Fix #11610: Validate all custom field types

MantisBT was only validating certain custom field types. List/checkbox
style field values were not being validated making it possible for
malicious users to bypass the custom field 'possible values' setting and
set custom field values to be whatever they desired.

All custom field types are now validated to ensure that selected values
are within the bounds of the 'possible values' setting of each custom
field.

This patch also fixes the radio custom field type so that it no longer
behaves like a field with multiple possible values. Only one value can
be specified for a radio field, hence there is no need to treat it like
an array within gpc_api.

core/cfdefs/cfdef_standard.php

@@ -280,7 +280,7 @@ function cfdef_input_radio( $p_field_def, $p_custom_field_value ) {
 	}
 
 	foreach ( $t_values as $t_option ) {
-		echo '<input ', helper_get_tab_index(), ' type="radio" name="custom_field_' . $p_field_def['id'] . '[]"';
+		echo '<input ', helper_get_tab_index(), ' type="radio" name="custom_field_' . $p_field_def['id'] . '"';
 
 		if ( $t_option == $t_checked_value ) {
 			echo ' value="' . $t_option . '" checked="checked">&nbsp;' . $t_option . '&nbsp;&nbsp;';

core/custom_field_api.php

@@ -1168,16 +1168,29 @@ function custom_field_validate( $p_field_id, $p_value ) {
 			// either false (php >= 5.1)  or -1 (php < 5.1) for failure
 			$t_valid &= ( $p_value == null ) || ( ( $p_value !== false ) && ( $p_value > 0 ) );
 			break;
-		case CUSTOM_FIELD_TYPE_ENUM:
-		case CUSTOM_FIELD_TYPE_EMAIL:
+		case CUSTOM_FIELD_TYPE_MULTILIST:
 		case CUSTOM_FIELD_TYPE_CHECKBOX:
+			$t_values = explode( '|', $p_value );
+			$t_possible_values = custom_field_prepare_possible_values( $row['possible_values'] );
+			$t_possible_values = explode( '|', $t_possible_values );
+			$t_invalid_values = array_diff( $t_values, $t_possible_values );
+			$t_valid &= ( count( $t_invalid_values ) == 0 );
+			break;
+		case CUSTOM_FIELD_TYPE_ENUM:
 		case CUSTOM_FIELD_TYPE_LIST:
-		case CUSTOM_FIELD_TYPE_MULTILIST:
 		case CUSTOM_FIELD_TYPE_RADIO:
+			$t_possible_values = custom_field_prepare_possible_values( $row['possible_values'] );
+			$t_values_arr = explode( '|', $t_possible_values );
+			$t_valid &= in_array( $p_value, $t_values_arr );
+			break;
+		case CUSTOM_FIELD_TYPE_EMAIL:
+			if ( $p_value !== '' ) {
+				$t_valid &= email_is_valid( $p_value );
+			}
 		default:
 			break;
 	}
-	return $t_valid;
+	return (bool)$t_valid;
 }
 
 /**

core/gpc_api.php

@@ -201,7 +201,6 @@ function gpc_get_custom_field( $p_var_name, $p_custom_field_type, $p_default = n
 	switch( $p_custom_field_type ) {
 		case CUSTOM_FIELD_TYPE_MULTILIST:
 		case CUSTOM_FIELD_TYPE_CHECKBOX:
-		case CUSTOM_FIELD_TYPE_RADIO:
 		    // ensure that the default is an array, if set
 		    if ( ($p_default !== null) && !is_array($p_default) ) {
 		        $p_default = array( $p_default );