugnote_id, 'bug_id' );
 	$t_user_id			= get_current_user_field( 'id' );
-	$c_bugnote_id = (integer)$f_bugnote_id;
+	$c_bugnote_id 		= (integer)$f_bugnote_id;
 
 	project_access_check( $t_id );
 
diff --git a/core_history_API.php b/core_history_API.php
index f9ffe14c8b..ec2bf79e00 100644
--- a/core_history_API.php
+++ b/core_history_API.php
@@ -1 +1,76 @@
-<?php
	# Mantis - a php based bugtracking system
	# Copyright (C) 2000, 2001  Kenzaburo Ito - kenito@300baud.org
	# This program is distributed under the terms and conditions of the GPL
	# See the files README and LICENSE for details

	###########################################################################
	# History API
	###########################################################################

	# --------------------
	# log the changes (old / new value are supplied to reduce db access)
	# events should be logged *after* the modification
	function history_log_event_direct( $p_bug_id, $p_field_name, $p_old_value, $p_new_value, $p_user_id = 0 ) {
		global $g_mantis_bug_history_table;

		# Only log events that change the value
		if ( $p_new_value != $p_old_value ) {
			$c_user_id = (integer)$p_user_id;
			if ( 0 == $c_user_id ) {
				$c_user_id   = get_current_user_field( 'id' );
			};

			$query = "INSERT INTO $g_mantis_bug_history_table
					( user_id, bug_id, date_modified, field_name, old_value, new_value )
					VALUES
					( '$c_user_id', '$p_bug_id', NOW(), '$p_field_name', '$p_old_value', '$p_new_value' )";
			$result = db_query( $query );
		}
	}
	# --------------------
	# log the changes
	# events should be logged *after* the modification
	function history_log_event( $p_bug_id, $p_field_name, $p_old_value ) {
		history_log_event_direct( $p_bug_id, $p_field_name, $p_old_value, get_bug_field( $p_bug_id, $p_field_name ) );
	}
	# --------------------
	# log the changes
	# events should be logged *after* the modification
	# These are special case logs (new bug, deleted bugnote, etc.)
	function history_log_event_special( $p_bug_id, $p_type, $p_optional='',  $p_optional2='' ) {
		global $g_mantis_bug_history_table;

		$p_optional = string_prepare_text( $p_optional );

		$t_user_id   = get_current_user_field( 'id' );
		$query = "INSERT INTO $g_mantis_bug_history_table
				( user_id, bug_id, date_modified, type, old_value, new_value )
				VALUES
				( '$t_user_id', '$p_bug_id', NOW(), '$p_type', '$p_optional', '$p_optional2' )";
		$result = db_query( $query );
	}
	# --------------------
	# return all bug history for a given bug id ordered by date
	function history_get_events( $p_bug_id ) {
		global $g_mantis_bug_history_table, $g_mantis_user_table;

		$query = "SELECT b.*, u.username
				FROM $g_bug_history_table b
				LEFT JOIN $g_mantis_user_table u
				ON b.user_id=u.id
				WHERE bug_id='$p_bug_id'
				ORDER BY date_modified DESC";
		$result = db_query( $query );
	}
	# --------------------
?>
\ No newline at end of file
+<?php
+	# Mantis - a php based bugtracking system
+	# Copyright (C) 2000, 2001  Kenzaburo Ito - kenito@300baud.org
+	# This program is distributed under the terms and conditions of the GPL
+	# See the files README and LICENSE for details
+
+	###########################################################################
+	# History API
+	###########################################################################
+
+	# --------------------
+	# log the changes (old / new value are supplied to reduce db access)
+	# events should be logged *after* the modification
+	function history_log_event_direct( $p_bug_id, $p_field_name, $p_old_value, $p_new_value, $p_user_id = 0 ) {
+		global $g_mantis_bug_history_table;
+
+		# Only log events that change the value
+		if ( $p_new_value != $p_old_value ) {
+			$c_field_name	= string_prepare_text( $p_field_name );
+			$c_old_value	= string_prepare_text( $p_old_value );
+			$c_new_value	= string_prepare_text( $p_new_value );
+			$c_bug_id		= (integer)$p_bug_id;
+			$c_user_id 		= (integer)$p_user_id;
+			if ( 0 == $c_user_id ) {
+				$c_user_id	= get_current_user_field( 'id' );
+			};
+			
+			$query = "INSERT INTO $g_mantis_bug_history_table
+					( user_id, bug_id, date_modified, field_name, old_value, new_value )
+					VALUES
+					( '$c_user_id', '$c_bug_id', NOW(), '$c_field_name', '$c_old_value', '$c_new_value' )";
+			$result = db_query( $query );
+		}
+	}
+	# --------------------
+	# log the changes
+	# events should be logged *after* the modification
+	function history_log_event( $p_bug_id, $p_field_name, $p_old_value ) {
+		history_log_event_direct( $p_bug_id, $p_field_name, $p_old_value, get_bug_field( $p_bug_id, $p_field_name ) );
+	}
+	# --------------------
+	# log the changes
+	# events should be logged *after* the modification
+	# These are special case logs (new bug, deleted bugnote, etc.)
+	function history_log_event_special( $p_bug_id, $p_type, $p_optional='',  $p_optional2='' ) {
+		global $g_mantis_bug_history_table;
+
+		$c_bug_id		= (integer)$c_bug_id;
+		$c_type			= (integer)$c_type;
+		$c_optional		= string_prepare_text( $p_optional );
+		$c_optional2	= string_prepare_text( $p_optional2 );
+		$t_user_id		= get_current_user_field( 'id' );
+		
+		$query = "INSERT INTO $g_mantis_bug_history_table
+				( user_id, bug_id, date_modified, type, old_value, new_value )
+				VALUES
+				( '$t_user_id', '$c_bug_id', NOW(), '$c_type', '$c_optional', '$c_optional2' )";
+		$result = db_query( $query );
+	}
+	# --------------------
+	# return all bug history for a given bug id ordered by date
+	function history_get_events( $p_bug_id ) {
+		global $g_mantis_bug_history_table, $g_mantis_user_table;
+		
+		$c_bug_id 		= (integer)$p_bug_id;
+
+		$query = "SELECT b.*, u.username
+				FROM $g_bug_history_table b
+				LEFT JOIN $g_mantis_user_table u
+				ON b.user_id=u.id
+				WHERE bug_id='$c_bug_id'
+				ORDER BY date_modified DESC";
+		$result = db_query( $query );
+	}
+	# --------------------
+?>
\ No newline at end of file