Bug 477734 - [SECURITY] Xss + SQL INJECTION

THIS IS NOT A FIX, SOME BREAKAGE IS EXPECTED.

Given the severity of this bug, we added an exit() at the top of this
file to stop it from being executed on our servers. The owner(s) of this
website should review every request to MYSQL, $_POST and $_GET variables
AS SOON AS POSSIBLE.

There are more scripts in this repo that are vulnerable, but I did not
modify them because they are protected with the internalUseOnly() function.
I kept these files as-is to avoid breakage to your build, but this is
still very dangerous; someone needs to review this code as soon as
possible.

SQL injection is a code injection technique, used to attack data-driven
applications, in which malicious SQL statements are inserted into an
entry field for execution (e.g. to dump the database contents to the
attacker).

Cross-Site Scripting (XSS) vulnerabilities are a type of computer
security vulnerability typically found in Web applications. XSS
vulnerabilities enable attackers to inject client-side script into Web
pages viewed by other users.

Signed-off-by: Christopher Guindon <chris.guindon@eclipse.org>
diff --git a/emft/downloads/testResults.php b/emft/downloads/testResults.php
index 96fca59..d872095 100644
--- a/emft/downloads/testResults.php
+++ b/emft/downloads/testResults.php
@@ -1 +1,25 @@
-<?php include($_SERVER["DOCUMENT_ROOT"] . "/modeling/includes/testResults-common.php"); ?>
+<?php
+
+/**
+ * Bug 477734 - [SECURITY] Xss + SQL INJECTION
+ *
+ * SQL injection is a code injection technique,
+ * used to attack data-driven applications, in which malicious
+ * SQL statements are inserted into an entry field for execution
+ * (e.g. to dump the database contents to the attacker).
+ *
+ * Cross-Site Scripting (XSS) vulnerabilities are a type of
+ * computer security vulnerability typically found in Web applications.
+ * XSS vulnerabilities enable attackers to inject client-side script
+ * into Web pages viewed by other users.
+ *
+ * Given the severity of this bug, we added an exit() at the top
+ * of this file to stop it from being executed on our servers.
+ *
+ * The owner(s) of this website should review every request to MYSQL before
+ * removing the exit() on this page.
+ *
+ */
+exit();
+
+include($_SERVER["DOCUMENT_ROOT"] . "/modeling/includes/testResults-common.php"); ?>
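Review bot: the bare `exit()` in this hunk makes the page answer with HTTP 200 and an empty body, which monitoring cannot tell apart from a broken deploy; send an explicit status and message before stopping, e.g. `header('HTTP/1.1 503 Service Unavailable'); exit('This page is disabled pending a security review (Bug 477734).');`, so the outage is visibly deliberate and shows up correctly in logs and uptime checks.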
diff --git a/emft/news/relnotes.php b/emft/news/relnotes.php
index 3fdc277..5440de7 100644
--- a/emft/news/relnotes.php
+++ b/emft/news/relnotes.php
@@ -1,4 +1,27 @@
 <?php
+
+/**
+ * Bug 477734 - [SECURITY] Xss + SQL INJECTION
+ *
+ * SQL injection is a code injection technique,
+ * used to attack data-driven applications, in which malicious
+ * SQL statements are inserted into an entry field for execution
+ * (e.g. to dump the database contents to the attacker).
+ *
+ * Cross-Site Scripting (XSS) vulnerabilities are a type of
+ * computer security vulnerability typically found in Web applications.
+ * XSS vulnerabilities enable attackers to inject client-side script
+ * into Web pages viewed by other users.
+ *
+ * Given the severity of this bug, we added an exit() at the top
+ * of this file to stop it from being executed on our servers.
+ *
+ * The owner(s) of this website should review every request to MYSQL before
+ * removing the exit() on this page.
+ *
+ */
+exit();
+
 require_once ("../../includes/buildServer-common.php");
 
 $pageTitle = "Eclipse Modeling - EMFT - Release Notes";
diff --git a/emft/project-info/ipquery.php b/emft/project-info/ipquery.php
index 6a5e184..f3fc77e 100755
--- a/emft/project-info/ipquery.php
+++ b/emft/project-info/ipquery.php
@@ -1,4 +1,27 @@
 <?php
+
+/**
+ * Bug 477734 - [SECURITY] Xss + SQL INJECTION
+ *
+ * SQL injection is a code injection technique,
+ * used to attack data-driven applications, in which malicious
+ * SQL statements are inserted into an entry field for execution
+ * (e.g. to dump the database contents to the attacker).
+ *
+ * Cross-Site Scripting (XSS) vulnerabilities are a type of
+ * computer security vulnerability typically found in Web applications.
+ * XSS vulnerabilities enable attackers to inject client-side script
+ * into Web pages viewed by other users.
+ *
+ * Given the severity of this bug, we added an exit() at the top
+ * of this file to stop it from being executed on our servers.
+ *
+ * The owner(s) of this website should review every request to MYSQL before
+ * removing the exit() on this page.
+ *
+ */
+exit();
+
 $product_id = 42; # EMFT
 $committers = array( # taken from http://www.eclipse.org/projects/project_summary.php?projectid=modeling.emft
 	"emerks" => "PMC",
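Review bot: this is the third verbatim copy of the same 23-line comment block, and the rationale belongs in the bug and the commit message rather than in every file; a one-line comment pointing at Bug 477734 above the `exit()` would keep each file readable and make the kill switch easy to spot and remove once the real fix lands.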
@@ -7,13 +30,13 @@
 	"drizov" => "emf4net",
 	"rbihler" => "emf4net",
 	"mboettger" => "emf4net",
-	
+
 	"sboehme" => "jcrm",
-	
+
 	"jcote" => "temporality",
-	 
+
 	"ttonelli" => "servus",
-	
+
 	"mgarcia" => "emfatic",
 	"cdaly" => "emfatic",
 
@@ -56,7 +79,7 @@
 
 	"jackrabbit-jcr-rmi Jar 1.3, Orbit, , , 1858, jcrm",
 	"jcr-1.0.jar 1.0, , Day Spec License, , 2241, jcrm",
-	
+
 	"org.apache.ant 1.6.5, Orbit, Apache 2.0, ?, 1525, mwe",
 	"org.apache.commons.logging 1.0.4.v200701082340, Orbit, Apache 2.0, ?, 1526, mwe",
 	"Apache Commons Line Interface 1.0, Orbit, Apache 2.0, ?, 1527, mwe",
@@ -64,25 +87,25 @@
 	"Apache Commons Logging Jar 1.0.4, Orbit, Apache 2.0, unmodified entire package, 1946, search",
 	"Apache Commons Line Interface 1.0, Orbit, Apache 2.0, unmodified entire package, 1947, search",
 	"Apache Commons Lang 2.1, Orbit, Apache 2.0, unmodified entire package, 1948, search",
-	
+
 	"wsdl4j-1.6.2.jar 1.6.2, Orbit, , , 2300, servus",
-	
+
 	/* Stuff that has moved to another project */
-	
-	//"Apache Commons Codec 1.3, /cvsroot/tools/org.eclipse.orbit/org.apache.commons.codec, EPL 1.0, original jar repackaged as OSGi bundle, 2339, net4j", 
-	//"Apache HttpClient 3.1, /cvsroot/tools/org.eclipse.orbit/org.apache.commons.httpclient, EPL 1.0, original jar repackaged as OSGi bundle, 2340, net4j", 
-	//"Apache Derby 10.1.2.1, /cvsroot/tools/org.eclipse.orbit/org.apache.derby, EPL 1.0, original jar repackaged as OSGi bundle, 2341, net4j", 
+
+	//"Apache Commons Codec 1.3, /cvsroot/tools/org.eclipse.orbit/org.apache.commons.codec, EPL 1.0, original jar repackaged as OSGi bundle, 2339, net4j",
+	//"Apache HttpClient 3.1, /cvsroot/tools/org.eclipse.orbit/org.apache.commons.httpclient, EPL 1.0, original jar repackaged as OSGi bundle, 2340, net4j",
+	//"Apache Derby 10.1.2.1, /cvsroot/tools/org.eclipse.orbit/org.apache.derby, EPL 1.0, original jar repackaged as OSGi bundle, 2341, net4j",
 	//"JMS Spec 1.1 (Glassfish) (PB CQ1614), CDDL, , , 1769, net4j",
 
 	//"jpox-1.1.7.jar 1.1.7, , Apache 2.0, , 1555, teneo",
 	//"jdo2-api-2.0.jar 2.0, , Apache 2.0, not distributed; required for build, 1556, teneo",
-	
+
 	//"LPG Runtime and Generated OCL Parser 1, Orbit, , moved to MDT per CQ 1080, 303, ocl",
 	//"Apache Tomcat 3.2.4, Historical Approval, Apache 2.0, moved to M2T per CQ 2335, 336, jet",
 );
 
-if (isset($_GET["ganymede"])){ 
-	$components = array("search", "compare", "ecoretools", "mint"); 
+if (isset($_GET["ganymede"])){
+	$components = array("search", "compare", "ecoretools", "mint");
 }
-require_once ($_SERVER['DOCUMENT_ROOT'] . "/modeling/includes/ipquery-common.php"); 
+require_once ($_SERVER['DOCUMENT_ROOT'] . "/modeling/includes/ipquery-common.php");
 doIPQueryPage(); ?>
\ No newline at end of file
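Review bot: the remaining hunks in this file are trailing-whitespace trims only, interleaved with the security kill switch; keeping formatting cleanups in a separate commit makes the security change reviewable at a glance and lets it be reverted cleanly when the proper fix replaces the `exit()`.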
diff --git a/includes/ipquery-common.php b/includes/ipquery-common.php
index 6a7000c..ac0170e 100755
--- a/includes/ipquery-common.php
+++ b/includes/ipquery-common.php
@@ -1,4 +1,28 @@
-<?php # Script for retrieving IP log information.
+<?php
+
+/**
+ * Bug 477734 - [SECURITY] Xss + SQL INJECTION
+ *
+ * SQL injection is a code injection technique,
+ * used to attack data-driven applications, in which malicious
+ * SQL statements are inserted into an entry field for execution
+ * (e.g. to dump the database contents to the attacker).
+ *
+ * Cross-Site Scripting (XSS) vulnerabilities are a type of
+ * computer security vulnerability typically found in Web applications.
+ * XSS vulnerabilities enable attackers to inject client-side script
+ * into Web pages viewed by other users.
+ *
+ * Given the severity of this bug, we added an exit() at the top
+ * of this file to stop it from being executed on our servers.
+ *
+ * The owner(s) of this website should review every request to MYSQL before
+ * removing the exit() on this page.
+ *
+ */
+exit();
+
+# Script for retrieving IP log information.
 
 # for database schema, see: https://dev.eclipse.org/committers/committertools/dbo_bugs_schema.php
 
@@ -34,18 +58,18 @@
 $committers = filterCommitters($committers, $components);
 
 $showbuglist = isset($_GET["showbuglist"]);
-if ($showbuglist) 
+if ($showbuglist)
 {
 	$sortBy = "bugid";
 }
- 
+
 function getComponentQueryString()
 {
 	global $components;
 	$componentQueryString = "";
 	foreach ($components as $component)
 	{
-		$componentQueryString .= "&amp;components[]=" . urlencode($component);	
+		$componentQueryString .= "&amp;components[]=" . urlencode($component);
 	}
 	return $componentQueryString;
 }
@@ -54,27 +78,27 @@
 {
 	global $bugClass, $product_id, $sortBy, $components, $showbuglist, $showobsolete;
 	$data = array();
-	if (!is_file($bugClass)) 
+	if (!is_file($bugClass))
 	{
 		print "<li><b style='color:red'>Error: could not query Bugzilla database.</b></li>";
 	}
 	else
 	{
-	
+
 		$componentSQL = "";
 		foreach ($components as $component)
 		{
-			$componentSQL .= $componentSQL ? "OR " : ""; 
-			$componentSQL .= "components.name = '$component' ";	
+			$componentSQL .= $componentSQL ? "OR " : "";
+			$componentSQL .= "components.name = '$component' ";
 		}
 		$componentSQL = $componentSQL ? "(" . $componentSQL . ") AND " : "";
 
 		# Connect to database
 		$dbc 	= new DBConnectionBugs();
 		$dbh 	= $dbc->connect();
-							
+
 		# NOTE: bug_status = 5 is RESOLVED, resolution = 2 is FIXED, 'contributed' keyword id = 22
-		# for product_id, use:	
+		# for product_id, use:
 		# 8, EMF
 		# 12, GMT
 		# 29, GMF
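Review bot: the lines `$componentSQL .= "components.name = '$component' ";` in this hunk only lose trailing whitespace, yet they are exactly where request data reaches SQL: `$components` is populated from the `component` query parameter (this file builds its own `?component=` links) and each value is concatenated into the WHERE clause unescaped. The `exit()` at the top of the file is the only thing preventing this today; the eventual fix should validate each component against the known list (the `$committers` map already enumerates the component names) or bind it through a mysqli/PDO prepared statement, rather than relying on the kill switch.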
@@ -88,8 +112,8 @@
 		# 106, TMF
 
 		$order = "$sortBy ASC";
-		$queries = array( 
-					"(SELECT 
+		$queries = array(
+					"(SELECT
 							attachments.description,
 							attachments.ispatch,
 							attachments.isobsolete,
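Review bot: `$order = "$sortBy ASC";` at the top of this hunk feeds the sort column straight into `ORDER BY $order` at the end of the query; a column name cannot be bound as a parameter, so `$sortBy` needs an allowlist before it gets here, e.g. `in_array($sortBy, array('component', 'bugid', 'contact', 'size'), true)` with a fallback to `bugid`, those being the four values the sort links in this file emit. `$product_id` is a server-side constant, but casting it with `(int)` where it is interpolated costs nothing and documents the intent.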
@@ -99,21 +123,21 @@
 							bugs.short_desc,
 							components.name as component,
 							profiles.login_name AS contact
-					FROM 
-							attachments, attach_data, bugs, components, keywords, profiles 
+					FROM
+							attachments, attach_data, bugs, components, keywords, profiles
 					WHERE
 							attachments.ispatch = 1 AND
 							" . (!$showobsolete ? "attachments.isobsolete = 0 AND " : "") . "
-							attachments.bug_id = bugs.bug_id AND 
-							attachments.attach_id = attach_data.id AND 
+							attachments.bug_id = bugs.bug_id AND
+							attachments.attach_id = attach_data.id AND
 							components.id = bugs.component_id AND
-							" . $componentSQL . " 
-							bugs.bug_id = keywords.bug_id AND 
-							keywords.keywordid = 22 AND 
-							profiles.userid = attachments.submitter_id AND 
+							" . $componentSQL . "
+							bugs.bug_id = keywords.bug_id AND
+							keywords.keywordid = 22 AND
+							profiles.userid = attachments.submitter_id AND
 							bugs.product_id = $product_id)
-					UNION  
-					(SELECT 
+					UNION
+					(SELECT
 							longdescs.thetext AS description,
 							1 AS ispatch,
 							0 AS isobsolete,
@@ -123,37 +147,37 @@
 							bugs.short_desc,
 							components.name AS component,
 							longdescs.thetext AS contact
-					FROM 
-							longdescs, bugs, components, keywords, profiles 
+					FROM
+							longdescs, bugs, components, keywords, profiles
 					WHERE
-							components.id = bugs.component_id AND   
-							" . $componentSQL . " 
-							bugs.bug_id = keywords.bug_id AND 
-							keywords.keywordid = 22 AND 
-							bugs.product_id = $product_id AND 
-							profiles.userid = longdescs.who AND 
-							longdescs.bug_id = bugs.bug_id AND 
+							components.id = bugs.component_id AND
+							" . $componentSQL . "
+							bugs.bug_id = keywords.bug_id AND
+							keywords.keywordid = 22 AND
+							bugs.product_id = $product_id AND
+							profiles.userid = longdescs.who AND
+							longdescs.bug_id = bugs.bug_id AND
 							longdescs.thetext like '%[contrib %email=%]%')
 					ORDER BY
 							$order");
-													
+
 		foreach ($queries as $query)
 		{
 			$rs = mysql_query($query, $dbh);
-			
+
 			if(mysql_errno($dbh) > 0) {
 				echo "<li><b style='color:red'>There was an error processing this request: " . $query . " : " .  mysql_error($dbh) . "</b></li>\n";
 				$dbc->disconnect();
 				exit;
 			}
-		
+
 			while($myrow = mysql_fetch_assoc($rs))
 			{
 				$data[] = $myrow;
 			}
 		}
 		$dbc->disconnect();
-		
+
 		$rs 		= null;
 		$dbh 		= null;
 		$dbc 		= null;
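Review bot: the error branch after `mysql_query` in this hunk echoes `$query` and `mysql_error()` into the page; `$query` contains the interpolated `$component` values, so a failing query reflects request input into HTML unescaped and also hands the full SQL text (table and column names) to the visitor. Write the detail to `error_log()` and print a generic message instead. Separately, the `mysql_*` functions are deprecated as of PHP 5.5 and removed in 7.0, which is one more reason to move this query onto mysqli or PDO prepared statements when the real fix is written.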
@@ -167,12 +191,12 @@
 	$componentQueryString = getComponentQueryString();
 	$cnt = 0;
 	if ($isFormatted)
-	{	
+	{
 		print "		<table>\n			<tr>" .
 				"<th><acronym title=\"click to sort\"><a" . ($sortBy == "component" ? " style='text-decoration:underline'" : "") . " href='?sortBy=component" . $componentQueryString . ($showobsolete ? "&amp;showobsolete" : "") . "'>Component</a></acronym></th>" .
 				"<th><acronym title=\"click to sort\"><a" . ($sortBy == "bugid" ? " style='text-decoration:underline'" : "") . " href='?sortBy=bugid" . $componentQueryString . ($showobsolete ? "&amp;showobsolete" : "") . "'>Bug #</a></acronym></th>" .
-				"<th><acronym title=\"click to sort\"><a" . ($sortBy == "contact" ? " style='text-decoration:underline'" : "") . " href='?sortBy=contact" . $componentQueryString . ($showobsolete ? "&amp;showobsolete" : "") . "'>Contributor</a></acronym></th>" . 
-				"<th><acronym title=\"click to sort\"><a" . ($sortBy == "size" ? " style='text-decoration:underline'" : "") . " href='?sortBy=size" . $componentQueryString . ($showobsolete ? "&amp;showobsolete" : "") . "'>Size</a></acronym></th>" . 
+				"<th><acronym title=\"click to sort\"><a" . ($sortBy == "contact" ? " style='text-decoration:underline'" : "") . " href='?sortBy=contact" . $componentQueryString . ($showobsolete ? "&amp;showobsolete" : "") . "'>Contributor</a></acronym></th>" .
+				"<th><acronym title=\"click to sort\"><a" . ($sortBy == "size" ? " style='text-decoration:underline'" : "") . " href='?sortBy=size" . $componentQueryString . ($showobsolete ? "&amp;showobsolete" : "") . "'>Size</a></acronym></th>" .
 				"<th>Description</th></tr>\n";
 	}
 	$bgcol = "#FFFFEE";
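Review bot: the header links in this hunk insert `$sortBy` into `href='?sortBy=...'` with no escaping, while `$componentQueryString` does get `urlencode()`; the same pattern recurs in the third-party table further down in `doIPQueryPage()`. Passing `$sortBy` through `htmlspecialchars()` (or restricting it to the four known column names before it reaches the output code) closes the reflected-XSS path on this page.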
@@ -183,21 +207,21 @@
 		if ($isFormatted)
 		{
 			if ($myrow['short_desc'] != $prevDesc)
-			{	
+			{
 				$bgcol = $bgcol == "#EEEEFF" ? "#FFFFEE" : "#EEEEFF";
 			}
 			list($shortname, $email) = getContributor($myrow['contact']);
 			print "<tr bgcolor=\"$bgcol\" align=\"top\">" .
 					"<td><acronym title=\"click to filter/unfilter this component\">" .
 						"<a style=\"font-size:8px\" href=\"?" . 'sortBy=' . $sortBy . ($showobsolete ? "&amp;showobsolete" : ""). (sizeof($components) == 1 && strtolower($components[0]) == strtolower($myrow['component']) ? "" : "&amp;component=" . strtolower($myrow['component'])) . "\">" . $myrow['component'] . "</a></acronym>&#160;" .
-						"<a href=\"http://www.eclipse.org/$PR/?project=" . strtolower($myrow['component']) . "\"><img src=\"/modeling/images/link-out.png\"/></a>" . 
+						"<a href=\"http://www.eclipse.org/$PR/?project=" . strtolower($myrow['component']) . "\"><img src=\"/modeling/images/link-out.png\"/></a>" .
 					"</td>" .
 					"<td nowrap=\"nowrap\">" . doBugLink($myrow['bugid']) . "</td>" .
 					"<td><acronym title=\"" . $email . "\">$shortname</acronym></td>" .
 					"<td>" . (isset($myrow['size']) && $myrow['size'] ? pretty_size($myrow['size']) : "") . "</td>" .
-					"<td width=\"99%\">" . "<small style=\"font-size:8px\">" .  
-						($myrow['short_desc'] != $prevDesc ? preg_replace("#(\d{5,6})#", doBugLink("$1"), str_replace(",", " ", $myrow['short_desc'])) : "") . 
-						(isset($myrow['description']) && $myrow['description'] ? ($myrow['short_desc'] != $prevDesc ? "<br/>" : "") . "&#160;&#160;&#149;&#160;" . (isset($myrow['isobsolete']) && $myrow['isobsolete'] ? "<strike>" : "") . preg_replace("#(\d{5,6})#", doBugLink("$1"), str_replace(",", " ", $myrow['description'])) : "") . 
+					"<td width=\"99%\">" . "<small style=\"font-size:8px\">" .
+						($myrow['short_desc'] != $prevDesc ? preg_replace("#(\d{5,6})#", doBugLink("$1"), str_replace(",", " ", $myrow['short_desc'])) : "") .
+						(isset($myrow['description']) && $myrow['description'] ? ($myrow['short_desc'] != $prevDesc ? "<br/>" : "") . "&#160;&#160;&#149;&#160;" . (isset($myrow['isobsolete']) && $myrow['isobsolete'] ? "<strike>" : "") . preg_replace("#(\d{5,6})#", doBugLink("$1"), str_replace(",", " ", $myrow['description'])) : "") .
 					(isset($myrow['isobsolete']) && $myrow['isobsolete'] ? "</strike> (obsolete patch)" : "") . "</small></td>" .
 				  "</tr>\n";
 			$prevDesc = $myrow['short_desc'];
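Review bot: the row output in this hunk prints `$myrow['component']`, `$myrow['short_desc']`, `$myrow['description']`, `$shortname` and `$email` into HTML with only `str_replace(",", " ", ...)` applied; these fields come from Bugzilla attachment descriptions and comments, i.e. from anyone who can post to the bug, so each needs `htmlspecialchars($value, ENT_QUOTES)` before being echoed. Note also that `doBugLink("$1")` is evaluated before `preg_replace` runs and works only because the literal `$1` inside the generated anchor is substituted afterwards by the regex engine, so escaping has to be applied to the input text before the regex step, not to the result.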
@@ -205,16 +229,16 @@
 		else
 		{
 			list($shortname, $email) = getContributor($myrow['contact']);
-			print $myrow['component'] . "," . $myrow['bugid'] . "," . $email . 
-				"," . (isset($myrow['size']) && $myrow['size'] ? $myrow['size'] : "") . 
-				"," . str_replace(",", " ", $myrow['short_desc']) . 
+			print $myrow['component'] . "," . $myrow['bugid'] . "," . $email .
+				"," . (isset($myrow['size']) && $myrow['size'] ? $myrow['size'] : "") .
+				"," . str_replace(",", " ", $myrow['short_desc']) .
 				(isset($myrow['description']) && $myrow['description'] ? " (" . preg_replace("/[,\n]+/", " ", $myrow['description']) . ")" : "") .
-				(isset($myrow['isobsolete']) && $myrow['isobsolete'] ? " [obsolete patch]" : "") . 
+				(isset($myrow['isobsolete']) && $myrow['isobsolete'] ? " [obsolete patch]" : "") .
 				"\n";
 		}
 	}
 	if ($isFormatted)
-	{	
+	{
 		print "		</table>\n";
 	}
 	return $cnt;
@@ -222,13 +246,13 @@
 
 function doBugLink($id)
 {
-	return "<a href=\"/modeling/searchcvs.php?q=" . $id . "\"><img src=\"/modeling/images/delta.gif\" border=\"0\" alt=\"Search CVS for bug " . $id . "\"></a>&#160;" .  
+	return "<a href=\"/modeling/searchcvs.php?q=" . $id . "\"><img src=\"/modeling/images/delta.gif\" border=\"0\" alt=\"Search CVS for bug " . $id . "\"></a>&#160;" .
 		   "<a href=\"https://bugs.eclipse.org/bugs/show_bug.cgi?id=" . $id . "\">" . $id . "</a>";
 }
 
 function getContributor($in)
 {
-	global $debug; 
+	global $debug;
 	if ($debug) echo "Processing {{ $in }}<br/>";
 	if (strpos($in, "@") !== false && strpos($in, "[") === false)
 	{
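Review bot: `doBugLink()` in this hunk interpolates `$id` into an `href`, an `alt` attribute and the link text without escaping, and `getContributor()` echoes `$in` raw when `$debug` is set. A plain `(int)` cast in `doBugLink()` would break the `preg_replace(..., doBugLink("$1"), ...)` callers, which pass the literal `$1` placeholder, so either wrap `$id` in `htmlspecialchars()` (a no-op on `$1`) or switch those callers to `preg_replace_callback` so the real match is handed to `doBugLink()` and can be cast safely.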
@@ -260,23 +284,23 @@
 	# Connect to database
 	$dbc 	= new DBConnectionBugs();
 	$dbh 	= $dbc->connect();
-						
-	$query = "SELECT 
-					products.id, 
+
+	$query = "SELECT
+					products.id,
 					products.name
-			FROM 
-					products 
+			FROM
+					products
 			ORDER BY
 					products.id";
-	
+
 	$rs = mysql_query($query, $dbh);
-	
+
 	if(mysql_errno($dbh) > 0) {
 		echo "There was an error processing this request: " . $query . " : ";
-		
+
 		# For debugging purposes - don't display this stuff in a production page.
 		echo mysql_error($dbh);
-		
+
 		# Mysql disconnects automatically, but I like my disconnects to be explicit.
 		$dbc->disconnect();
 		exit;
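Review bot: the comment on the error path in this hunk says "don't display this stuff in a production page", but the `echo mysql_error($dbh)` below it runs unconditionally; guard it with the existing `$debug` global and send the detail to `error_log()` so operators still get it without the visitor seeing database error text.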
@@ -285,9 +309,9 @@
 	while($myrow = mysql_fetch_assoc($rs)) {
 		print $myrow['id'] . ", " . $myrow['name'] . "\n";
 	}
-	
+
 	$dbc->disconnect();
-	
+
 	$rs 		= null;
 	$dbh 		= null;
 	$dbc 		= null;
@@ -295,7 +319,7 @@
 
 function doIPQueryPage()
 {
-	global $incubating, $isFormatted, $showbuglist, $components, $showobsolete, $sortBy, $committers, $product_id, $extra_IP, $third_party, $third_party_works_with, $theme, $PR, $App, $Menu, $Nav; 
+	global $incubating, $isFormatted, $showbuglist, $components, $showobsolete, $sortBy, $committers, $product_id, $extra_IP, $third_party, $third_party_works_with, $theme, $PR, $App, $Menu, $Nav;
 	ksort($committers); reset($committers);
 
 	$componentQueryString = getComponentQueryString();
@@ -318,7 +342,7 @@
 		}
 		print "\n" . sizeof($bugs) . " bugs total.\n";
 		exit;
-	}	
+	}
 	if (!$isFormatted)
 	{
 		header("Content-type: text/plain\n\n");
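Review bot: `header("Content-type: text/plain\n\n");` in this hunk embeds a double newline in the header string; it is harmless only because PHP trims trailing CR/LF from header values and appends its own terminator, and PHP already rejects header strings with embedded newlines followed by further text. Use `header("Content-type: text/plain");` so the intent is unambiguous.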
@@ -337,7 +361,7 @@
 			foreach ($extra_IP as $ip)
 			{
 				print "$ip\n";
-			} 
+			}
 		}
 		$third_parties = array(
 			"Third Party Software (Section 3)" => $third_party,
@@ -360,14 +384,14 @@
 			}
 		}
 	}
-	
+
 	$projct= preg_replace("#.+/#", "", $PR);
 	$projectName = $projct != "modeling" ? strtoupper($projct) : "Modeling Project";
-	
+
 	ob_start();
 	?>
 	<div id="midcolumn">
-	
+
 		<h1><?php print $projectName; ?> IP Log</h1>
 		<div class="homeitem3col">
 			<a name="section1"></a><h3>Committers (Section 1)</h3>
@@ -378,7 +402,7 @@
 		<div class="homeitem3col">
 			<a name="section2"></a><h3>Developers (Section 2)</h3>
 			<?php $cnt = printIPQuery(doIPQuery(), true); ?>
-			<p align="right"><?php echo $cnt; ?> records found.</p> 
+			<p align="right"><?php echo $cnt; ?> records found.</p>
 			<p>
 	 		<?php if (isset($extra_IP) && is_array($extra_IP) && sizeof($extra_IP) > 0)
 			{
@@ -396,12 +420,12 @@
 			"Third Party \"Works-With\" Software (Non-EPL, Non-Distributed)" => $third_party_works_with
 		);
 		foreach ($third_parties as $label => $third_party_arr)
-		{ 
+		{
 			if (isset($third_party_arr) && is_array($third_party_arr) && sizeof($third_party_arr) > 0)
 			{
 				$cnt = 0; ?>
 		<div class="homeitem3col">
-			<a name="section3"></a><h3><?php print $label; ?></h3><?php 
+			<a name="section3"></a><h3><?php print $label; ?></h3><?php
 				$hasComponent = false;
 				foreach ($third_party_arr as $tp)
 				{
@@ -412,7 +436,7 @@
 						break;
 					}
 				}
-					
+
 				print "<table>\n" .
 						"<tr>" . ($hasComponent ? "<th>Component</th>" : "") . "<th>Name &amp; Version</th><th>Location</th><th>License</th><th>Usage</th><th><acronym title=\"Contribution Questionnaires, if known\">CQ</acronym></tr>\n";
 				$bgcol = "#FFFFEE";
@@ -425,7 +449,7 @@
 					if (sizeof($components) < 1 || (isset($bits[5]) && in_array($bits[5], $components)))
 					{
 						print "<tr bgcolor=\"$bgcol\" align=\"top\">" .
-							($hasComponent ? "<td>" . (isset($bits[5]) && $bits[5] ? 
+							($hasComponent ? "<td>" . (isset($bits[5]) && $bits[5] ?
 								"<acronym title=\"click to filter/unfilter this component\"><a style=\"font-size:8px\" href=\"?" . 'sortBy=' . $sortBy . ($showobsolete ? "&amp;showobsolete" : ""). (sizeof($components) == 1 && $components[0] == $bits[5] ? "" : "&amp;component=" . strtolower($bits[5])) . "\">" . $bits[5] . "</a></acronym>&#160;" .
 								"<a href=\"http://www.eclipse.org/$PR/?project=" . strtolower($bits[5]) . "\"><img src=\"/modeling/images/link-out.png\"/></a>" : "") . "</td>" : "") .
 							"<td>" . cqlink(isset($bits[4]) && $bits[4] ? $bits[4] : "", $bits[0]) . "</td>" .
@@ -443,9 +467,9 @@
 			}
 		} ?>
 	</div>
-	
+
 	<div id="rightcolumn">
-	
+
 <?php if (isset($incubating)) { ?>
 	<div class="sideitem">
 	   <h6>Incubation</h6>
@@ -454,13 +478,13 @@
 	        align="center" src="http://www.eclipse.org/images/egg-incubation.png"
 	        border="0" /></a></div>
 	 </div>
-<?php } ?>	
+<?php } ?>
 		<div class="sideitem">
 			<h6>Committers (Section 1)</h6>
 			<ul>
-	<?php foreach ($committers as $committer => $componentList) 
+	<?php foreach ($committers as $committer => $componentList)
 	{
-		print "<li>" . ($componentList ? "<acronym title=\"$componentList\">" : "") . 
+		print "<li>" . ($componentList ? "<acronym title=\"$componentList\">" : "") .
 			"<a href=\"/$PR/searchcvs.php?q=author:$committer\">$committer</a>" . ($componentList ? "</acronym>" : ""). "</li>\n";
 	} ?>
 			</ul>
@@ -494,27 +518,27 @@
 		</div>
 		<div class="sideitem">
 			<a name="Note"></a><h6>Data Inclusion</h6>
-			
-			<p>Note that this data is only as accurate as the 
+
+			<p>Note that this data is only as accurate as the
 			<a href="http://wiki.eclipse.org/index.php/GMF_Development_Guidelines#Committing_a_Contribution">process used to collect it</a>.
-			 To appear in this list, a contribution must: (1) have a related bug, (2) include a <i>patch</i> type attachment, and (3) bear the <i>contributed</i> keyword. 
-			 
+			 To appear in this list, a contribution must: (1) have a related bug, (2) include a <i>patch</i> type attachment, and (3) bear the <i>contributed</i> keyword.
+
 			 <p>For older bugs that do not follow the above convention, you can also tag a contribution by entering a <i>[contrib email="..."/]</i> comment in a bug, or add some <i>Additional IP</i> <a href="http://www.eclipse.org/modeling/gmf/project-info/ipquery.php#section2a">like this</a>.
 
-			 <p>If you see an omission and cannot correct it yourself,  
+			 <p>If you see an omission and cannot correct it yourself,
 			 <a href="https://bugs.eclipse.org/bugs/enter_bug.cgi?product=modeling&component=Website">please report it</a>.
 			</p>
 		</div>
 	</div>
-	
+
 	<?php
 	$html = ob_get_contents();
 	ob_end_clean();
-	
+
 	$pageTitle= "Eclipse Modeling - " . ($projectName && $projct != "modeling" ? $projectName . " -" : "") . " IP Log";
 	$pageKeywords = "eclipse,project,modeling,IP";
 	$pageAuthor = "Nick Boldt";
-	
+
 	$App->AddExtraHtmlHeader('<link rel="stylesheet" type="text/css" href="/modeling/includes/index.css"/>' . "\n");
 	$App->generatePage($theme, $Menu, $Nav, $pageAuthor, $pageKeywords, $pageTitle, $html);
 }
@@ -545,7 +569,7 @@
 function pretty_print($in, $split, $num)
 {
 	$bits = explode($split, $in);
-	$out = ""; 
+	$out = "";
 	for ($i=sizeof($bits) - $num; $i<sizeof($bits); $i++)
 	{
 		if ($out)
@@ -559,7 +583,7 @@
 
 function cqlink($num, $label = "")
 {
-	return $num ? 
+	return $num ?
 		"<acronym title=\"Contribution Questionnaire #$num\"><a href=\"https://dev.eclipse.org/ipzilla/show_bug.cgi?id=$num\">" . ($label ? $label : $num) . "</a></acronym>" :
 		($label ? "<acronym title=\"Contribution Questionnaire Search\"><a href=\"https://dev.eclipse.org/ipzilla/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=" . urlencode($label) . "&long_desc_type=substring&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&keywords_type=allwords&keywords=&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&bugidtype=include&bug_id=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=Reuse+same+sort+as+last+time&field0-0-0=noop&type0-0-0=noop&value0-0-0=\">" . $label . "</a></acronym>" : $num);
 }
diff --git a/includes/relnotes-common.php b/includes/relnotes-common.php
index ed06c60..706cda3 100644
--- a/includes/relnotes-common.php
+++ b/includes/relnotes-common.php
@@ -1,4 +1,27 @@
 <?php
+
+/**
+ * Bug 477734 - [SECURITY] Xss + SQL INJECTION
+ *
+ * SQL injection is a code injection technique,
+ * used to attack data-driven applications, in which malicious
+ * SQL statements are inserted into an entry field for execution
+ * (e.g. to dump the database contents to the attacker).
+ *
+ * Cross-Site Scripting (XSS) vulnerabilities are a type of
+ * computer security vulnerability typically found in Web applications.
+ * XSS vulnerabilities enable attackers to inject client-side script
+ * into Web pages viewed by other users.
+ *
+ * Given the severity of this bug, we added an exit() at the top
+ * of this file to stop it from being executed on our servers.
+ *
+ * The owner(s) of this website should review every request to MYSQL before
+ * removing the exit() on this page.
+ *
+ */
+exit();
+
 /* REMINDER:
  When adding new projects to the database, you must insert a 0.0.0 release as a basis from which
  to compare, or you won't get anything returned from your query.
@@ -37,7 +60,7 @@
 
 /* set defaults */
 $cvscom = "";
-$tmp = array_keys($cvsprojs); 
+$tmp = array_keys($cvsprojs);
 if (sizeof($tmp) > 0)
 {
 	$proj = (isset($defaultProj)) ? preg_replace("#^/#", "", $defaultProj) : $tmp[0];