From bd6bf9c2df3d1d69f653214e8916fec15a2eb6ef Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 6 Apr 2018 16:50:26 +0200
Subject: [PATCH] Prevent cloning private issues by unauthorized users

Using a crafted request on bug_report_page.php (modifying the 'm_id'
parameter), any user with REPORTER access or above is able to view any
private issue's details (summary, description, steps to reproduce,
additional information) when cloning. By checking the 'Copy issue notes'
and 'Copy attachments' checkboxes and completing the clone operation,
this data also becomes public (except private notes).

Added an access level check, so that the operation now fails with an
Access Denied error.

Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding.

Fixes #24221
---
 bug_report_page.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/bug_report_page.php b/bug_report_page.php
index 2fc3f0a..79a35df 100644
--- a/bug_report_page.php
+++ b/bug_report_page.php
@@ -89,6 +89,9 @@ if( $f_master_bug_id > 0 ) {
 		trigger_error( ERROR_BUG_READ_ONLY_ACTION_DENIED, ERROR );
 	}
 
+	# User can view the master bug
+	access_ensure_bug_level( config_get( 'view_bug_threshold' ), $f_master_bug_id );
+
 	$t_bug = bug_get( $f_master_bug_id, true );
 
 	#@@@ (thraxisp) Note that the master bug is cloned into the same project as the master, independent of
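Review bot: The new `access_ensure_bug_level()` call runs after the read-only branch that raises `ERROR_BUG_READ_ONLY_ACTION_DENIED`, so a user without view access may still learn from the differing error whether a private master issue is read-only. The condition guarding that `trigger_error` starts above the hunk, so this is inferred from the visible order. Moving `access_ensure_bug_level( config_get( 'view_bug_threshold' ), $f_master_bug_id );` to the top of the `if( $f_master_bug_id > 0 )` block would make Access Denied the only response for unauthorized users. The diffstat shows only this form page changed, so confirm that the handler which actually creates the clone enforces the same check on the master bug id, since a check on the form page alone does not cover a request sent directly to that handler. The comment would also read better as an instruction, e.g. `# Ensure the user is allowed to view the master bug`.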
-- 
1.9.1

