From 92f07eb66c4b967f346b927e4b0afba00456e5d2 Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Sun, 12 Mar 2017 09:00:30 +0100
Subject: [PATCH 1/3] Install: fix db connection as admin check (#1049)
Commit 42718557933d1e58fc134ef3bea7db97aeb00c65 (issue #22400) introduced a regression in the installer, causing the 'Attempting to connect to database as admin' check to fail for new installations, even though the Admin user ID and password are correct. Fixes #22510
---
admin/install.php | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/admin/install.php b/admin/install.php
index 7aad216fde..4fcec7f5ea 100644
--- a/admin/install.php
+++ b/admin/install.php
@@ -408,17 +408,17 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes $t_result = @$g_db->Connect( $f_hostname, $f_admin_username, $f_admin_password ); if( $t_result ) { - # check if db exists for the admin - $t_result = @$g_db->Connect( $f_hostname, $f_admin_username, $f_admin_password, $f_database_name ); - } - if( $t_result ) { - $t_db_open = true; - $f_db_exists = true; - # due to a bug in ADODB, this call prompts warnings, hence the @ # the check only works on mysql if the database is open $t_version_info = @$g_db->ServerInfo(); + # check if db exists for the admin + $t_result = @$g_db->Connect( $f_hostname, $f_admin_username, $f_admin_password, $f_database_name ); + if( $t_result ) { + $t_db_open = true; + $f_db_exists = true; + } + print_test_result( GOOD ); } else { print_test_result( BAD, true, 'Does administrative user have access to the database? ( ' . db_error_msg() . ' )' );
From 1abcbc10ea82aa36c2f2c2f38f43343d013749c4 Mon Sep 17 00:00:00 2001
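Review bot: The comment kept above `$t_version_info = @$g_db->ServerInfo();` still says the check only works on mysql if the database is open, yet the new ordering calls ServerInfo() before the `Connect()` that selects `$f_database_name`, so the comment now contradicts the code beneath it. If calling ServerInfo() on the database-less connection is the point of the fix for #22510, say so next to it, e.g. `# deliberately called before the database is selected (#22510); confirm the result is usable on mysql when the db is not yet open`, adjusted to what the ADODB driver actually guarantees. A second point: the added `Connect()` with the database name reuses `$t_result`, so after this block a false value no longer distinguishes "admin login failed" from "database does not exist yet"; a separate variable such as `$t_db_result` would keep the two apart if later code reads `$t_result`. The enclosing `if( $t_result )` block and print_test continue outside the hunk.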
From: Victor Boctor
Date: Sun, 12 Mar 2017 16:10:04 -0700
Subject: [PATCH 2/3] Update version to 2.2.1
---
core/constant_inc.php | 2 +-
.../Admin_Guide/en-US/Revision_History.xml | 28 +++++++++++++++++++
.../en-US/Revision_History.xml | 28 +++++++++++++++++++
3 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/core/constant_inc.php b/core/constant_inc.php
index b42e58f3c5..2b9a557a8b 100644
--- a/core/constant_inc.php
+++ b/core/constant_inc.php
@@ -21,7 +21,7 @@ /** * Mantis Version */ -define( 'MANTIS_VERSION', '2.2.0' ); +define( 'MANTIS_VERSION', '2.2.1' ); define( 'FILTER_VERSION', 'v9' ); # --- constants -------------------
diff --git a/docbook/Admin_Guide/en-US/Revision_History.xml b/docbook/Admin_Guide/en-US/Revision_History.xml
index 57f5d2904a..68bf65bd08 100644
--- a/docbook/Admin_Guide/en-US/Revision_History.xml
+++ b/docbook/Admin_Guide/en-US/Revision_History.xml
@@ -5,6 +5,34 @@ Revision History + + 2.2-2 + Sun Mar 12 2017 + + Victor + Boctor + vboctor@mantisbt.org + + + + Release 2.2.1 + + + + + 1.3-18 + Sun Mar 12 2017 + + Victor + Boctor + vboctor@mantisbt.org + + + + Release 1.3.7 + + + 2.2-1 Sun Feb 26 2017
diff --git a/docbook/Developers_Guide/en-US/Revision_History.xml b/docbook/Developers_Guide/en-US/Revision_History.xml
index 618a287142..f1ea111b3e 100644
--- a/docbook/Developers_Guide/en-US/Revision_History.xml
+++ b/docbook/Developers_Guide/en-US/Revision_History.xml
@@ -7,6 +7,34 @@ Revision History + + 2.2-2 + Sun Mar 12 2017 + + Victor + Boctor + vboctor@mantisbt.org + + + + Release 2.2.1 + + + + + 1.3-18 + Sun Mar 12 2017 + + Victor + Boctor + vboctor@mantisbt.org + + + + Release 1.3.7 + + + 2.2-1 Sun Feb 26 2017
From da74c5aa02bcf21cfaab1180f892c22415e5fea6 Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Fri, 17 Mar 2017 15:09:09 +0100
Subject: [PATCH 3/3] Fix XSS in adm_config_report.php's action parameter
Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/ reported a vulnerability in the Configuration Report page, allowing an attacker to inject arbitrary code through a crafted 'action' parameter. Define a new set of constants (MANAGE_CONFIG_ACTION_*) replacing the hardcoded strings used in adm_config_report.php and adm_config_set.php. Sanitize the 'action' parameter to ensure it is only set to one of the allowed values Fixes #22537
---
adm_config_report.php | 20 +++++++++++++++-----
adm_config_set.php | 2 +-
core/constant_inc.php | 4 ++++
3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/adm_config_report.php b/adm_config_report.php
index 8c0f017dbe..37e8189e47 100644
--- a/adm_config_report.php
+++ b/adm_config_report.php
@@ -218,7 +218,17 @@ function check_config_value( $p_config ) { $t_edit_option = gpc_get_string( 'config_option', $t_filter_config_value == META_FILTER_NONE ? '' : $t_filter_config_value ); $t_edit_type = gpc_get_string( 'type', CONFIG_TYPE_DEFAULT ); $t_edit_value = gpc_get_string( 'value', '' ); -$t_edit_action = gpc_get_string( 'action', 'action_create' ); + +$f_edit_action = gpc_get_string( 'action', MANAGE_CONFIG_ACTION_CREATE ); +# Ensure we exclusively use one of the defined, valid actions (XSS protection) +$t_valid_actions = array( + MANAGE_CONFIG_ACTION_CREATE, + MANAGE_CONFIG_ACTION_CLONE, + MANAGE_CONFIG_ACTION_EDIT +); +$t_edit_action = in_array( $f_edit_action, $t_valid_actions ) + ? $f_edit_action + : MANAGE_CONFIG_ACTION_CREATE; # Apply filters
@@ -443,7 +453,7 @@ function check_config_value( $p_config ) { 'config_option' => $v_config_id, 'type' => $v_type, 'value' => $v_value, - 'action' => 'action_edit', + 'action' => MANAGE_CONFIG_ACTION_EDIT, ), OFF ); echo '';
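Review bot: `in_array( $f_edit_action, $t_valid_actions )` in the @@ -218 hunk uses loose comparison; pass `true` as the third argument so the whitelist compares with `===`, the same comparison adm_config_set.php applies to this value: `$t_edit_action = in_array( $f_edit_action, $t_valid_actions, true )`. The fallback silently maps any unrecognised value to MANAGE_CONFIG_ACTION_CREATE instead of reporting it, which is a reasonable safe default, but a one-line comment on the `: MANAGE_CONFIG_ACTION_CREATE;` line saying that an unknown action is deliberately treated as create would stop the next reader from taking it for a missed error path. The "(XSS protection)" remark holds because `$t_edit_action` can now only be one of the three constant values; any later output of it that I cannot see in this patch still needs escaping for its HTML context, so the remark should not be read as covering the whole file.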
@@ -459,7 +469,7 @@ function check_config_value( $p_config ) { 'config_option' => $v_config_id, 'type' => $v_type, 'value' => $v_value, - 'action' => 'action_clone', + 'action' => MANAGE_CONFIG_ACTION_CLONE, ), OFF ); echo '';
@@ -514,7 +524,7 @@ function check_config_value( $p_config ) {

- +

@@ -605,7 +615,7 @@ function check_config_value( $p_config ) {
+ value=""/>
diff --git a/adm_config_set.php b/adm_config_set.php
index 23c894770e..c9e41e97a7 100644
--- a/adm_config_set.php
+++ b/adm_config_set.php
@@ -134,7 +134,7 @@ } } -if( 'action_edit' === $f_edit_action ){ +if( MANAGE_CONFIG_ACTION_EDIT === $f_edit_action ){ # EDIT action doesn't keep original if key values are different. if ( $f_original_config_option !== $f_config_option || $f_original_user_id !== $f_user_id
diff --git a/core/constant_inc.php b/core/constant_inc.php
index 2b9a557a8b..089c704205 100644
--- a/core/constant_inc.php
+++ b/core/constant_inc.php
@@ -655,3 +655,7 @@ # types, 2^31 is a safe limit to be used for all. define( 'DB_MAX_INT', 2147483647 ); +# Configuration management actions (adm_config_report.php) +define( 'MANAGE_CONFIG_ACTION_CREATE', 'create' ); +define( 'MANAGE_CONFIG_ACTION_CLONE', 'clone' ); +define( 'MANAGE_CONFIG_ACTION_EDIT', 'edit' );
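Review bot: `if( MANAGE_CONFIG_ACTION_EDIT === $f_edit_action ){` only separates edit from everything else, and unlike adm_config_report.php this file does not visibly check `$f_edit_action` against the three MANAGE_CONFIG_ACTION_* constants; its assignment is outside the hunk, so the check may already happen earlier. If it does not, an unexpected `action` value silently takes the non-edit path, so either apply the same `in_array( ..., true )` whitelist here or add a comment on this line stating that any value other than edit is handled as create/clone by design. Style: keep a space before the brace, `if( MANAGE_CONFIG_ACTION_EDIT === $f_edit_action ) {`, to match the other conditionals in the patch.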
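Review bot: The new constants carry the values `'create'`, `'clone'` and `'edit'`, not the `'action_create'`/`'action_clone'`/`'action_edit'` literals they replace in adm_config_report.php and adm_config_set.php, so a saved URL or external form still sending the old values now hits the whitelist fallback in adm_config_report.php and is handled as a create. If that is intended, record it on the comment line so the rename is not mistaken for an oversight: `# Configuration management actions (adm_config_report.php, adm_config_set.php); values replaced the former 'action_*' strings in #22537`.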