
Rework the bug action group api such that we can easily convert this …

…to an object in the future, and to validate calls to require once.

This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated.
Depending on webserver configuration, this is a file inclusion vulnerability.

There will be a follow up commit to config api - probably:
-		if( $g_project_override != null ) {
+		if( $g_project_override != null && $p_project == null ) {

At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
a) change project override within the command list function
b) modify config api to only use the project override *if* it is attempting to look up information on the default project.

Backported from master-1.2.x branch. Note that this commit relies upon
commit 6dc3510 from the master branch
(that hadn't been backported to 1.2.x).

Conflicts:
  bug_actiongroup_ext.php
  bug_actiongroup_ext_page.php
  bug_actiongroup_page.php
  core/bug_group_action_api.php

Signed-off-by: David Hicks <d@hx.id.au>
1 parent 965b00a commit 5b93161f3ece2f73410c296fed8522f6475d273d @grangeway grangeway committed with davidhicks Aug 29, 2011
Showing with 26 additions and 28 deletions.
  1. +1 −2 bug_actiongroup_ext.php
  2. +3 −22 bug_actiongroup_ext_page.php
  3. +3 −0 bug_actiongroup_page.php
  4. +19 −4 core/bug_group_action_api.php
@@ -35,12 +35,11 @@
$f_action = gpc_get_string( 'action' );
$f_bug_arr = gpc_get_int_array( 'bug_arr', array() );
- $t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php';
$t_form_name = 'bug_actiongroup_' . $f_action;
form_security_validate( $t_form_name );
- require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . $t_action_include_file );
+ bug_group_action_init( $f_action );
# group bugs by project
$t_projects_bugs = array();
@@ -20,34 +20,15 @@
* @copyright Copyright (C) 2002 - 2011 MantisBT Team - mantisbt-dev@lists.sourceforge.net
* @link http://www.mantisbt.org
*/
- /**
- * MantisBT Core API's
- */
- require_once( 'core.php' );
+ require_once( 'core.php' );
require_once( 'bug_group_action_api.php' );
- auth_ensure_user_authenticated();
-
- $f_action = gpc_get_string( 'action' );
- $f_bug_arr = gpc_get_int_array( 'bug_arr', array() );
-
- # redirect to view issues if nothing is selected
- if ( is_blank( $f_action ) || ( 0 == count( $f_bug_arr ) ) ) {
- print_header_redirect( 'view_all_bug_page.php' );
- }
-
- # redirect to view issues page if action doesn't have ext_* prefix.
- # This should only occur if this page is called directly.
- $t_external_action_prefix = 'EXT_';
- if ( strpos( $f_action, $t_external_action_prefix ) !== 0 ) {
- print_header_redirect( 'view_all_bug_page.php' );
- }
-
$t_external_action = utf8_strtolower( utf8_substr( $f_action, utf8_strlen( $t_external_action_prefix ) ) );
- $t_form_fields_page = 'bug_actiongroup_' . $t_external_action . '_inc.php';
$t_form_name = 'bug_actiongroup_' . $t_external_action;
+ bug_group_action_init( $t_external_action );
+
bug_group_action_print_top();
?>
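Review bot: On the new side the context line `$t_external_action = utf8_strtolower( utf8_substr( $f_action, utf8_strlen( $t_external_action_prefix ) ) );` still reads `$f_action` and `$t_external_action_prefix`, but the only definitions of those variables in this hunk (`$f_action = gpc_get_string( 'action' );` and `$t_external_action_prefix = 'EXT_';`) are on removed lines, together with `auth_ensure_user_authenticated();` and the two `print_header_redirect( 'view_all_bug_page.php' );` guards for a blank action or a missing EXT_ prefix. Unless those lines survive elsewhere in the file (the commit message records a conflict in this file and a dependency on commit 6dc3510, so they may have been lost in the resolution), the page would compute the action from undefined variables and would reach `bug_group_action_init` without the explicit authentication check that preceded it. I would restore the authentication call, the `gpc_get_*` reads and the prefix guard before this line, or, if dropping them is intended, state in a comment which earlier code now performs those checks. The `?>` closing tag on the last line is also unnecessary in a PHP-only file.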
@@ -42,6 +42,7 @@
# run through the issues to see if they are all from one project
$t_project_id = ALL_PROJECTS;
$t_multiple_projects = false;
+ $t_projects = array();
bug_cache_array_rows( $f_bug_arr );
@@ -52,11 +53,13 @@
$t_multiple_projects = true;
} else {
$t_project_id = $t_bug->project_id;
+ $t_projects[$t_project_id] = $t_project_id;
}
}
}
if ( $t_multiple_projects ) {
$t_project_id = ALL_PROJECTS;
+ $t_projects[ALL_PROJECTS] = ALL_PROJECTS;
}
# override the project if necessary
if( $t_project_id != helper_get_current_project() ) {
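Review bot: The new `$t_projects` array is written in both hunks (`$t_projects[$t_project_id] = $t_project_id;` and `$t_projects[ALL_PROJECTS] = ALL_PROJECTS;`) but never read within them, so its purpose is not visible here; presumably it feeds the project list passed to `bug_group_action_get_commands` later in the file. A comment at the declaration would make the intent clear, for example `# set of project ids (keyed by id) the selected bugs belong to; ALL_PROJECTS is added when they span several projects`. It is also worth stating whether keeping the individual project ids alongside ALL_PROJECTS in the multi-project case is deliberate, since a consumer iterating the array will see both. The enclosing code of both hunks starts and ends outside the visible lines.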
@@ -23,6 +23,25 @@
*/
/**
+ * Initialise bug action group api
+ */
+function bug_group_action_init( $p_action ) {
+ $t_valid_actions = bug_group_action_get_commands( current_user_get_accessible_projects() );
+ $t_action = strtoupper( $p_action );
+
+ if ( !isset( $t_valid_actions[$t_action] ) && !isset ( $t_valid_actions['EXT_' . $t_action] ) ) {
+ trigger_error( ERROR_GENERIC, ERROR );
+ }
+
+ $t_include_file = config_get_global( 'absolute_path' ) . 'bug_actiongroup_' . $p_action . '_inc.php';
+ if ( !file_exists( $t_include_file ) ) {
+ trigger_error( ERROR_GENERIC, ERROR );
+ } else {
+ require_once( $t_include_file );
+ }
+}
+
+/**
* Print the top part for the bug action group page.
*/
function bug_group_action_print_top() {
@@ -94,7 +113,6 @@ function bug_group_action_print_hidden_fields( $p_bug_ids_array ) {
* @param $p_action The custom action name without the "EXT_" prefix.
*/
function bug_group_action_print_action_fields( $p_action ) {
- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
$t_function_name = 'action_' . $p_action . '_print_fields';
$t_function_name();
}
@@ -106,7 +124,6 @@ function bug_group_action_print_action_fields( $p_action ) {
* @param $p_action The custom action name without the "EXT_" prefix.
*/
function bug_group_action_print_title( $p_action ) {
- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
$t_function_name = 'action_' . $p_action . '_print_title';
$t_function_name();
}
@@ -121,7 +138,6 @@ function bug_group_action_print_title( $p_action ) {
* @returns true|array true if action can be applied or array of ( bug_id => reason for failure to validate )
*/
function bug_group_action_validate( $p_action, $p_bug_id ) {
- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
$t_function_name = 'action_' . $p_action . '_validate';
return $t_function_name( $p_bug_id );
}
@@ -136,7 +152,6 @@ function bug_group_action_validate( $p_action, $p_bug_id ) {
* @returns true|array Action can be applied., ( bug_id => reason for failure to process )
*/
function bug_group_action_process( $p_action, $p_bug_id ) {
- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
$t_function_name = 'action_' . $p_action . '_process';
return $t_function_name( $p_bug_id );
}
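Review bot: In `bug_group_action_init` the two guards handle failure differently: the action-name check calls `trigger_error( ERROR_GENERIC, ERROR );` with no `else`, so if that call returns rather than halting, execution still reaches the `require_once` with a name that failed validation, whereas the `file_exists` check does branch around the include. If ERROR is guaranteed to halt, the `else` on the second guard is redundant and should be dropped for consistency; if it is not, add `return;` after the first `trigger_error` so the include is never reached on a rejected name. The docblock should also record the contract that makes this the single validation point, for example `@param string $p_action Action name, with or without the EXT_ prefix; matched case-insensitively against bug_group_action_get_commands() for the current user's accessible projects`. The later hunks in this file remove the per-function `require_once` from `bug_group_action_print_action_fields`, `bug_group_action_print_title`, `bug_group_action_validate` and `bug_group_action_process`, so each now assumes `bug_group_action_init( $p_action )` has already loaded the include; a one-line precondition in each of those docblocks would make that dependency explicit.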
