Rework the bug action group api such that we can easily convert this …

…to an object in the future, and to validate calls to require once.

This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated.
Depending on webserver configuration, this is a file inclusion vulnerability.

There will be a follow up commit to config api - probably:
-		if( $g_project_override != null ) {
+		if( $g_project_override != null && $p_project == null ) {

At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
a) change project override within the command list function
b) modifify config api to only use the project override *if* it is attempting to look up information on the default project.

Backported from master-1.2.x branch. Note that this commit relies upon
commit 6dc3510 from the master branch
(that hadn't been backported to 1.2.x).

Conflicts:
  bug_actiongroup_ext.php
  bug_actiongroup_ext_page.php
  bug_actiongroup_page.php
  core/bug_group_action_api.php

Signed-off-by: David Hicks <d@hx.id.au>

bug_actiongroup_ext.php

@@ -35,12 +35,11 @@
 	$f_action = gpc_get_string( 'action' );
 	$f_bug_arr	= gpc_get_int_array( 'bug_arr', array() );
 
-	$t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php';
 	$t_form_name = 'bug_actiongroup_' . $f_action;
 
 	form_security_validate( $t_form_name );
 
-	require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . $t_action_include_file );
+	bug_group_action_init( $f_action );
 
 	# group bugs by project
 	$t_projects_bugs = array();

bug_actiongroup_ext_page.php

@@ -20,34 +20,15 @@
 	 * @copyright Copyright (C) 2002 - 2011  MantisBT Team - mantisbt-dev@lists.sourceforge.net
 	 * @link http://www.mantisbt.org
 	 */
-	 /**
-	  * MantisBT Core API's
-	  */
-	require_once( 'core.php' );
 
+	require_once( 'core.php' );
 	require_once( 'bug_group_action_api.php' );
 
-	auth_ensure_user_authenticated();
-
-	$f_action = gpc_get_string( 'action' );
-	$f_bug_arr = gpc_get_int_array( 'bug_arr', array() );
-
-	# redirect to view issues if nothing is selected
-	if ( is_blank( $f_action ) || ( 0 == count( $f_bug_arr ) ) ) {
-		print_header_redirect( 'view_all_bug_page.php' );
-	}
-
-  # redirect to view issues page if action doesn't have ext_* prefix.
-  # This should only occur if this page is called directly.
-	$t_external_action_prefix = 'EXT_';
-	if ( strpos( $f_action, $t_external_action_prefix ) !== 0 ) {
-		print_header_redirect( 'view_all_bug_page.php' );
-  }
-
 	$t_external_action = utf8_strtolower( utf8_substr( $f_action, utf8_strlen( $t_external_action_prefix ) ) );
-	$t_form_fields_page = 'bug_actiongroup_' . $t_external_action . '_inc.php';
 	$t_form_name = 'bug_actiongroup_' . $t_external_action;
 
+	bug_group_action_init( $t_external_action );
+
 	bug_group_action_print_top();
 ?>
 

bug_actiongroup_page.php

@@ -42,6 +42,7 @@
 	# run through the issues to see if they are all from one project
 	$t_project_id = ALL_PROJECTS;
 	$t_multiple_projects = false;
+	$t_projects = array();
 
 	bug_cache_array_rows( $f_bug_arr );
 
@@ -52,11 +53,13 @@
 				$t_multiple_projects = true;
 			} else {
 				$t_project_id = $t_bug->project_id;
+				$t_projects[$t_project_id] = $t_project_id;
 			}
 		}
 	}
 	if ( $t_multiple_projects ) {
 		$t_project_id = ALL_PROJECTS;
+		$t_projects[ALL_PROJECTS] = ALL_PROJECTS;
 	}
 	# override the project if necessary
 	if( $t_project_id != helper_get_current_project() ) {

core/bug_group_action_api.php

@@ -22,6 +22,25 @@
  *	@subpackage BugGroupActionAPI
  */
 
+/**
+ * Initialise bug action group api
+ */
+function bug_group_action_init( $p_action ) {
+	$t_valid_actions = bug_group_action_get_commands( current_user_get_accessible_projects() );
+	$t_action = strtoupper( $p_action );
+
+	if ( !isset( $t_valid_actions[$t_action] ) && !isset ( $t_valid_actions['EXT_' . $t_action] ) ) {
+		trigger_error( ERROR_GENERIC, ERROR );
+	}
+
+	$t_include_file = config_get_global( 'absolute_path' ) . 'bug_actiongroup_' . $p_action . '_inc.php';
+	if ( !file_exists( $t_include_file ) ) {
+		trigger_error( ERROR_GENERIC, ERROR );
+	} else {
+		require_once( $t_include_file );
+	}
+}
+
 /**
  * Print the top part for the bug action group page.
  */
@@ -94,7 +113,6 @@ function bug_group_action_print_hidden_fields( $p_bug_ids_array ) {
  * @param $p_action   The custom action name without the "EXT_" prefix.
  */
 function bug_group_action_print_action_fields( $p_action ) {
-	require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
 	$t_function_name = 'action_' . $p_action . '_print_fields';
 	$t_function_name();
 }
@@ -106,7 +124,6 @@ function bug_group_action_print_action_fields( $p_action ) {
  * @param $p_action   The custom action name without the "EXT_" prefix.
  */
 function bug_group_action_print_title( $p_action ) {
-	require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
 	$t_function_name = 'action_' . $p_action . '_print_title';
 	$t_function_name();
 }
@@ -121,7 +138,6 @@ function bug_group_action_print_title( $p_action ) {
  * @returns true|array true if action can be applied or array of ( bug_id => reason for failure to validate )
  */
 function bug_group_action_validate( $p_action, $p_bug_id ) {
-	require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
 	$t_function_name = 'action_' . $p_action . '_validate';
 	return $t_function_name( $p_bug_id );
 }
@@ -136,7 +152,6 @@ function bug_group_action_validate( $p_action, $p_bug_id ) {
  * @returns true|array Action can be applied., ( bug_id => reason for failure to process )
  */
 function bug_group_action_process( $p_action, $p_bug_id ) {
-	require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
 	$t_function_name = 'action_' . $p_action . '_process';
 	return $t_function_name( $p_bug_id );
 }