
Commit e5fc835

mantis authored and dregad committed
Fix #17876: XSS in copy_field.php

This issue was reported by Matthias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [1].

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad <dregad@mantisbt.org>
1 parent 0bff06e commit e5fc835

File tree: 1 file changed (+12 −9 lines)

Diff for: admin/copy_field.php

+12 −9

Original file line number | Diff line number | Diff line change
@@ -30,6 +30,18 @@
3030

3131
$f_source_field_id = gpc_get_int( 'source_id' );
3232
$f_dest_field = gpc_get( 'dest_id' );
33+
34+
# checks on validity
35+
$t_valid_fields = array(
36+
'fixed_in_version',
37+
);
38+
if( !in_array( $f_dest_field, $t_valid_fields ) ) {
39+
echo '<html><body>';
40+
echo '<p>Invalid destination field (' . string_attribute($f_dest_field) . ') specified.</p>';
41+
echo '</body></html>';
42+
exit;
43+
}
44+
3345
?>
3446
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3547
<html>
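Review bot: the new early check still reflects the attacker-controlled `dest_id` value back into the response, and it does so with `string_attribute($f_dest_field)` inside the text of a `<p>` element (`echo '<p>Invalid destination field (' . string_attribute($f_dest_field) . ') specified.</p>';`). `string_attribute()` is MantisBT's escaper for attribute values; for element content the text-context escaper (`string_html_specialchars()` or `string_display_line()`) is the conventional choice, and the simplest hardening here is to not echo the rejected value at all, since the whitelist has a single entry and the message carries nothing the caller needs. Two smaller points on the same lines: `in_array( $f_dest_field, $t_valid_fields )` should pass `true` as its third argument so the comparison is strict, and `gpc_get( 'dest_id' )` can hand back an array when the request carries `dest_id[]=...`, which `in_array` rejects but which then reaches `string_attribute()` on the error path; `gpc_get_string()` would pin the type up front. Lastly, the bare `echo '<html><body>'` goes out before the file's own `<!DOCTYPE ...>` and without any charset declaration, so the early-exit error page lacks the encoding metadata the normal page has; emitting it through the standard page-header helpers rather than hand-written markup would avoid that.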
@@ -53,15 +65,6 @@
5365
<br /><br />
5466

5567
<?php
56-
# checks on validity
57-
$t_valid_fields = array(
58-
'fixed_in_version',
59-
);
60-
if( !in_array( $f_dest_field, $t_valid_fields ) ) {
61-
echo '<p>Invalid destination field (' . $f_dest_field . ') specified.</p>';
62-
echo '</body></html>';
63-
exit;
64-
}
6568

6669
# @@@ check that source and destination are compatible
6770

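Review bot: the removed block is the original sink, `echo '<p>Invalid destination field (' . $f_dest_field . ') specified.</p>';`, which wrote the raw `dest_id` parameter into the page, and moving the check earlier is only sound if nothing between the new early exit and this point reads `$f_dest_field`; that holds for the lines shown. What the patch leaves untouched is the `# @@@ check that source and destination are compatible` marker immediately below the hunk, which is still an open TODO, and `$f_source_field_id` (read with `gpc_get_int( 'source_id' )` at the top of the file) is not validated anywhere in this change. Worth a follow-up to resolve that TODO now that the destination side has a whitelist, and to grep the other admin scripts for unescaped echoes of `$f_dest_field` or `$f_source_field_id` before closing the ticket.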