View Issue Details

ID: 0027284
Project: mantisbt
Category: plug-ins
View Status: public
Last Update: 2020-09-25 14:53
Reporter: d3vpoo1
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: Windows
OS Version: Windows
Target Version: 2.24.3
Fixed in Version: 2.24.3
Summary: 0027284: Priority can override to any positive integer
Description

The priority selections are just 5, 4, 3, 2, 1; however, this issue allows me to add a new priority value.

Steps To Reproduce
  • Log in as admin account
  • Go to manage > manage plugin
  • Make sure you install any plugin, update any priority
  • Open intercept
  • Update it

Request

POST /mantisbt2/manage_plugin_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 292
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/manage_plugin_page.php
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_PROJECT_COOKIE=1; MANTIS_VIEW_ALL_COOKIE=2; PHPSESSID=tg09rel94h819lbrn071r2sqe2; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=7a01c128bae97499b78c1a52329936977c062961f7d9b57cd3d18980fdccc896; MANTIS_BUG_LIST_COOKIE=11%2C10
Upgrade-Insecure-Requests: 1

manage_plugin_update_token=202009134ILfxKUHaW2AQX8cGjxI3vbeLyv9In4C&change_Gravatar=1&priority_Gravatar=4&change_XmlImportExport=1&priority_XmlImportExport=4&change_MantisGraph=1&priority_MantisGraph=5&change_MantisCore=1&change_MantisCoreFormatting=1&priority_MantisCoreFormatting=4294967295

Response

HTTP/1.1 302 Found
Date: Sun, 13 Sep 2020 04:42:46 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sun, 13 Sep 2020 04:42:46 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sun, 13 Sep 2020 04:42:46 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt2/manage_plugin_page.php
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
  • Refresh the site and you can see a large number rendered in the select
Tags: No tags attached.
Attached Files
override.png (33,411 bytes)   

Relationships

related to 0024336 (closed, atrol): Plugin priority changed without being changed by user interaction

Activities

dregad

2020-09-18 19:09

developer   ~0064447

Bug is confirmed (since release 1.2.0a1); consequences are minor, as the only impact is changing the order in which plugins are registered.

dregad

2020-09-18 19:16

developer   ~0064448

PR https://github.com/mantisbt/mantisbt/pull/1700

Related Changesets

MantisBT: master-2.24 fe3a91cb

2020-09-18 09:00

dregad


Plugin update: validate Priority parameter

Plugin Priority must be a number from 1 to 5. Trigger an error if
the parameter's value is outside of that range.

Fixes 0027284
Affected Issues
0027284
mod - manage_plugin_update.php
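
The range check described in the changeset message, sketched as a stand-alone PHP script. This is an added example, not MantisBT's code or the content of the linked PR: the helper names validate_plugin_priority and collect_priorities are hypothetical, the priority_<plugin> field naming is taken from the request above, and the sample bodies are constructed.

```php
<?php
declare(strict_types=1);
// Range stated in the changeset message on this page: 1 to 5.
const PRIORITY_MIN = 1;
const PRIORITY_MAX = 5;

// Hypothetical helper: accept one priority_<plugin> value only if it parses
// as an integer inside the allowed range; never cast or clamp it silently.
function validate_plugin_priority(string $plugin, $raw): int
{
    $value = is_string($raw)
        ? filter_var($raw, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => PRIORITY_MIN, 'max_range' => PRIORITY_MAX],
        ])
        : false; // arrays (priority_X[]=1) are rejected as well
    if ($value === false) {
        throw new InvalidArgumentException(
            "Plugin {$plugin}: priority outside " . PRIORITY_MIN . '..' . PRIORITY_MAX);
    }
    return $value;
}

// Hypothetical helper: validate every priority_<plugin> field of a form
// before anything is stored, so one bad value rejects the whole update.
function collect_priorities(array $post): array
{
    $accepted = [];
    foreach ($post as $key => $raw) {
        if (strncmp((string) $key, 'priority_', 9) === 0) {
            $plugin = substr((string) $key, 9);
            $accepted[$plugin] = validate_plugin_priority($plugin, $raw);
        }
    }
    return $accepted;
}

// Constructed sample bodies using the field names from the request above.
$samples = [
    'change_Gravatar=1&priority_Gravatar=4&priority_MantisGraph=5',
    'change_MantisCoreFormatting=1&priority_MantisCoreFormatting=4294967295',
];
foreach ($samples as $body) {
    parse_str($body, $post);
    try {
        echo json_encode(collect_priorities($post)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The point for a reviewer is that the 1 to 5 limit shown in the select element is only a UI constraint; the server has to repeat the check on the submitted value.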