Update match_type parameter to be XSS-safe by itself
Using gpc_get_int() instead of gpc_get_string() prevents malicious
users from passing arbitrary strings as the parameter value.

Fixes #15388
dregad committed Jan 19, 2013
1 parent 26c8ca2 commit dbf923c
Showing 3 changed files with 13 additions and 13 deletions.
22 changes: 11 additions & 11 deletions core/filter_api.php
@@ -1085,11 +1085,11 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}

$t_view_type = $t_filter['_view_type'];

// project query clauses must be AND-ed always, irrespective of how the filter
// clauses are requested by the user ( all matching -> AND, any matching -> OR )
$t_where_clauses = array();

$t_project_where_clauses = array(
"$t_project_table.enabled = " . db_param(),
"$t_project_table.id = $t_bug_table.project_id",
@@ -1239,13 +1239,13 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
log_event( LOG_FILTERING, 'project query = ' . $t_project_query );
array_push( $t_project_where_clauses, $t_project_query );
}

# date filter
if(( 'on' == $t_filter[FILTER_PROPERTY_FILTER_BY_DATE] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_MONTH] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_DAY] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_YEAR] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_MONTH] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_DAY] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_YEAR] ) ) {

$t_start_string = $t_filter[FILTER_PROPERTY_START_YEAR] . "-" . $t_filter[FILTER_PROPERTY_START_MONTH] . "-" . $t_filter[FILTER_PROPERTY_START_DAY] . " 00:00:00";
$t_end_string = $t_filter[FILTER_PROPERTY_END_YEAR] . "-" . $t_filter[FILTER_PROPERTY_END_MONTH] . "-" . $t_filter[FILTER_PROPERTY_END_DAY] . " 23:59:59";

$t_where_params[] = strtotime( $t_start_string );
$t_where_params[] = strtotime( $t_end_string );
array_push( $t_project_where_clauses, "($t_bug_table.date_submitted BETWEEN " . db_param() . " AND " . db_param() . " )" );
@@ -2004,13 +2004,13 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}

# End text search

# Determine join operator
if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ANY )
$t_join_operator = ' OR ';
else
$t_join_operator = ' AND ';

log_event(LOG_FILTERING, 'Join operator : ' . $t_join_operator);

$t_from_clauses[] = $t_project_table;
@@ -2046,8 +2046,8 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
$t_where_string .= implode( $t_join_operator, $t_query_clauses['where'] );
$t_where_string .= ' ) ';
}


$t_result = db_query_bound( "$t_select_string $t_from_string $t_join_string $t_where_string $t_order_string", $t_query_clauses['where_values'], $p_per_page, $t_offset );
$t_row_count = db_num_rows( $t_result );

@@ -3393,14 +3393,14 @@ function <?php echo $t_js_toggle_func;?>() {
<tr class="row-1">
<td class="small-caption" valign="top"><a href="<?php echo $t_filters_url . FILTER_PROPERTY_MATCH_TYPE;?>" id="match_type_filter"><?php echo lang_get( 'filter_match_type' )?>:</a></td>
<td class="small-caption" valign="top" id="match_type_filter_target">
<?php
<?php
if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ANY ) {
echo lang_get ('filter_match_any');
} else if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ALL ) {
echo lang_get ('filter_match_all');
}
?>
<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE] ?>"/>
</td>
<td colspan="6">&#160;</td>
</tr>
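Review bot: The hidden `match_type` input in the last hunk is printed both with and without `string_attribute()`; if the raw `echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]` is the new side, as the commit title suggests, the attribute value is safe only while every writer of that filter key casts to int. This commit converts the two request readers in search.php and view_all_set.php, but other ways the filter array gets populated are not visible on this page and should be confirmed before the sink-side encoding is dropped. Keeping the encoding at the output costs nothing, e.g. `value="<?php echo (int)$t_filter[FILTER_PROPERTY_MATCH_TYPE] ?>"` or retaining `string_attribute()`. The remaining hunks in this file appear to change whitespace only, and `filter_get_bug_rows` continues outside them.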
2 changes: 1 addition & 1 deletion search.php
@@ -73,7 +73,7 @@
$my_filter[FILTER_PROPERTY_OS_BUILD] = gpc_get_string_array( FILTER_SEARCH_OS_BUILD, META_FILTER_ANY );
$my_filter[FILTER_PROPERTY_VIEW_STATE_ID] = gpc_get_string_array( FILTER_SEARCH_VIEW_STATE_ID, META_FILTER_ANY );
$my_filter[FILTER_PROPERTY_PRODUCT_VERSION] = gpc_get_string_array( FILTER_SEARCH_PRODUCT_VERSION, META_FILTER_ANY );
$my_filter[FILTER_PROPERTY_MATCH_TYPE] = gpc_get_string ( FILTER_SEARCH_MATCH_TYPE, FILTER_MATCH_ALL );
$my_filter[FILTER_PROPERTY_MATCH_TYPE] = gpc_get_int( FILTER_SEARCH_MATCH_TYPE, FILTER_MATCH_ALL );

// Filtering by Date
$my_filter[FILTER_PROPERTY_FILTER_BY_DATE] = gpc_get_bool( FILTER_SEARCH_FILTER_BY_DATE );
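Review bot: `gpc_get_int()` on the `match_type` line narrows the parameter to an integer but not to the two values the filter code understands, so any other number is stored in the filter as-is. In core/filter_api.php the join operator then falls back to `' AND '` while the match-type label branch prints nothing, which is inconsistent rather than dangerous. Consider normalising right after the read, e.g. `if( $my_filter[FILTER_PROPERTY_MATCH_TYPE] != FILTER_MATCH_ANY ) { $my_filter[FILTER_PROPERTY_MATCH_TYPE] = FILTER_MATCH_ALL; }`. The same applies to `$f_match_type` in view_all_set.php.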
2 changes: 1 addition & 1 deletion view_all_set.php
@@ -202,7 +202,7 @@
$f_note_user_id = array( $f_note_user_id );
}

$f_match_type = gpc_get_string ( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
$f_match_type = gpc_get_int( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );

# these are only single values, even when doing advanced filtering
$f_per_page = gpc_get_int( FILTER_PROPERTY_ISSUES_PER_PAGE, -1 );
