Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix #17876: XSS in copy_field.php
This issue was reported by Matthias Karlsson (http://mathiaskarlsson.me)
as part of Offensive Security's bug bounty program [1].

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad <dregad@mantisbt.org>
  • Loading branch information
mantis authored and dregad committed Nov 29, 2014
1 parent 0bff06e commit e5fc835
Showing 1 changed file with 12 additions and 9 deletions.
21 changes: 12 additions & 9 deletions admin/copy_field.php
Expand Up @@ -30,6 +30,18 @@

$f_source_field_id = gpc_get_int( 'source_id' );
$f_dest_field = gpc_get( 'dest_id' );

# checks on validity
$t_valid_fields = array(
'fixed_in_version',
);
if( !in_array( $f_dest_field, $t_valid_fields ) ) {
echo '<html><body>';
echo '<p>Invalid destination field (' . string_attribute($f_dest_field) . ') specified.</p>';
echo '</body></html>';
exit;
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
Expand All @@ -53,15 +65,6 @@
<br /><br />

<?php
# checks on validity
$t_valid_fields = array(
'fixed_in_version',
);
if( !in_array( $f_dest_field, $t_valid_fields ) ) {
echo '<p>Invalid destination field (' . $f_dest_field . ') specified.</p>';
echo '</body></html>';
exit;
}

# @@@ check that source and destination are compatible

Expand Down

0 comments on commit e5fc835

Please sign in to comment.