Description: Fix for CVE-2012-1122: Incorrect access checks performed when moving bugs between projects
Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=13748
Bug-Debian: http://bugs.debian.org/669927
Origin: https://github.com/mantisbt/mantisbt/commit/64af3ef8c0b43bd007664d84e0177716daac4a84
Last-Update: 2012-04-21
6
Index: mantis/bug_actiongroup.php
7
===================================================================
8
--- mantis.orig/bug_actiongroup.php 2012-04-21 22:16:58.760666308 +0200
9
+++ mantis/bug_actiongroup.php 2012-04-21 22:20:42.921354198 +0200
14
- if ( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id ) ) {
15
+ if( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id ) &&
16
+ access_has_project_level( config_get( 'report_bug_threshold', null, null, $f_project_id ), $f_project_id ) ) {
17
# @@@ we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) );
18
$f_project_id = gpc_get_int( 'project_id' );
19
bug_set_field( $t_bug_id, 'project_id', $f_project_id );
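Review bot: The added `access_has_project_level( ..., $f_project_id )` condition reads `$f_project_id`, but in the visible lines that variable is only assigned inside the `if` body, after the condition has already been evaluated. Unless it is set earlier outside the hunk (the lines just before the changed `if` are not shown on this page), the destination-project check runs against an unset value, at least for the first bug processed, so the threshold lookup and the access test are not tied to the requested target project. How the access functions treat an unset project id is not visible here, but the check this fix is meant to enforce cannot be relied on in that case. Move `$f_project_id = gpc_get_int( 'project_id' );` to directly above the `if(` and drop it from the body. The enclosing block starts and ends outside the hunk, so confirm the ordering against the full file.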