From: <gi...@ma...> - 2010-10-22 10:13:51
The branch, master-1.2.x has been updated via 99e7eedc560ca293935986ccc2cd8e7a1cecd0fd (commit) from 6172ca398ce85cb9b23abc7d426821790b415339 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 99e7eedc560ca293935986ccc2cd8e7a1cecd0fd Author: Damien Regad <dam...@me...> Date: Wed Oct 20 18:07:45 2010 +0200 Fix #11351: Do not delete email or realname when editing user with LDAP When connecting to Mantis with LDAP and either use_ldap_email or use_ldap_realname = ON, that field is set to blank when the user edits their profile (account_page.php). The same happens when either or both of the above options are ON and the administrator updates a user from manage_user_edit_page.php. The original patch from Damien was updated to fix a few minor bugs and more importantly, to resolve a number of potential XSS vulnerabilities. Co-contributed-by: David Hicks <hic...@op...> 
Signed-off-by: David Hicks <hic...@op...> ----------------------------------------------------------------------- Summary of changes: account_page.php | 58 +++++++++++++++++++++++--------------------- core/print_api.php | 4 +- manage_user_edit_page.php | 34 +++++++++++++++++-------- 3 files changed, 55 insertions(+), 41 deletions(-) ----------------------------------------------------------------------- commit 99e7eedc560ca293935986ccc2cd8e7a1cecd0fd Author: Damien Regad <dam...@me...> Date: Wed Oct 20 18:07:45 2010 +0200 Fix #11351: Do not delete email or realname when editing user with LDAP When connecting to Mantis with LDAP and either use_ldap_email or use_ldap_realname = ON, that field is set to blank when the user edits their profile (account_page.php). The same happens when either or both of the above options are ON and the administrator updates a user from manage_user_edit_page.php. The original patch from Damien was updated to fix a few minor bugs and more importantly, to resolve a number of potential XSS vulnerabilities. Co-contributed-by: David Hicks <hic...@op...> Signed-off-by: David Hicks <hic...@op...> diff --git a/account_page.php b/account_page.php index 2c9790e..ebe2a43 100644 --- a/account_page.php +++ b/account_page.php @@ -128,7 +128,7 @@ </td> </tr> -<!-- Without LDAP --> + <!-- Without LDAP --> <?php } else { $t_show_update_button = true; ?> @@ -173,22 +173,8 @@ </td> </tr> -<?php -} // End LDAP conditional - -if ( $t_ldap && ON == config_get( 'use_ldap_email' ) ) { ?> <!-- With LDAP Email--> - - <!-- Email --> - <tr <?php echo helper_alternate_class() ?>> - <td class="category"> - <?php echo lang_get( 'email' ) ?> - </td> - <td> - <?php echo $u_email ?> - </td> - </tr> - -<?php } else { ?> <!-- Without LDAP Email --> +<?php } ?> + <!-- End LDAP conditional --> <!-- Email --> <tr <?php echo helper_alternate_class() ?>> 
@@ -196,29 +182,45 @@ if ( $t_ldap && ON == config_get( 'use_ldap_email' ) ) { ?> <!-- With LDAP Email <?php echo lang_get( 'email' ) ?> </td> <td> - <?php + <?php + // With LDAP + if ( $t_ldap && ON == config_get( 'use_ldap_email' ) ) { + echo string_display_line( $u_email ); + ?> + <input type="hidden" name="email" value="<?php echo string_attribute( $u_email ) ?>" /> + <?php + } + // Without LDAP + else { $t_show_update_button = true; print_email_input( 'email', $u_email ); - ?> + } + ?> </td> </tr> -<?php } ?> <!-- End LDAP Email conditional --> - <!-- Realname --> <tr <?php echo helper_alternate_class() ?> valign="top"> <td class="category"> <?php echo lang_get( 'realname' ) ?> </td> <td> -<?php -if ( $t_ldap && ON == config_get( 'use_ldap_realname' ) ) { - echo string_display( ldap_realname_from_username( $u_username ) ); -} else { - $t_show_update_button = true; -?> + <?php + // With LDAP + if ( $t_ldap && ON == config_get( 'use_ldap_realname' ) ) { + echo string_display_line( ldap_realname_from_username( $u_username ) ); + ?> + <input type="hidden" name="realname" value="<?php echo string_attribute( ldap_realname_from_username( $u_username ) ) ?>" /> + <?php + } + // Without LDAP + else { + $t_show_update_button = true; + ?> <input type="text" size="32" maxlength="<?php echo REALLEN;?>" name="realname" value="<?php echo string_attribute( $u_realname ) ?>" /> -<?php } ?> + <?php + } + ?> </td> </tr> diff --git a/core/print_api.php b/core/print_api.php index 44dd346..51c794c 100644 --- a/core/print_api.php +++ b/core/print_api.php 
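Review bot: The hidden `email` and `realname` inputs added in the two LDAP branches put the LDAP-sourced values into the POST body, so protection of those fields now rests entirely on the account update handler (not in this diff) discarding posted email/realname whenever use_ldap_email / use_ldap_realname is ON; if it still persists whatever arrives, any user can edit the hidden value in their browser and overwrite the directory-backed address or name from the self-service page, which is the data the commit sets out to preserve. A safer shape is to emit no field at all when LDAP is authoritative and have the handler fall back to the LDAP value itself; at minimum add `# NOTE: the update handler must ignore posted email/realname when LDAP is authoritative` beside each hidden input so the coupling is visible. Separately, `ldap_realname_from_username( $u_username )` is evaluated twice in the realname branch (display and hidden input), i.e. two directory lookups per page view; fetch it once into `$t_ldap_realname = ldap_realname_from_username( $u_username );` and reuse it in both `string_display_line` and `string_attribute`. The enclosing form and the `$t_ldap` / `$t_show_update_button` setup begin outside this hunk.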
@@ -191,9 +191,9 @@ function print_email_input( $p_field_name, $p_email ) {
 # remove the domain part
 $p_email = preg_replace( '/@' . preg_quote( $t_limit_email_domain, '/' ) . '$/i', '', $p_email );
 
- echo '<input type="text" name="' . $p_field_name . '" size="20" maxlength="64" value="' . $p_email . '" />@' . $t_limit_email_domain;
+ echo '<input type="text" name="' . string_attribute( $p_field_name ) . '" size="20" maxlength="64" value="' . string_attribute( $p_email ) . '" />@' . string_display_line( $t_limit_email_domain );
 } else {
- echo '<input type="text" name="' . $p_field_name . '" size="32" maxlength="64" value="' . $p_email . '" />';
+ echo '<input type="text" name="' . string_attribute( $p_field_name ) . '" size="32" maxlength="64" value="' . string_attribute( $p_email ) . '" />';
 }
 }
 
diff --git a/manage_user_edit_page.php b/manage_user_edit_page.php
index 4ac18d4..075bcc8 100644
--- a/manage_user_edit_page.php
+++ b/manage_user_edit_page.php
@@ -66,7 +66,7 @@
 <!-- Title -->
 <tr>
 <td class="form-title" colspan="2">
- <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" />
+ <input type="hidden" name="user_id" value="<?php echo string_attribute( $t_user['id'] ) ?>" />
 <?php echo lang_get( 'edit_user_title' ) ?>
 </td>
 </tr>
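Review bot: The two rewritten `echo` lines correctly escape `$p_field_name` and `$p_email` for the attribute context and `$t_limit_email_domain` for the text context, but `print_email_input` still has no header comment, and its contract (the limit domain is stripped from the value by the regex above and re-appended as plain text after the field) is only discoverable by reading the `preg_replace`; add above the signature a comment such as `# Print an <input> for an e-mail address; when limit_email_domain is set, the domain part is stripped from the value and shown after the field`. Note also that the `preg_replace` result is assigned back to `$p_email` unchecked; preg_replace returns null on a PCRE error, in which case the escaped value would silently render as an empty field, which deserves at least a comment on that line. The function signature and the `$t_limit_email_domain` lookup sit above this hunk.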
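Review bot: Escaping `$t_user['id']` in the hidden `user_id` input is harmless but does not change the trust model: the value is chosen by the client on submit, so the control that matters is the update handler (not in this diff) re-checking the caller's access against the posted id before writing, and that check is not visible here. For an integer id an `(int)` cast at the point of use in the handler is the appropriate guard rather than attribute escaping; a comment such as `<!-- user_id is client-controlled; the update handler must re-authorize it -->` would make that expectation explicit. The surrounding `<form>` starts above this hunk.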
@@ -77,23 +77,29 @@
 <?php echo lang_get( 'username' ) ?>:
 </td>
 <td width="70%">
- <input type="text" size="16" maxlength="<?php echo USERLEN;?>" name="username" value="<?php echo $t_user['username'] ?>" />
+ <input type="text" size="16" maxlength="<?php echo USERLEN;?>" name="username" value="<?php echo string_attribute( $t_user['username'] ) ?>" />
 </td>
 </tr>
 
 <!-- Realname -->
 <tr <?php echo helper_alternate_class( 1 ) ?>>
 <td class="category" width="30%">
- <?php echo lang_get( 'realname' ) ?>:
+ <?php echo lang_get( 'realname' ) ?>
 </td>
 <td width="70%">
 <?php
- if ( !$t_ldap || config_get( 'use_ldap_realname' ) == OFF ) {
+ // With LDAP
+ if ( $t_ldap && ON == config_get( 'use_ldap_realname' ) ) {
+ echo string_display_line( user_get_realname( $f_user_id ) );
+ ?>
+ <input type="hidden" name="realname" value="<?php echo string_attribute( user_get_realname( $f_user_id ) ) ?>" />
+ <?php
+ }
+ // Without LDAP
+ else {
 ?>
- <input type="text" size="16" maxlength="<?php echo REALLEN;?>" name="realname" value="<?php echo string_attribute( $t_user['realname'] ) ?>" />
+ <input type="text" size="16" maxlength="<?php echo REALLEN;?>" name="realname" value="<?php echo string_attribute( $t_user['realname'] ) ?>" />
 <?php
- } else {
- echo string_display( user_get_realname( $f_user_id ) );
 }
 ?>
 </td>
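Review bot: The trailing colon is dropped from the realname label (`<?php echo lang_get( 'realname' ) ?>`) while the username label in the context at the top of this hunk keeps it (`<?php echo lang_get( 'username' ) ?>:`), so the same form now mixes both conventions; either keep the colon on realname (and email) or drop it on username in the same commit. `user_get_realname( $f_user_id )` is also evaluated twice in the LDAP branch, once for display and once for the hidden input, and with use_ldap_realname ON that lookup may involve the directory; fetch it once, `$t_realname = user_get_realname( $f_user_id );`, and pass it to both `string_display_line` and `string_attribute`. The enclosing form and the computation of `$t_ldap` and `$t_user` are above this hunk.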
@@ -102,14 +108,20 @@
 <!-- Email -->
 <tr <?php echo helper_alternate_class() ?>>
 <td class="category">
- <?php echo lang_get( 'email' ) ?>:
+ <?php echo lang_get( 'email' ) ?>
 </td>
 <td>
 <?php
- if ( !$t_ldap || config_get( 'use_ldap_email' ) == OFF ) {
+ // With LDAP
+ if ( $t_ldap && ON == config_get( 'use_ldap_email' ) ) {
+ echo string_display_line( user_get_email( $f_user_id ) );
+ ?>
+ <input type="hidden" name="email" value="<?php echo string_attribute( user_get_email( $f_user_id ) ) ?>" />
+ <?php
+ }
+ // Without LDAP
+ else {
 print_email_input( 'email', $t_user['email'] );
- } else {
- echo string_display( user_get_email( $f_user_id ) );
 }
 ?>
 </td>
----------------------------------------------------------------------- -- Mantis Bug Tracker |
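Review bot: `user_get_email( $f_user_id )` is called twice in the new LDAP branch, once for `string_display_line` and once for the hidden input's `string_attribute`, while the non-LDAP branch two lines below reads the already-fetched `$t_user['email']`; store the LDAP-side value once, `$t_email = user_get_email( $f_user_id );`, and use it in both places so the display and the hidden field cannot diverge if the lookup is not stable between calls. The hidden `email` input also means the directory-sourced address now travels through the client, so the update handler (not in this diff) has to ignore the posted `email` when use_ldap_email is ON for this fix to hold; a one-line comment above the hidden input, `# the update handler must not persist a posted email when use_ldap_email is ON`, would record that dependency. The closing of the form and the rest of the page lie beyond this hunk.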