
Update match_type parameter to be XSS-safe by itself

Use of gpc_get_int() instead of gpc_get_string() prevents malicious
users from passing arbitrary strings as parameter.

Fixes #15388
dregad committed Jan 19, 2013
1 parent 26c8ca2 commit dbf923c3a0a19fe891a594d13739d5716d0bc912
Showing with 13 additions and 13 deletions.
  1. +11 −11 core/filter_api.php
  2. +1 −1 search.php
  3. +1 −1 view_all_set.php
@@ -1085,11 +1085,11 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}
$t_view_type = $t_filter['_view_type'];
-
+
// project query clauses must be AND-ed always, irrespective of how the filter
// clauses are requested by the user ( all matching -> AND, any matching -> OR )
$t_where_clauses = array();
-
+
$t_project_where_clauses = array(
"$t_project_table.enabled = " . db_param(),
"$t_project_table.id = $t_bug_table.project_id",
@@ -1239,13 +1239,13 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
log_event( LOG_FILTERING, 'project query = ' . $t_project_query );
array_push( $t_project_where_clauses, $t_project_query );
}
-
+
# date filter
if(( 'on' == $t_filter[FILTER_PROPERTY_FILTER_BY_DATE] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_MONTH] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_DAY] ) && is_numeric( $t_filter[FILTER_PROPERTY_START_YEAR] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_MONTH] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_DAY] ) && is_numeric( $t_filter[FILTER_PROPERTY_END_YEAR] ) ) {
-
+
$t_start_string = $t_filter[FILTER_PROPERTY_START_YEAR] . "-" . $t_filter[FILTER_PROPERTY_START_MONTH] . "-" . $t_filter[FILTER_PROPERTY_START_DAY] . " 00:00:00";
$t_end_string = $t_filter[FILTER_PROPERTY_END_YEAR] . "-" . $t_filter[FILTER_PROPERTY_END_MONTH] . "-" . $t_filter[FILTER_PROPERTY_END_DAY] . " 23:59:59";
-
+
$t_where_params[] = strtotime( $t_start_string );
$t_where_params[] = strtotime( $t_end_string );
array_push( $t_project_where_clauses, "($t_bug_table.date_submitted BETWEEN " . db_param() . " AND " . db_param() . " )" );
@@ -2004,13 +2004,13 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
}
# End text search
-
+
# Determine join operator
if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ANY )
$t_join_operator = ' OR ';
else
$t_join_operator = ' AND ';
-
+
log_event(LOG_FILTERING, 'Join operator : ' . $t_join_operator);
$t_from_clauses[] = $t_project_table;
@@ -2046,8 +2046,8 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
$t_where_string .= implode( $t_join_operator, $t_query_clauses['where'] );
$t_where_string .= ' ) ';
}
-
-
+
+
$t_result = db_query_bound( "$t_select_string $t_from_string $t_join_string $t_where_string $t_order_string", $t_query_clauses['where_values'], $p_per_page, $t_offset );
$t_row_count = db_num_rows( $t_result );
@@ -3393,14 +3393,14 @@ function <?php echo $t_js_toggle_func;?>() {
<tr class="row-1">
<td class="small-caption" valign="top"><a href="<?php echo $t_filters_url . FILTER_PROPERTY_MATCH_TYPE;?>" id="match_type_filter"><?php echo lang_get( 'filter_match_type' )?>:</a></td>
<td class="small-caption" valign="top" id="match_type_filter_target">
- <?php
+ <?php
if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ANY ) {
echo lang_get ('filter_match_any');
} else if ( $t_filter[FILTER_PROPERTY_MATCH_TYPE] == FILTER_MATCH_ALL ) {
echo lang_get ('filter_match_all');
}
?>
- <input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
+ <input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE] ?>"/>
</td>
<td colspan="6">&#160;</td>
</tr>
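Review bot: The hidden `match_type` input in the last hunk now echoes `$t_filter[FILTER_PROPERTY_MATCH_TYPE]` into an HTML attribute with no escaping, so its safety depends on every path that populates `$t_filter` having already forced the value to an integer. Only the two request-parsing call sites changed in this commit are visible here; if a filter array can also arrive from elsewhere (a saved or serialized filter, for instance, which this page does not show), a non-integer value would reach the attribute verbatim. Coercing at the sink keeps the output safe regardless of origin: `<input type="hidden" name="match_type" value="<?php echo (int)$t_filter[FILTER_PROPERTY_MATCH_TYPE] ?>"/>`, or simply keep the `string_attribute()` call. The other hunks in this file only strip trailing whitespace.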
@@ -73,7 +73,7 @@
$my_filter[FILTER_PROPERTY_OS_BUILD] = gpc_get_string_array( FILTER_SEARCH_OS_BUILD, META_FILTER_ANY );
$my_filter[FILTER_PROPERTY_VIEW_STATE_ID] = gpc_get_string_array( FILTER_SEARCH_VIEW_STATE_ID, META_FILTER_ANY );
$my_filter[FILTER_PROPERTY_PRODUCT_VERSION] = gpc_get_string_array( FILTER_SEARCH_PRODUCT_VERSION, META_FILTER_ANY );
- $my_filter[FILTER_PROPERTY_MATCH_TYPE] = gpc_get_string ( FILTER_SEARCH_MATCH_TYPE, FILTER_MATCH_ALL );
+ $my_filter[FILTER_PROPERTY_MATCH_TYPE] = gpc_get_int( FILTER_SEARCH_MATCH_TYPE, FILTER_MATCH_ALL );
// Filtering by Date
$my_filter[FILTER_PROPERTY_FILTER_BY_DATE] = gpc_get_bool( FILTER_SEARCH_FILTER_BY_DATE );
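Review bot: `gpc_get_int()` on the changed line narrows `match_type` to an integer but does not restrict it to the two values the filter code understands, `FILTER_MATCH_ALL` and `FILTER_MATCH_ANY`. In core/filter_api.php any other integer falls into the `AND` branch of the join-operator check and prints no label in the match-type row, since that `if`/`else if` has no final `else`. A comment such as `# match type is an int; anything other than FILTER_MATCH_ANY is treated as FILTER_MATCH_ALL`, together with a normalising line like `if( FILTER_MATCH_ANY != $my_filter[FILTER_PROPERTY_MATCH_TYPE] ) { $my_filter[FILTER_PROPERTY_MATCH_TYPE] = FILTER_MATCH_ALL; }`, would make the accepted range explicit. The same applies to `$f_match_type` in view_all_set.php.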
@@ -202,7 +202,7 @@
$f_note_user_id = array( $f_note_user_id );
}
- $f_match_type = gpc_get_string ( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
+ $f_match_type = gpc_get_int( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
# these are only single values, even when doing advanced filtering
$f_per_page = gpc_get_int( FILTER_PROPERTY_ISSUES_PER_PAGE, -1 );
