From fc7668c8e45db55fc3a4b991ea99d2b80861a14c Mon Sep 17 00:00:00 2001
From: Roland Becker
Date: Wed, 28 Aug 2019 11:39:42 +0200
Subject: [PATCH] Prevent arbitrary shell command execution
Prior to this, Administrators were able to edit 'dot_tool' and 'neato_tool' config options from the Manage Configuration Page These can now only be set in the config_inc.php file.
Fixes #26091, CVE-2019-15715
Signed-off-by: Damien Regad
Original commit message reworded, added CVE reference.
---
config_defaults_inc.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 6dc188dd6a..516cd520eb 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -4361,7 +4361,7 @@ 'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page', 'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url', 'cdn_enabled', 'public_config_names', 'email_login_enabled', 'email_ensure_unique',
- 'impersonate_user_threshold', 'email_retry_in_days'
+ 'impersonate_user_threshold', 'email_retry_in_days', 'neato_tool', 'dot_tool'
 );
 /**
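Review bot: Adding 'neato_tool' and 'dot_tool' to this list on the `+` line stops the web UI from setting them going forward, but it does nothing about a value that was already stored through the Manage Configuration page before this patch; if the runtime still honours database-stored overrides for these names (not visible in this hunk), an admin check or upgrade step that reports or removes such stored entries would close that gap. The entry also deserves a why-comment, since nothing in the list explains why two tool paths sit next to unrelated settings: `// 'neato_tool'/'dot_tool' are executed via the shell; never editable from the web UI (#26091, CVE-2019-15715)`. The array this hunk edits starts outside the hunk, so the array's name and any existing header comment cannot be confirmed here. Restricting who may set these paths is the right first step, but wherever the values are consumed they should still be passed to the shell as escaped arguments rather than interpolated into a command string, which a follow-up could verify.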