[Mantisbt-cvs] mantisbt proj_doc_delete.php,1.25,1.25.10.1 proj_doc_page.php,1.50,1.50.6.1

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Update of /cvsroot/mantisbt/mantisbt
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv7736

Modified Files:
      Tag: BRANCH_1_0_0rc4
	proj_doc_delete.php proj_doc_page.php 
Log Message:
fix for0006563: Port XSS Vulnerability in project documents (TKADV2005-11-002)


Index: proj_doc_delete.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/proj_doc_delete.php,v
retrieving revision 1.25
retrieving revision 1.25.10.1
diff -u -d -r1.25 -r1.25.10.1

--- proj_doc_delete.php	8 May 2005 20:42:08 -0000	1.25
+++ proj_doc_delete.php	6 Jan 2006 02:30:05 -0000	1.25.10.1
@@ -17,15 +17,20 @@
 	}
 
 	$f_file_id = gpc_get_int( 'file_id' );
-	$f_title = gpc_get_string( 'title', '' );
 
 	$t_project_id = file_get_field( $f_file_id, 'project_id', 'project' );
 
 	access_ensure_project_level( config_get( 'upload_project_file_threshold' ), $t_project_id );
 
+	$t_project_file_table = config_get( 'mantis_project_file_table' );
+	$query = "SELECT title FROM $t_project_file_table 
+				WHERE id=$f_file_id";
+	$result = db_query( $query );
+	$t_title = db_result( $result );
+
 	# Confirm with the user
 	helper_ensure_confirmed( lang_get( 'confirm_file_delete_msg' ) .
-		'<br/>' . lang_get( 'filename' ) . ': ' . $f_title,
+		'<br/>' . lang_get( 'filename' ) . ': ' . string_display( $t_title ),
 		lang_get( 'file_delete_button' ) );
 
 	file_delete( $f_file_id, 'project' );

Index: proj_doc_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/proj_doc_page.php,v
retrieving revision 1.50
retrieving revision 1.50.6.1
diff -u -d -r1.50 -r1.50.6.1
--- proj_doc_page.php	16 Aug 2005 14:36:43 -0000	1.50
+++ proj_doc_page.php	6 Jan 2006 02:30:05 -0000	1.50.6.1
@@ -111,7 +111,7 @@
 			echo '&nbsp;';
 			print_button( 'proj_doc_edit_page.php?file_id='.$v_id, lang_get( 'edit_link' ) );
 			echo '&nbsp;';
-			print_button( 'proj_doc_delete.php?file_id=' . $v_id . '&title=' . string_url( $v_title ), lang_get( 'delete_link' ) );
+			print_button( 'proj_doc_delete.php?file_id=' . $v_id, lang_get( 'delete_link' ) );
 		}
 ?>
 	</span>



