Commits on Sep 24, 2011
  1. Enhanced plugin_config_get() function

    dominik committed with dregad Sep 23, 2011
    The function now works similar to config_get(), and allows the usage
    of user_id and project_id parameters. With this change it is now
    possible to fetch plugins config values for a specific user and/or
    Fixes #13346
    Signed-off-by: Damien Regad <>
  2. Issue #13344: Add missing PHP closing tags for manage_proj pages

    davidhicks committed Sep 24, 2011
    Commit 9c1dce1 forgot some PHP closing
    tags, preventing manage_project_edit_page and manage_project_page from
    parsing correctly.
Commits on Sep 23, 2011
  1. SOAP API: Ensure that helper_get_current_project() resolves to the re…

    rombert committed Sep 23, 2011
    …quested project
    Fixes #13324: Adding or updating issue with mylyn causes error #13
  2. Fix display of upgrade_warning.php

    rombert committed Sep 23, 2011
    - use the correct html header
    - encode '<' and '>' chars
Commits on Sep 22, 2011
  1. Send email notifications when updating bugs using the SOAP API

    rombert committed Sep 22, 2011
    Fix #13339 : Email notifications through mantis mylyn connector / SOAP
  2. Print Handler for Categories in a standard way

    dregad committed Sep 22, 2011
    The user assigned to a Global or Project-specific Category as default
    handler was printed in a non-standard way. We now use function
    prepare_user_name() to display it instead.
    Fixes #13344
  3. Fallback to English when string is not defined

    dregad committed Sep 21, 2011
    MantisBT generally falls back correctly to default English when a string
    is not defined in the current language. However, when the admin wants to
    restrict the available languages ($g_language_choices_arr) and remove
    'english' from the list (see issue #13315), an error 300 is displayed
    when strings are missing from the translated strings_xxx.txt file (as
    can be the case for strings defined as "optional" in TranslateWiki, such
    as $s_directionality).
    Commit also removes obsolete comment about not falling back to English.
Commits on Sep 21, 2011
  1. Excel API: allow alignments to be specified

    rombert committed Sep 21, 2011
    Affects #13290: Allow more control over excel export format
Commits on Sep 20, 2011
  1. Fix error handling in ldap_get_field_from_username

    dregad committed Sep 20, 2011
    When successful, ldap_get_entries always returns an array with at least
    one element inside (the count), so the check for no matches was always
    successful even when no values were retrieved from LDAP.
    Fixes #13331
Commits on Sep 19, 2011
  1. Cosmetic changes in the time tracking table layout

    dregad committed Sep 19, 2011
      - reset the alternating line colors at start of each block
      - use bold font for Totals line
      - right-align the cost column
  2. Fix #13338: Time tracking cost column font size

    dregad committed Sep 19, 2011
    There was no class specified on the td tag for the cost column.
  3. Fix #11662: Allow decimal costs in time tracking/billing

    dregad committed Sep 19, 2011
    Previously the cost was retrieved from the form using gpc_get_int(), and
    error 203 was triggered when decimal values were entered. We now get the
    field as a string and convert it using floatval().
Commits on Sep 14, 2011
  1. Fix #13303: use strtolower in ini_get_bool()

    dregad committed Sep 14, 2011
    Generally, ini_get() returns '0' or '1' when querying a boolean option,
    regardless of the actual string used to set it (i.e. On, False, etc).
    However, in some cases (e.g. when the option is set in httpd.conf
    via php_admin_value instead of php_admin_flag), ini_get() returns the
    string itself instead.
    This caused ini_get_bool() to wrongly return False when the option is
    set to an equivalent of True but with a different case ('On', 'TRUE').
Commits on Sep 12, 2011
  1. Improve directory validation in admin checks

    dregad committed Sep 12, 2011
    This commit brings the following improvements in check_paths_inc.php:
     - In addition to checking that a directory is valid, we now also
       verify that it is readable, this way admin will know if the error
       is caused e.g. by a symlink, or due to access rights
     - Print actual path instead of a text description in install check.
       The config option name is already displayed as part of the first
       line of the check's output, so repeating the information does not
       add any additional value.
     - Escape data printed in messages (path) with htmlspecialchars() as
       recommended by dhx
     - Added comments to clearly identify purpose of each check block
Commits on Sep 10, 2011
  1. Fix #12443: Moving bugs - check for reporter permissions in destinati…

    cproensa committed with davidhicks Nov 9, 2010
    …on project
    The user with enough rights to move a bug into another project, is
    allowed to move it into a project in which he has only 'viewer' rights.
    Steps to reproduce this bug:
    1. User has full rights in project A (enough to report and move bugs)
    2. User has 'viewer' right in project B
    3. User creates a bug in project A and is allowed to move it into project B
    Signed-off-by: David Hicks <>
  2. Revert "Fix #12443: Moving bugs - check for reporter permissions in d…

    davidhicks committed Sep 10, 2011
    …estination project"
    This reverts commit 63db6ac.
    This commit has been incorrectly forward-ported from the master-1.2.x
    branch and has overwritten changes to this file made in the master
    Removed, to be reapplied correctly.
  3. Revert "Changed require_once to required_api for bug_api.php"

    davidhicks committed Sep 10, 2011
    This reverts commit adb0b81.
    This commit fixed a problem that was introduced by the erronous commit
    63db6ac. As this erronous commit is
    being removed, this patch is no longer needed.
Commits on Sep 9, 2011
  1. Fix #13280: Incorrect queries logged when sorting by custom field hav…

    dregad committed Sep 9, 2011
    …ing accented chars
    The offsets returned by preg_match are byte-based, which causes issues with
    UTF-8 characters as the subsequent calls to utf8_substr operate on the wrong
    part of the string; this results in logging of invalid SQL queries when
    $g_show_queries_list = ON.
    This commit fixes the problem by realigning the offsets prior to performing the
    query parameter substitution.
    It also simplifies the code by removing parenthesis in the regexp pattern,
    which is not necessary since we are only matching a single element, this way
    there is no need to deal with a multi-dimentional array.
Commits on Sep 5, 2011
  1. Fix #12361: Private bug visibility leak in my_view/view_all_bug_page

    Todd Whitesel committed with davidhicks Sep 5, 2011
    In the My View / View Issues screens, private bugs in public projects
    (and probably private projects too) appear to ignore the
    private_bug_threshold value of their project unless you select it. When
    some projects have tighter security on viewing private bugs than others,
    this creates a situation where a user who should not be able to see a
    bug can still discover its existence in My View and View Issues. Viewing
    it fails with 'access denied', but if the summary had confidential
    information in it then the security leak has already happened.
    I don't consider giving All Projects the tighter security to be a usable
    workaround, because then you can't find bugs in the projects that use
    normal security for private bugs, until you select one of them, but then
    you can only see the subproject hierarchy you just went into.
    Steps to reproduce:
    On a fresh 1.2.2 install try this:
    Create a public project.
    In the project, edit thresholds so that you need manager to view private
    Submit a private bug to that project.
    Login as a different user with global access of developer. View All
    You can see the bug in MyView / ViewIssues but then when you click on it
    you get an Access Denied screen. If you select the bug's project, then
    it correctly disappears.
    Signed-off-by: David Hicks <>
  2. Fix #13140: Incorrect permissions check during bug reporting and cloning

    davidhicks committed Sep 5, 2011
    Todd Whitesel reported an issue with incorrect permissions checks being
    performed when cloning issues. The steps to reproduce this bug were
    provided by Todd:
    Fresh 1.2.5 install.
    Create two users, a Developer and an Updater.
    Create a private project.
    (Actually create a couple more projects so you can see the project
    Add both users to the private project AS MANAGERS.
    Login as Developer, select the private project, and create an issue.
    Login as Updater, select All Projects, and attempt to clone that issue.
    It fails with ACCESS DENIED error #13. Also note that your access level
    was Manager while editing the cloned issue, but in the error screen your
    access level is back to your global access of Updater.
    As Updater, Select the private project, create an issue. Then select All
    Projects, and attempt to clone that issue. It succeeds, apparently
    because you are cloning your own issue.
    Create a public project and attach the private project as a subproject
    of it. Retry the above cloning tests with the public parent project
    instead of All Projects -- the results are the same whether you select
    All Projects or the parent project.
    The problem was that the current project (from the project selector
    dropdown) was used as the basis for config_get calls, thus leading to
    incorrect permissions and settings being used within bug_report.php. We
    need to instead switch (temporarily) the current project to either the
    master issue (when cloning) or the specified project_id (when creating a
    new issue via bug_report_page.php).
    Thanks again to Todd for the discovery and debugging of this problem, the
    detailed bug report and initial patch (that has been extended to resolve
    the second project_id issue from bug_report_page.php).
  3. Fix #13141: Incorrect parameters to config_get function

    davidhicks committed Sep 5, 2011
    Thanks to Todd Whitesel for finding this problem in filter_api.php and
    to Roland Becker for providing further assistance.
    I have grepped the source code and reviewed all other calls to
    config_get to ensure they correctly use parameters. There was one
    additional bug discovered in bug_report_page.php.
Commits on Sep 4, 2011
  1. Allow more control over the excel api's output

    rombert committed Sep 4, 2011
    The following changes have been made:
    - allow declaration of Spreadsheet styles to control the appearance of
      rows and cells
    - allow setting of attributes on individual cells
    The actual output of the excel export is unchanged.
    The API changes are completely backwards compatible.
    Fixes #13290: Allow more control over excel export format
  2. Using just script_name is OK, but it's feasible that SCRIPT_NAME isn'…

    grangeway committed Sep 4, 2011
    …t set - this is more common in (badly configured?) nginx servers
  3. Remove unreachable code branch in config_defaults_inc.php

    davidhicks committed Sep 4, 2011
    Commit 57c9448 introduced an
    unreachable code branch that has no effect. Removed.
    The functionality will likely need to be rechecked by Paul/John to see
    whether we do want to use PHP_SELF.
Commits on Aug 29, 2011
  1. Project override should only apply if $p_project hasn't been explicit…

    grangeway committed Aug 29, 2011
    …y set.
    For the most part, we use config_get(var) to get information for the current project [or overriden project]
    If we are explicity passing in a project ID, we should use this ID instead, and not override.
  2. Fix issue introduced previously whereby php_Self is now used unchecked.

    grangeway committed Aug 29, 2011
    introduced previously by john attempting to fix symlinks. Since we now use php 5.2, we can make use of filter_var.
    This is a simpler version of what we were trying to do previously aka;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8
    Depending on server/mantis config this can lead to XSS issues
  3. Rework the bug action group api such that we can easily convert this …

    grangeway committed Aug 29, 2011
    …to an object in the future, and to validate calls to require once.
    This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated.
    Depending on webserver configuration, this is a file inclusion vulnerability.
    There will be a follow up commit to config api - probably:
    -		if( $g_project_override != null ) {
    +		if( $g_project_override != null && $p_project == null ) {
    At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
    a) change project override within the command list function
    b) modifify config api to only use the project override *if* it is attempting to look up information on the default project.
  4. Remove accidental commit of config_inc.php

    davidhicks committed Aug 20, 2011
    The file "12x" was accidentally committed by Damien in commit
    bcfdfff. Deleted.
Commits on Aug 18, 2011
  1. Fix #13245: XSS issues with search.php parameters

    davidhicks committed Aug 18, 2011
    Net.Edit0r ( from BlACK Hat Group
    [] posted a vulnerability report for an XSS issue in
    search.php for MantisBT 1.2.6.
    The full report is available at
    filter_api.php is the culprit for this vulnerability as it passes user
    supplied search parameters back into output without first escaping the
    It should be noted that numerous other XSS vulnerabilities (all related)
    have been fixed with this patch. In other words, it is not just the
    project_id parameter to search.php that was affected - it was numerous
    other parameters/fields as well.
    The second SQL injection vulnerability identified by Net.Edit0r is
    invalid because the only time we ever make reference to "mbadmin" in the
    source code is:
    if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) )
    This usage is safe because nothing is ever done with $_GET['mbadmin'].
    It may be the case that the user's customised version of
    mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin']
    to the screen. The default/sample mantis_offline.php has been checked
    and does not print any dynamically created strings/user supplied values.
Commits on Aug 16, 2011
  1. Merge pull request #10 from MarcinKleczek/master

    davidhicks committed Aug 16, 2011
    Replace require_once call with require_api in bug_actiongroup.php
Commits on Aug 15, 2011
  1. Changed require_once to required_api for bug_api.php

    Marcin Kłeczek committed Aug 15, 2011
Commits on Aug 10, 2011
  1. Fix #13228: SQL error in bugnote_api.php with PostgreSQL

    dregad committed Aug 10, 2011
    ERROR: column "u.realname" must appear in the GROUP BY clause or be used in an
    aggregate function
    Bug was introduced in release 1.2.6, commit c4c0a01.
    A new column was added to 2 SQL statements' SELECT clause, but the GROUP BY
    was not updated to match.
    This passed testing, as MySQL is more (too?) permissive and allows the SELECT
    clause to refer to ungrouped columns that are not in aggregate functions.
    This commit also removes unnecessary "" column from the group by clause.
Commits on Aug 9, 2011
  1. Fix #13226: Installation check should verify that default file upload…

    dregad committed Aug 9, 2011
    … path has trailing /
    Add config option absolute_path_default_upload_folder to the list of paths to
    validate in check_paths_inc.php