Fix XSS in view_all_bug_page.php

The value of the view_type parameter on the view_all_bug_page.php page was not encoded before being displayed. This vulnerability was discovered by Will Dollman of Netcraft Ltd. Initial patch modified to use strict comparison per Will's suggestion. Fixes #21611
mantisbt · Aug 17, 2016 · 7086c2d · 7086c2d
1 parent b66af6d
commit 7086c2d
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/core/filter_api.php b/core/filter_api.php
@@ -489,9 +489,15 @@ function filter_ensure_valid_filter( array $p_filter_arr ) {
 		# if the version is old, update it
 		$p_filter_arr['_version'] = FILTER_VERSION;
 	}
+
+	# Filter view type - ensure it's either 'simple' or 'advanced' (prevent XSS)
 	if( !isset( $p_filter_arr['_view_type'] ) ) {
 		$p_filter_arr['_view_type'] = gpc_get_string( 'view_type', 'simple' );
 	}
+	if( $p_filter_arr['_view_type'] !== 'advanced' ) {
+		$p_filter_arr['_view_type'] = 'simple';
+	}
+
 	if( !isset( $p_filter_arr[FILTER_PROPERTY_ISSUES_PER_PAGE] ) ) {
 		$p_filter_arr[FILTER_PROPERTY_ISSUES_PER_PAGE] = gpc_get_int( FILTER_PROPERTY_ISSUES_PER_PAGE, config_get( 'default_limit_view' ) );
 	}