MantisBT: master cff10f26

Author Committer Branch Timestamp Parent
dregad dregad master 2020-12-06 12:39:55 master 09886c87
Affected Issues  0027357: Attacker can leak private information via different functionality
 0027726: CVE-2020-29603: Disclosure of private project name
Changeset

Avoid private project name disclosure

When an unprivileged user tries to access a private project via
manage_proj_edit_page.php, they receive an Access Denied as expected,
but the project's name is leaked via the navbar's project selector.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting and
providing an initial patch for this bug.

Fixes 0027726, 0027357, CVE-2020-29603

mod - core/layout_api.php Diff File