Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require once.

This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated. Depending on webserver configuration, this is a file inclusion vulnerability.

There will be a follow up commit to config api - probably:

- if( $g_project_override != null ) {
+ if( $g_project_override != null && $p_project == null ) {

At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:

a) change project override within the command list function
b) modify config api to only use the project override *if* it is attempting to look up information on the default project.

Backported from master-1.2.x branch.

Note that this commit relies upon commit 6dc3510 from the master branch (that hadn't been backported to 1.2.x).

Conflicts:
bug_actiongroup_ext.php
bug_actiongroup_ext_page.php
bug_actiongroup_page.php
core/bug_group_action_api.php

Signed-off-by: David Hicks <d@hx.id.au>
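The commit message describes the defensive pattern without showing it: a request-supplied action name must be matched against a fixed list before it is turned into a require_once path, so that the file loaded can never be chosen by the client. The following is an added illustration of that pattern written for this page; it is not code from the MantisBT commit, and the directory constant, action list and function names are assumptions.

```php
<?php
// Added example, not MantisBT's code. Demonstrates validating a bulk-action
// name before it reaches require_once. Directory, action map and function
// names are assumptions for illustration only.

define( 'EXAMPLE_ACTION_DIR', __DIR__ . '/actions' );

/**
 * Fixed map of permitted action names to the files that implement them.
 * A request can only ever select one of these entries; nothing else is
 * ever passed to require_once.
 */
function example_action_files() {
    return array(
        'CLOSE'  => 'close_inc.php',   // assumed handler file
        'ASSIGN' => 'assign_inc.php',  // assumed handler file
    );
}

/**
 * Validate the action name and return the absolute path of its handler,
 * or null when the name is not on the list.
 */
function example_action_file( $p_action ) {
    $t_files = example_action_files();
    if( !is_string( $p_action ) || !isset( $t_files[$p_action] ) ) {
        return null;
    }
    $t_path = EXAMPLE_ACTION_DIR . '/' . $t_files[$p_action];

    // Belt and braces: even a listed file must resolve inside the action
    // directory, so a misconfigured map cannot point elsewhere.
    $t_real = realpath( $t_path );
    $t_base = realpath( EXAMPLE_ACTION_DIR );
    if( $t_real === false || $t_base === false ||
        strpos( $t_real, $t_base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $t_real;
}

/**
 * Load the handler for a request-supplied action. Fails closed with a
 * generic error instead of handing unvalidated input to require_once.
 */
function example_load_action( $p_action ) {
    $t_file = example_action_file( $p_action );
    if( $t_file === null ) {
        // MantisBT would raise an application error via trigger_error();
        // a plain exception stands in for it here.
        throw new RuntimeException( 'Unknown bulk action' );
    }
    require_once( $t_file );
}

// Usage (values constructed):
// example_load_action( 'CLOSE' );        // loads actions/close_inc.php
// example_load_action( 'NOT_IN_LIST' );  // rejected before require_once
```

The important property is that the only thing taken from the request is a lookup key into a map the application controls; the file name itself never comes from the client. The realpath check is a second, independent guard and is not a substitute for the allow-list.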
1 parent 965b00a; commit 5b93161. Showing 4 changed files with 26 additions and 28 deletions.