From: Glenn H. <thr...@us...> - 2006-01-05 03:54:27
Update of /cvsroot/mantisbt/mantisbt
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv32430
Modified Files:
Tag: BRANCH_1_0_0rc4
manage_user_page.php
Log Message:
fix for 0006557: XSS Vulnerability in manage_user (TKADV2005-11-002) - port from CVS HEAD
Index: manage_user_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/manage_user_page.php,v
retrieving revision 1.59.8.1
retrieving revision 1.59.8.1.2.1
diff -u -d -r1.59.8.1 -r1.59.8.1.2.1
--- manage_user_page.php 5 Dec 2005 10:51:59 -0000 1.59.8.1
+++ manage_user_page.php 5 Jan 2006 03:54:19 -0000 1.59.8.1.2.1
@@ -25,12 +25,31 @@
 $f_save = gpc_get_bool( 'save' );
 $f_prefix = strtoupper( gpc_get_string( 'prefix', config_get( 'default_manage_user_prefix' ) ) );
+ $t_user_table = config_get( 'mantis_user_table' );
 $t_cookie_name = config_get( 'manage_cookie' );
 $t_lock_image = '<img src="' . config_get( 'icon_path' ) . 'protected.gif" width="8" height="15" border="0" alt="' . lang_get( 'protected' ) . '" />';
+ # Clean up the form variables
+ if ( ! in_array( $f_sort, db_field_names( $t_user_table ) ) ) {
+ $c_sort = 'username';
+ } else {
+ $c_sort = addslashes($f_sort);
+ }
+
+ if ($f_dir == 'ASC') {
+ $c_dir = 'ASC';
+ } else {
+ $c_dir = 'DESC';
+ }
+
+ if ($f_hide == 0) { # a 0 will turn it off
+ $c_hide = 0;
+ } else { # anything else (including 'on') will turn it on
+ $c_hide = 1;
+ }
 # set cookie values for hide, sort by, and dir
 if ( $f_save ) {
- $t_manage_string = $f_hide.':'.$f_sort.':'.$f_dir;
+ $t_manage_string = $c_hide.':'.$c_sort.':'.$c_dir;
 gpc_set_cookie( $t_cookie_name, $t_manage_string, true );
 } else if ( !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
 $t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );
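Review bot: The whitelist check on `$f_sort` runs before the cookie branch at the end of this hunk, so if the lines that follow the hunk assign `$f_sort`, `$f_dir` or `$f_hide` from `$t_manage_arr` (the pre-patch layout, where this cleanup sat after the cookie block, suggests they do), cookie-supplied values reach the later code without passing through `db_field_names()`; the `$c_*` derivation should be repeated after the cookie is read, or the cookie fields validated at that point. Once `$c_sort` is constrained to a known column name the `addslashes()` call is redundant, and `in_array()` should be given `true` as its third argument so a numeric string cannot loosely match a column name. The `$f_hide == 0` comparison relies on loose equality, and whether a checkbox value such as `'on'` compares equal to `0` depends on how `$f_hide` is read above the hunk, which is outside SOURCE. The enclosing `if`/`else if` block continues past the end of the hunk.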
@@ -49,20 +68,6 @@
 }
 }
- # Clean up the form variables
- $c_sort = addslashes($f_sort);
-
- if ($f_dir == 'ASC') {
- $c_dir = 'ASC';
- } else {
- $c_dir = 'DESC';
- }
-
- if ($f_hide == 0) { # a 0 will turn it off
- $c_hide = 0;
- } else { # anything else (including 'on') will turn it on
- $c_hide = 1;
- }
 ?>
 <?php html_page_top1( lang_get( 'manage_users_link' ) ) ?>
 <?php html_page_top2() ?>
@@ -71,8 +76,6 @@
 <?php # New Accounts Form BEGIN ?>
 <?php
- $t_user_table = config_get( 'mantis_user_table' );
- $days_old = 7;
 $query = "SELECT * FROM $t_user_table |