
Prevent arbitrary shell command execution

Prior to this, Administrators were able to edit 'dot_tool' and
'neato_tool' config options from the Manage Configuration Page

These can now only be set in the config_inc.php file.

Fixes #26091, CVE-2019-15715

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Original commit message reworded, added CVE reference.
atrol authored and dregad committed Aug 28, 2019
1 parent a7413da commit fc7668c8e45db55fc3a4b991ea99d2b80861a14c
Showing with 1 addition and 1 deletion.
+1 −1 config_defaults_inc.php
@@ -4361,7 +4361,7 @@
'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page',
'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url',
'cdn_enabled', 'public_config_names', 'email_login_enabled', 'email_ensure_unique',
'impersonate_user_threshold', 'email_retry_in_days'
'impersonate_user_threshold', 'email_retry_in_days', 'neato_tool', 'dot_tool'
);

/**
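Review bot: Appending 'neato_tool' and 'dot_tool' to this list only stops future edits through the Manage Configuration page; nothing in the hunk handles a value an administrator already stored in the database before the fix, so confirm that a name on this list is resolved from config_inc.php alone and a stale database row is ignored rather than still executed, and consider a changelog note or a cleanup of such rows. The docblocks for dot_tool and neato_tool should also state that they can now be set only in config_inc.php, and a test asserting that a Manage Configuration save of either name is rejected would keep a later refactor from dropping them from this list again.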
