From 5c55e6c6357c67d91b5f4cbec5846c30e3b94ab8 Mon Sep 17 00:00:00 2001
From: Paul Richards <paul@mantisforge.org>
Date: Sat, 18 Oct 2014 23:32:59 +0100
Subject: [PATCH] Fix Cross-Site Scripting issue via helper_get_current_project

<paulr_> there's no bug in tracker for this one
<paulr_> it's in helper get project trace
<paulr_> anyway,  helper_get_current_project_trace is WEIRD as it allows ;'s
<paulr_> aka 0;0
<paulr_> when used with subproject browser
<paulr_> there's a XSS "vulnerability" in that PROJECT_COOKIE if you could get that set to something
<paulr_> the subproject browser displays it in raw text
<paulr_> so I think we should always cast as int
<paulr_> a) whether there's any realistic way to exploit that...
<paulr_> b) in 1.3, code in trace functions for ;
<paulr_> but the 2 project browser weird thing is gone
<dregad> you know, it would be a lot easier if you did this the right way, i.e. private issue on the tracker
<dregad> and attach the patch to it ;)
<paulr_> I couldn't work out before we the explode logic in trace actually is needed anymore

---
 core/helper_api.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/core/helper_api.php b/core/helper_api.php
index 8579212..c88c747 100644
--- a/core/helper_api.php
+++ b/core/helper_api.php
@@ -232,6 +232,9 @@ function helper_get_current_project() {
 			$t_project_id = $t_pref->default_project;
 		} else {
 			$t_project_id = explode( ';', $t_project_id );
+			foreach( $t_project_id as $t_key => $t_id ) {
+				$t_project_id[$t_key] = (int)$t_id;
+			}
 			$t_project_id = $t_project_id[count( $t_project_id ) - 1];
 		}

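Review bot: The loop added at lines 33–35 casts every element of the exploded cookie value, but the line that follows reads only the last element, so all other casts are dead work in this function; casting at the point of use is shorter and leaves the intermediate array untouched: `$t_project_id = (int)$t_project_id[count( $t_project_id ) - 1];`. Either way, `(int)` maps any non-numeric segment, and the empty segment left by a trailing `;`, to 0, so a malformed cookie silently yields project id 0 instead of being rejected — a one-line comment such as `// cookie is untrusted; non-numeric segments collapse to 0` would make that intended. helper_get_current_project begins before this hunk and continues after it, so where the value is returned is not visible here. The same loop appears in the hunk for helper_get_current_project_trace below, where the whole array is kept and the cast of every element is needed.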
@@ -272,6 +275,9 @@ function helper_get_current_project_trace() {

 	} else {
 		$t_project_id = explode( ';', $t_project_id );
+		foreach( $t_project_id as $t_key => $t_id ) {
+			$t_project_id[$t_key] = (int)$t_id;
+		}
 		$t_bottom = $t_project_id[count( $t_project_id ) - 1];
 	}

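Review bot: The cast loop at lines 43–45 can be written as the single line `$t_project_id = array_map( 'intval', $t_project_id );`, which keeps the array shape the trace function presumably returns (the return is outside this hunk) and avoids the index-keyed reassignment. Casting the cookie on read is defence in depth: the subproject browser that the commit message says prints the trace raw should still HTML-escape the ids at the point of output, so that a future source of non-integer values does not reopen the same issue. helper_get_current_project_trace begins before this hunk and continues after it, so whether `$t_project_id` or `$t_bottom` is the returned value cannot be confirmed from the hunk alone.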
--
1.9.4.msysgit.1


