Commits on Dec 7, 2014
  1. Merge tag 'release-1.2.18' into oracle

    dregad committed Dec 7, 2014
    Stable release 1.2.18
Commits on Dec 5, 2014
  1. Fix invalid link in 'nosniff' header comment

    dregad committed Dec 5, 2014
    Missed that occurrence in html_api.php when I updated it in
    file_download.php (e66ecc9).
Commits on Dec 3, 2014
  1. Update CREDITS

    dregad committed Dec 3, 2014
  2. Update mailmap file

    dregad committed Nov 23, 2014
  3. Fix URL redirection issue in login_page.php

    dregad committed Dec 3, 2014
    When Mantis is installed at the web server's root, $g_short_path is set
    to '/'. string_sanitize_url() removes the trailing '/' from the short
    path, which causes the URL to be incorrectly categorized as "type 2",
    thus allowing cross-site redirection to occur.
    By checking that the short path is not empty before setting URL
    as type 2, we ensure that we categorize it as type 3, which then forces
    the function's return value to 'index.php'
    Fixes #17648 (CVE-2014-6316)
  4. Tests: revise StringTest.php

    dregad committed Dec 3, 2014
    - Add assertion to check string_sanitize_url() when $g_short_path = '/'
      This is a bit of a hack, but it gets the job done
    - Add test case for login page URL redirection issue #17648
Commits on Nov 30, 2014
  1. Improve comment for 'nosniff' header

    dregad committed Nov 29, 2014
    - Reworded the part about IE8 second-guessing content type
    - Added a note about Flash, as per Mathias Karlsson's recommendation in
      issue #17874
  2. Fix #17874: XSS in file uploads

    dregad committed Nov 29, 2014
    An attacker can upload a Flash file with an image extension. If such an
    attachment is displayed inline, it becomes a vector for XSS attacks.
    This issue was reported by Matthias Karlsson (
    as part of Offensive Security's bug bounty program [1].
    Patch with contribution from Victor Boctor.
Commits on Nov 29, 2014
  1. Fix #17297: XSS in string_insert_hrefs

    dregad committed Nov 28, 2014
    The URL matching regex in the function did not validate the protocol,
    allowing an attacker to use 'javascript://' to execute arbitrary code.
    Issue was discovered by Mathias Karlsson (
    and reported by Offensive Security (
  2. Fix #17876: XSS in copy_field.php

    mantis authored and dregad committed Oct 30, 2014
    This issue was reported by Matthias Karlsson (
    as part of Offensive Security's bug bounty program [1].
    Signed-off-by: Damien Regad <>
  3. Fix #17583: XSS in projax_api.php

    mantis authored and dregad committed Oct 30, 2014
    Offensive Security reported this issue via their bug bounty program [1].
    The Projax library does not properly escape html strings.  An attacker
    could take advantage of this to perform an XSS attack using the
    profile/Platform field.
    Signed-off-by: Damien Regad <>
  4. Fix #17890: XSS in extended project browser

    dregad committed Nov 15, 2014
    Extended project browser allows projects to be passed in as A;B.
    helper_get_current_project() and helper_get_current_project_trace() then
    explode the string by ';' and don't check that A is an int (a project /
    sub-project id).  Finally, print_extended_project_browser() prints the
    result of the split into a javascript array.
    Paul Richards discovered the issue and wrote the original patch for it.
    His code was modified to remove a redundant typecast as well as an
    unnecessary foreach loop in helper_get_current_project(), replacing it
    with a single type cast.
  5. Do not pass raw user data to unserialize

    mantis authored and dregad committed Nov 1, 2014
    Filters were moved to TOKEN api, so the code in current_user_api to handle
    ?filter= on URL query strings is a left over from this move and is no
    longer necessary.
    This issue was reported by Matthias Karlsson (
    as part of Offensive Security's bug bounty program [1].
    Fixes #17875
    Signed-off-by: Damien Regad <>
  6. DB Credentials leak in upgrade_unattended.php

    dregad committed Nov 28, 2014
    Retrieve credentials from Mantis system configuration instead of
    accepting them from POST parameters.
    This issue was reported by Matthias Karlsson (
    as part of Offensive Security's bug bounty program [1].
    Paul Richards' original patch was modified to align the code with master
    branch to (basically replacing DIRECTORY_SEPARATOR by '/') to facilitate
    Fixes #17877
    Signed-off-by: Damien Regad <>
Commits on Nov 26, 2014
  1. Allow setting 'announcement' flag when editing News

    thinkl33t authored and dregad committed Nov 26, 2014
    News Edit was not working - boolean was being interpreted as a string
    Fixes #17924
    Signed-off-by: Damien Regad <>
  2. Increase captcha public key max value

    dregad committed Nov 26, 2014
    The captcha's public key was generated as a random number between 0 and
    As per Alejo Popovici's recommendation in ~41918, this commit removes
    the limitation in mt_rand() call, so the generated key is now a number
    between 0 and mt_getrandmax() (2147483647 on my box).
    Issue #17811
  3. Use session rather than form key for captcha

    vboctor authored and dregad committed Nov 25, 2014
    Fixes #17811
    Signed-off-by: Damien Regad <>
Commits on Nov 25, 2014
  1. Improve validation for filter sort and direction

    vboctor authored and dregad committed Nov 25, 2014
    Fixes #17841
Commits on Nov 15, 2014
  1. Fix bug doesn't exist error in timeline feature

    vboctor committed Nov 15, 2014
    The error was caused by 0f030fd which checks that the user has access to issues referenced in issue history.
    Issue #9885
  2. Incorrect access check on attachment downloads

    mantis authored and dregad committed Oct 30, 2014
    Even if config variables $g_download_attachments_threshold and
    $g_view_attachments_threshold are set to 55 (developer), users with
    lower privileges can download attachments.
    Fixes #17742
    Signed-off-by: Damien Regad <>
  3. Fix #17870: XSS in adm_config_report.php

    dregad committed Nov 14, 2014
    This is the correct fix for this issue, using string_attribute() to
    escape the variable. Thanks to Paul Richards for pointing this out.
  4. Revert "Fix #17870: XSS in adm_config_report.php"

    dregad committed Nov 15, 2014
    This reverts commit ee8100d.
    The wrong string API call was used, it should have been
    string_attribute() and not string_display_line(). Thanks to
    Paul Richards for pointing this out.
  5. Ensure username is valid in login_page.php

    mantis authored and dregad committed Oct 30, 2014
    This is a fix to improve the behaviour of login_page against possible
    XSS exploits to ensure that a username is valid before displaying it
    back to the user when entered.
    Fixes #17338
    Signed-off-by: Damien Regad <>
  6. Prevent unauthorized users setting handler when reporting issue

    mantis authored and dregad committed Oct 30, 2014
    Adding a security check to block the update when access level is
    Fixes #17878
    Signed-off-by: Damien Regad <>
  7. SOAP API: apply access control to mci_account_get_array_by_id

    rombert authored and dregad committed Apr 30, 2014
    The access controls are the same as the ones applied by
    view_user_page.php, with the single addition of making the info
    available if the user requests their own information.
    This preserves the behaviour of the mc_login method call.
    Fixes #17243 (leak of user personal information)
    Signed-off-by: Damien Regad <>
  8. adm_config_report: invalid config handling

    dregad committed Nov 15, 2014
    When receiving an invalid config_id, the page will default the select to
    [any] (META_FILTER_NONE) instead of adding the invalid config to the
    This is a backport of cabacdc and
    3d0625d from master.
    Fixes #17889
  9. Force reporting of E_USER_* in error api

    dregad committed Jun 14, 2013
    Solves the problem of Mantis silently proceeding through errors that
    should effectively stop code execution, when error_reporting is disabled
    in php.ini or apache mod config.
    This follows @davidhicks' recommendation in comment ~22998.
    Fixes #10966
    Backported from master cec4549.
Commits on Nov 14, 2014
Commits on Nov 7, 2014
  1. New BugData object due_date should be blank

    dregad committed Oct 15, 2014
    Prior to this, the due_date field was initialized to 0, causing the date
    to be incorrectly preset to 1970-01-01 00:00 UTC.
    Backport from master 2d82b24
    Fixes #17847
  2. XML Import: use new method to replace bug links

    dregad committed Nov 7, 2014
    A new private method replaceLinks() was added to avoid code duplication.
    Now replacement of buglinks for 'description', 'steps_to_reproduce' and
    'additional_information' is performed via this method.
    Backport from master 8e111ab
    Fixes #17775
  3. XML plugin: Add config page with access thresholds

    dregad committed Oct 17, 2014
    Prior to this, any user of a MantisBT instance with the XML
    Import/Export plugin enabled and knowing the URL to the plugin's import
    page could upload an XML file and insert data without restriction,
    regardless of their access level.
    This vulnerability is particularly dangerous when used in combination
    with the one described in issue #17725 (CVE-2014-7146) as it makes for a
    very simple and easily accessible vector for PHP code injection attacks.
    There was also no access check when exporting data, which could allow an
    attacker to gain access to confidential information (disclosure of all
    bug-related data, including usernames).
    Fixes #17780 (CVE-2014-8598)
  4. XML Import: Fix php code injection vulnerability

    dregad committed Nov 1, 2014
    Egidio Romano discovered a vulnerability in the XML import plugin.
    User input passed through the "description" field (and the "issuelink"
    attribute) of the uploaded XML file isn't properly sanitized before
    being used in a call to the preg_replace() function which uses the 'e'
    modifier. This can be exploited to inject and execute arbitrary PHP code
    when the Import/Export plugin is installed.
    This fix is a partial backport from a master branch commit which has
    been confirmed as addressing the issue (8401753)
    excluding changes not relevant to fixing the security issue, including
    subsequent fixes (aea1a34,
    Fixes #17725 (CVE-2014-7146)