Avoid private project name disclosure

When an unprivileged user tries to access a private project via manage_proj_edit_page.php, they receive an Access Denied as expected, but the project's name is leaked via the navbar's project selector. Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting and providing an initial patch for this bug. Fixes #27726, #27357, CVE-2020-29603
mantisbt · Dec 30, 2020 · cff10f2 · cff10f2
1 parent 09886c8
commit cff10f2
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/core/layout_api.php b/core/layout_api.php
@@ -519,7 +519,10 @@ function layout_navbar_projects_menu() {
 	echo '<a data-toggle="dropdown" href="#" class="dropdown-toggle">' . "\n";
 
 	$t_current_project_id = helper_get_current_project();
-	if( ALL_PROJECTS == $t_current_project_id) {
+
+	# Check user's access to the project, and if not authorized select display
+	# ALL PROJECTS to avoid disclosing the private project's name.
+	if( ALL_PROJECTS == $t_current_project_id || !access_get_project_level( $t_current_project_id ) ) {
 		echo '&#160;' . string_attribute( lang_get( 'all_projects' ) ) . '&#160;' . "\n";
 	} else {
 		echo '&#160;' . string_attribute( project_get_field( $t_current_project_id, 'name' ) ) . '&#160;' . "\n";