Fix #17890: XSS in extended project browser
Extended project browser allows projects to be passed in as A;B.
helper_get_current_project() and helper_get_current_project_trace() then
explode the string by ';' and don't check that A is an int (a project /
sub-project id).  Finally, print_extended_project_browser() prints the
result of the split into a javascript array.

Paul Richards discovered the issue and wrote the original patch for it.
His code was modified to remove a redundant typecast as well as an
unnecessary foreach loop in helper_get_current_project(), replacing it
with a single type cast.
dregad committed Nov 29, 2014
1 parent 74ac9bf commit 511564c
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions core/helper_api.php
@@ -232,13 +232,13 @@ function helper_get_current_project() {
$t_project_id = $t_pref->default_project;
} else {
$t_project_id = explode( ';', $t_project_id );
$t_project_id = $t_project_id[count( $t_project_id ) - 1];
$t_project_id = (int)$t_project_id[count( $t_project_id ) - 1];
}

if( !project_exists( $t_project_id ) || ( 0 == project_get_field( $t_project_id, 'enabled' ) ) || !access_has_project_level( VIEWER, $t_project_id ) ) {
$t_project_id = ALL_PROJECTS;
}
$g_cache_current_project = (int) $t_project_id;
$g_cache_current_project = $t_project_id;
}
return $g_cache_current_project;
}
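Review bot: Dropping the `(int)` from the cache assignment (the removed `$g_cache_current_project = (int) $t_project_id;`) makes the cached value's type depend on every branch above it, and only the `explode` branch is cast in this hunk; the `$t_project_id = $t_pref->default_project;` branch is not, so if that preference comes back as a string the cache now stores a string where it previously stored an int. Either keep the cast at the assignment or cast `$t_pref->default_project` as well, so the function's return type is an int on all paths. Casting the exploded last element before the `project_exists()` / `access_has_project_level()` checks is the right order, since the validated value is what later reaches the JavaScript array.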
@@ -272,6 +272,9 @@ function helper_get_current_project_trace() {

} else {
$t_project_id = explode( ';', $t_project_id );
foreach( $t_project_id as $t_key => $t_id ) {
$t_project_id[$t_key] = (int)$t_id;
}
$t_bottom = $t_project_id[count( $t_project_id ) - 1];
}

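Review bot: The foreach over `$t_project_id` casts every element, whereas the sibling change in helper_get_current_project() casts only the last one; a one-line comment here stating that the whole trace (not just `$t_bottom`) is later emitted into a JavaScript array by print_extended_project_browser() would record why the per-element cast is needed in this function and not the other. As a style point, `$t_project_id = array_map( 'intval', $t_project_id );` expresses the same thing in one line and keeps the `$t_bottom` lookup unchanged.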
