Fix for 0005959: Cross Site Scripting Vulnerabilty in the mantis/view…

…_all_set.php Script - validate and discard invalid sorting criteria Fix for 0005972: Sorting using column titles is broken - only use primary sort in setting up the titles git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@3705 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mantisbt · Jul 18, 2005 · 2df5ff2 · 2df5ff2
1 parent 2901ddf
commit 2df5ff2
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 4 deletions.
diff --git a/core/filter_api.php b/core/filter_api.php
@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: filter_api.php,v 1.117 2005-06-15 18:25:53 thraxisp Exp $
+	# $Id: filter_api.php,v 1.118 2005-07-18 18:57:01 thraxisp Exp $
 	# --------------------------------------------------------
 
 	$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
@@ -2332,6 +2332,47 @@ function filter_ensure_valid_filter( $p_filter_arr ) {
 		if ( !isset( $p_filter_arr['dir'] ) ) {
 			$p_filter_arr['dir'] = "DESC";
 		}
+		#validate sorting
+		$t_fields = helper_call_custom_function( 'get_columns_to_view', array() );
+		$t_n_fields = count( $t_fields );
+		$t_shown_fields[""] = "";
+		for ( $i=0; $i < $t_n_fields; $i++ ) {
+			if ( in_array( $t_fields[$i], array( 'selection', 'edit', 'bugnotes_count', 'attachment' ) ) ) {
+				unset( $t_fields[$i] );
+			}
+		}
+		$t_sort_fields = split( ',', $p_filter_arr['sort'] );
+		$t_dir_fields = split( ',', $p_filter_arr['dir'] );
+		for ( $i=0; $i<2; $i++ ) {
+			if ( isset( $t_sort_fields[$i] ) ) {
+				$t_drop = false;
+				$t_sort = $t_sort_fields[$i];
+        		if ( strpos( $t_sort, 'custom_' ) === 0 ) {
+        			if ( false === custom_field_get_id_from_name( substr( $t_sort, strlen( 'custom_' ) ) ) ) {
+        				$t_drop = true;
+        			}
+        		} else {
+        			if ( ! in_array( $t_sort, $t_fields ) ) {
+        				$t_drop = true;
+        			}
+        		}
+				if ( ! in_array( $t_dir_fields[$i], array( "ASC", "DESC" ) ) ) {
+					$t_drop = true;
+				}
+				if ( $t_drop ) {
+					unset( $t_sort_fields[$i] );
+					unset( $t_dir_fields[$i] );
+				}
+			}
+		}
+		if ( count( $t_sort_fields ) > 0 ) {
+			$p_filter_arr['sort'] = implode( ',', $t_sort_fields );
+			$p_filter_arr['dir'] = implode( ',', $t_dir_fields );
+		} else {
+			$p_filter_arr['sort'] = "last_updated";
+			$p_filter_arr['dir'] = "DESC";
+		}			
+
 		if ( !isset( $p_filter_arr['start_month'] ) ) {
 			$p_filter_arr['start_month'] = gpc_get_string( 'start_month', date( 'm' ) );
 		}

diff --git a/view_all_inc.php b/view_all_inc.php
@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: view_all_inc.php,v 1.160 2005-06-28 11:04:05 vboctor Exp $
+	# $Id: view_all_inc.php,v 1.161 2005-07-18 18:56:59 thraxisp Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -21,8 +21,8 @@
 
 	$t_filter = current_user_get_bug_filter();
 
-	$t_sort = $t_filter['sort'];
-	$t_dir = $t_filter['dir'];
+	list( $t_sort, ) = split( ',', $t_filter['sort'] );
+	list( $t_dir, ) = split( ',', $t_filter['dir'] );
 
 	$t_checkboxes_exist = false;