From: Glenn H. <thr...@us...> - 2006-01-06 02:30:14
Update of /cvsroot/mantisbt/mantisbt
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv7736
Modified Files:
Tag: BRANCH_1_0_0rc4
proj_doc_delete.php proj_doc_page.php
Log Message:
fix for0006563: Port XSS Vulnerability in project documents (TKADV2005-11-002)
Index: proj_doc_delete.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/proj_doc_delete.php,v
retrieving revision 1.25
retrieving revision 1.25.10.1
diff -u -d -r1.25 -r1.25.10.1
--- proj_doc_delete.php 8 May 2005 20:42:08 -0000 1.25
+++ proj_doc_delete.php 6 Jan 2006 02:30:05 -0000 1.25.10.1
@@ -17,15 +17,20 @@
 }
 $f_file_id = gpc_get_int( 'file_id' );
- $f_title = gpc_get_string( 'title', '' );
 $t_project_id = file_get_field( $f_file_id, 'project_id', 'project' );
 access_ensure_project_level( config_get( 'upload_project_file_threshold' ), $t_project_id );
+ $t_project_file_table = config_get( 'mantis_project_file_table' );
+ $query = "SELECT title FROM $t_project_file_table
+ WHERE id=$f_file_id";
+ $result = db_query( $query );
+ $t_title = db_result( $result );
+
 # Confirm with the user
 helper_ensure_confirmed( lang_get( 'confirm_file_delete_msg' ) .
- '<br/>' . lang_get( 'filename' ) . ': ' . $f_title,
+ '<br/>' . lang_get( 'filename' ) . ': ' . string_display( $t_title ),
 lang_get( 'file_delete_button' ) );
 file_delete( $f_file_id, 'project' );
Index: proj_doc_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/proj_doc_page.php,v
retrieving revision 1.50
retrieving revision 1.50.6.1
diff -u -d -r1.50 -r1.50.6.1
--- proj_doc_page.php 16 Aug 2005 14:36:43 -0000 1.50
+++ proj_doc_page.php 6 Jan 2006 02:30:05 -0000 1.50.6.1
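Review bot: The added query builds its WHERE clause by interpolating `$f_file_id` straight into the SQL string, and the only thing keeping that from being an injection point is the `gpc_get_int` coercion a few lines above, which nothing at the query site records. Route the value through the integer-preparing helper the codebase already uses, `WHERE id=" . db_prepare_int( $f_file_id );`, or at minimum mark the invariant with `# $f_file_id is an int from gpc_get_int(); never interpolate a raw request string here`. Separately, `db_result( $result )` on an empty result set likely yields a non-string value; the earlier `file_get_field` call presumably already rejects unknown ids, but if it does not, the confirmation would display an empty filename instead of failing, which is worth confirming. The script's surrounding code lies outside the hunk.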
@@ -111,7 +111,7 @@
 echo ' ';
 print_button( 'proj_doc_edit_page.php?file_id='.$v_id, lang_get( 'edit_link' ) );
 echo ' ';
- print_button( 'proj_doc_delete.php?file_id=' . $v_id . '&title=' . string_url( $v_title ), lang_get( 'delete_link' ) );
+ print_button( 'proj_doc_delete.php?file_id=' . $v_id, lang_get( 'delete_link' ) );
 }
 ?>
 </span>
|
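Review bot: Nothing on the new `print_button` line records why the `title` parameter was removed, so a later edit could reinstate it to save the extra lookup in proj_doc_delete.php and reopen the reflected-XSS path this commit closes. A short comment above the call would pin the contract: `# proj_doc_delete.php looks the title up by file_id itself; passing it via the URL let a crafted link inject markup into the confirmation page.` The enclosing loop and the function it sits in start outside the hunk.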