Fix #11494: Don't allow *_inc.php files to be called directly

The *_inc.php files in the MantisBT root path should not do anything if
they're called directly by the user. There *_inc.php files should only
do something if they're called from another PHP script.

account_manage_columns_page.php

@@ -33,11 +33,12 @@
 
 html_page_top( lang_get( 'manage_columns_config' ) );
 
-# Define constant that will be checked by the include page.
-define ( 'ACCOUNT_COLUMNS', '' );
-
 current_user_ensure_unprotected();
 
+# Define constant that will be checked by the include page.
+define ( 'ACCOUNT_COLUMNS', true );
+
+define( 'MANAGE_COLUMNS_INC_ALLOW', true );
 include ( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'manage_columns_inc.php' );
 
 html_page_bottom();

account_prefs_inc.php

@@ -34,6 +34,10 @@
  * @uses utility_api.php
  */
 
+if ( !defined( 'ACCOUNT_PREFS_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'authentication_api.php' );
 require_api( 'config_api.php' );
 require_api( 'constant_inc.php' );

account_prefs_page.php

@@ -60,7 +60,8 @@
 
 current_user_ensure_unprotected();
 
-include( 'account_prefs_inc.php' );
+define( 'ACCOUNT_PREFS_INC_ALLOW', true );
+include( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'account_prefs_inc.php' );
 
 html_page_top( lang_get( 'change_preferences_link' ) );
 

account_prof_edit_page.php

@@ -50,6 +50,10 @@
 require_api( 'profile_api.php' );
 require_api( 'string_api.php' );
 
+if ( !config_get( 'enable_profiles' ) ) {
+	trigger_error( ERROR_ACCESS_DENIED, ERROR );
+}
+
 auth_ensure_user_authenticated();
 
 current_user_ensure_unprotected();

account_prof_menu_page.php

@@ -50,6 +50,10 @@
 require_api( 'print_api.php' );
 require_api( 'profile_api.php' );
 
+if ( !config_get( 'enable_profiles' ) ) {
+	trigger_error( ERROR_ACCESS_DENIED, ERROR );
+}
+
 if ( isset( $g_global_profiles ) ) {
 	$g_global_profiles = true;
 } else {

account_prof_update.php

@@ -46,6 +46,10 @@
 require_api( 'print_api.php' );
 require_api( 'profile_api.php' );
 
+if ( !config_get( 'enable_profiles' ) ) {
+	trigger_error( ERROR_ACCESS_DENIED, ERROR );
+}
+
 form_security_validate('profile_update');
 
 auth_ensure_user_authenticated();

account_sponsor_page.php

@@ -76,7 +76,7 @@
 require_api( 'string_api.php' );
 require_api( 'version_api.php' );
 
-if ( config_get( 'enable_sponsorship' ) == OFF ) {
+if ( !config_get( 'enable_sponsorship' ) ) {
 	trigger_error( ERROR_SPONSORSHIP_NOT_ENABLED, ERROR );
 }
 

account_sponsor_update.php

@@ -49,6 +49,10 @@
 require_api( 'print_api.php' );
 require_api( 'sponsorship_api.php' );
 
+if ( !config_get( 'enable_sponsorship' ) ) {
+	trigger_error( ERROR_SPONSORSHIP_NOT_ENABLED, ERROR );
+}
+
 form_security_validate( 'account_sponsor_update' );
 
 auth_ensure_user_authenticated();

billing_inc.php

@@ -35,6 +35,10 @@
  * @uses utility_api.php
  */
 
+if ( !defined( 'BUG_VIEW_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'bugnote_api.php' );
 require_api( 'collapse_api.php' );
 require_api( 'config_api.php' );
@@ -46,12 +50,8 @@
 require_api( 'string_api.php' );
 require_api( 'utility_api.php' );
 
-if ( !config_get('time_tracking_enabled') )
-	return;
 ?>
-
 <a name="bugnotestats" id="bugnotestats" /><br />
-
 <?php
 collapse_open( 'bugnotestats' );
 

billing_page.php

@@ -23,16 +23,22 @@
  * @uses core.php
  * @uses access_api.php
  * @uses config_api.php
+ * @uses constant_inc.php
  * @uses html_api.php
  * @uses lang_api.php
  */
 
 require_once( 'core.php' );
 require_api( 'access_api.php' );
 require_api( 'config_api.php' );
+require_api( 'constant_inc.php' );
 require_api( 'html_api.php' );
 require_api( 'lang_api.php' );
 
+if ( !config_get( 'time_tracking_enabled' ) )
+	trigger_error( ERROR_ACCESS_DENIED, ERROR );
+?>
+
 access_ensure_global_level( config_get( 'time_tracking_reporting_threshold' ) );
 
 html_page_top( lang_get( 'time_tracking_billing_link' )  );
@@ -41,10 +47,9 @@
 <br />
 
 <?php
-$t_mantis_dir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR;
-
 # Work break-down
-include( $t_mantis_dir . 'billing_inc.php' );
+define( 'BILLING_INC_ALLOW', true );
+include( $dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'billing_inc.php' );
 
 html_page_bottom();
 

bug_actiongroup_add_note_inc.php

@@ -32,6 +32,10 @@
  * @uses utility_api.php
  */
 
+if ( !defined( 'BUG_ACTIONGROUP_ADD_NOTE_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'access_api.php' );
 require_api( 'bug_api.php' );
 require_api( 'config_api.php' );

bug_actiongroup_attach_tags_inc.php

@@ -30,6 +30,10 @@
  * @uses tag_api.php
  */
 
+if ( !defined( 'BUG_ACTIONGROUP_ATTACH_TAGS_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'access_api.php' );
 require_api( 'authentication_api.php' );
 require_api( 'config_api.php' );

bug_actiongroup_update_product_build_inc.php

@@ -27,6 +27,10 @@
  * @uses lang_api.php
  */
 
+if ( !defined( 'BUG_ACTIONGROUP_UPDATE_PRODUCT_BUILD_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'access_api.php' );
 require_api( 'bug_api.php' );
 require_api( 'config_api.php' );

bug_actiongroup_update_severity_inc.php

@@ -28,6 +28,10 @@
  * @uses print_api.php
  */
 
+if ( !defined( 'BUG_ACTIONGROUP_UPDATE_SEVERITY_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'access_api.php' );
 require_api( 'bug_api.php' );
 require_api( 'config_api.php' );

bug_change_status_page.php

@@ -61,8 +61,6 @@
 
 $g_allow_browser_cache = 1;
 
-define ( 'BUG_VIEW_INC_ALLOW', true );
-
 $f_bug_id = gpc_get_int( 'id' );
 $t_bug = bug_get( $f_bug_id );
 
@@ -405,4 +403,5 @@
 
 echo '<br />';
 
+define( 'BUG_VIEW_INC_ALLOW', true );
 include( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'bug_view_inc.php' );

bug_file_upload_inc.php

@@ -31,6 +31,10 @@
  * @uses utility_api.php
  */
 
+if ( !defined( 'BUG_FILE_UPLOAD_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'collapse_api.php' );
 require_api( 'config_api.php' );
 require_api( 'file_api.php' );

bug_monitor_list_view_inc.php

@@ -34,6 +34,10 @@
  * @uses user_api.php
  */
 
+if ( !defined( 'BUG_MONITOR_LIST_VIEW_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'access_api.php' );
 require_api( 'collapse_api.php' );
 require_api( 'config_api.php' );

bug_relationship_graph.php

@@ -182,13 +182,13 @@
 <br />
 
 <?php
-define ( 'BUG_VIEW_INC_ALLOW', true );
 $_GET['id'] = $f_bug_id;
 $tpl_fields_config_option = 'bug_view_page_fields';
 $tpl_show_page_header = false;
 $tpl_force_readonly = true;
 $tpl_mantis_dir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR;
 $tpl_file = __FILE__;
 
-include( 'bug_view_inc.php' );
+define ( 'BUG_VIEW_INC_ALLOW', true );
+include( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'bug_view_inc.php' );
 html_page_bottom();

bug_reminder_page.php

@@ -128,12 +128,12 @@
 
 <br />
 <?php
-define ( 'BUG_VIEW_INC_ALLOW', true );
 $_GET['id'] = $f_bug_id;
 $tpl_fields_config_option = 'bug_view_page_fields';
 $tpl_show_page_header = false;
 $tpl_force_readonly = true;
 $tpl_mantis_dir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR;
 $tpl_file = __FILE__;
 
+define ( 'BUG_VIEW_INC_ALLOW', true );
 include( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'bug_view_inc.php' );

bug_sponsorship_list_view_inc.php

@@ -37,6 +37,10 @@
  * @uses utility_api.php
  */
 
+if ( !defined( 'BUG_SPONSORSHIP_LIST_VIEW_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'access_api.php' );
 require_api( 'bug_api.php' );
 require_api( 'collapse_api.php' );

bug_update_advanced_page.php

@@ -719,6 +719,7 @@
 
 echo '</table></form>';
 
+define( 'BUGNOTE_VIEW_INC_ALLOW', true );
 include( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'bugnote_view_inc.php' );
 html_page_bottom();
 

bug_view_inc.php

@@ -50,7 +50,7 @@
  */
 
 if ( !defined( 'BUG_VIEW_INC_ALLOW' ) ) {
-	access_denied();
+	return;
 }
 
 require_api( 'access_api.php' );
@@ -194,6 +194,7 @@
 $tpl_show_steps_to_reproduce = !is_blank( $tpl_bug->steps_to_reproduce ) && in_array( BUG_FIELD_STEPS_TO_REPRODUCE, $t_fields );
 $tpl_show_monitor_box = !$tpl_force_readonly;
 $tpl_show_relationships_box = !$tpl_force_readonly;
+$tpl_show_sponsorships_box = config_get( 'enable_sponsorship' ) && access_has_bug_level( config_get( 'view_sponsorship_total_threshold' ), $f_bug_id );
 $tpl_show_upload_form = !$tpl_force_readonly && !bug_is_readonly( $f_bug_id );
 $tpl_show_history = $f_history;
 $tpl_show_profiles = config_get( 'enable_profiles' );
@@ -720,7 +721,10 @@
 echo '</table>';
 
 # User list sponsoring the bug
-include( $tpl_mantis_dir . 'bug_sponsorship_list_view_inc.php' );
+if ( $tpl_show_sponsorships_box ) {
+	define( 'BUG_SPONSORSHIP_LIST_VIEW_INC_ALLOW', true );
+	include( $tpl_mantis_dir . 'bug_sponsorship_list_view_inc.php' );
+}
 
 # Bug Relationships
 if ( $tpl_show_relationships_box ) {
@@ -729,26 +733,32 @@
 
 # File upload box
 if ( $tpl_show_upload_form ) {
+	define( 'BUG_FILE_UPLOAD_INC_ALLOW', true );
 	include( $tpl_mantis_dir . 'bug_file_upload_inc.php' );
 }
 
 # User list monitoring the bug
 if ( $tpl_show_monitor_box ) {
+	define( 'BUG_MONITOR_LIST_VIEW_INC_ALLOW', true );
 	include( $tpl_mantis_dir . 'bug_monitor_list_view_inc.php' );
 }
 
 # Bugnotes and "Add Note" box
 if ( 'ASC' == current_user_get_pref( 'bugnote_order' ) ) {
+	define( 'BUGNOTE_VIEW_INC_ALLOW', true );
 	include( $tpl_mantis_dir . 'bugnote_view_inc.php' );
 
 	if ( !$tpl_force_readonly ) {
+		define( 'BUGNOTE_ADD_INC_ALLOW', true );
 		include( $tpl_mantis_dir . 'bugnote_add_inc.php' );
 	}
 } else {
 	if ( !$tpl_force_readonly ) {
+		define( 'BUGNOTE_ADD_INC_ALLOW', true );
 		include( $tpl_mantis_dir . 'bugnote_add_inc.php' );
 	}
 
+	define( 'BUGNOTE_VIEW_INC_ALLOW', true );
 	include( $tpl_mantis_dir . 'bugnote_view_inc.php' );
 }
 
@@ -757,6 +767,7 @@
 
 # History
 if ( $tpl_show_history ) {
+	define( 'HISTORY_INC_ALLOW', true );
 	include( $tpl_mantis_dir . 'history_inc.php' );
 }
 

bugnote_add_inc.php

@@ -32,6 +32,10 @@
  * @uses lang_api.php
  */
 
+if ( !defined( 'BUGNOTE_ADD_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'access_api.php' );
 require_api( 'bug_api.php' );
 require_api( 'collapse_api.php' );

bugnote_stats_inc.php

@@ -34,6 +34,10 @@
  * @uses utility_api.php
  */
 
+if ( !defined( 'BUGNOTE_STATS_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'bugnote_api.php' );
 require_api( 'collapse_api.php' );
 require_api( 'config_api.php' );

bugnote_view_inc.php

@@ -42,6 +42,10 @@
  * @uses user_api.php
  */
 
+if ( !defined( 'BUGNOTE_VIEW_INC_ALLOW' ) ) {
+	return;
+}
+
 require_api( 'access_api.php' );
 require_api( 'authentication_api.php' );
 require_api( 'bug_api.php' );