Fix #12607: LFI/PD/XSS in upgrade_unattended.php

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number of vulnerabilities in the admin/upgrade_unattended.php script. Earlier patches by Victor Boctor (MantisBT developer) resolved the issue. This patch enhances those changes to strengthen the security of this script even further. Please note that the "admin" directory SHOULD BE DELETED AFTER INSTALLATION on all live instances of MantisBT.
mantisbt · Dec 14, 2010 · d67c4de · d67c4de
1 parent 1efe5be
commit d67c4de
Showing 1 changed file with 15 additions and 5 deletions.
diff --git a/admin/upgrade_unattended.php b/admin/upgrade_unattended.php
@@ -32,6 +32,16 @@
 
 $g_failed = false;
 
+/* This script is probably meant to be executed from PHP CLI and hence should
+ * not be interpreted as text/html. However saying that, we do call gpc_
+ * functions that only make sense in PHP CGI mode. Given this mismatch we'll
+ * just assume for now that this script is meant to be used from PHP CGI and
+ * the output is meant to be text/plain. We also need to prevent Internet
+ * Explorer from ignoring our MIME type and using it's own MIME sniffing.
+ */
+header( 'Content-Type: text/plain;' );
+header( 'X-Content-Type-Options: nosniff' );
+
 /**
  * Print the result of an upgrade step.
  * 
@@ -88,15 +98,15 @@ function print_test_result( $p_result, $p_hard_fail = true, $p_message = '' ) {
 $f_db_exists = gpc_get_bool( 'db_exists', false );
 
 # install the tables
-$c_db_type = string_attribute( $f_db_type );
-if ( !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $c_db_type . '.inc.php' ) ) {
-	echo "Invalid db type '$c_db_type'.";
+if ( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
+     !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $f_db_type . '.inc.php' ) ) {
+	echo 'Invalid db type ' . htmlspecialchars( $f_db_type ) . '.';
 	exit;
 }
 
-$GLOBALS['g_db_type'] = $c_db_type; # database_api references this
+$GLOBALS['g_db_type'] = $f_db_type; # database_api references this
 require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'schema.php' );
-$g_db = ADONewConnection( $c_db_type );
+$g_db = ADONewConnection( $f_db_type );
 
 echo "\nPost 1.0 schema changes\n";
 echo "Connecting to database... ";