mantisbt proj_doc_delete.php,1.25,1.26 proj_doc_page.php,1.50,1.51

Update of /cvsroot/mantisbt/mantisbt
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv7086

Modified Files:
        proj_doc_delete.php proj_doc_page.php 
Log Message:
fix for 0006564: Port XSS Vulnerability in project documents (TKADV2005-11-002)


Index: proj_doc_delete.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/proj_doc_delete.php,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -d -r1.25 -r1.26
--- proj_doc_delete.php 8 May 2005 20:42:08 -0000       1.25
+++ proj_doc_delete.php 6 Jan 2006 02:23:15 -0000       1.26
@@ -17,15 +17,20 @@
        }
 
        $f_file_id = gpc_get_int( 'file_id' );
-       $f_title = gpc_get_string( 'title', '' );
 
        $t_project_id = file_get_field( $f_file_id, 'project_id', 'project' );
 
        access_ensure_project_level( config_get( 
'upload_project_file_threshold' ), $t_project_id );
 
+       $t_project_file_table = config_get( 'mantis_project_file_table' );
+       $query = "SELECT title FROM $t_project_file_table 
+                               WHERE id=$f_file_id";
+       $result = db_query( $query );
+       $t_title = db_result( $result );
+
        # Confirm with the user
        helper_ensure_confirmed( lang_get( 'confirm_file_delete_msg' ) .
-               '<br/>' . lang_get( 'filename' ) . ': ' . $f_title,
+               '<br/>' . lang_get( 'filename' ) . ': ' . string_display( 
$t_title ),
                lang_get( 'file_delete_button' ) );
 
        file_delete( $f_file_id, 'project' );

Index: proj_doc_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/proj_doc_page.php,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -d -r1.50 -r1.51
--- proj_doc_page.php   16 Aug 2005 14:36:43 -0000      1.50
+++ proj_doc_page.php   6 Jan 2006 02:23:16 -0000       1.51
@@ -111,7 +111,7 @@
                        echo '&nbsp;';
                        print_button( 'proj_doc_edit_page.php?file_id='.$v_id, 
lang_get( 'edit_link' ) );
                        echo '&nbsp;';
-                       print_button( 'proj_doc_delete.php?file_id=' . $v_id . 
'&title=' . string_url( $v_title ), lang_get( 'delete_link' ) );
+                       print_button( 'proj_doc_delete.php?file_id=' . $v_id, 
lang_get( 'delete_link' ) );
                }
 ?>
        </span>



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click