From 2962191af12908eefc5432b6362bdbc802951fdd Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Wed, 23 Dec 2015 20:32:10 +0100
Subject: [PATCH] Implement a white list of options that can be accessed via
 SOAP API

Fixes #20277
---
 config_defaults_inc.php                       | 346 +++++++++++++++++++++++++-
 core/config_api.php                           |  63 +----
 docbook/Admin_Guide/en-US/config/settings.xml |   6 +
 3 files changed, 354 insertions(+), 61 deletions(-)

diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 780fd1f..9be2cb6 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -4262,7 +4262,351 @@ $g_global_settings = array(
 	'class_path','library_path', 'language_path', 'absolute_path_default_upload_folder',
 	'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page',
 	'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url',
-	'cdn_enabled'
+	'cdn_enabled', 'public_config_names'
+);
+
+/**
+ * The following list of configuration options is used to check if it is
+ * allowed to query a specific configuration option via SOAP API.
+ * @global array $g_public_config_names
+ */
+$g_public_config_names = array(
+	'access_levels_enum_string',
+	'action_button_position',
+	'add_bugnote_threshold',
+	'add_profile_threshold',
+	'admin_site_threshold',
+	'allow_account_delete',
+	'allow_anonymous_login',
+	'allow_blank_email',
+	'allow_delete_own_attachments',
+	'allow_download_own_attachments',
+	'allow_file_upload',
+	'allow_freetext_in_profile_fields',
+	'allow_no_category',
+	'allow_permanent_cookie',
+	'allow_reporter_close',
+	'allow_reporter_reopen',
+	'allow_reporter_upload',
+	'allow_signup',
+	'allowed_files',
+	'anonymous_account',
+	'antispam_max_event_count',
+	'antispam_time_window_in_seconds',
+	'assign_sponsored_bugs_threshold',
+	'auto_set_status_to_assigned',
+	'backward_year_count',
+	'bottom_include_page',
+	'bug_assigned_status',
+	'bug_closed_status_threshold',
+	'bug_count_hyperlink_prefix',
+	'bug_duplicate_resolution',
+	'bug_feedback_status',
+	'bug_link_tag',
+	'bug_list_cookie',
+	'bug_readonly_status_threshold',
+	'bug_reminder_threshold',
+	'bug_reopen_resolution',
+	'bug_reopen_status',
+	'bug_resolution_fixed_threshold',
+	'bug_resolution_not_fixed_threshold',
+	'bug_resolved_status_threshold',
+	'bug_revision_drop_threshold',
+	'bug_submit_status',
+	'bugnote_link_tag',
+	'bugnote_order',
+	'bugnote_user_change_view_state_threshold',
+	'bugnote_user_delete_threshold',
+	'bugnote_user_edit_threshold',
+	'calendar_date_format',
+	'calendar_js_date_format',
+	'cdn_enabled',
+	'change_view_status_threshold',
+	'check_mx_record',
+	'complete_date_format',
+	'compress_html',
+	'cookie_prefix',
+	'cookie_time_length',
+	'copyright_statement',
+	'create_permalink_threshold',
+	'create_project_threshold',
+	'create_short_url',
+	'css_include_file',
+	'css_rtl_include_file',
+	'csv_add_bom',
+	'csv_separator',
+	'custom_field_edit_after_create',
+	'custom_field_link_threshold',
+	'custom_field_type_enum_string',
+	'default_bug_additional_info',
+	'default_bug_eta',
+	'default_bug_priority',
+	'default_bug_projection',
+	'default_bug_relationship_clone',
+	'default_bug_relationship',
+	'default_bug_reproducibility',
+	'default_bug_resolution',
+	'default_bug_severity',
+	'default_bug_steps_to_reproduce',
+	'default_bug_view_status',
+	'default_bugnote_order',
+	'default_bugnote_view_status',
+	'default_category_for_moves',
+	'default_email_bugnote_limit',
+	'default_email_on_assigned_minimum_severity',
+	'default_email_on_assigned',
+	'default_email_on_bugnote_minimum_severity',
+	'default_email_on_bugnote',
+	'default_email_on_closed_minimum_severity',
+	'default_email_on_closed',
+	'default_email_on_feedback_minimum_severity',
+	'default_email_on_feedback',
+	'default_email_on_new_minimum_severity',
+	'default_email_on_new',
+	'default_email_on_priority_minimum_severity',
+	'default_email_on_priority',
+	'default_email_on_reopened_minimum_severity',
+	'default_email_on_reopened',
+	'default_email_on_resolved_minimum_severity',
+	'default_email_on_resolved',
+	'default_email_on_status_minimum_severity',
+	'default_email_on_status',
+	'default_home_page',
+	'default_language',
+	'default_limit_view',
+	'default_manage_tag_prefix',
+	'default_manage_user_prefix',
+	'default_new_account_access_level',
+	'default_project_view_status',
+	'default_redirect_delay',
+	'default_refresh_delay',
+	'default_reminder_view_status',
+	'default_show_changed',
+	'default_timezone',
+	'delete_bug_threshold',
+	'delete_bugnote_threshold',
+	'delete_project_threshold',
+	'development_team_threshold',
+	'differentiate_duplicates',
+	'disallowed_files',
+	'display_bug_padding',
+	'display_bugnote_padding',
+	'display_project_padding',
+	'download_attachments_threshold',
+	'due_date_update_threshold',
+	'due_date_view_threshold',
+	'email_padding_length',
+	'email_receive_own',
+	'email_separator1',
+	'email_separator2',
+	'enable_email_notification',
+	'enable_eta',
+	'enable_product_build',
+	'enable_profiles',
+	'enable_project_documentation',
+	'enable_projection',
+	'enable_sponsorship',
+	'eta_enum_string',
+	'fallback_language',
+	'favicon_image',
+	'file_upload_max_num',
+	'filter_by_custom_fields',
+	'filter_custom_fields_per_row',
+	'filter_position',
+	'forward_year_count',
+	'from_email',
+	'from_name',
+	'handle_bug_threshold',
+	'handle_sponsored_bugs_threshold',
+	'hide_status_default',
+	'history_default_visible',
+	'history_order',
+	'hr_size',
+	'hr_width',
+	'html_make_links',
+	'html_valid_tags_single_line',
+	'html_valid_tags',
+	'inline_file_exts',
+	'limit_reporters',
+	'logo_image',
+	'logo_url',
+	'logout_cookie',
+	'logout_redirect_page',
+	'long_process_timeout',
+	'lost_password_feature',
+	'mail_priority',
+	'manage_config_cookie',
+	'manage_configuration_threshold',
+	'manage_custom_fields_threshold',
+	'manage_global_profile_threshold',
+	'manage_news_threshold',
+	'manage_plugin_threshold',
+	'manage_project_threshold',
+	'manage_site_threshold',
+	'manage_user_threshold',
+	'manage_users_cookie',
+	'max_dropdown_length',
+	'max_failed_login_count',
+	'max_file_size',
+	'max_lost_password_in_progress_count',
+	'meta_include_file',
+	'min_refresh_delay',
+	'minimum_sponsorship_amount',
+	'monitor_add_others_bug_threshold',
+	'monitor_bug_threshold',
+	'monitor_delete_others_bug_threshold',
+	'move_bug_threshold',
+	'my_view_boxes_fixed_position',
+	'my_view_bug_count',
+	'news_enabled',
+	'news_limit_method',
+	'news_view_limit_days',
+	'news_view_limit',
+	'normal_date_format',
+	'notify_flags',
+	'notify_new_user_created_threshold_min',
+	'plugins_enabled',
+	'preview_attachments_inline_max_size',
+	'preview_max_height',
+	'preview_max_width',
+	'priority_enum_string',
+	'priority_significant_threshold',
+	'private_bug_threshold',
+	'private_bugnote_threshold',
+	'private_news_threshold',
+	'private_project_threshold',
+	'project_cookie',
+	'project_status_enum_string',
+	'project_user_threshold',
+	'project_view_state_enum_string',
+	'projection_enum_string',
+	'reassign_on_feedback',
+	'reauthentication_expiry',
+	'reauthentication',
+	'recently_visited_count',
+	'relationship_graph_enable',
+	'relationship_graph_fontname',
+	'relationship_graph_fontsize',
+	'relationship_graph_max_depth',
+	'relationship_graph_orientation',
+	'relationship_graph_view_on_click',
+	'reminder_receive_threshold',
+	'reminder_recipients_monitor_bug',
+	'reopen_bug_threshold',
+	'report_bug_threshold',
+	'report_issues_for_unreleased_versions_threshold',
+	'reporter_summary_limit',
+	'reproducibility_enum_string',
+	'resolution_enum_string',
+	'return_path_email',
+	'roadmap_update_threshold',
+	'roadmap_view_threshold',
+	'rss_enabled',
+	'set_bug_sticky_threshold',
+	'set_configuration_threshold',
+	'set_view_status_threshold',
+	'severity_enum_string',
+	'severity_significant_threshold',
+	'short_date_format',
+	'show_assigned_names',
+	'show_avatar_threshold',
+	'show_avatar',
+	'show_bug_project_links',
+	'show_changelog_dates',
+	'show_detailed_errors',
+	'show_footer_menu',
+	'show_log_threshold',
+	'show_memory_usage',
+	'show_monitor_list_threshold',
+	'show_priority_text',
+	'show_product_version',
+	'show_project_menu_bar',
+	'show_queries_count',
+	'show_realname',
+	'show_roadmap_dates',
+	'show_sticky_issues',
+	'show_timer',
+	'show_user_email_threshold',
+	'show_user_realname_threshold',
+	'show_version_dates_threshold',
+	'show_version',
+	'signup_use_captcha',
+	'sort_by_last_name',
+	'sponsor_threshold',
+	'sponsorship_currency',
+	'sponsorship_enum_string',
+	'status_enum_string',
+	'status_legend_position',
+	'status_percentage_legend',
+	'stop_on_errors',
+	'store_reminders',
+	'stored_query_create_shared_threshold',
+	'stored_query_create_threshold',
+	'stored_query_use_threshold',
+	'string_cookie',
+	'subprojects_enabled',
+	'subprojects_inherit_categories',
+	'subprojects_inherit_versions',
+	'summary_category_include_project',
+	'tag_attach_threshold',
+	'tag_create_threshold',
+	'tag_detach_own_threshold',
+	'tag_detach_threshold',
+	'tag_edit_own_threshold',
+	'tag_edit_threshold',
+	'tag_separator',
+	'tag_view_threshold',
+	'time_tracking_edit_threshold',
+	'time_tracking_enabled',
+	'time_tracking_reporting_threshold',
+	'time_tracking_stopwatch',
+	'time_tracking_view_threshold',
+	'time_tracking_with_billing',
+	'time_tracking_without_note',
+	'top_include_page',
+	'update_bug_assign_threshold',
+	'update_bug_status_threshold',
+	'update_bug_threshold',
+	'update_bugnote_threshold',
+	'update_readonly_bug_threshold',
+	'upload_bug_file_threshold',
+	'upload_project_file_threshold',
+	'use_dynamic_filters',
+	'user_login_valid_regex',
+	'validate_email',
+	'version_suffix',
+	'view_all_cookie',
+	'view_attachments_threshold',
+	'view_bug_threshold',
+	'view_changelog_threshold',
+	'view_configuration_threshold',
+	'view_filters',
+	'view_handler_threshold',
+	'view_history_threshold',
+	'view_proj_doc_threshold',
+	'view_sponsorship_details_threshold',
+	'view_sponsorship_total_threshold',
+	'view_state_enum_string',
+	'view_summary_threshold',
+	'webmaster_email',
+	'webservice_admin_access_level_threshold',
+	'webservice_error_when_version_not_found',
+	'webservice_eta_enum_default_when_not_found',
+	'webservice_priority_enum_default_when_not_found',
+	'webservice_projection_enum_default_when_not_found',
+	'webservice_readonly_access_level_threshold',
+	'webservice_readwrite_access_level_threshold',
+	'webservice_resolution_enum_default_when_not_found',
+	'webservice_severity_enum_default_when_not_found',
+	'webservice_specify_reporter_on_add_access_level_threshold',
+	'webservice_status_enum_default_when_not_found',
+	'webservice_version_when_not_found',
+	'wiki_enable',
+	'wiki_engine_url',
+	'wiki_engine',
+	'wiki_root_namespace',
+	'window_title',
+	'wrap_in_preformatted_text'
 );
 
 # Temporary variables should not remain defined in global scope
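Review bot: The new allow list re-exposes five options that the deny list removed in the second hunk (core/config_api.php) classified as private: `'bottom_include_page'`, `'top_include_page'`, `'css_include_file'`, `'css_rtl_include_file'` and `'meta_include_file'` are all present in $g_public_config_names, so they become queryable via the SOAP API although the old list's docblock grouped them with options that "may expose web server details". Unless that is intentional, drop those five entries; because the new check reports anything not listed as private, removing them is sufficient. A short comment above the array would also make the semantics clear to whoever adds options later, e.g. `# Any option not listed here (including options added in future releases) is treated as private by config_is_private()`.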
diff --git a/core/config_api.php b/core/config_api.php
index 8cace8c..7b25293 100644
--- a/core/config_api.php
+++ b/core/config_api.php
@@ -677,71 +677,14 @@ function config_eval( $p_value, $p_global = false ) {
 }
 
 /**
- * list of configuration variable which may expose web server details and should not be exposed to users or web services
+ * Check if a configuration variable should not be exposed to users or web services
  *
  * @param string $p_config_var Configuration option.
  * @return boolean
  */
 function config_is_private( $p_config_var ) {
-	switch( $p_config_var ) {
-		case 'hostname':
-		case 'db_username':
-		case 'db_password':
-		case 'database_name':
-		case 'db_schema':
-		case 'db_type':
-		case 'master_crypto_salt':
-		case 'smtp_host':
-		case 'smtp_username':
-		case 'smtp_password':
-		case 'smtp_connection_mode':
-		case 'smtp_port':
-		case 'email_send_using_cronjob':
-		case 'absolute_path':
-		case 'core_path':
-		case 'class_path':
-		case 'library_path':
-		case 'language_path':
-		case 'session_save_path':
-		case 'session_handler':
-		case 'session_validation':
-		case 'global_settings':
-		case 'system_font_folder':
-		case 'phpMailer_method':
-		case 'attachments_file_permissions':
-		case 'file_upload_method':
-		case 'absolute_path_default_upload_folder':
-		case 'ldap_server':
-		case 'plugin_path':
-		case 'ldap_root_dn':
-		case 'ldap_organization':
-		case 'ldap_uid_field':
-		case 'ldap_bind_dn':
-		case 'ldap_bind_passwd':
-		case 'use_ldap_email':
-		case 'ldap_protocol_version':
-		case 'login_method':
-		case 'cookie_path':
-		case 'cookie_domain':
-		case 'bottom_include_page':
-		case 'top_include_page':
-		case 'css_include_file':
-		case 'css_rtl_include_file':
-		case 'meta_include_file':
-		case 'log_level':
-		case 'log_destination':
-		case 'dot_tool':
-		case 'neato_tool':
-			return true;
-
-		# Marked obsolete in 1.3.0dev - keep here to make sure they are not disclosed by soap api.
-		# These can be removed once complete removal from config and db is enforced by upgrade process.
-		case 'file_upload_ftp_server':
-		case 'file_upload_ftp_user':
-		case 'file_upload_ftp_pass':
-			return true;
-	}
+	global $g_public_config_names;
 
-	return false;
+	return !in_array( $p_config_var, $g_public_config_names, true );
 }
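Review bot: The updated docblock does not say that the check is now an allow list, which is the behavioural change that matters to callers: any option absent from $g_public_config_names — including options introduced in later releases and the obsolete FTP names the old switch deliberately kept — is reported as private, so no deny list needs maintaining any more. Suggested description line: ` * Check if a configuration variable is private, i.e. not listed in $g_public_config_names; options missing from that list (including future ones) are treated as private.` The strict `in_array( $p_config_var, $g_public_config_names, true )` is the right comparison for string option names. Reading the list through `global $g_public_config_names` bypasses whatever accessor the rest of this file uses for $g_global_settings entries (presumably config_get_global(), though the hunk does not show it); if such an accessor exists, using it here would keep the two consistent.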
 
diff --git a/docbook/Admin_Guide/en-US/config/settings.xml b/docbook/Admin_Guide/en-US/config/settings.xml
index 066b0e3..548e8f8 100644
--- a/docbook/Admin_Guide/en-US/config/settings.xml
+++ b/docbook/Admin_Guide/en-US/config/settings.xml
@@ -12,5 +12,11 @@
 				<para>This option contains the list of configuration options that are used to determine if it is allowed for a specific configuration option to be saved to or loaded from the database.  Configuration options that are in the list are considered global only and hence are only configurable via the config_inc.php file and defaulted by config_defaults_inc.php file.</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>$g_public_config_names</term>
+			<listitem>
+				<para>This option contains a list of configuration options that can be queried via SOAP API.</para>
+			</listitem>
+		</varlistentry>
 	</variablelist>
 </section>
-- 
2.5.4 (Apple Git-61)

