
Update match_type parameter to be XSS-safe by itself

Using gpc_get_int() instead of gpc_get_string() prevents malicious
users from passing arbitrary strings as the parameter value.

Fixes #15388
1 parent 42627a6 commit 4362aa1481ad354dc3c05538aad0f21fa530dd21 @dregad dregad committed Jan 19, 2013
Showing with 14 additions and 14 deletions.
  1. +12 −12 core/filter_api.php
  2. +1 −1 search.php
  3. +1 −1 view_all_set.php
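--- a/core/filter_api.php
+++ b/core/filter_api.php
@@ -1109,11 +1109,11 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
 }
 $t_view_type = $t_filter['_view_type'];
-
+
 // project query clauses must be AND-ed always, irrespective of how the filter
 // clauses are requested by the user ( all matching -> AND, any matching -> OR )
 $t_where_clauses = array();
-
+
 $t_project_where_clauses = array(
 "$t_project_table.enabled = " . db_param(),
 "$t_project_table.id = $t_bug_table.project_id",
@@ -1263,13 +1263,13 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
 log_event( LOG_FILTERING, 'project query = ' . $t_project_query );
 array_push( $t_project_where_clauses, $t_project_query );
 }
-
+
 # date filter
 if(( 'on' == $t_filter[FILTER_PROPERTY_FILTER_BY_DATE] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_MONTH] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_DAY] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_YEAR] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_MONTH] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_DAY] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_YEAR] ) ) {
-
+
 $t_start_string = $t_filter[FILTER_PROPERTY_START_YEAR] . "-" . $t_filter[FILTER_PROPERTY_START_MONTH] . "-" . $t_filter[FILTER_PROPERTY_START_DAY] . " 00:00:00";
 $t_end_string = $t_filter[FILTER_PROPERTY_END_YEAR] . "-" . $t_filter[FILTER_PROPERTY_END_MONTH] . "-" . $t_filter[FILTER_PROPERTY_END_DAY] . " 23:59:59";
-
+
 $t_where_params[] = strtotime( $t_start_string );
 $t_where_params[] = strtotime( $t_end_string );
 array_push( $t_project_where_clauses, "($t_bug_table.date_submitted BETWEEN " . db_param() . " AND " . db_param() . " )" );
@@ -2029,13 +2029,13 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
 }
 # End text search
-
+
 # Determine join operator
 if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ANY )
 $t_join_operator = ' OR ';
 else
 $t_join_operator = ' AND ';
-
+
 log_event(LOG_FILTERING, 'Join operator : ' . $t_join_operator);
 $t_from_clauses[] = $t_project_table;
@@ -2071,8 +2071,8 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
 $t_where_string .= implode( $t_join_operator, $t_query_clauses['where'] );
 $t_where_string .= ' ) ';
 }
-
-
+
+
 $t_result = db_query_bound( "$t_select_string $t_from_string $t_join_string $t_where_string $t_order_string", $t_query_clauses['where_values'], $p_per_page, $t_offset );
 $t_row_count = db_num_rows( $t_result );
@@ -3388,17 +3388,17 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 <tr class="row-1">
 <td class="small-caption"><a href="<?php echo $t_filters_url . FILTER_PROPERTY_MATCH_TYPE;?>" id="match_type_filter"><?php echo lang_get( 'filter_match_type' )?>:</a></td>
 <td class="small-caption" id="match_type_filter_target">
- <?php
+ <?php
 if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ANY ) {
 echo lang_get ('filter_match_any');
 } else if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ALL ) {
 echo lang_get ('filter_match_all');
 }
 ?>
- <input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
+ <input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE] ?>"/>
 </td>
 <td colspan="6">&#160;</td>
- </tr>
+ </tr>
 </table>
 <?php
 }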
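Review bot: Dropping `string_attribute()` from the hidden-input echo in the last hunk moves the XSS guarantee from the output sink to every producer of `$t_filter[FILTER_PROPERTY_MATCH_TYPE]`, and only the two request-parsing producers are changed in this commit; where `$t_filter` comes from inside filter_draw_selection_area2 (the function starts and ends outside the hunk) is not visible here, so if a stored or deserialized filter, or any other caller, can still carry a string there, the sink is unprotected again. A sink-side guard costs nothing and keeps the page safe regardless of producer: `<input type="hidden" name="match_type" value="<?php echo (int)$t_filter[FILTER_PROPERTY_MATCH_TYPE] ?>"/>`, or simply leave the original `string_attribute()` call in place. The `==` comparisons against FILTER_MATCH_ANY/FILTER_MATCH_ALL in this hunk and at the join-operator selection are unaffected either way.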
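--- a/search.php
+++ b/search.php
@@ -89,7 +89,7 @@
 $my_filter[FILTER_PROPERTY_OS_BUILD] = gpc_get_string_array( FILTER_PROPERTY_OS_BUILD, META_FILTER_ANY );
 $my_filter[FILTER_PROPERTY_VIEW_STATE] = gpc_get_string_array( FILTER_PROPERTY_VIEW_STATE, META_FILTER_ANY );
 $my_filter[FILTER_PROPERTY_VERSION] = gpc_get_string_array( FILTER_PROPERTY_VERSION, META_FILTER_ANY );
-$my_filter[FILTER_PROPERTY_MATCH_TYPE] = gpc_get_string ( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
+$my_filter[FILTER_PROPERTY_MATCH_TYPE] = gpc_get_int( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
 // Filtering by Date
 $my_filter[FILTER_PROPERTY_FILTER_BY_DATE] = gpc_get_bool( FILTER_PROPERTY_FILTER_BY_DATE );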
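Review bot: `gpc_get_int()` on the changed line constrains the type of match_type but not its value set, so any integer other than FILTER_MATCH_ANY is accepted into the filter; the join-operator code in core/filter_api.php treats everything else as AND, while the selection-area label prints nothing for a value that is neither ANY nor ALL. Normalising to the two known constants at the boundary keeps stored filters canonical: `$t_match_type = gpc_get_int( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );` followed by `$my_filter[FILTER_PROPERTY_MATCH_TYPE] = ( FILTER_MATCH_ANY == $t_match_type ) ? FILTER_MATCH_ANY : FILTER_MATCH_ALL;`. How `gpc_get_int()` reacts to a non-numeric value (error versus coercion) is not visible in this hunk; if it raises an error page, a bookmarked URL carrying a non-numeric match_type now fails instead of falling back to the default, which is worth confirming.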
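--- a/view_all_set.php
+++ b/view_all_set.php
@@ -233,7 +233,7 @@
 $f_note_user_id = array( $f_note_user_id );
 }
-$f_match_type = gpc_get_string ( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
+$f_match_type = gpc_get_int( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
 # these are only single values, even when doing advanced filtering
 $f_per_page = gpc_get_int( FILTER_PROPERTY_ISSUES_PER_PAGE, -1 );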
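Review bot: `$f_match_type` on the changed line is now guaranteed to be an integer but not to be one of the two values the rest of the code understands; where it is consumed is outside this hunk, so if it is persisted into the user's filter it would be worth clamping it here the same way as in search.php: `$f_match_type = ( FILTER_MATCH_ANY == gpc_get_int( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL ) ) ? FILTER_MATCH_ANY : FILTER_MATCH_ALL;`. As a point of style, match_type is exactly the kind of single value the `# these are only single values, even when doing advanced filtering` comment introduces, so moving the assignment below that comment next to `$f_per_page` would group it with its peers.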
