[mantisbt-commits] mantisbt.git branch, master-1.1.x, updated. release-1.1.8-10-g3bc117f

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

The branch, master-1.1.x has been updated
       via  3bc117fc87003af07d8871f7ad81b5c999215efd (commit)
       via  51ee3d3fd47ea7087b69e3d20b008e381add8297 (commit)
       via  8f1ebac61d30ee75bb3ff934ebfed3a78fc8284d (commit)
      from  c6f356da55f3044afd3de6d5c9cc7df84083f1bf (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 3bc117fc87003af07d8871f7ad81b5c999215efd
Author: Gianluca Sforna <gi...@gm...>
Date:   Sun Sep 19 01:29:15 2010 +0200

    Fix #12371: XSS in print_all_bug_page_word.php project/category names
    
    Backport of commit bfc9e9 for bug 12238

commit 51ee3d3fd47ea7087b69e3d20b008e381add8297
Author: Gianluca Sforna <gi...@gm...>
Date:   Sun Sep 19 01:13:21 2010 +0200

    Fix #12370: Multiple XSS issues with custom field enumeration values
    
    Backport of commit 7ab71d01 fixing bug 12232

commit 8f1ebac61d30ee75bb3ff934ebfed3a78fc8284d
Author: Gianluca Sforna <gi...@gm...>
Date:   Sat Sep 18 23:29:04 2010 +0200

    Fix #12369: XSS vulnerability when deleting maliciously named categories
    
    Backport of commit 083c34f06ca927b16e781bae3ae324f450c35ea4

-----------------------------------------------------------------------

Summary of changes:
 core/custom_field_api.php   |   14 +++++++-------
 manage_proj_cat_delete.php  |    2 +-
 print_all_bug_page_word.php |    6 +++++-
 3 files changed, 13 insertions(+), 9 deletions(-)

-----------------------------------------------------------------------

commit 3bc117fc87003af07d8871f7ad81b5c999215efd
Author: Gianluca Sforna <gi...@gm...>
Date:   Sun Sep 19 01:29:15 2010 +0200

    Fix #12371: XSS in print_all_bug_page_word.php project/category names
    
    Backport of commit bfc9e9 for bug 12238

diff --git a/print_all_bug_page_word.php b/print_all_bug_page_word.php
index 334736c..1f900c0 100644
--- a/print_all_bug_page_word.php
+++ b/print_all_bug_page_word.php
@@ -160,7 +160,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 		<?php echo $v_id ?>
 	</td>
 	<td class="print">
-		<?php echo "[$t_project_name] $v_category" ?>
+		<?php echo '[' . string_display_line( $t_project_name ) . '] ' . string_display_line( $v_category ) ?>
 	</td>
 	<td class="print">
 		<?php echo get_enum_element( 'severity', $v_severity ) ?>
@@ -503,7 +503,11 @@ foreach( $t_related_custom_field_ids as $t_id ) {
 							}
 							echo implode( ', ', $t_to ) . '<br />';
 						default:
+<<<<<<< HEAD
 							echo $v3_note;
+=======
+							echo string_display_links( $t_bugnote->note );
+>>>>>>> bfc9e9f... Fix #12238: XSS in print_all_bug_page_word.php project/category names
 					}
 				?>
 			</td>

commit 51ee3d3fd47ea7087b69e3d20b008e381add8297
Author: Gianluca Sforna <gi...@gm...>
Date:   Sun Sep 19 01:13:21 2010 +0200

    Fix #12370: Multiple XSS issues with custom field enumeration values
    
    Backport of commit 7ab71d01 fixing bug 12232

diff --git a/core/custom_field_api.php b/core/custom_field_api.php
index 5b9f39e..6768b6e 100644
--- a/core/custom_field_api.php
+++ b/core/custom_field_api.php
@@ -1218,9 +1218,9 @@
 			$t_selected_values = explode( '|', $t_custom_field_value );
  			foreach( $t_values as $t_option ) {
 				if( in_array( $t_option, $t_selected_values, true ) ) {
- 					echo '<option value="' . $t_option . '" selected="selected"> ' . $t_option . '</option>';
+ 					echo '<option value="' . string_attribute( $t_option ) . '" selected="selected"> ' . string_display_line( $t_option ) . '</option>';
  				} else {
- 					echo '<option value="' . $t_option . '">' . $t_option . '</option>';
+ 					echo '<option value="' . string_attribute( $t_option ) . '">' . string_display_line( $t_option ) . '</option>';
  				}
  			}
  			echo '</select>';
@@ -1231,9 +1231,9 @@
 			foreach( $t_values as $t_option ) {
 				echo '<input ', helper_get_tab_index(), ' type="checkbox" name="custom_field_' . $t_id . '[]"';
 				if( in_array( $t_option, $t_checked_values, true ) ) {
-					echo ' value="' . $t_option . '" checked="checked">&nbsp;' . $t_option . '&nbsp;&nbsp;';
+					echo ' value="' . string_attribute( $t_option ) . '" checked="checked">&nbsp;' . string_display_line( $t_option ) . '&nbsp;&nbsp;';
 				} else {
-					echo ' value="' . $t_option . '">&nbsp;' . $t_option . '&nbsp;&nbsp;';
+					echo ' value="' . string_attribute( $t_option ) . '">&nbsp;' . string_display_line( $t_option ) . '&nbsp;&nbsp;';
 				}
 			}
  			break;
@@ -1266,14 +1266,14 @@
 		$t_custom_field_value = custom_field_get_value( $p_field_id, $p_bug_id );
 		switch( $p_def['type'] ) {
 			case CUSTOM_FIELD_TYPE_EMAIL:
-				return "<a href=\"mailto:$t_custom_field_value\">$t_custom_field_value</a>";
+				return '<a href="mailto:' . string_attribute( $t_custom_field_value ) . '">' . string_display_line( $t_custom_field_value ) . '</a>';
 				break;
 			case CUSTOM_FIELD_TYPE_ENUM:
 			case CUSTOM_FIELD_TYPE_LIST:
 			case CUSTOM_FIELD_TYPE_MULTILIST:
 			case CUSTOM_FIELD_TYPE_CHECKBOX:
 				// strip possible start and end markers before converting markers to commas
-				return str_replace( '|', ', ', substr( str_replace( "||", "|", '|' . $t_custom_field_value . '|' ), 1, -1 ) );
+				return string_display_line( str_replace( '|', ', ', substr( str_replace( "||", "|", '|' . $t_custom_field_value . '|' ), 1, -1 ) ) );
 				break;
 			case CUSTOM_FIELD_TYPE_DATE:
 				if ($t_custom_field_value != null) {
@@ -1310,7 +1310,7 @@
 			case CUSTOM_FIELD_TYPE_MULTILIST:
 			case CUSTOM_FIELD_TYPE_CHECKBOX:
 				// strip start and end markers before converting markers to commas
-				return str_replace( '|', ', ', substr( str_replace( "||", "|", '|' . $p_value . '|' ), 1, -1 ) );
+				return string_display_line( str_replace( '|', ', ', substr( str_replace( "||", "|", '|' . $p_value . '|' ), 1, -1 ) ) );
 				break;
 			case CUSTOM_FIELD_TYPE_DATE:
 				if ($p_value != null) {

commit 8f1ebac61d30ee75bb3ff934ebfed3a78fc8284d
Author: Gianluca Sforna <gi...@gm...>
Date:   Sat Sep 18 23:29:04 2010 +0200

    Fix #12369: XSS vulnerability when deleting maliciously named categories
    
    Backport of commit 083c34f06ca927b16e781bae3ae324f450c35ea4

diff --git a/manage_proj_cat_delete.php b/manage_proj_cat_delete.php
index c4c591f..f406500 100644
--- a/manage_proj_cat_delete.php
+++ b/manage_proj_cat_delete.php
@@ -38,7 +38,7 @@
 
 	# Confirm with the user
 	helper_ensure_confirmed( lang_get( 'category_delete_sure_msg' ) .
-		'<br/>' . lang_get( 'category' ) . ': ' . $f_category,
+		'<br/>' . lang_get( 'category' ) . ': ' . string_display_line($f_category),
 		lang_get( 'delete_category_button' ) );
 
 	category_remove( $f_project_id, $f_category );

-----------------------------------------------------------------------


--
Mantis Bug Tracker


