From: <gi...@ma...> - 2010-09-18 23:42:55
The branch, master-1.1.x has been updated
via 3bc117fc87003af07d8871f7ad81b5c999215efd (commit)
via 51ee3d3fd47ea7087b69e3d20b008e381add8297 (commit)
via 8f1ebac61d30ee75bb3ff934ebfed3a78fc8284d (commit)
from c6f356da55f3044afd3de6d5c9cc7df84083f1bf (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 3bc117fc87003af07d8871f7ad81b5c999215efd
Author: Gianluca Sforna <gi...@gm...>
Date: Sun Sep 19 01:29:15 2010 +0200
Fix #12371: XSS in print_all_bug_page_word.php project/category names
Backport of commit bfc9e9 for bug 12238
commit 51ee3d3fd47ea7087b69e3d20b008e381add8297
Author: Gianluca Sforna <gi...@gm...>
Date: Sun Sep 19 01:13:21 2010 +0200
Fix #12370: Multiple XSS issues with custom field enumeration values
Backport of commit 7ab71d01 fixing bug 12232
commit 8f1ebac61d30ee75bb3ff934ebfed3a78fc8284d
Author: Gianluca Sforna <gi...@gm...>
Date: Sat Sep 18 23:29:04 2010 +0200
Fix #12369: XSS vulnerability when deleting maliciously named categories
Backport of commit 083c34f06ca927b16e781bae3ae324f450c35ea4
-----------------------------------------------------------------------
Summary of changes:
core/custom_field_api.php | 14 +++++++-------
manage_proj_cat_delete.php | 2 +-
print_all_bug_page_word.php | 6 +++++-
3 files changed, 13 insertions(+), 9 deletions(-)
-----------------------------------------------------------------------
commit 3bc117fc87003af07d8871f7ad81b5c999215efd
Author: Gianluca Sforna <gi...@gm...>
Date: Sun Sep 19 01:29:15 2010 +0200
Fix #12371: XSS in print_all_bug_page_word.php project/category names
Backport of commit bfc9e9 for bug 12238
diff --git a/print_all_bug_page_word.php b/print_all_bug_page_word.php
index 334736c..1f900c0 100644
--- a/print_all_bug_page_word.php
+++ b/print_all_bug_page_word.php
@@ -160,7 +160,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <?php echo $v_id ?>
 </td>
 <td class="print">
- <?php echo "[$t_project_name] $v_category" ?>
+ <?php echo '[' . string_display_line( $t_project_name ) . '] ' . string_display_line( $v_category ) ?>
 </td>
 <td class="print">
 <?php echo get_enum_element( 'severity', $v_severity ) ?>
@@ -503,7 +503,11 @@ foreach( $t_related_custom_field_ids as $t_id ) {
 }
 echo implode( ', ', $t_to ) . '<br />';
 default:
+<<<<<<< HEAD
 echo $v3_note;
+=======
+ echo string_display_links( $t_bugnote->note );
+>>>>>>> bfc9e9f... Fix #12238: XSS in print_all_bug_page_word.php project/category names
 }
 ?>
 </td>
commit 51ee3d3fd47ea7087b69e3d20b008e381add8297
Author: Gianluca Sforna <gi...@gm...>
Date: Sun Sep 19 01:13:21 2010 +0200
Fix #12370: Multiple XSS issues with custom field enumeration values
Backport of commit 7ab71d01 fixing bug 12232
diff --git a/core/custom_field_api.php b/core/custom_field_api.php
index 5b9f39e..6768b6e 100644
--- a/core/custom_field_api.php
+++ b/core/custom_field_api.php
@@ -1218,9 +1218,9 @@
 $t_selected_values = explode( '|', $t_custom_field_value );
 foreach( $t_values as $t_option ) {
 if( in_array( $t_option, $t_selected_values, true ) ) {
- echo '<option value="' . $t_option . '" selected="selected"> ' . $t_option . '</option>';
+ echo '<option value="' . string_attribute( $t_option ) . '" selected="selected"> ' . string_display_line( $t_option ) . '</option>';
 } else {
- echo '<option value="' . $t_option . '">' . $t_option . '</option>';
+ echo '<option value="' . string_attribute( $t_option ) . '">' . string_display_line( $t_option ) . '</option>';
 }
 }
 echo '</select>';
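Review bot: The added lines in the hunk at line 503 commit unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> bfc9e9f...`) into print_all_bug_page_word.php, so the page will no longer parse and the XSS fix this backport is meant to ship is not in effect. The two sides also disagree on the variable: the HEAD side echoes `$v3_note` while the backported line uses `$t_bugnote->note`, which nothing visible in the 1.1.x context defines. The resolution that keeps the fix is presumably the single line `echo string_display_links( $v3_note );` in place of the five-line conflict block. The enclosing switch starts before the hunk, so confirm that `$v3_note` is still the note variable in scope at that point before resolving.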
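Review bot: In the hunk at line 1218 each branch of the if/else now escapes `$t_option` twice, `string_attribute()` for the value attribute and `string_display_line()` for the visible label, so the same pair of calls is spelled out four times, and the checkbox hunk at line 1231 repeats the pattern. Computing both forms once per iteration, `$t_option_attr = string_attribute( $t_option );` and `$t_option_text = string_display_line( $t_option );` just inside the `foreach`, leaves the two `echo` lines differing only in the `selected="selected"` part and keeps the escaping in one place per loop. A one-line comment above the loop, such as `# escape separately for attribute context and for text context`, would explain why two different helpers are used on the same value. The enclosing function begins before the hunk, so the `<select>` opening tag and any other attributes built from field data are not visible here.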
@@ -1231,9 +1231,9 @@
 foreach( $t_values as $t_option ) {
 echo '<input ', helper_get_tab_index(), ' type="checkbox" name="custom_field_' . $t_id . '[]"';
 if( in_array( $t_option, $t_checked_values, true ) ) {
- echo ' value="' . $t_option . '" checked="checked"> ' . $t_option . ' ';
+ echo ' value="' . string_attribute( $t_option ) . '" checked="checked"> ' . string_display_line( $t_option ) . ' ';
 } else {
- echo ' value="' . $t_option . '"> ' . $t_option . ' ';
+ echo ' value="' . string_attribute( $t_option ) . '"> ' . string_display_line( $t_option ) . ' ';
 }
 }
 break;
@@ -1266,14 +1266,14 @@
 $t_custom_field_value = custom_field_get_value( $p_field_id, $p_bug_id );
 switch( $p_def['type'] ) {
 case CUSTOM_FIELD_TYPE_EMAIL:
- return "<a href=\"mailto:$t_custom_field_value\">$t_custom_field_value</a>";
+ return '<a href="mailto:' . string_attribute( $t_custom_field_value ) . '">' . string_display_line( $t_custom_field_value ) . '</a>';
 break;
 case CUSTOM_FIELD_TYPE_ENUM:
 case CUSTOM_FIELD_TYPE_LIST:
 case CUSTOM_FIELD_TYPE_MULTILIST:
 case CUSTOM_FIELD_TYPE_CHECKBOX:
 // strip possible start and end markers before converting markers to commas
- return str_replace( '|', ', ', substr( str_replace( "||", "|", '|' . $t_custom_field_value . '|' ), 1, -1 ) );
+ return string_display_line( str_replace( '|', ', ', substr( str_replace( "||", "|", '|' . $t_custom_field_value . '|' ), 1, -1 ) ) );
 break;
 case CUSTOM_FIELD_TYPE_DATE:
 if ($t_custom_field_value != null) {
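Review bot: The new return in the ENUM/LIST/MULTILIST/CHECKBOX case of the hunk at line 1266 is, apart from the variable name, the same expression the hunk at line 1310 now returns for `$p_value`, so the pipe-stripping and the escaping are now maintained in two places and a future edit can easily fix one and miss the other. Moving it into one helper called from both sites, `return custom_field_display_list_value( $t_custom_field_value );` here and `return custom_field_display_list_value( $p_value );` at 1310, keeps the escape call where it cannot be dropped by accident (helper name is a proposal). The EMAIL case in the same hunk is fine as written. Both functions continue past the hunk, so the cases after DATE should be checked for the same treatment since only these cases gained `string_display_line()`.
```php
# Proposed helper: render a '|'-delimited custom field value as an escaped, comma-separated line.
function custom_field_display_list_value( $p_value ) {
	# strip possible start and end markers before converting markers to commas
	return string_display_line( str_replace( '|', ', ', substr( str_replace( "||", "|", '|' . $p_value . '|' ), 1, -1 ) ) );
}

	case CUSTOM_FIELD_TYPE_CHECKBOX:
		return custom_field_display_list_value( $t_custom_field_value );
	// … unchanged: break; and the DATE case …
```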
@@ -1310,7 +1310,7 @@
 case CUSTOM_FIELD_TYPE_MULTILIST:
 case CUSTOM_FIELD_TYPE_CHECKBOX:
 // strip start and end markers before converting markers to commas
- return str_replace( '|', ', ', substr( str_replace( "||", "|", '|' . $p_value . '|' ), 1, -1 ) );
+ return string_display_line( str_replace( '|', ', ', substr( str_replace( "||", "|", '|' . $p_value . '|' ), 1, -1 ) ) );
 break;
 case CUSTOM_FIELD_TYPE_DATE:
 if ($p_value != null) {
commit 8f1ebac61d30ee75bb3ff934ebfed3a78fc8284d
Author: Gianluca Sforna <gi...@gm...>
Date: Sat Sep 18 23:29:04 2010 +0200
Fix #12369: XSS vulnerability when deleting maliciously named categories
Backport of commit 083c34f06ca927b16e781bae3ae324f450c35ea4
diff --git a/manage_proj_cat_delete.php b/manage_proj_cat_delete.php
index c4c591f..f406500 100644
--- a/manage_proj_cat_delete.php
+++ b/manage_proj_cat_delete.php
@@ -38,7 +38,7 @@ # Confirm with the user helper_ensure_confirmed( lang_get( 'category_delete_sure_msg' ) . - '<br/>' . lang_get( 'category' ) . ': ' . $f_category, + '<br/>' . lang_get( 'category' ) . ': ' . string_display_line($f_category), lang_get( 'delete_category_button' ) ); category_remove( $f_project_id, $f_category );
-----------------------------------------------------------------------
-- Mantis Bug Tracker |
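Review bot: The new call `string_display_line($f_category)` in the manage_proj_cat_delete.php hunk at line 38 drops the spaces inside the parentheses that every neighbouring call uses (`lang_get( 'category' )`, `category_remove( $f_project_id, $f_category )`); write it `string_display_line( $f_category )` to match the file's convention. The escaped value is used only in the confirmation text while `category_remove()` still receives the raw `$f_category`, which is the intended split between display and lookup, and a short comment above the call, `# escaped for display only; category_remove() needs the raw name`, would make that explicit for the next backport. The surrounding page continues outside the hunk, so how `$f_category` is read from the request is not visible here.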