Commits on Jun 14, 2016
  1. @atrol

    Delete doc/INSTALL

    This file has been removed some while ago in commit e4d1beb
    The contents have been moved to file in root directory of Mantis.
    atrol committed on GitHub Jun 14, 2016
  2. Merge Modern UI

    This extra merge commit fixes the git history as explained in
    committed Jun 14, 2016
  3. @syncguru
Commits on Jun 12, 2016
  1. @vboctor
  2. @vboctor

    Update version to 1.3.0-rc.2

    vboctor committed Jun 12, 2016
  3. Fix intermittent "error 2300 token not found"

    In some rare cases, collapse_cache_token() would attempt to touch a
    token that does not exist. This can happen when the current user does
    not have any TOKEN_COLLAPSE token, and the MANTIS_collapse_cookie
    contains a non-empty value that does not form a valid, colon-delimited
    The issue has been addressed by adding a token_exists() check prior to
    calling token_touch().
    Fixes #21068
    committed Jun 11, 2016
Commits on Jun 11, 2016
  1. Fix html/css for print_all_bug_page.php

    This is a follow-up on grangeway's commit to remove function
    helper_alternate_colors() 9ba4fe9.
    Issue #16471
    committed Jul 17, 2014
  2. Coding guidelines

    committed Jun 11, 2016
  3. Negate test in api_token_is_used()

    Fix error in 1f678c2
    Fixes #20472
    committed Jun 11, 2016
  4. Update credits

    committed Jun 11, 2016
  5. @grangeway

    Remove obsolete helper_alternate_colors() function

    The helper_alternate_colors function used to add odd/even classes to
    HTML elements, but dhx worked to remove these in 1.3.
    Related functions were already removed, however this function was
    grangeway committed with Jul 14, 2014
  6. Preparing Admin guide for release

    committed Jun 10, 2016
  7. Update ERD diagram to schema 209

    - Reflect changes since schema 189
    - Update MySQLWorkbench version in README file
    - Updated image for Developer's guide
    Fixes #21082
    committed Jun 10, 2016
  8. Convert README to markdown

    committed Jun 10, 2016
  9. Merge branch 'token_api-fixes'

    committed Jun 11, 2016
  10. Revert 'name' and 'hash' columns to original definition

    Following discussion in PR mantisbt#700
    Fixes #20472
    committed Jun 11, 2016
  11. New api_token_is_used() function

    Move the logic to determine whether a token has been used from
    api_tokens_page.php to the api_tokens API where it belongs.
    The check against date_used has been changed from '=== 0' to '<= 1' to
    reflect the change in schema definition in step 206.
    Fixes #20472
    committed Jun 10, 2016
  12. Fixing api_token table structure

    After careful review following @grangeway's comment in PR 685 [1]:
    - user_id field should be *unsigned* int
    - default value for varchar columns should be ''
    - default value for date fields should be 1 not 0
    [1] mantisbt#685 (comment)
    Fixes #20472
    committed Jan 2, 2016
  13. Reduce email and realname columns to 191 chars

    The varchar(255) implemented to address issue #8017 was causing issues
    with utf8mb4 encoding due a limitation in the size of indexes in MySQL.
    Fixes #20465
    committed Dec 31, 2015
  14. Doc: replacement of $g_page_title by $g_top_include_page

    Fixes #21087
    committed Jun 11, 2016
  15. New html_print_logo() API function

    This makes it easier for people to add the logo in an include file,
    since it is not shown anymore when $g_top_include_page is set.
    The html_top_banner() function was modified to use the new API.
    Fixes #21087
    committed Jun 11, 2016
  16. CSS: restore 'pagetitle' class

    This reverts commit 24e35d7.
    While not used in the code anymore since removal of html_header()
    function (see 6d6f093), the class is
    still referenced in the documentation to be used for custom page title
    via $g_top_include_page.
    Fixes #21087
    committed Jun 11, 2016
  17. String Test: 'javascript:' uri scheme

    Should redirect to index.php
    committed May 27, 2016
  18. Fix XSS in custom fields management

    Kacper Szurek ( discovered an XSS
    vulnerability in Custom fields management pages, caused by unescaped
    output of 'return URL' GPC parameter. His report describes two ways to
    exploit this issue:
    1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
       the administrator in manage_custom_field_edit_page.php when the
       keyboard shortcut is actioned
    2. using 'javascript:' URI scheme executes the code when the user clicks
       the [Proceed] link on manage_custom_field_update.php after updating
       a custom field
    This commit fixes both attack vectors:
    - properly escape the return URL prior to printing it on the hidden form
    - let html_operation_successful() sanitize the URL before displaying
      it, just like html_meta_redirect() does. In this case, if the
      string contains an URI scheme, it will be replaced by 'index.php'
    Fixes #20956
    committed May 27, 2016
Commits on Jun 10, 2016
  1. Reduce user.username column size to 191 chars

    The varchar(255) implemented to address issue #8017 was causing issues
    with utf8mb4 encoding due a limitation in the size of indexes in MySQL.
    Fixes #20465
    committed Dec 31, 2015
  2. @atrol

    Enhance documentation for option max_file_size

    Fixes #6282
    atrol committed Jun 10, 2016
Commits on Jun 8, 2016
  1. @atrol

    Correct PHPdoc

    Issue #20660
    atrol committed Jun 8, 2016
  2. @atrol

    Minor corrections

    atrol committed Jun 8, 2016
  3. @atrol
Commits on Jun 5, 2016
  1. Do not enforce related thresholds when sponsorship is OFF

    When $g_enable_sponsorship = OFF, we should not enforce related
    thresholds ($g_handle_sponsored_bugs_threshold and
    $g_assign_sponsored_bugs_threshold) when updating issues.
    Fixes #21030
    committed May 31, 2016