
Commit 511564c

Fix #17890: XSS in extended project browser
Extended project browser allows projects to be passed in as A;B. helper_get_current_project() and helper_get_current_project_trace() then explode the string by ';' and don't check that A is an int (a project / sub-project id). Finally, print_extended_project_browser() prints the result of the split into a javascript array. Paul Richards discovered the issue and wrote the original patch for it. His code was modified to remove a redundant typecast as well as an unnecessary foreach loop in helper_get_current_project(), replacing it with a single type cast.
1 parent 74ac9bf commit 511564c
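As an added illustration, not code from MantisBT or from this commit: the split-and-echo pattern the commit message describes, with a stand-in for the unsafe behaviour next to the hardened form the patch introduces. The function names, the `json_encode()` rendering step and the input string are assumptions; the project's real `print_extended_project_browser()` is not shown here.

```php
<?php
// Added illustration (not MantisBT code) of the bug fixed in commit 511564c.
// A project id arrives as "A;B" (parent;child), is split on ';' and echoed
// into a JavaScript array. Without an integer cast, non-numeric segments
// reach the page verbatim.

// Hypothetical stand-in for the pre-fix behaviour: segments used as-is.
function split_project_trace_unsafe( string $p_project_id ): array {
    return explode( ';', $p_project_id );
}

// Hardened form, mirroring the patched helper_get_current_project_trace():
// every segment is cast to int, so only digits can reach the output.
function split_project_trace_safe( string $p_project_id ): array {
    $t_ids = explode( ';', $p_project_id );
    foreach( $t_ids as $t_key => $t_id ) {
        $t_ids[$t_key] = (int)$t_id;
    }
    return $t_ids;
}

// Render the trace as a JavaScript array literal. json_encode() is an extra
// layer on top of the cast (assumption, not the project's code): with ints it
// emits e.g. [1,7], and it would also escape a string if one ever slipped through.
function render_js_array( array $p_ids ): string {
    return 'var t_project_trace = ' . json_encode( $p_ids ) . ';';
}

// Constructed input: a valid parent id followed by a segment that is not an id.
$t_input = '1;7 abc';

$t_unsafe = render_js_array( split_project_trace_unsafe( $t_input ) ); // "7 abc" survives
$t_safe   = render_js_array( split_project_trace_safe( $t_input ) );   // (int)"7 abc" === 7

assert( $t_safe === 'var t_project_trace = [1,7];' );
assert( strpos( $t_safe, 'abc' ) === false );
assert( strpos( $t_unsafe, 'abc' ) !== false );
echo $t_unsafe, "\n", $t_safe, "\n";
```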

1 file changed: +5 -2 lines changed


Diff for: core/helper_api.php

@@ -232,13 +232,13 @@ function helper_get_current_project() {
232232
$t_project_id = $t_pref->default_project;
233233
} else {
234234
$t_project_id = explode( ';', $t_project_id );
235-
$t_project_id = $t_project_id[count( $t_project_id ) - 1];
235+
$t_project_id = (int)$t_project_id[count( $t_project_id ) - 1];
236236
}
237237

238238
if( !project_exists( $t_project_id ) || ( 0 == project_get_field( $t_project_id, 'enabled' ) ) || !access_has_project_level( VIEWER, $t_project_id ) ) {
239239
$t_project_id = ALL_PROJECTS;
240240
}
241-
$g_cache_current_project = (int) $t_project_id;
241+
$g_cache_current_project = $t_project_id;
242242
}
243243
return $g_cache_current_project;
244244
}
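Review bot: moving the `(int)` from the cache assignment (`$g_cache_current_project = (int) $t_project_id;`) into the explode branch leaves the preference branch (`$t_project_id = $t_pref->default_project;`) uncast, whereas the old cast covered both paths before the value was cached. The `project_exists()` / `access_has_project_level()` check still gates what is cached, but keeping the cast at the assignment (or adding one to the preference branch) costs nothing and guarantees the cached value is an int whatever its source. Casting only the last segment is sufficient in this function, since that is the only segment it uses.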
@@ -272,6 +272,9 @@ function helper_get_current_project_trace() {
272272

273273
} else {
274274
$t_project_id = explode( ';', $t_project_id );
275+
foreach( $t_project_id as $t_key => $t_id ) {
276+
$t_project_id[$t_key] = (int)$t_id;
277+
}
275278
$t_bottom = $t_project_id[count( $t_project_id ) - 1];
276279
}
277280

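Review bot: casting every segment before `$t_bottom` is taken is the right place for it, but unlike helper_get_current_project() in the hunk above, the visible lines apply no `project_exists()` or access check to the individual ids, so if the rest of the function does not validate them, any integers the caller supplies are still emitted as the trace. Note also that an empty trailing segment ("A;B;") now becomes 0 rather than an empty string; confirm the callers treat 0 consistently. Stylistically, `$t_project_id = array_map( 'intval', $t_project_id );` expresses the same loop in one line, in keeping with the single cast used in the previous hunk.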