XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML
Import/Export plugin enabled and knowing the URL to the plugin's import
page could upload an XML file and insert data without restriction,
regardless of their access level.

This vulnerability is particularly dangerous when used in combination
with the one described in issue #17725 (CVE-2014-7146) as it makes for a
very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an
attacker to gain access to confidential information (disclosure of all
bug-related data, including usernames).

Fixes #17780 (CVE-2014-8598)

plugins/XmlImportExport/XmlImportExport.php

@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin {
 	function register( ) {
 		$this->name = plugin_lang_get( 'title' );
 		$this->description = plugin_lang_get( 'description' );
-		$this->page = '';
+		$this->page = "config_page";
 
 		$this->version = '1.0';
 		$this->requires = array(
@@ -54,6 +54,17 @@ function register( ) {
 	/**
 	 * Default plugin configuration.
 	 */
+	public function config() {
+		return array(
+			"import_threshold" => ADMINISTRATOR,
+			"export_threshold" => DEVELOPER,
+		);
+	}
+
+	/**
+	 * Plugin hooks
+	 * @return array
+	 */
 	function hooks( ) {
 		$hooks = array(
 			'EVENT_MENU_MANAGE' => 'import_issues_menu',
@@ -67,6 +78,9 @@ function import_issues_menu( ) {
 	}
 
 	function export_issues_menu( ) {
+		if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) {
+			return array();
+		}
 		return array( '<a href="' . plugin_page( 'export' ) . '">' . plugin_lang_get( 'export' ) . '</a>', );
 	}
 

plugins/XmlImportExport/lang/strings_english.txt

@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi
 $s_plugin_XmlImportExport_import = 'Import issues';
 $s_plugin_XmlImportExport_export = 'XML Export';
 
+$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration';
+$s_plugin_XmlImportExport_import_threshold = 'Import issues';
+$s_plugin_XmlImportExport_export_threshold = 'Export issues';
+
+$s_plugin_XmlImportExport_action_update = 'Update';
+
 $s_plugin_XmlImportExport_importing_in_project = 'Importing issues in project:';
+
 $s_plugin_XmlImportExport_import_options = 'Import options';
 
 $s_plugin_XmlImportExport_cross_references = 'Cross references';

plugins/XmlImportExport/pages/config.php

@@ -0,0 +1,27 @@
+<?php
+# Copyright (c) 2014  MantisBT Team - mantisbt-dev@lists.sourceforge.net
+# Licensed under the MIT license
+
+form_security_validate( 'plugin_XmlImportExport_config' );
+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
+
+/**
+ * Sets plugin config option if value is different from current/default
+ * @param string $p_name  option name
+ * @param string $p_value value to set
+ * @return void
+ */
+function config_set_if_needed( $p_name, $p_value ) {
+	if ( $p_value != plugin_config_get( $p_name ) ) {
+		plugin_config_set( $p_name, $p_value );
+	}
+}
+
+$t_redirect_url = plugin_page( 'config_page', true );
+
+config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) );
+config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) );
+
+form_security_purge( 'plugin_XmlImportExport_config' );
+
+print_successful_redirect( $t_redirect_url );

plugins/XmlImportExport/pages/config_page.php

@@ -0,0 +1,48 @@
+<?php
+# Copyright (c) 2014  MantisBT Team - mantisbt-dev@lists.sourceforge.net
+# Licensed under the MIT license
+
+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
+
+html_page_top();
+//print_manage_menu();
+?>
+
+<br />
+<form action="<?php echo plugin_page( 'config' ) ?>" method="post">
+<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?>
+<table class="width60" align="center">
+
+<tr>
+<td class="form-title" colspan="2"><?php echo plugin_lang_get("config_title") ?></td>
+</tr>
+
+<tr <?php echo helper_alternate_class() ?>>
+<td class="category"><?php echo plugin_lang_get( 'import_threshold' ) ?></td>
+<td><select name="import_threshold"><?php
+	print_enum_string_option_list(
+		'access_levels',
+		plugin_config_get( 'import_threshold' )
+	);
+	?></select></td>
+</tr>
+
+<tr <?php echo helper_alternate_class() ?>>
+<td class="category"><?php echo plugin_lang_get( 'export_threshold' ) ?></td>
+<td><select name="export_threshold"><?php
+	print_enum_string_option_list(
+		'access_levels',
+		plugin_config_get( 'export_threshold' )
+	);
+	?></select></td>
+</tr>
+
+<tr>
+<td class="center" colspan="2"><input type="submit" value="<?php echo plugin_lang_get("action_update") ?>"/></td>
+</tr>
+
+</table>
+</form>
+
+<?php
+html_page_bottom();

plugins/XmlImportExport/pages/export.php

@@ -20,6 +20,8 @@
 
 require_once( 'core.php' );
 
+access_ensure_project_level( plugin_config_get( 'export_threshold' ) );
+
 auth_ensure_user_authenticated( );
 helper_begin_long_process( );
 

plugins/XmlImportExport/pages/import.php

@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
 
+access_ensure_project_level( plugin_config_get( 'import_threshold' ) );
+
 auth_reauthenticate( );
 
 html_page_top( plugin_lang_get( 'import' ) );