From b7b9537d4e976cad6b76be2d0a1a2817342f643c Mon Sep 17 00:00:00 2001
From: David Hicks
Date: Thu, 4 Mar 2010 22:31:59 +1100
Subject: [PATCH] Fix #11610: Validate all custom field types
MantisBT was only validating certain custom field types. List/checkbox style field values were not being validated making it possible for malicious users to bypass the custom field 'possible values' setting and set custom field values to be whatever they desired.
All custom field types are now validated to ensure that selected values are within the bounds of the 'possible values' setting of each custom field.
This patch also fixes the radio custom field type so that it no longer behaves like a field with multiple possible values. Only one value can be specified for a radio field, hence there is no need to treat it like an array within gpc_api.
---
 core/cfdefs/cfdef_standard.php | 2 +-
 core/custom_field_api.php | 21 +++++++++++++++++----
 core/gpc_api.php | 1 -
 3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/core/cfdefs/cfdef_standard.php b/core/cfdefs/cfdef_standard.php
index 1848580b15..9ce8119714 100644
--- a/core/cfdefs/cfdef_standard.php
+++ b/core/cfdefs/cfdef_standard.php
@@ -280,7 +280,7 @@ function cfdef_input_radio( $p_field_def, $p_custom_field_value ) {
 }
 foreach ( $t_values as $t_option ) {
- echo ' ' . $t_option . '  ';
diff --git a/core/custom_field_api.php b/core/custom_field_api.php
index 4c22f896c6..d80a6b748c 100644
--- a/core/custom_field_api.php
+++ b/core/custom_field_api.php
@@ -1168,16 +1168,29 @@ function custom_field_validate( $p_field_id, $p_value ) {
 // either false (php >= 5.1) or -1 (php < 5.1) for failure
 $t_valid &= ( $p_value == null ) || ( ( $p_value !== false ) && ( $p_value > 0 ) );
 break;
- case CUSTOM_FIELD_TYPE_ENUM:
- case CUSTOM_FIELD_TYPE_EMAIL:
+ case CUSTOM_FIELD_TYPE_MULTILIST:
 case CUSTOM_FIELD_TYPE_CHECKBOX:
+ $t_values = explode( '|', $p_value );
+ $t_possible_values = custom_field_prepare_possible_values( $row['possible_values'] );
+ $t_possible_values = explode( '|', $t_possible_values );
+ $t_invalid_values = array_diff( $t_values, $t_possible_values );
+ $t_valid &= ( count( $t_invalid_values ) == 0 );
+ break;
+ case CUSTOM_FIELD_TYPE_ENUM:
 case CUSTOM_FIELD_TYPE_LIST:
- case CUSTOM_FIELD_TYPE_MULTILIST:
 case CUSTOM_FIELD_TYPE_RADIO:
+ $t_possible_values = custom_field_prepare_possible_values( $row['possible_values'] );
+ $t_values_arr = explode( '|', $t_possible_values );
+ $t_valid &= in_array( $p_value, $t_values_arr );
+ break;
+ case CUSTOM_FIELD_TYPE_EMAIL:
+ if ( $p_value !== '' ) {
+ $t_valid &= email_is_valid( $p_value );
+ }
 default:
 break;
 }
- return $t_valid;
+ return (bool)$t_valid;
 }
 
 /**
diff --git a/core/gpc_api.php b/core/gpc_api.php
index a5aa68aeb0..031c7fb23a 100644
--- a/core/gpc_api.php
+++ b/core/gpc_api.php
@@ -201,7 +201,6 @@ function gpc_get_custom_field( $p_var_name, $p_custom_field_type, $p_default = n
 switch( $p_custom_field_type ) {
 case CUSTOM_FIELD_TYPE_MULTILIST:
 case CUSTOM_FIELD_TYPE_CHECKBOX:
- case CUSTOM_FIELD_TYPE_RADIO:
 // ensure that the default is an array, if set
 if ( ($p_default !== null) && !is_array($p_default) ) {
 $p_default = array( $p_default );
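Review bot: `in_array( $p_value, $t_values_arr )` in the new ENUM/LIST/RADIO branch compares loosely, so a submitted value that is merely numerically equal to a possible value (for example `1e1` or `10.0` against a possible value of `10`) passes validation and is stored verbatim, which is the same "outside the configured possible values" class of input this commit sets out to reject; pass the strict flag, `$t_valid &= in_array( $p_value, $t_values_arr, true );`. The MULTILIST/CHECKBOX branch just above is already strict because array_diff compares elements as strings, so the two branches currently disagree on what counts as a match. Both branches also reject an empty submission outright, since `explode( '|', '' )` yields `array( '' )` and an empty string is not in the exploded possible values, so a non-required field left blank fails unless the caller filters empties before calling custom_field_validate — that caller is outside this hunk and worth checking. The EMAIL case falls through into `default:` without a `break;`; harmless today, but add one so a case inserted between them later does not silently extend it. custom_field_validate begins before this hunk, which is where `$row` is populated.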