Prevent arbitrary shell command execution

Prior to this, Administrators were able to edit 'dot_tool' and 'neato_tool' config options from the Manage Configuration Page These can now only be set in the config_inc.php file. Fixes #26091, CVE-2019-15715 Signed-off-by: Damien Regad <dregad@mantisbt.org> Original commit message reworded, added CVE reference.
mantisbt · Sep 21, 2019 · fc7668c · fc7668c
1 parent a7413da
commit fc7668c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
@@ -4361,7 +4361,7 @@
 	'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page',
 	'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url',
 	'cdn_enabled', 'public_config_names', 'email_login_enabled', 'email_ensure_unique',
-	'impersonate_user_threshold', 'email_retry_in_days'
+	'impersonate_user_threshold', 'email_retry_in_days', 'neato_tool', 'dot_tool'
 );
 
 /**