Implement a white list of options accessible via SOAP API

This is a safer approach than the previous blacklist method, which could potentially allow confidential information disclosure if a config were added or renamed without a matching change in config_is_private() function. Fixes #20277 Original commit modified: comments and commit message wording. Signed-off-by: Damien Regad <dregad@mantisbt.org>
mantisbt · Jan 2, 2016 · 7927c27 · 7927c27
1 parent 1dbaeaf
commit 7927c27
Show file tree

Hide file tree

Showing 3 changed files with 357 additions and 62 deletions.
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
@@ -4262,7 +4262,352 @@
 	'class_path','library_path', 'language_path', 'absolute_path_default_upload_folder',
 	'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page',
 	'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url',
-	'cdn_enabled'
+	'cdn_enabled', 'public_config_names'
+);
+
+/**
+ * List of config options available via SOAP API.
+ * The following list of configuration options is used to check if it is
+ * allowed to query a specific configuration option via SOAP API.
+ * @global array $g_public_config_names
+ */
+$g_public_config_names = array(
+	'access_levels_enum_string',
+	'action_button_position',
+	'add_bugnote_threshold',
+	'add_profile_threshold',
+	'admin_site_threshold',
+	'allow_account_delete',
+	'allow_anonymous_login',
+	'allow_blank_email',
+	'allow_delete_own_attachments',
+	'allow_download_own_attachments',
+	'allow_file_upload',
+	'allow_freetext_in_profile_fields',
+	'allow_no_category',
+	'allow_permanent_cookie',
+	'allow_reporter_close',
+	'allow_reporter_reopen',
+	'allow_reporter_upload',
+	'allow_signup',
+	'allowed_files',
+	'anonymous_account',
+	'antispam_max_event_count',
+	'antispam_time_window_in_seconds',
+	'assign_sponsored_bugs_threshold',
+	'auto_set_status_to_assigned',
+	'backward_year_count',
+	'bottom_include_page',
+	'bug_assigned_status',
+	'bug_closed_status_threshold',
+	'bug_count_hyperlink_prefix',
+	'bug_duplicate_resolution',
+	'bug_feedback_status',
+	'bug_link_tag',
+	'bug_list_cookie',
+	'bug_readonly_status_threshold',
+	'bug_reminder_threshold',
+	'bug_reopen_resolution',
+	'bug_reopen_status',
+	'bug_resolution_fixed_threshold',
+	'bug_resolution_not_fixed_threshold',
+	'bug_resolved_status_threshold',
+	'bug_revision_drop_threshold',
+	'bug_submit_status',
+	'bugnote_link_tag',
+	'bugnote_order',
+	'bugnote_user_change_view_state_threshold',
+	'bugnote_user_delete_threshold',
+	'bugnote_user_edit_threshold',
+	'calendar_date_format',
+	'calendar_js_date_format',
+	'cdn_enabled',
+	'change_view_status_threshold',
+	'check_mx_record',
+	'complete_date_format',
+	'compress_html',
+	'cookie_prefix',
+	'cookie_time_length',
+	'copyright_statement',
+	'create_permalink_threshold',
+	'create_project_threshold',
+	'create_short_url',
+	'css_include_file',
+	'css_rtl_include_file',
+	'csv_add_bom',
+	'csv_separator',
+	'custom_field_edit_after_create',
+	'custom_field_link_threshold',
+	'custom_field_type_enum_string',
+	'default_bug_additional_info',
+	'default_bug_eta',
+	'default_bug_priority',
+	'default_bug_projection',
+	'default_bug_relationship_clone',
+	'default_bug_relationship',
+	'default_bug_reproducibility',
+	'default_bug_resolution',
+	'default_bug_severity',
+	'default_bug_steps_to_reproduce',
+	'default_bug_view_status',
+	'default_bugnote_order',
+	'default_bugnote_view_status',
+	'default_category_for_moves',
+	'default_email_bugnote_limit',
+	'default_email_on_assigned_minimum_severity',
+	'default_email_on_assigned',
+	'default_email_on_bugnote_minimum_severity',
+	'default_email_on_bugnote',
+	'default_email_on_closed_minimum_severity',
+	'default_email_on_closed',
+	'default_email_on_feedback_minimum_severity',
+	'default_email_on_feedback',
+	'default_email_on_new_minimum_severity',
+	'default_email_on_new',
+	'default_email_on_priority_minimum_severity',
+	'default_email_on_priority',
+	'default_email_on_reopened_minimum_severity',
+	'default_email_on_reopened',
+	'default_email_on_resolved_minimum_severity',
+	'default_email_on_resolved',
+	'default_email_on_status_minimum_severity',
+	'default_email_on_status',
+	'default_home_page',
+	'default_language',
+	'default_limit_view',
+	'default_manage_tag_prefix',
+	'default_manage_user_prefix',
+	'default_new_account_access_level',
+	'default_project_view_status',
+	'default_redirect_delay',
+	'default_refresh_delay',
+	'default_reminder_view_status',
+	'default_show_changed',
+	'default_timezone',
+	'delete_bug_threshold',
+	'delete_bugnote_threshold',
+	'delete_project_threshold',
+	'development_team_threshold',
+	'differentiate_duplicates',
+	'disallowed_files',
+	'display_bug_padding',
+	'display_bugnote_padding',
+	'display_project_padding',
+	'download_attachments_threshold',
+	'due_date_update_threshold',
+	'due_date_view_threshold',
+	'email_padding_length',
+	'email_receive_own',
+	'email_separator1',
+	'email_separator2',
+	'enable_email_notification',
+	'enable_eta',
+	'enable_product_build',
+	'enable_profiles',
+	'enable_project_documentation',
+	'enable_projection',
+	'enable_sponsorship',
+	'eta_enum_string',
+	'fallback_language',
+	'favicon_image',
+	'file_upload_max_num',
+	'filter_by_custom_fields',
+	'filter_custom_fields_per_row',
+	'filter_position',
+	'forward_year_count',
+	'from_email',
+	'from_name',
+	'handle_bug_threshold',
+	'handle_sponsored_bugs_threshold',
+	'hide_status_default',
+	'history_default_visible',
+	'history_order',
+	'hr_size',
+	'hr_width',
+	'html_make_links',
+	'html_valid_tags_single_line',
+	'html_valid_tags',
+	'inline_file_exts',
+	'limit_reporters',
+	'logo_image',
+	'logo_url',
+	'logout_cookie',
+	'logout_redirect_page',
+	'long_process_timeout',
+	'lost_password_feature',
+	'mail_priority',
+	'manage_config_cookie',
+	'manage_configuration_threshold',
+	'manage_custom_fields_threshold',
+	'manage_global_profile_threshold',
+	'manage_news_threshold',
+	'manage_plugin_threshold',
+	'manage_project_threshold',
+	'manage_site_threshold',
+	'manage_user_threshold',
+	'manage_users_cookie',
+	'max_dropdown_length',
+	'max_failed_login_count',
+	'max_file_size',
+	'max_lost_password_in_progress_count',
+	'meta_include_file',
+	'min_refresh_delay',
+	'minimum_sponsorship_amount',
+	'monitor_add_others_bug_threshold',
+	'monitor_bug_threshold',
+	'monitor_delete_others_bug_threshold',
+	'move_bug_threshold',
+	'my_view_boxes_fixed_position',
+	'my_view_bug_count',
+	'news_enabled',
+	'news_limit_method',
+	'news_view_limit_days',
+	'news_view_limit',
+	'normal_date_format',
+	'notify_flags',
+	'notify_new_user_created_threshold_min',
+	'plugins_enabled',
+	'preview_attachments_inline_max_size',
+	'preview_max_height',
+	'preview_max_width',
+	'priority_enum_string',
+	'priority_significant_threshold',
+	'private_bug_threshold',
+	'private_bugnote_threshold',
+	'private_news_threshold',
+	'private_project_threshold',
+	'project_cookie',
+	'project_status_enum_string',
+	'project_user_threshold',
+	'project_view_state_enum_string',
+	'projection_enum_string',
+	'reassign_on_feedback',
+	'reauthentication_expiry',
+	'reauthentication',
+	'recently_visited_count',
+	'relationship_graph_enable',
+	'relationship_graph_fontname',
+	'relationship_graph_fontsize',
+	'relationship_graph_max_depth',
+	'relationship_graph_orientation',
+	'relationship_graph_view_on_click',
+	'reminder_receive_threshold',
+	'reminder_recipients_monitor_bug',
+	'reopen_bug_threshold',
+	'report_bug_threshold',
+	'report_issues_for_unreleased_versions_threshold',
+	'reporter_summary_limit',
+	'reproducibility_enum_string',
+	'resolution_enum_string',
+	'return_path_email',
+	'roadmap_update_threshold',
+	'roadmap_view_threshold',
+	'rss_enabled',
+	'set_bug_sticky_threshold',
+	'set_configuration_threshold',
+	'set_view_status_threshold',
+	'severity_enum_string',
+	'severity_significant_threshold',
+	'short_date_format',
+	'show_assigned_names',
+	'show_avatar_threshold',
+	'show_avatar',
+	'show_bug_project_links',
+	'show_changelog_dates',
+	'show_detailed_errors',
+	'show_footer_menu',
+	'show_log_threshold',
+	'show_memory_usage',
+	'show_monitor_list_threshold',
+	'show_priority_text',
+	'show_product_version',
+	'show_project_menu_bar',
+	'show_queries_count',
+	'show_realname',
+	'show_roadmap_dates',
+	'show_sticky_issues',
+	'show_timer',
+	'show_user_email_threshold',
+	'show_user_realname_threshold',
+	'show_version_dates_threshold',
+	'show_version',
+	'signup_use_captcha',
+	'sort_by_last_name',
+	'sponsor_threshold',
+	'sponsorship_currency',
+	'sponsorship_enum_string',
+	'status_enum_string',
+	'status_legend_position',
+	'status_percentage_legend',
+	'stop_on_errors',
+	'store_reminders',
+	'stored_query_create_shared_threshold',
+	'stored_query_create_threshold',
+	'stored_query_use_threshold',
+	'string_cookie',
+	'subprojects_enabled',
+	'subprojects_inherit_categories',
+	'subprojects_inherit_versions',
+	'summary_category_include_project',
+	'tag_attach_threshold',
+	'tag_create_threshold',
+	'tag_detach_own_threshold',
+	'tag_detach_threshold',
+	'tag_edit_own_threshold',
+	'tag_edit_threshold',
+	'tag_separator',
+	'tag_view_threshold',
+	'time_tracking_edit_threshold',
+	'time_tracking_enabled',
+	'time_tracking_reporting_threshold',
+	'time_tracking_stopwatch',
+	'time_tracking_view_threshold',
+	'time_tracking_with_billing',
+	'time_tracking_without_note',
+	'top_include_page',
+	'update_bug_assign_threshold',
+	'update_bug_status_threshold',
+	'update_bug_threshold',
+	'update_bugnote_threshold',
+	'update_readonly_bug_threshold',
+	'upload_bug_file_threshold',
+	'upload_project_file_threshold',
+	'use_dynamic_filters',
+	'user_login_valid_regex',
+	'validate_email',
+	'version_suffix',
+	'view_all_cookie',
+	'view_attachments_threshold',
+	'view_bug_threshold',
+	'view_changelog_threshold',
+	'view_configuration_threshold',
+	'view_filters',
+	'view_handler_threshold',
+	'view_history_threshold',
+	'view_proj_doc_threshold',
+	'view_sponsorship_details_threshold',
+	'view_sponsorship_total_threshold',
+	'view_state_enum_string',
+	'view_summary_threshold',
+	'webmaster_email',
+	'webservice_admin_access_level_threshold',
+	'webservice_error_when_version_not_found',
+	'webservice_eta_enum_default_when_not_found',
+	'webservice_priority_enum_default_when_not_found',
+	'webservice_projection_enum_default_when_not_found',
+	'webservice_readonly_access_level_threshold',
+	'webservice_readwrite_access_level_threshold',
+	'webservice_resolution_enum_default_when_not_found',
+	'webservice_severity_enum_default_when_not_found',
+	'webservice_specify_reporter_on_add_access_level_threshold',
+	'webservice_status_enum_default_when_not_found',
+	'webservice_version_when_not_found',
+	'wiki_enable',
+	'wiki_engine_url',
+	'wiki_engine',
+	'wiki_root_namespace',
+	'window_title',
+	'wrap_in_preformatted_text'
 );
 
 # Temporary variables should not remain defined in global scope